Start implementing S-expr Auth templates #386
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This also allows us to choose between `let` and `let*`.
Implement parsing of s-exprs; this will be useful for the editor.
This requires R2 classes, which for now we have to create via a v1 dump by relying on load order. The v2 dump format needs to handle this better.
We mustn't create it here, this causes rank conflicts.
We need to be able to create (R1) classes via the `objects` key, which v1 dumps do not allow. Eventually v2 dumps want to be able to resolve loaded objects in any order; for now we are relying on the load order, which means relying on key order preservation in JS and YAML. Version 2 dumps will always be authoritative about the information they contain. There will not be the option to choose not to overwrite existing information. The /v1/load endpoint on the ConfigDB will continue to accept the parameter for compatibility; the new /load endpoint will not.
For now I am developing this as an entirely new service; this means the old Auth will still be running, which will be needed to keep the ConfigDB working.
This gives the opportunity to see logs for a pod which won't start. It also ensures the old pods are all entirely gone before we restart.
We need to perform static analysis on the set of templates to determine which templates affect which consuming services. For now perform the whole analysis from scratch every time; template changes are not going to be a common event.
For now the DB library will insist on this being present.
This is a service requirement group, as usual, so the actual service account can have a per-deployment UUID.
The initial expression analysis still accumulates results in mutable Sets.
When we have a config entry containing an array we mustn't sort it.
Change the `objects` key to an object-of-objects so we can give more detail about object creation. We will need this to specify subclass and membership information. For now just use this to accept a `name` key which we patch into _General info_. There is too much duplication in the existing dumps just setting names.
The old v1/load endpoint will deliberately only accept version 1 dumps.
* Update v2 dumps to use the new format. * Promote _Permission group_ to rank 2. Its members are groups of permissions. * Rename the existing _Permission_ class to _Legacy permission_. Leave the existing permissions in this class for now. * Create a new class to be _Permission_. We can't set up subclass relations from dump files yet.
We can't re-rank objects yet, so make sure _Permission group_ is not created by a v1 dump. I'm not updating the main dump files to v2; they want to be migrated to service-setup instead. Move the git service dumps over entirely.
This means loading the schema file from the acs-configdb directory.
I don't like to do this but I don't see any option for now. The git server is crashing because it doesn't have permission to register itself with the Directory, and this is preventing service-setup from running.
I am having problems with service-setup not running because Pods won't start cleanly.
There is no reason to ever stop trying.
For now at least I am storing ACL grants in a database belonging to the Auth service.
I need to reconcile these multiple sources of s-expr-parsing code; I also need to find a way to unify the name-to-UUID mappings. Perhaps the OID-style names need to go in _General info_?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is incomplete, but I don't want the work to disappear.
Some of these commits have been rebased into #385 . If this is picked up again they will need removing.