-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(HMS-1246): Use permission checks in statuser #504
Conversation
1f8ce2e
to
33a1f72
Compare
That is correct, I think a warning in logs is enough. We should not see many of these, only old sources would experience this. |
Test failure seems relevant (timeout)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, there is a failure can you take a look?
cmd/pbstatuser/main.go
Outdated
if err != nil { | ||
sr.Status = kafka.StatusUnavailable | ||
sr.Err = err | ||
logger.Warn().Err(err).Msg("Could not get aws assumed client") | ||
chSend <- sr | ||
logger.Warn().Err(err).Msgf("Could not get aws assumed client %s", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please do not send error messages to messages because of Sentry.
cmd/pbstatuser/main.go
Outdated
} | ||
sr.MissingPermissions = permissions | ||
if len(permissions) != 0 { | ||
logger.Warn().Err(err).Msgf("No sufficient permissions: %s", permissions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This does not seem correct. CheckPermissions either returns nil result and error, or something in the result. You reported the error above, here I would simply issue a warning with the list. Also can you add a field so we can easily find all records in Kibana, for example:
logger.Warn().Bool("missing_permission", true).Msgf("No sufficient permissions: %s", permissions)
cmd/pbstatuser/main.go
Outdated
permissions, err := ec2Client.CheckPermission(ctx, &s.Authentication) | ||
if err != nil { | ||
sr.Err = err | ||
logger.Warn().Err(err).Msgf("Could not check aws permissions %s", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
/retest |
1 similar comment
/retest |
For the record, @avitova might not get to working on this PR. This is not high-priority so let’s keep it opened. |
33a1f72
to
9ee7144
Compare
Let me know when this is ready for re-review. |
@lzap The statuser shows the error during the permission check and the array of missing permissions. Ready for review:) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small nitpicks, looks great. Please rebase tests are failing for some reason, they were broken I think.
cmd/pbackend/statuser.go
Outdated
} | ||
sr.MissingPermissions = permissions | ||
if permissions != nil { | ||
logger.Warn().Bool("missing_permission", true).Msgf("No sufficient permissions: %s", permissions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps "insufficient" is better wording.
Also you can use strings.Join
to join string slice by comma, but this works too.
Finally, when CheckPermission
returns nil
it likely returns an error too, can you squash this into just a single warning message? You can stuff everything into one log record, me as someone who is debugging this issue would be interested in:
- source id (already present in the context logger)
- account number (could be added in the
processMessage
too as it is in the identity but perhaps out of scope of this PR) - error message (via Err function)
- missing permissions
So basically this line contains it all, perhaps just delete the 167 and move this into the if statement above or something like that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a very good point. The CheckPermission function returned only missing permissions when something was missing, and the error value was returned only when something else failed. We should return an error for missing permissions, so I changed it in this PR. I hope this now makes more sense.
57034d4
to
df277f2
Compare
The AWS account used in the pr_check doesn't seem to have permissions to check assigned policies
Update: the policy of the AWS account had been updated and necessary permissions added, THANK YOU @akhil-jha 🧡 |
/retest |
2 similar comments
/retest |
/retest |
Different failure now xD that one definitelly does not sound related, but let see :) |
🎉 ... no idea what was the failure before, but now it works 😏 |
369487c
to
fa863a1
Compare
fa863a1
to
2b4ac15
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good here, thanks! 🧡
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One detail - the error length is unlimited and in case user actually forgot to add any permission this gets rendered to screen as something very long (covering whole screen or something).
In another PR, I suggest to limit the list to some reasonable length and in these cases add and more
to the error.
This adds permission logging in case of missing permissions. Caching should also be done for this. I feel like the source result should not be flagged as Unavailable or with Error in case of missing permission, as this is neither of these. Therefore, I thought adding the MissingPermission parameter might be suitable, but let me know, what you think.
For testing the missing permission in statuser, you could change iam_client hardcoded struct.