Add more filtering options to entry count/show and agent count/list #4714
Conversation
FedeNQ
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
There was a problem hiding this comment.
Thank you @FedeNQ for this contribution, and sorry for the delay in the review.
I left some comments.
cmd/spire-server/cli/agent/util.go
Outdated
| if len(s) > 10 { | ||
| return fmt.Errorf("date is too long") | ||
| } | ||
| _, err := time.Parse("2006-01-02", s) |
There was a problem hiding this comment.
Any reason to exclude the time here?
From a user experience perspective, I would probably consume this CLI with data that I got from other CLI commands. When the user list/shows agents, the output format of the Expiration time also includes the time (which I think it's useful). So when I'm filtering by expiration time, I would expect to use the same layout, like "2006-01-02 15:04:05 -0700 -07".
There was a problem hiding this comment.
I don't have a particular reason, so it could be changed.
Use time.Parse(time.RFC3339, s) it could be a good change?
cmd/spire-server/cli/agent/util.go
Outdated
| if len(s) < 10 { | ||
| return fmt.Errorf("date is too short") | ||
| } | ||
| if len(s) > 10 { | ||
| return fmt.Errorf("date is too long") | ||
| } |
There was a problem hiding this comment.
I'm not sure that we really need this validation, I would probably just leave the validation that is done by the time.Parse function. Were your intention to have more descriptive errors?
There was a problem hiding this comment.
Yes, it was expected to guide the user about the error.
| @@ -14,6 +14,14 @@ var ( | |||
| Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock") | |||
| ` | |||
| listUsage = `Usage of agent list: | |||
| -attestationType string | |||
| The SPIFFE ID of the nodes to list | |||
There was a problem hiding this comment.
The description doesn't match here. Since the name may not obviously indicate that this refers to the node attestor used, I would also probably include examples. Something like:
Filter by attestation type, like join_token or x509pop.
pkg/common/cli/flags.go
Outdated
|
|
||
| func (b *BoolFlag) Set(val string) error { | ||
| if val == "false" { | ||
| *b = 1 |
There was a problem hiding this comment.
We could probably define constants for the true, false and default values. Something like cli.BoolFlagTrue, cli.BoolFlagFalse and cli.BoolFlagDefault. Then, consumers of the package can refer to those instead of having to look at this code to figure out that the 1, 2, and 0 values are used for that.
| ByHint: req.ByHint, | ||
| ByDownstream: req.ByDownstream, | ||
| }) | ||
| return int32(len(resp.Entries)), err |
There was a problem hiding this comment.
This will retrieve all the records for the registration entries from the backend database, while we need to retrieve a single record with the count. Maybe we could reuse the SQL query used in the listRegistrationEntries and perform a SQL COUNT operation over it? That way we would get as a result a single record with the count.
There was a problem hiding this comment.
I think it could be a valid approach, will try to change it
cmd/spire-server/cli/agent/list.go
Outdated
| fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") | ||
| fs.StringVar(&c.attestationType, "attestationType", "", "The SPIFFE ID of the nodes to list") |
There was a problem hiding this comment.
The description doesn't match here.
cmd/spire-server/cli/agent/count.go
Outdated
| @@ -49,6 +123,12 @@ func (c *countCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient u | |||
| } | |||
|
|
|||
| func (c *countCommand) AppendFlags(fs *flag.FlagSet) { | |||
| fs.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once") | |||
| fs.StringVar(&c.attestationType, "attestationType", "", "The SPIFFE ID of the nodes to count") | |||
There was a problem hiding this comment.
The description doesn't match here.
| @@ -40,8 +48,20 @@ var ( | |||
| The SPIFFE ID of the agent to evict (agent identity) | |||
| ` | |||
| countUsage = `Usage of agent count: | |||
| -attestationType string | |||
There was a problem hiding this comment.
The description doesn't match here.
doc/spire_server.md
Outdated
| | `-canReattest` | Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all | | | ||
| | `-banned` | Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all | | | ||
| | `-expiresBefore` | A date that indicates the time it should expired before. (format: YYYY-MM-DD)| | | ||
| | `-attestationType` | Filters agents to those matching the attestation type. | | |
There was a problem hiding this comment.
| | `-attestationType` | Filters agents to those matching the attestation type. | | | |
| | `-attestationType` | Filters agents to those matching the attestation type, like join_token or x509pop. | | |
cmd/spire-server/cli/agent/count.go
Outdated
| fs.StringVar(&c.attestationType, "attestationType", "", "The SPIFFE ID of the nodes to count") | ||
| fs.Var(&c.canReattest, "canReattest", "Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.") | ||
| fs.Var(&c.banned, "banned", "Filter based on string received, 'true': banned agents, 'false': not banned agents, other value will return all.") | ||
| fs.StringVar(&c.expiresBefore, "expiresBefore", "", "A date that indicates the time it should expired before, (format: YYYY-MM-DD)") |
There was a problem hiding this comment.
In the same way that we make it explicit in the description of other flags that the flag will apply a filter, I think that we should make it explicit here. Something like:
Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07").
I've commented about the format separately.
The same applies to other flags added that don't mention that a filter will be applied.
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: Federico Nahuel Quijada <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
pkg/server/api/agent/v1/service.go
Outdated
| countReq.ByAttestationType = filter.ByAttestationType | ||
| } | ||
|
|
||
| // err is verified previously |
There was a problem hiding this comment.
I'm not sure if this comment should really be here?
pkg/server/api/agent/v1/service.go
Outdated
| // err is verified previously | ||
| // countReq.ByExpiresBefore, _ = time.Parse("2006-01-02", filter.ByExpiresBefore) |
There was a problem hiding this comment.
Looks like we should remove this?
| func (ds *Plugin) CountAttestedNodes(ctx context.Context) (count int32, err error) { | ||
| func (ds *Plugin) CountAttestedNodes(ctx context.Context, req *datastore.CountAttestedNodesRequest) (count int32, err error) { | ||
| if countAttestedNodesHasFilters(req) { | ||
| resp, err := listAttestedNodes(ctx, ds.db, ds.log, &datastore.ListAttestedNodesRequest{ |
There was a problem hiding this comment.
I think that we need to make paginated requests here so we don't get all the records at once.
| FetchSelectors: req.FetchSelectors, | ||
| ByCanReattest: req.ByCanReattest, | ||
| }) | ||
| return int32(len(resp.Nodes)), err |
There was a problem hiding this comment.
Discussed this with @FedeNQ offline. Since the changes to avoid retrieving all the records are too complex, I suggest to keep it as is so we minimize the changes required in the datastore, which has a complex code already.
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
Signed-off-by: FedeNQ <[email protected]>
FedeNQ
force-pushed
the
add-filtering
branch
2 times, most recently
from
adec60c to
296a77f
Compare
Signed-off-by: Federico Nahuel Quijada <[email protected]>
There was a problem hiding this comment.
Thank you @FedeNQ for this contribution, and for the patience in the review!
…piffe#4714) * add filtering options to count command Signed-off-by: FedeNQ <[email protected]> * add more fields Signed-off-by: FedeNQ <[email protected]> * Add filtering to entry & agent count/show/list commands Signed-off-by: FedeNQ <[email protected]> * fix lint Signed-off-by: FedeNQ <[email protected]> * add more unit test Signed-off-by: FedeNQ <[email protected]> * Change count & list for entries Signed-off-by: FedeNQ <[email protected]> * rollback Signed-off-by: FedeNQ <[email protected]> * fix Signed-off-by: FedeNQ <[email protected]> * fix lint Signed-off-by: FedeNQ <[email protected]> * update go.mod & go.sum Signed-off-by: FedeNQ <[email protected]> * fix windows message Signed-off-by: FedeNQ <[email protected]> * update agent & entry message Signed-off-by: FedeNQ <[email protected]> * update agent message Signed-off-by: FedeNQ <[email protected]> * count entries & agent now uses pagination Signed-off-by: FedeNQ <[email protected]> * remove comment Signed-off-by: FedeNQ <[email protected]> * fix lint Signed-off-by: FedeNQ <[email protected]> * rollback Signed-off-by: FedeNQ <[email protected]> --------- Signed-off-by: FedeNQ <[email protected]> Signed-off-by: Federico Nahuel Quijada <[email protected]>
Pull Request check list
Affected functionality
Provides the possibility of add multiple flags to entry show, entry count, agent list and agent count commands.
Requires the approval of this PR in SPIRE-API-SDK
Description of change
Add the following flags:
Agent count/list:
Entry count:
Entry show:
Which issue this PR fixes
Fixes #2137