-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Show actionable errors for collaborative deployment scenarios #1386
base: main
Are you sure you want to change the base?
Conversation
dc33b28
to
c46ecde
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1386 +/- ##
==========================================
+ Coverage 52.25% 53.75% +1.50%
==========================================
Files 317 352 +35
Lines 18004 20410 +2406
==========================================
+ Hits 9408 10972 +1564
- Misses 7903 8636 +733
- Partials 693 802 +109 ☔ View full report in Codecov by Sentry. |
8d26485
to
16b80ea
Compare
16b80ea
to
7fff4bc
Compare
737f02f
to
3c20dec
Compare
3c20dec
to
b384b36
Compare
@pietern could you take another look? |
|
||
assistance := "For assistance, contact the owners of this project." | ||
if len(managersSlice) > 0 { | ||
assistance = fmt.Sprintf("For assistance, users or groups with appropriate permissions may include: %s.", strings.Join(managersSlice, ", ")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ping.
} | ||
|
||
func ReportPermissionDenied(ctx context.Context, b *bundle.Bundle, path string) diag.Diagnostics { | ||
log.Errorf(ctx, "Failed to update %v", path) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ping. If this is not the case, please include a comment stating why this log statement shouldn't be removed.
@shreyas-goenka Can you take a pass as this as well? |
Missed the ping, taking a look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this work end to end? Can Bob collaborate on a DAB deployed by Alice if he has CAN_MANAGE
?
I recall there being some validation on the Terraform provider side that would fail even if Bob has CAN_MANAGE
permissions set.
@@ -166,11 +166,21 @@ func (w *WorkspaceFilesClient) Write(ctx context.Context, name string, reader io | |||
// Create parent directory. | |||
err = w.workspaceClient.Workspace.MkdirsByPath(ctx, path.Dir(absPath)) | |||
if err != nil { | |||
if errors.As(err, &aerr) && aerr.StatusCode == http.StatusForbidden { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can move it out of the err != nil
closure. errors.As automatically asserts that error is not nil.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pleas note the errors.As()
is a special case: the larger if err != nil
also reports an error for non-Forbidden errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant we could reduce a level of indentation, like:
if errors.As(err, &aerr) && aerr.StatusCode == http.StatusForbidden {
return PermissionError{absPath}
}
if err != nil {
return fmt.Errorf("unable to mkdir to write file %s: %w", absPath, err)
}
Yes, though that scenario requires the use of an explicit "OWNER: Alice" permission. Which is supported via #1387. |
Based on reviewer feedback we want to minimize assumptions about API behavior
48057a5
to
26c3b42
Compare
## Changes This updates the templates to include a `permissions` section. Having a permissions section is a best practice, is helpful to understand the notion of permissions, and helps diagnose permission errors (#1386). This is a cherry-pick from #1387. This change was verified to work both in dev and prod. Existing unit tests validate the validity of the templates in these modes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the plan for the diagnostic IDs after this PR?
Right now they're included in the error string but not in the rendered list of diags.
// | ||
// Note that since the workspace API doesn't always distinguish between permission denied and path errors, | ||
// we must treat this as a "possible permission error". See acquire.go for more about this. | ||
func ReportPossiblePermissionDenied(ctx context.Context, b *bundle.Bundle, path string) diag.Diagnostics { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a helper unrelated to the mutator. Please move it to a dedicated file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure.
// Note that since the workspace API doesn't always distinguish between permission denied and path errors, | ||
// we must treat this as a "possible permission error". See acquire.go for more about this. | ||
func ReportPossiblePermissionDenied(ctx context.Context, b *bundle.Bundle, path string) diag.Diagnostics { | ||
log.Errorf(ctx, "Failed to update, encountered possible permission error: %v", path) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unclear if there was an update; we don't have access to the error or the intent here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't "possible permission" error cover what we know? The intent is just logging so maintainers can determine what's going on.
// But we're still seeing permission errors. So someone else will need | ||
// to redeploy the bundle with the right set of permissions. | ||
return diag.Diagnostics{{ | ||
Summary: fmt.Sprintf("access denied while updating deployment permissions as %s.\n"+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error above is more apt here: unable to deploy to %s as %s.
.
We cannot assert if the intent is to update deployment permissions here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated!
We discussed this a while back; I'd like to get integration test coverage for the permission errors on the filer. It's implemented only for the workspace files client now, not for the others (for ex the files API). |
Didn't we conclude that we would just not change the logic of the filer? I reverted that change. |
@pietern Updated the PR, processing all the new comments. I'd really like to get this merged. |
This was working a bit better before 26c3b42
user := b.Config.Workspace.CurrentUser.DisplayName | ||
if user == "" { | ||
user = b.Config.Workspace.CurrentUser.UserName | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because of the other PR today, I now look at this and see it will show the display name for regular users.
It will affect the error message shown. I think for regular users we better show the email address.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed it to just show the email address in errors.
fbf3c9d
to
bde209c
Compare
if otherManagers.Size() > 0 { | ||
assistance = fmt.Sprintf( | ||
"For assistance, users or groups with appropriate permissions may include: %s.", | ||
strings.Join(otherManagers.Values(), ", "), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not sorted and is the cause of the test assertion failure in the latest test run.
Changes
This adds diagnostics for collaborative (production) deployment scenarios, including:
/Users/Alice/.bundle
.Tests
Unit tests, manual testing.