[RBAC] failed grouprole permission migrations fix #2274

Merged
merged 7 commits into from
Sep 26, 2024


jctanner
Collaborator

No-Issue

Signed-off-by: James Tanner <[email protected]>
@github-actions github-actions bot added backport-4.9 This PR should be backported to stable-4.9 (2.4) backport-4.10 labels Sep 25, 2024
@jctanner jctanner removed the backport-4.9 This PR should be backported to stable-4.9 (2.4) label Sep 25, 2024
@jctanner
Collaborator Author

With the latest commit, the namespace does retain its groups ...

# curl -s -u admin:admin http://localhost:55001/api/galaxy/_ui/v1/namespaces/ | jq .
{
  "meta": {
    "count": 1
  },
  "links": {
    "first": "/api/galaxy/_ui/v1/namespaces/?limit=10&offset=0",
    "previous": null,
    "next": null,
    "last": "/api/galaxy/_ui/v1/namespaces/?limit=10&offset=0"
  },
  "data": [
    {
      "pulp_href": "/api/galaxy/pulp/api/v3/pulp_ansible/namespaces/1/",
      "id": 1,
      "name": "foospace",
      "company": "",
      "email": "",
      "avatar_url": "",
      "description": "",
      "groups": [
        {
          "id": 1,
          "name": "foogroup",
          "object_roles": [
            "galaxy.collection_namespace_owner_namespace"
          ]
        }
      ],
      "users": [],
      "related_fields": {},
      "metadata_sha256": "e03b8028831331e4b5226c154487b24d39955bbd71d4de89ffc5a85ebafe62de",
      "avatar_sha256": null
    }
  ]
}

However, nothing got copied over to the dab side ...

# curl -s -u admin:admin http://localhost:55001/api/galaxy/_ui/v2/role_team_assignments/ | jq .
{
  "count": 0,
  "next": null,
  "previous": null,
  "results": []
}
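
The check made by hand in the comment above can be automated as a post-migration audit. This is an added example, not part of the original comment or the galaxy_ng code base; the v2 field names (`content_type`, `object_id`, `summary_fields.team.name`) and the `galaxy.namespace` content type string are assumptions, since the page only shows an empty result list.

```python
"""Post-migration audit: every namespace group that holds object roles should
have a matching DAB team assignment. Field names on the v2 side are assumed."""

# Constructed sample, trimmed from the /_ui/v1/namespaces/ output in the comment.
NAMESPACES = {"data": [{"id": 1, "name": "foospace", "groups": [
    {"id": 1, "name": "foogroup",
     "object_roles": ["galaxy.collection_namespace_owner_namespace"]}]}]}

# The empty /_ui/v2/role_team_assignments/ response shown in the comment.
ASSIGNMENTS_EMPTY = {"count": 0, "next": None, "previous": None, "results": []}

# Constructed: what a populated response is ASSUMED to look like.
ASSIGNMENTS_MIGRATED = {"count": 1, "next": None, "previous": None, "results": [
    {"content_type": "galaxy.namespace", "object_id": "1",
     "summary_fields": {"team": {"name": "foogroup"}}}]}


def legacy_grants(namespaces):
    """Yield (namespace_id, group_name, roles) for groups that hold roles."""
    for ns in namespaces.get("data", []):
        for group in ns.get("groups", []):
            roles = group.get("object_roles") or []
            if roles:
                yield str(ns["id"]), group["name"], sorted(roles)


def migrated_pairs(assignments, content_type="galaxy.namespace"):
    """Set of (object_id, team_name) present on the DAB side (one page only)."""
    pairs = set()
    for row in assignments.get("results", []):
        if row.get("content_type") != content_type:
            continue  # assignment on some other model, not a namespace
        team = row.get("summary_fields", {}).get("team", {}).get("name")
        if team is not None and row.get("object_id") is not None:
            pairs.add((str(row["object_id"]), team))
    return pairs


def missing_assignments(namespaces, assignments):
    """Legacy grants with no team assignment: ownership dropped by migration."""
    have = migrated_pairs(assignments)
    return [g for g in legacy_grants(namespaces) if (g[0], g[1]) not in have]


if __name__ == "__main__":
    for ns_id, group, roles in missing_assignments(NAMESPACES, ASSIGNMENTS_EMPTY):
        print(f"namespace {ns_id}: group {group!r} has no team assignment for {roles}")
```

Both endpoints are paginated (`next` / `links.next`), so a real run has to walk every page before comparing.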

@AlanCoding
Member

The assignments should be copied later in migrate_role_assignments. There are a few logs from that which we might be able to look for in the output from what you ran. I would firstly look for:

Data migration could not find team by name {group.name}

@AlanCoding
Member

Obvious question from last comment, can you see that a team exists for all groups after the migration?

The team model was created in the migration 0049_organization. I'm struggling to find where we create teams from existing groups. There is a signal that does this, but signals don't run in migrations.

No-Issue

Signed-off-by: James Tanner <[email protected]>
No-Issue

Signed-off-by: James Tanner <[email protected]>
No-Issue

Signed-off-by: James Tanner <[email protected]>
@jctanner
Collaborator Author

Failure from the certified sync workflow's migration step ...

FINISHED CREATING PERMISSIONS
Traceback (most recent call last):
  File "/usr/local/bin/pulpcore-manager", line 8, in <module>
    sys.exit(manage())
             ^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 106, in wrapper
    res = handle_func(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/commands/migrate.py", line 356, in handle
    post_migrate_state = executor.migrate(
                         ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/executor.py", line 135, in migrate
    state = self._migrate_all_forwards(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/executor.py", line 167, in _migrate_all_forwards
    state = self.apply_migration(
            ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/executor.py", line 252, in apply_migration
    state = migration.apply(state, schema_editor)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/migration.py", line 132, in apply
    operation.database_forwards(
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/operations/special.py", line 193, in database_forwards
    self.code(from_state.apps, schema_editor)
  File "/src/galaxy_ng/galaxy_ng/app/migrations/_dab_rbac.py", line 57, in split_pulp_roles
    ct_codenames = combine_values(permissions_allowed_for_role(cls))
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/ansible_base/rbac/validators.py", line 51, in permissions_allowed_for_role
    raise ValidationError(f'Django-ansible-base RBAC does not track permissions for model {cls._meta.model_name}')
rest_framework.exceptions.ValidationError: [ErrorDetail(string='Django-ansible-base RBAC does not track permissions for model synclist', code='invalid')]

No-Issue

Signed-off-by: James Tanner <[email protected]>
No-Issue

Signed-off-by: James Tanner <[email protected]>
@jctanner jctanner changed the title [RBAC] workaround failed grouprole permission migrations [RBAC] failed grouprole permission migrations fix Sep 25, 2024
@jctanner jctanner requested a review from a team September 26, 2024 00:36
@jctanner jctanner merged commit f2262c6 into ansible:master Sep 26, 2024
18 of 22 checks passed

patchback bot commented Sep 26, 2024

Backport to stable-4.10: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-4.10/f2262c6837fe1d2660817c390e87f372e33095ef/pr-2274

Backported as #2276

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Sep 26, 2024
Newly created roles during migrations were not getting permissions assigned, and that made it appear
that no user owned any resources. This change re-adds the relevant model permissions to preserve
the "ownership" the API would evaluate and display.

No-Issue

Signed-off-by: James Tanner <[email protected]>
(cherry picked from commit f2262c6)
jctanner added a commit that referenced this pull request Sep 26, 2024
…mission migrations fix (#2276)

[RBAC] failed grouprole permission migrations fix (#2274)

Newly created roles during migrations were not getting permissions assigned, and that made it appear
that no user owned any resources. This change re-adds the relevant model permissions to preserve
the "ownership" the API would evaluate and display.

No-Issue

Signed-off-by: James Tanner <[email protected]>
(cherry picked from commit f2262c6)

Co-authored-by: jctanner <[email protected]>