update to use new event handling #109
Conversation
mikemrm
force-pushed
the
update-events
branch
2 times, most recently
from
ba0f621
to
0dea11d
Compare
This adds the new x/events handling. Note: There are some issues with detecting Ack/Nack's on messages. Which has resulted in some tests not being able to be done that check for Nacked messages. Signed-off-by: Mike Mason <[email protected]>
mikemrm
force-pushed
the
update-events
branch
3 times, most recently
from
66cd0da
to
d010173
Compare
| } | ||
|
|
||
| func (c *Client) createRelationships(ctx context.Context, msg *nats.Msg, resource types.Resource, fields map[string]string) error { | ||
| func (s *Subscriber) createRelationships(ctx context.Context, msg *message.Message, resource types.Resource, additionalSubjectIDs []gidx.PrefixedID) error { |
There was a problem hiding this comment.
So additionalSbjectIDs isn't the abstraction we want here - that's more of a generic "things that are related to this thing" list. I'm pretty sure what we actually want is a map[string]gidx.PrefixedID or something similar, where that map is built from (events.ChangeMessage).SubjectFields or (events.ChangeMessage).Changes as follows:
- For the given resource, look up its type in the engine schema
- For each field in the map, check to see if a relation exists with that name
- If it does, look up the target types for the relation
- If it does, ensure the prefix in the ID matches at least one prefix in the target types
As a concrete example, say we have a payload that look like so:
{
"subjectID": "loadbal-abc123",
"subjectFields": {
"name": "my-cool-loadbalancer",
"owner": "tnntten-abc123"
}
}Then, assume a policy exists (in YAML) like so:
resourceTypes:
- name: tenant
idPrefix: tnntten
- name: loadbalancer
idPrefix: loadbal
relationships:
- relation: owner
targetTypeNames:
- tenantWhen we process the event, we should load the resource type definition from the schema. From there, we can see owner is a relation on the authorization policy for a loadbalancer resource, but name is not. Thus, we should persist anything called owner as a relationship in SpiceDB, and check that its ID prefix is tnntten before we do.
There was a problem hiding this comment.
This makes sense. Right now the services aren't using the SubjectFields attribute and is something I think we need to discuss further. I believe once we've figured that out, this will be an easy transition. For now I've published a few changes to handle the AdditionalSubjectIDs better.
Signed-off-by: Mike Mason <[email protected]>
This enables us to run all tests which check for specific acks. Signed-off-by: Mike Mason <[email protected]>
Signed-off-by: Mike Mason <[email protected]>
This ignores unrelated ids instead of failing if an id is found that isn't part of the schema. Signed-off-by: Mike Mason <[email protected]>
Signed-off-by: Mike Mason <[email protected]>
Signed-off-by: Mike Mason <[email protected]>
internal/pubsub/subscriber.go
Outdated
| case events.DeleteChangeType: | ||
| err = s.handleDeleteEvent(ctx, msg, changeMsg) | ||
| default: | ||
| s.logger.Warnw("ignoring msg, not a create, update or delete event", zap.String("event-type", changeMsg.EventType)) |
There was a problem hiding this comment.
IMO we should be structuring these with . notation instead of -, although I haven't looked around to see what's being done elsewhere so feel free to ignore if there's an established pattern.
There was a problem hiding this comment.
I believe in most places we actually use _ which I can update this to use.
| var rType *types.ResourceType | ||
|
|
||
| if e.schema == nil { | ||
| e.schema = iapl.DefaultPolicy().Schema() |
There was a problem hiding this comment.
Feels like the schema should be preloaded and this should be an error?
There was a problem hiding this comment.
This is just for the mock. Most tests just define an empty mock Engine. So this simplifies to use the default schema if we aren't testing something specific.
Signed-off-by: Mike Mason <[email protected]>
Signed-off-by: Mike Mason <[email protected]>
This adds the new x/events handling.
Note:
There are some issues with detecting Ack/Nack's on messages. Which has resulted in some tests not being able to be done that check for Nacked messages.