FLI Issue 3222: Import issue when --address and --drop is used #3530
Signed-off-by: devumesh <umeshbalamurugan@gmail.com>
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3530 +/- ##
==========================================
- Coverage 65.76% 65.75% -0.02%
==========================================
Files 169 169
Lines 13651 13676 +25
==========================================
+ Hits 8977 8992 +15
- Misses 3989 3997 +8
- Partials 685 687 +2
@devumesh Thank you for your contribution! Please be patient as it will take some discussion. @GeorgeMac @markphelps could you please take a look at this? As it's a new API endpoint I would like to hear your thoughts on it. I believe the RBAC, audit and observability could be affected by this. Maybe we could do it differently and allow force wdyt?
Hey @devumesh thanks for taking this on! Great points raised @erka too!
That is right. We will need to implement the Line 502 in d05a775
Example: Lines 112 to 114 in d05a775
Effectively, we would need to add to this file ☝️ something like:

```go
func (req *DeleteAllNamespacesRequest) Request() []Request {
	return []Request{NewRequest(ResourceNamespace, ActionDelete)}
}
```

Here I have said the requester needs to be able to delete any namespace in order for this to be authorized (notice there is no resource key). I believe by implementing this one function that
Could you speak to this a bit more @erka ? I am not sure I quite follow yet. As in like, support deleting protected namespaces? Or maybe like... dropping the contents, not deleting? (
If this API exists, I don't think it is necessarily a bad thing to have it in the OpenAPI spec. I understand the concern though that most folks shouldn't be triggering this and we don't want folks dropping everything by mistake. Maybe there is more we can do from an authz perspective (feels like an authz problem).
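As an added illustration of the keyless request described in the comment above (not code from this PR or from Flipt): the types, the grant model and `Allowed` below are simplified, hypothetical stand-ins. They show why a request with no resource key should be satisfied only by permission over every namespace, never by a grant scoped to one namespace.

```go
package main

import "fmt"

// Simplified stand-ins for the names in the comment above (assumptions for
// illustration, not Flipt's own definitions).
type Resource string
type Action string

const ResourceNamespace Resource = "namespace"
const ActionDelete Action = "delete"

// Request is what authz and audit see. Empty Key = "any resource of this type".
type Request struct {
	Resource Resource
	Action   Action
	Key      string
}

func NewRequest(r Resource, a Action) Request { return Request{Resource: r, Action: a} }

type DeleteAllNamespacesRequest struct{}

func (req *DeleteAllNamespacesRequest) Request() []Request {
	return []Request{NewRequest(ResourceNamespace, ActionDelete)}
}

// Allowed reports whether every request is covered by a grant. Grants reuse the
// Request shape (hypothetical); a grant Key of "*" covers every key. A keyless
// bulk request is covered only by a wildcard grant, never by a scoped one.
func Allowed(grants, reqs []Request) bool {
next:
	for _, r := range reqs {
		for _, g := range grants {
			if g.Resource == r.Resource && g.Action == r.Action &&
				(g.Key == "*" || (r.Key != "" && g.Key == r.Key)) {
				continue next
			}
		}
		return false // no grant covers this request: fail closed
	}
	return true
}

func main() {
	bulk := (&DeleteAllNamespacesRequest{}).Request()
	scoped := []Request{{Resource: ResourceNamespace, Action: ActionDelete, Key: "staging"}} // constructed
	admin := []Request{{Resource: ResourceNamespace, Action: ActionDelete, Key: "*"}}        // constructed
	fmt.Println(Allowed(scoped, bulk), Allowed(admin, bulk)) // false true
}
```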
Currently you can't delete the namespace with
@GeorgeMac is correct above about what's required for authz/auditing to work, we should just need to create that requester method to fulfil the interface here: Lines 3 to 5 in 81ec576
Re: @erka 's comments, I tend to agree that protected may not mean much anymore, it wasn't ever exposed publicly from a UI/API perspective (although it is exposed in the
IMO if users are messing around in the database then all bets are off, there is only so much we can guard against
I agree it is a bit weird that we would create the Perhaps, instead on Flipt startup, it could check to see if there is a default namespace and if not create one? That way we could keep this deleteAllNamespaces as is and remove the creation of the default one at the end? Just throwing it out there. We could then get rid of the notion of a If user calls deleteAllNamespace then it will do just that, mostly it should only ever be used for import which was the initial intent of this PR. Just my thoughts
I am also going to throw a variation of what I mentioned before into the mix: When WDYT?
Linked Issue: #3222
Approach:
default
.DELETE /api/v1/namespaces
--drop is used with --address, delete all namespaces API is called using SDK client before starting the actual import