Policy: detached SubjectConditionSets should be able to be pruned #1178

@jakedoublev

Background

The relation of Attribute Values to Subject Condition Sets (SCSs) is via Subject Mappings (SMs). While every Subject Mapping relates exactly one Attribute Value and one Subject Condition Set, SCSs can be reused across multiple SMs and Attribute Values. This is by design.

With the new Unsafe service functionality, it is now evident that there is a use case for pruning Subject Condition Sets that are not related to any Subject Mappings in a platform. They are not cascadingly deleted like their potentially linked Subject Mappings because of the many-to-one relationship, and therefore can be left stored unnecessarily.

Acceptance Criteria

  1. new protos are added for a DeleteUnmapped RPC on Subject Condition Sets as a safe behavior
  2. logic is added to remove any SCSs that are stranded and not on SMs
  3. sqlc is utilized for the new DB queries now that it is unblocked (related to Explore using sqlc instead of squirrel for policy #864)
  4. integration tests are added to validate this change
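
An added example, not part of the original issue or the project's code: a PostgreSQL sketch of the prune described above, written as a sqlc-annotated query. The table names, column names, and the query name `DeleteAllUnmappedSubjectConditionSets` are assumptions, and the rows are constructed sample data.

```sql
-- Stand-in schema: names are assumptions, not the platform's real migrations.
CREATE TABLE subject_condition_set (
    id        UUID PRIMARY KEY,
    condition JSONB NOT NULL
);

CREATE TABLE subject_mappings (
    id                       UUID PRIMARY KEY,
    attribute_value_id       UUID NOT NULL,
    -- Each SM references exactly one SCS. The FK (default NO ACTION) rejects
    -- deleting an SCS that any SM still references.
    subject_condition_set_id UUID NOT NULL REFERENCES subject_condition_set (id)
);

-- Constructed sample data: SCS ...01 is reused by two SMs, ...02 backs one SM,
-- and ...03 is detached because no SM points at it.
INSERT INTO subject_condition_set (id, condition) VALUES
    ('00000000-0000-0000-0000-000000000001', '{"role": "admin"}'),
    ('00000000-0000-0000-0000-000000000002', '{"dept": "finance"}'),
    ('00000000-0000-0000-0000-000000000003', '{"dept": "legacy"}');

INSERT INTO subject_mappings (id, attribute_value_id, subject_condition_set_id) VALUES
    ('10000000-0000-0000-0000-000000000001', 'a0000000-0000-0000-0000-000000000001',
     '00000000-0000-0000-0000-000000000001'),
    ('10000000-0000-0000-0000-000000000002', 'a0000000-0000-0000-0000-000000000002',
     '00000000-0000-0000-0000-000000000001'),
    ('10000000-0000-0000-0000-000000000003', 'a0000000-0000-0000-0000-000000000003',
     '00000000-0000-0000-0000-000000000002');

-- The prune itself. NOT EXISTS is used instead of NOT IN so the result stays
-- correct even if the referencing column were ever nullable (NOT IN over a set
-- containing NULL matches nothing). RETURNING lets the caller log or return
-- exactly which SCS ids were removed.
-- name: DeleteAllUnmappedSubjectConditionSets :many
DELETE FROM subject_condition_set scs
WHERE NOT EXISTS (
    SELECT 1
    FROM subject_mappings sm
    WHERE sm.subject_condition_set_id = scs.id
)
RETURNING scs.id;

-- Post-check: list every remaining SCS with its mapping count.
SELECT scs.id, COUNT(sm.id) AS mapping_count
FROM subject_condition_set scs
LEFT JOIN subject_mappings sm ON sm.subject_condition_set_id = scs.id
GROUP BY scs.id
ORDER BY scs.id;
```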

Labels

comp:policy (Policy Configuration: attributes, subject mappings, resource mappings, kas registry)
