Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v1 to v3 namespace rbac shim #1853

Merged
merged 1 commit into from
Sep 20, 2023
Merged

Conversation

jctanner
Copy link
Collaborator

@jctanner jctanner commented Aug 29, 2023

https://issues.redhat.com/browse/AAH-2197

depends on ansible/galaxy#3248

What this is doing:

In the initial v1 implementation, legacy namespaces had an optional foreign key to a v3 namespace. Since many github logins don't conform to v3 namespace name requirements, those foreign keys weren't filled in.

Per AAH-2197 we are forcing all legacy namespaces to have a v3 namespace foreign key and to control access to the legacy namespace via rbac on the v3 namespace.

I've repurposed "provider" namespaces from the old v1 to expose the v3 namespace in the v1 viewsets. Now you can see what the actual v3 namespace for the legacy namespace is and how to get to it. When looking at the /owners endpoint, it will present the list of users that own the v3 namespace. Manipulating the v1 owners endpoint manipulates the v3 namespace's rbac.

How it works:

There's a bunch of helper utils written to build up an "algorithm" of sorts to consistently return some v3 suitable namespace name based on the github user's login and github id. The v3 namespace may match their login if valid or be a complete nonsensical name that they'd never use to push collections to, but that was the requirement given.

Along with making a bunch of v3 namespaces and linking them to the v1 namespaces, we have a github user validation scheme going on with trying to flip around email addresses on synced users to <GITHUBID>@<SOMEPLACE> until they actually login and have their true email set.

All of this logic should be encapsulated and shared among the v1 sync code, the social auth code and the new django commands i've added.

Once the go-live date for beta galaaxy is hit, we need to remove all this v1 sync stuff and never do syncs again. If we eventually ship api/v1 downstream, then "sync" needs to be completely rethought. We shouldn't be second guessing our oauth provider and we shouldn't require a custom build of social-auth.

Testing

pulpcore-manager sync-galaxy-namespaces encapsulates all of the magic in this PR. I decided not to implement it as a new REST endpoint for various reasons.

architecture ...

pulpcore-manager sync-galaxy-namespaces
    upstream_namespace_iterator
        process_namespace
             get or create legacy namespace
             get or create v3 namespace
             bind v3 namespace to legacy namespace
             set v3 namespace metadata
             set v3 namespace owners

@jctanner jctanner marked this pull request as draft August 29, 2023 00:13
@jctanner jctanner changed the title Update github shim to use sqlite and have editable users. [WIP] Update github shim to use sqlite and have editable users. Aug 29, 2023
@jctanner jctanner changed the title [WIP] Update github shim to use sqlite and have editable users. [WIP] v1 to v3 namespace rbac shim Sep 9, 2023
@jctanner jctanner force-pushed the V1_NS_RBAC_SHIM branch 2 times, most recently from a764399 to cb7d829 Compare September 12, 2023 12:52
@jctanner jctanner marked this pull request as ready for review September 18, 2023 21:37
@jctanner jctanner changed the title [WIP] v1 to v3 namespace rbac shim v1 to v3 namespace rbac shim Sep 18, 2023
@jctanner jctanner merged commit 2a4c463 into ansible:master Sep 20, 2023
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants