Skip to content
This repository has been archived by the owner on Aug 2, 2023. It is now read-only.

Add User/Domain/Group models #148

Closed
16 of 17 tasks
adrysn opened this issue Apr 30, 2019 · 1 comment
Closed
16 of 17 tasks

Add User/Domain/Group models #148

adrysn opened this issue Apr 30, 2019 · 1 comment
Assignees
@achimnol @gofeel @adrysn
Labels
API db-migration-required feature
Milestone
19.09

Comments

@adrysn
Copy link
Member

adrysn commented Apr 30, 2019
edited
Loading

Create User model

  • Create user.py file in models/ folder.
  • Create User table. User:KeyPair = 1:N.
    • id
    • username: str (optional)
    • email: str
    • password: hashed str
    • need_password_change: bool
    • first_name: str (optional)
    • last_name: str (optional)
    • description: str (optional)
    • role: str (one of admin, user, monitor)
    • is_active: bool
    • created_at: datetime
    • domain_name: FK to domain's name field (one user cannot be associated with other domains)

User APIs

  • Create / update by admin
    • There should be a way to change user's password.
  • List users by admin
  • Detailed information by admin or user
  • Delete user

Create Domain model

  • name: slug field
  • description: str
  • is_active: bool
  • total_resource_slots: ResourceSlotColumn
    • This field may be expanded into domain-level resource policy in the future if needed.

Domain APIs

  • Create / update by global admin (whose role is admin not belonging any domain)
  • Domain admins cannot CUD domain
  • List/detail domain(s) by global admin
  • Domain admins or regular users can only see their domain information.

Create Group model

  • id: uuid
  • name: slug field
  • description: str
  • is_active: bool
  • domain_name: FK to domain's name field

Create Group-User association table (M2M)

  • user_id
  • group_id
  • user_id and group_id should be unique together

Group APIs

  • Create / update by global/domain admin
  • Domain admins cannot CUD groups in other domain
  • List/detail domain(s) by global/domain admin
  • Domain admins or regular users can only see group information in their domain.
  • Mutation API should provide a way to add/remove users to/from group.

Associations

  • KeyPair's user_id field will be used to fill in auto-created user's email field. Change user_id values with user's uuid field. (or just keep user_id for legacy?)
  • Transfer the ownership of vfolder from keypair to user. vfolder's belong_to field should be replaced with user's id. -> will be dealt in a separate issue (Transfer ownership of vfolders from keypair to user or group #149).
@adrysn adrysn added this to the 19.06 milestone Apr 30, 2019
adrysn added a commit that referenced this issue Apr 30, 2019
@adrysn
Add bcrypt & passlib as dependencies (#148)
b33f596 
* To store User's password safely.
adrysn added a commit that referenced this issue Apr 30, 2019
@adrysn
Add user model skeleton (#148)
4aaa1ad
adrysn added a commit that referenced this issue May 1, 2019
@adrysn
Elaborate User model (#148)
09de47a 
* Added 'role' field (possible values are admin, user, or monitor.
* Add 'user' foreignkey field in keypairs, which links to users.uuid (keypairs.user_id will be deprecated in the future).
* Auth middleware provides request user's uuid by request['user']['uuid'].
* Updated migration script.
@adrysn
Copy link
Member Author

adrysn commented May 5, 2019

Mis-referenced commits:

adrysn added a commit that referenced this issue May 5, 2019
@adrysn
Add user's info in auth middleware (#148)
eaab87f
adrysn added a commit that referenced this issue May 6, 2019
@adrysn
Add Domain & Group model skeletons (#148)
b652465
adrysn added a commit that referenced this issue May 8, 2019
@adrysn
Add migration for domains table (#148)
61fc7e3 
* User.domain_name is not nullable.
adrysn added a commit that referenced this issue May 9, 2019
@adrysn
Add CRUD endpoint for domain (#148)
9540008 
* Add test cases for domain.
adrysn added a commit that referenced this issue May 9, 2019
@adrysn
Let domain can be queried without name (#148)
c8db593 
* It will return requester's domain.
* UserQuery does not allow query by name.
adrysn added a commit that referenced this issue May 13, 2019
@adrysn
Make users.domain_name nullable (#148)
0d0c5f8 
* We will treat users with (role=admin & domain_name=null) are global admins.
adrysn added a commit that referenced this issue May 13, 2019
@adrysn
Prevent domain admin querying other domains (#148)
60e4bee
adrysn added a commit that referenced this issue May 13, 2019
@adrysn
Prevent domain admin from mutating domain (#148)
3e5e02e 
* Domain mutation should only be allowed to global admins.
adrysn added a commit that referenced this issue May 13, 2019
@adrysn
Add group mutation endpoint (#148)
e881e3b
adrysn added a commit that referenced this issue May 13, 2019
@adrysn
Add feature to add/remove users to/from group (#148)
b931cf4 
* Through association_groups_users table.
@adrysn adrysn changed the title Add User model in database Add User/Domain/Group models May 13, 2019
@adrysn adrysn mentioned this issue May 15, 2019
Closed
11 tasks
adrysn added a commit that referenced this issue May 22, 2019
@adrysn
Merge first_/last_name into full_name (#148)
2f6e27f
adrysn added a commit that referenced this issue May 22, 2019
@adrysn
Fix missed trails of first_/last_name (#148)
e13fd1c
achimnol pushed a commit that referenced this issue May 22, 2019
@adrysn @achimnol
feature/#148: Add domain, group, user models (#150)
7ba6bad 
* User model
  - Add table def, GQL CRUD, and test cases.
  - Make it in a 1:1 relationship with the keypair table.
  - 'role' field (possible values may be one of: "admin", "user", or "monitor".
  - Add bcrypt & passlib as dependencies for hashing user passwords safely.
  - Add an API endpoint to check user's password (both for admin and users).
* Keypair model
  - Currently, user keypair can query other user's keypairs (even admin) by executing "backend.ai admin keypairs -u [email protected]".
  - Make "backend.ai admin keypairs" return user's keypairs instead of raising permission error.
  - NOTE: 'user_id' field will be deprecated in the future.
* Update the auth middleware
  - Add user's info to the request context (e.g., request['user']['uuid'].)
* Domain model
  - Add table def, GQL CRUD, and test cases.
  - Treat users with (role=admin & domain_name=null) are global admins.
  - Mutation of domains is only be allowed to global admins.
* Group (project) model
  - Add table def, GQL CRUD, and test cases.
  - Add a m2m relationship with the user table via the association_groups_users table.
adrysn added a commit that referenced this issue May 25, 2019
@adrysn
Bugfix - cannot reference new domain name when not updated (#148)
0ac1e6b
adrysn added a commit that referenced this issue May 25, 2019
@adrysn
Bugfix - prevent domain-admin querying groups in other domain (#148)
9069c1e 
* Minor fix not to raise KeyError.
adrysn added a commit that referenced this issue May 26, 2019
@adrysn
Permission control for user model (#148)
be0a7ff 
* Domain admin cannot query user/users in other domain.
* Prevent domain admins to mutate any users, for now.
adrysn added a commit that referenced this issue May 28, 2019
@adrysn
Add domain_name, group_id, user_uuid fields in kernels (#148)
9701c88 
Migration:
* 'default' group in the 'default' domain will be created.
* Those fields are automatically filled in migration with values of
(domain_name = 'default', group_id=<gid of the default group>,
 user_uuid = user's uuid whose access_key is used to run a container>)
* Every user is automatically associated with the 'default' group.
adrysn added a commit that referenced this issue May 28, 2019
@adrysn
Prevent domain-admin list(s) agent information (#148)
28ca72e 
* Only global admin can list agent resources.
adrysn added a commit that referenced this issue May 29, 2019
@adrysn
Admin query with domain_name and group_id for compute sessions(#148)
8872a0b
adrysn added a commit that referenced this issue May 29, 2019
@adrysn
Implicit global admin is now explicitly endowed superadmin role (#148)
0586e22 
Previously, we consider an admin as global admin if the admin's domain is None, so an admin with domain name automatically recognized as domain admin.

After that, we introduced domain_name and group_id as required fields to kernels table to list kernels per domain or per group basis. This leads to the broken code execution for superadmin since kernel's domain_name field cannot be set.

To avoid this bug, and to explicitly recognize global admin, we added "superadmin" role to UserRole.

* Migration scripts append "superadmin" role to DB, and give default superadmin ([email protected]) a default domain name and superadmin role.
* Global admin checking code is changed to inspect user's role instead of the emptiness of domain_name.
* For request handlers, request['is_superadmin'] is introduced in auth middleware.
* group_id field can be delivered by user when creating compute kernel.
adrysn added a commit that referenced this issue May 30, 2019
@adrysn
Spawn container with group_id parameter (#148)
6a2cbf0 
* Requester should be associated with the specified group.
* Update superadmin perm check in user, domain, and group model.
adrysn added a commit that referenced this issue May 30, 2019
@adrysn
Let superadmin can spawn session in any group (#148)
07a74e5
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Add user-group relationships in example-keypairs.json (#148)
57902cc 
* One-shot schema migration in install-dev.sh does not follow alembic's migration history, to add users to the default group, the information should be specified in example-keypairs.json.
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Add domain_name for superadmin in example fixture (#148)
ab5bb4e
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Add password in example-keypairs.json (#148)
89feeb7 
* Password is set to be the first 8 characters of secret key.
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Associate user with groups if group_ids exist (#148)
bedb7dc
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Querying user(s) return user's group information (#148)
278e3ad 
* TODO: Merging user's multiple groups' information is dirty. More elegant way of joined query?
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Group name is now mandatory to launch a kernel (#148)
6efb6b0 
* Domain name is guessed from requester's user information.
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Resolve domain and groups without domain_name parameter (#148)
68a1419 
* domain -> return information of requester's domain.
* groups -> return group list in requester's domain.
adrysn added a commit that referenced this issue May 31, 2019
@adrysn
Add group_name when querying kernels (#148)
707ef1a
adrysn added a commit that referenced this issue Jun 2, 2019
@adrysn
Enable query user by uuid as well as email (#148)
3231141
adrysn added a commit that referenced this issue Jun 2, 2019
@adrysn
Create a keypair when user created (#148)
bcfbb95 
* Bugfix - Superadmin was not able to query sessions in other domain.
adrysn added a commit that referenced this issue Jun 2, 2019
@adrysn
Add superadmin account in example-keypairs (#148)
8396809
adrysn added a commit that referenced this issue Jun 4, 2019
@adrysn
Add comments for name field in compute session (#148)
0f73471
adrysn added a commit that referenced this issue Jun 5, 2019
@adrysn
Fix broken test cases (#148)
c70d9f5
@achimnol achimnol mentioned this issue Jun 11, 2019
Closed
adrysn added a commit that referenced this issue Jun 20, 2019
@adrysn
Prevent session creation when domain/group quota is exceeded (#148)
2faef78
adrysn added a commit that referenced this issue Jun 21, 2019
@adrysn
Add option to list all groups across domains for superadmin (#148)
db3ed7a
adrysn added a commit that referenced this issue Jun 21, 2019
@adrysn
Bugfix - default password from migration should be hashed (#148)
0d2f074
adrysn added a commit that referenced this issue Jun 23, 2019
@adrysn
Bugfix - missing second parameter (#148)
9bda0a5
adrysn added a commit that referenced this issue Jun 23, 2019
@adrysn
Block kernel creation if either target domain or group is inactive (#148
d35e5a0 
)

* Fix broken test cases.
adrysn added a commit that referenced this issue Jun 23, 2019
@adrysn
Add allowed_vfolder_types option (#148)
d1c8ae5 
* It is assumed that the option can be retrieved from config server.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@achimnol achimnol

@gofeel gofeel

@adrysn adrysn

Labels
API db-migration-required feature
Projects
None yet
Milestone
19.09
Development

No branches or pull requests
3 participants
@achimnol @gofeel @adrysn