[CORE-182] Move listRuntimes over to new Sam permissions model #4810

Merged
merged 11 commits into from
Jan 2, 2025

marctalbott
Member

@marctalbott marctalbott commented Dec 10, 2024

Jira ticket: https://broadworkbench.atlassian.net/browse/CORE-182

Summary of changes

Change how listRuntimes gathers user runtimes to rely on the new permissions model in Sam. See https://broadworkbench.atlassian.net/wiki/spaces/IA/pages/3362848772/Leonardo+Access+Control+-+Desired+State for more details.

What

Why

Testing these changes

What to test

Who tested and where

  • This change is covered by automated tests
    • NB: Rerun automation tests on this PR by commenting jenkins retest or jenkins multi-test.
  • I validated this change
  • Primary reviewer validated this change
  • I validated this change in the dev environment

codecov bot commented Dec 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.63%. Comparing base (109a9a7) to head (aab279b).
Report is 1 commits behind head on develop.

@@             Coverage Diff             @@
##           develop    #4810      +/-   ##
===========================================
- Coverage    74.77%   74.63%   -0.15%     
===========================================
  Files          165      165              
  Lines        14954    14850     -104     
  Branches      1187     1187              
===========================================
- Hits         11182    11083      -99     
+ Misses        3772     3767       -5     
Files with missing lines Coverage Δ
...orkbench/leonardo/db/RuntimeServiceDbQueries.scala 96.69% <100.00%> (+0.37%) ⬆️
...h/leonardo/http/service/RuntimeServiceInterp.scala 88.56% <100.00%> (+0.02%) ⬆️
...leonardo/http/service/RuntimeV2ServiceInterp.scala 92.22% <100.00%> (-0.87%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@marctalbott marctalbott force-pushed the mtalbott-sam-list-runtimes branch from 85895eb to d95c38b Compare December 10, 2024 20:46
@@ -2179,6 +2017,7 @@ class RuntimeV2ServiceInterpSpec extends AnyFlatSpec with LeonardoTestSuite with
.save()
)

// todo: Don't really understand this scenario. If I don't have permission then I shouldn't be able to see it even if I created it
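
Review bot: the `// todo:` comment at the end of this hunk leaves an open question in the test file instead of stating what the scenario asserts. Settle it before merge: if a creator without permission must not see the runtime, say so in the comment and assert it; if the scenario is kept for another reason, replace the todo with that reason.
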
Member Author

I believe this is an outdated scenario in the new permissions model, but would love if someone could confirm that for me.

Collaborator

yeah this is mainly a use case for Azure runtimes governed by WSM

@@ -1740,171 +1781,6 @@ class RuntimeV2ServiceInterpSpec extends AnyFlatSpec with LeonardoTestSuite with
res.unsafeRunSync()(cats.effect.unsafe.IORuntime.global)
}

it should "list runtimes, omitting runtimes for workspaces and projects user cannot read" in isolatedDbTest {
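
Review bot: the hunk header shows 171 lines shrinking to 6 here, and the test named "list runtimes, omitting runtimes for workspaces and projects user cannot read" sits in that range; if it goes without a replacement, the deny path of listRuntimes is no longer exercised. Keep a negative test in the new terms: a runtime that exists in the database but is not among the ids the user is authorized for must not appear in the listing.
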
Member Author

This is out of date IMO. If Sam says the user has access to a runtime, then the user has access to the runtime. There is no need for Leo to check workspace and project access anymore.

res.unsafeRunSync()(cats.effect.unsafe.IORuntime.global)
}

it should "list runtimes given different user permissions" in isolatedDbTest {
Member Author

Out of date. As I said above, if Sam says the user has access to a runtime, then they have access to that runtime. There's no need for Leo to test or check workspace and project permissions for the user.

@marctalbott marctalbott changed the title [WIP] Move listRuntimes over to new Sam permissions model [CORE-182] Move listRuntimes over to new Sam permissions model Dec 10, 2024
@marctalbott marctalbott marked this pull request as ready for review December 10, 2024 21:07
@marctalbott marctalbott requested a review from dvoet December 10, 2024 21:07
@lucymcnatt lucymcnatt self-requested a review December 10, 2024 21:11
val runtimesFiltered = runtimesAuthorized
// Filter by params
val runtimes = clusterQuery
.filter(_.internalId inSetBind runtimeIds.map(_.asString))
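
Review bot: in `.filter(_.internalId inSetBind runtimeIds.map(_.asString))`, `inSetBind` binds one parameter per id, so the statement grows with the number of runtimes the caller is authorized for. Return early when `runtimeIds` is empty, consider chunking or capping the set before it reaches the query, and add tests for an empty and a large id set.
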
Collaborator

wow this is a huge improvement, thanks!

Collaborator

@lucymcnatt lucymcnatt left a comment

Also tested a bit on a BEE, looks good

@marctalbott marctalbott requested a review from a team as a code owner December 18, 2024 20:39
@marctalbott marctalbott merged commit 1030a2c into develop Jan 2, 2025
23 checks passed
@marctalbott marctalbott deleted the mtalbott-sam-list-runtimes branch January 2, 2025 22:17