Skip to content

convert disk, project, and organization lookups to new lookup API #844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7 commits into from
Closed

convert disk, project, and organization lookups to new lookup API #844

wants to merge 7 commits into from

Conversation

@davepacheco
Copy link
Collaborator

@davepacheco davepacheco commented Apr 1, 2022
edited
Loading

See #798. This change:

  • addresses all of the remaining resources in the existing Organization/Project/etc. hierarchy.
  • updates the Organization datastore interfaces to be consistent with other resources. (They now take an authz::Organization -- expecting the caller to have done the lookup -- rather than a name.)
  • updates disk_refetch() and instance_refetch() to use the new lookup API, rather than re-implementing their own by-id lookup

There are other resources not covered here but they're all harder to deal with. See #845.

davepacheco
davepacheco commented Apr 1, 2022
View reviewed changes
nexus/src/db/datastore.rs
/// authz checks are required. As a result, it should not be made
/// accessible outside the DataStore. It should always be wrapped by
/// something that does the appropriate authz check.
// TODO-security We should refactor things so that it's harder to
Copy link
Collaborator Author

@davepacheco davepacheco Apr 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\o/ We finally did this!

nexus/src/nexus.rs
.lookup_for(authz::Action::CreateChild)
.await?;

// TODO-security This may need to be revisited once we implement authz
Copy link
Collaborator Author

@davepacheco davepacheco Apr 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This TODO is no longer applicable. We did implement authz for saga actions. The pattern is: we do the authz check before creating the saga for a better user experience, and we also serialize the current authn context, rehydrate it inside the saga, and use that to check again when we run the saga action. So this TODO is resolved.

I suspect we're not actually authorizing the operations that this saga is doing, but that'll be caught when I sweep through DataStore looking for unprotected functions (which is tracked by #419).

The authorize check isn't removed -- it got moved into the lookup now.

nexus/src/nexus.rs
.lookup_for(authz::Action::Delete)
.await?;

// TODO: We need to sort out the authorization checks.
Copy link
Collaborator Author

@davepacheco davepacheco Apr 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

@davepacheco davepacheco mentioned this pull request Apr 1, 2022
Closed
71 tasks
@davepacheco davepacheco changed the title convert disk, project, and organization lookups to new API convert disk, project, and organization lookups to new lookup API Apr 1, 2022
Base automatically changed from convert-new-lookup-instances to main April 1, 2022 03:56
@davepacheco davepacheco requested a review from david-crespo April 1, 2022 04:17
david-crespo
david-crespo approved these changes Apr 1, 2022
View reviewed changes
Copy link
Contributor

@david-crespo david-crespo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great!

@davepacheco
Copy link
Collaborator Author

davepacheco commented Apr 1, 2022

Thanks for the review!

@davepacheco davepacheco enabled auto-merge (squash) April 1, 2022 05:06
@davepacheco
Copy link
Collaborator Author

davepacheco commented Apr 1, 2022
edited
Loading

GitHub actions looks stuck on the Ubuntu and Mac builds after 10+ hours:
Screen Shot 2022-04-01 at 8 44 10 AM

I will try to push a noop commit to try again.

@davepacheco
Copy link
Collaborator Author

davepacheco commented Apr 1, 2022

I'm going to close and open a new PR to try to kick the GitHub Actions.

@davepacheco davepacheco closed this Apr 1, 2022
auto-merge was automatically disabled April 1, 2022 17:02

Pull request was closed

@davepacheco davepacheco deleted the convert-new-lookup-rest branch April 1, 2022 17:02
@davepacheco davepacheco mentioned this pull request Apr 1, 2022
Merged
leftwo pushed a commit that referenced this pull request Feb 10, 2025
Update Propolis and Crucible
5ddf2c2 
Crucible changes are:
Nexus notifications have different importance (#1621)

Propolis changes are:
lib: don't send CPUID settings in vCPU device state payload (#848)
server/lib: add generic hypervisor enlightenment interface (#846)
server: read host CPUID values if the spec has none (#844)

Added a new field to the Board struct that propolis requires.
@leftwo leftwo mentioned this pull request Feb 10, 2025
Merged
leftwo added a commit that referenced this pull request Feb 10, 2025
@leftwo
Update Propolis and Crucible (#7509)
5bab255 
Crucible changes are:
Nexus notifications have different importance (#1621)

Propolis changes are:
lib: don't send CPUID settings in vCPU device state payload (#848)
server/lib: add generic hypervisor enlightenment interface (#846)
server: read host CPUID values if the spec has none (#844)

Added a new field to the Board struct that propolis requires.

Co-authored-by: Alan Hanson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@david-crespo david-crespo david-crespo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@davepacheco @david-crespo