feat(HMS-1246): Use permission checks in statuser

[avitova]

This adds permission logging in case of missing permissions. Caching should also be done for this. I feel like the source result should not be flagged as Unavailable or with Error in case of missing permission, as this is neither of these. Therefore, I thought adding the MissingPermission parameter might be suitable, but let me know, what you think.
For testing the missing permission in statuser, you could change iam_client hardcoded struct.

[lzap]

I feel like the source result should not be flagged as Unavailable or with Error in case of missing permission, as this is neither of these.

That is correct, I think a warning in logs is enough. We should not see many of these, only old sources would experience this.

[lzap]

Test failure seems relevant (timeout)?

[lzap]

Looks great, there is a failure can you take a look?

[lzap]

Please do not send error messages to messages because of Sentry.

#488

[lzap]

This does not seem correct. CheckPermissions either returns nil result and error, or something in the result. You reported the error above, here I would simply issue a warning with the list. Also can you add a field so we can easily find all records in Kibana, for example:

logger.Warn().Bool("missing_permission", true).Msgf("No sufficient permissions: %s", permissions)

[lzap]

Ditto.

[mshriver]

/retest

[akhil-jha]

/retest

[lzap]

For the record, @avitova might not get to working on this PR. This is not high-priority so let’s keep it opened.

[lzap]

Let me know when this is ready for re-review.

[avitova]

@lzap The statuser shows the error during the permission check and the array of missing permissions. Ready for review:)

[lzap]

Small nitpicks, looks great. Please rebase tests are failing for some reason, they were broken I think.

[lzap]

Perhaps "insufficient" is better wording.

Also you can use strings.Join to join string slice by comma, but this works too.

Finally, when CheckPermission returns nil it likely returns an error too, can you squash this into just a single warning message? You can stuff everything into one log record, me as someone who is debugging this issue would be interested in:

• source id (already present in the context logger)
• account number (could be added in the processMessage too as it is in the identity but perhaps out of scope of this PR)
• error message (via Err function)
• missing permissions

So basically this line contains it all, perhaps just delete the 167 and move this into the if statement above or something like that.

[avitova]

This is a very good point. The CheckPermission function returned only missing permissions when something was missing, and the error value was returned only when something else failed. We should return an error for missing permissions, so I changed it in this PR. I hope this now makes more sense.

[ezr-ondrej]

The AWS account used in the pr_check doesn't seem to have permissions to check assigned policies

1:24PM DBG Listing attached role policies client=ec2 hostname=provisioning-backend-statuser-654d6c7dd-r4blm version=60e5
1:24PM TRC request failed with unretryable error https response error StatusCode: 403, RequestID: fe4b8847-33fe-48ee-aaf7-e6f9f05056db, api error AccessDenied: User: arn:aws:sts::093942615996:assumed-role/redhat-provisioning-arn-role/name is not authorized to perform: iam:ListAttachedRolePolicies on resource: role redhat-provisioning-arn-role because no identity-based policy allows the iam:ListAttachedRolePolicies action client=ec2 hostname=provisioning-backend-statuser-654d6c7dd-r4blm version=60e5
1:24PM WRN AWS permission check failed error="cannot list attached role policies: operation error IAM: ListAttachedRolePolicies, https response error StatusCode: 403, RequestID: fe4b8847-33fe-48ee-aaf7-e6f9f05056db, api error AccessDenied: User: arn:aws:sts::093942615996:assumed-role/redhat-provisioning-arn-role/name is not authorized to perform: iam:ListAttachedRolePolicies on resource: role redhat-provisioning-arn-role because no identity-based policy allows the iam:ListAttachedRolePolicies action" hostname=provisioning-backend-statuser-654d6c7dd-r4blm missing_permissions=true source_id=5 version=60e5
1:24PM TRC Sending 1 source availability status messages (tick) hostname=provisioning-backend-statuser-654d6c7dd-r4blm messages=1 version=60e5

Update: the policy of the AWS account had been updated and necessary permissions added, THANK YOU @akhil-jha 🧡

[ezr-ondrej]

/retest

[ezr-ondrej]

/retest

[ezr-ondrej]

/retest

[ezr-ondrej]

Different failure now xD that one definitelly does not sound related, but let see :)

[ezr-ondrej]

🎉 ... no idea what was the failure before, but now it works 😏

[ezr-ondrej]

I'm good here, thanks! 🧡

[lzap]

One detail - the error length is unlimited and in case user actually forgot to add any permission this gets rendered to screen as something very long (covering whole screen or something).

In another PR, I suggest to limit the list to some reasonable length and in these cases add and more to the error.