Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

changes to onboarding token api to include role in body #2669

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

changes to onboarding token api to include role in body #2669

wants to merge 1 commit into from

Conversation

rewantsoni
Copy link
Member

@rewantsoni rewantsoni commented Jun 19, 2024
edited
Loading

Update the onboarding Ticket to include an OnboardingSubjectRole - ocs-client, ocs-peer

  1. ocs-client will be used to onboard a Client
  2. ocs-peer role will be used to onboard a StorageCluster

Add a new endpoint to generate the peer onboarding token.

Part of RHSTOR-4886

@rewantsoni
Copy link
Member Author

/cc @nb-ohad

@openshift-ci openshift-ci bot requested a review from nb-ohad June 19, 2024 09:13
@rewantsoni rewantsoni mentioned this pull request Jun 25, 2024
Open
@rewantsoni rewantsoni force-pushed the onboarding-ticket branch 3 times, most recently from 252d888 to e768114 Compare July 3, 2024 06:55
@rchikatw
Copy link
Contributor

rchikatw commented Jul 8, 2024

PR looks good to me.

@rewantsoni rewantsoni force-pushed the onboarding-ticket branch 3 times, most recently from d7a8e4e to f9750a0 Compare July 11, 2024 09:12
@rewantsoni
Copy link
Member Author

/retest-required

@rewantsoni rewantsoni mentioned this pull request Jul 16, 2024
Open
nb-ohad
nb-ohad requested changes Aug 6, 2024
View reviewed changes
controllers/util/provider.go
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

services/types.go Outdated

const (
ClientRole Role = "client"
MirroringPeerRole Role = "mirroring-peer"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule is not related to mirroring.
As for the agreed architecture, there are 2 rules: ocs-client and ocs-peer,

Please align everything with the given terminology

services/types.go Outdated
type OnboardingTicket struct {
ID string `json:"id"`
ExpirationDate int64 `json:"expirationDate,string"`
StorageQuotaInGiB uint `json:"storageQuotaInGiB,omitempty"`
// Role can be either client or mirroring-peer
Role Role `json:"role,string"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule is not for the token, it is for the subject.

Suggested change
Role Role `json:"role,string"`
SubjectRole Role `json:"subjectRole,string"`

services/types.go Outdated
@@ -1,7 +1,16 @@
package services

type Role string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a very generic name and might create collision or confusion.
Please rename to something more meaningful and more specific.

Suggested change
type Role string
type OnboardingSubjectRole string

services/ux-backend/handlers/onboardingtokens/handler.go Outdated
Comment on lines 53 to 69
if strings.ToLower(body.Role) == string(services.MirroringPeerRole) {
role = services.MirroringPeerRole
} else if strings.ToLower(body.Role) == string(services.ClientRole) || body.Role == "" {
// to ensure backward compatibility, if the role is empty, we assume it to be client
role = services.ClientRole
if body.Value == 0 || body.Value > math.MaxInt {
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, body.Value), http.StatusBadRequest)
return
}
unitAsGiB, ok := unitToGib[body.Unit]
if !ok {
http.Error(w, fmt.Sprintf("invalid Unit type sent in request body, Valid types are [Gi,Ti,Pi]: %v", body.Unit), http.StatusBadRequest)
return
}
storageQuotaInGiB = ptr.To(unitAsGiB * body.Value)
} else {
http.Error(w, fmt.Sprintf("invalid Role sent in request body, Valid roles are [mirroring-peer,client]: %v", body.Role), http.StatusBadRequest)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not do that. This will allow anyone to generate a peer onboarding token.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 6, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rewantsoni
Once this PR has been reviewed and has the lgtm label, please ask for approval from nb-ohad. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

nb-ohad
nb-ohad requested changes Sep 8, 2024
View reviewed changes
services/types.go Outdated
type OnboardingTicket struct {
ID string `json:"id"`
ExpirationDate int64 `json:"expirationDate,string"`
StorageQuotaInGiB uint `json:"storageQuotaInGiB,omitempty"`
// OnboardingSubjectRole can be either ocs-client or ocs-peer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are adding a comment please separate using a blank line

Suggested change
// OnboardingSubjectRole can be either ocs-client or ocs-peer
// OnboardingSubjectRole can be either ocs-client or ocs-peer

services/ux-backend/handlers/onboardingtokens/handler.go Outdated
Comment on lines 46 to 48
SubjectRole string `json:"subjectRole"`
Value uint `json:"value"`
Unit string `json:"unit"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These does not belong on the same level

services/ux-backend/handlers/onboardingtokens/handler.go Outdated
Comment on lines 45 to 70
var body = struct {
SubjectRole string `json:"subjectRole"`
Value uint `json:"value"`
Unit string `json:"unit"`
}{}
if err = json.NewDecoder(r.Body).Decode(&quota); err != nil {
if err = json.NewDecoder(r.Body).Decode(&body); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}

if quota.Value == 0 || quota.Value > math.MaxInt {
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, quota.Value), http.StatusBadRequest)
if strings.ToLower(body.SubjectRole) == string(services.PeerRole) {
role = services.PeerRole
} else if strings.ToLower(body.SubjectRole) == string(services.ClientRole) || body.SubjectRole == "" {
// to ensure backward compatibility, if the role is empty, we assume it to be client
role = services.ClientRole
if body.Value == 0 || body.Value > math.MaxInt {
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, body.Value), http.StatusBadRequest)
return
}
unitAsGiB, ok := unitToGib[body.Unit]
if !ok {
http.Error(w, fmt.Sprintf("invalid Unit type sent in request body, Valid types are [Gi,Ti,Pi]: %v", body.Unit), http.StatusBadRequest)
return
}
storageQuotaInGiB = ptr.To(unitAsGiB * body.Value)
} else {
http.Error(w, fmt.Sprintf("invalid OnboardingSubjectRole sent in request body, Valid roles are [mirroring-peer,client]: %v", body.SubjectRole), http.StatusBadRequest)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The flow is structured incorrectly. The current structure allows sending peer role with quota fields and the quota fields are just ignored. This is the wrong behavior. I would expect a bad request response instead.

I would suggest using a switch case based on the role and delegate each of the 2 cases into separate functions. In addition, you could use the "default" case to return an error for an unsupported role

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@rewantsoni rewantsoni force-pushed the onboarding-ticket branch 5 times, most recently from 0b57dbe to 1c07f07 Compare September 9, 2024 07:01
@rewantsoni
Copy link
Member Author

/retest-required

@rewantsoni rewantsoni force-pushed the onboarding-ticket branch 2 times, most recently from 3852dd1 to 8942fc3 Compare September 16, 2024 11:10
@rewantsoni
add new endpoint for onboarding peers
a73be38 
The PR does the following:
1. add role to the onboarding ticket
2. add a new endpoint for peer-onboarding-tokens

Signed-off-by: Rewant Soni <resoni@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rchikatw rchikatw rchikatw left review comments

@nb-ohad nb-ohad Awaiting requested review from nb-ohad

Requested changes must be addressed to merge this pull request.

Assignees

@nb-ohad nb-ohad

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rewantsoni @rchikatw @nb-ohad