AWS STS Assume role feature support #5621
Can you replace the default description with a descriptive one that follows the guidelines.
Sure will do, once PR will not be WIP :)
@agrare Adam, that's the second (UI) part of "assume role" story, I'm not sure who to ask to review it, can you please help?
@martinpovolny @h-kataria can you review?
@agrare, @AlexanderZagaynov : The UI team is working on redoing the forms in the "spare" time. To get you a better insight into what is happening, here's a current list of API issues that need resolving before we can redo the forms on the client and get rid of this ugly code: ManageIQ/manageiq-api#579
@AlexanderZagaynov : Any updates? Do you need some help? Shall this be marked as "WIP"?
@martinpovolny @mzazrivec I've updated this PR, however please do not merge till I'll prepare PRs for core and Amazon repos.
Those PRs should be merged first, and tests should be re-run after that:
tests rerun
@martinpovolny @mzazrivec both related PRs were merged, only this one left
Travis failure seems relevant.
app/assets/javascripts/controllers/ems_common/ems_common_form_controller.js
@AlexanderZagaynov To add that additional ARN field, we probably don't need changes in the credentials hamls at all.
Assume role ARN (service_account) field IS credentials: https://github.com/ManageIQ/manageiq-providers-amazon/blob/caaa4e5eed895184f85c5e551bf3d3a128077477/app/models/manageiq/providers/amazon/manager_mixin.rb#L75
The patch that I sent you earlier has been attached below. It needs to be applied on top of this PR. Hopefully that helps. Not going to comment inline in your code because it is unnecessarily complicating things, when it should not.
Ugh, sorry @AlexanderZagaynov but this is really not the right fix. If you need to set `$valid` or `$invalid` manually, it probably means you're doing something outside the angular change detection cycle, otherwise, the form validation should kick in and set the valid state of the form. You need to look into why `angularForm` is not valid, there should be an `$errors` field which will tell you which validation actually failed.
app/views/layouts/angular-bootstrap/_auth_credentials_angular_bootstrap.html.haml
@AparnaKarve @himdel done
Checked commits AlexanderZagaynov/manageiq-ui-classic@1cf4616~...fc9d55a with ruby 2.4.6, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0
@@ -357,6 +366,10 @@ def ems_form_fields | |||
host_default_vnc_port_end = @ems.host_default_vnc_port_end.to_s | |||
end | |||
|
|||
if @ems.supports?(:assume_role) | |||
service_account = @ems.authentication_service_account |
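Review bot: The local `service_account` assigned under `if @ems.supports?(:assume_role)` has a generic name for a provider-specific value read from `@ems.authentication_service_account`. Rename it to say what it holds (a prefixed name such as `default_service_account` would match the model field it ends up in on the JavaScript side) and add a short comment that it carries the assume-role value, so the form payload does not carry one key whose meaning depends on the provider.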
this will break if `ManageIQ::Providers::Google::CloudManager` ever decides to `supports :assume_role`
Because GCE is already using `service_account` to mean something else (see line 374)
If these 2 are the same concept, shouldn't they be treated the same? (and use `layouts/angular/auth_service_account_angular`)
But it seems more likely that those 2 are not related at all, so I think you shouldn't be using the `service_account` variable to mean 2 different things, maybe prefix this one with `amazon_` or `default_` or something like that?
Those are different things, we discussed with @agrare and agreed to avoid new db field. GCE is not broken, because I didn't touch anything related to it. You can see it's lines above mine I've added.
Nothing to do with DB fields.
You have a local variable called `service_account` in this `ems_form_fields` function.
That gets sent as `data.service_account`, but depending on the provider, the value comes from `@ems.authentication_service_account` or from `@ems.authentication_token`.
This local variable ends up as `data.service_account` in the angular JS controller, where it gets used 2 different ways, in 2 different unrelated fields.
@@ -158,6 +159,7 @@ ManageIQ.angular.app.controller('emsCommonFormController', ['$http', '$scope', ' | |||
$scope.emsCommonModel.ssh_keypair_userid = data.ssh_keypair_userid; | |||
|
|||
$scope.emsCommonModel.service_account = data.service_account; | |||
$scope.emsCommonModel.default_service_account = data.service_account; |
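Review bot: Both `emsCommonModel.service_account` and `emsCommonModel.default_service_account` are filled from the same `data.service_account` on the last two lines, so for any provider one of the two form fields receives a value meant for the other. Have the server send the assume-role value under its own key and read that here, for example `data.default_service_account` (a suggested name, not one present in this diff), leaving `data.service_account` for the existing field.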
and here (https://github.com/ManageIQ/manageiq-ui-classic/pull/5621/files#r322236441) `data.service_account` should not mean 2 different things
See the line above - it's for GCE. I was trying to stay with it, but you asked me to use `default_` prefix - here you are.
That prefix is needed for any value in the Default authentication tab. It has nothing to do with how the value is named in the database.
My task is done, my work is over, this PR was only a goodwill gesture for UI team.
@himdel is taking over. Can we get the RFE BZ, please?
@martinpovolny https://bugzilla.redhat.com/show_bug.cgi?id=1631845 .. I have to re-open it
This is a support PR for AWS Security Token Service's "assume role" feature.
Basically, it's just a new field on the form, and related validation and saving code changes.
Here is the primary PR with technical info: ManageIQ/manageiq-providers-amazon#538
Related core repo PR: ManageIQ/manageiq#18810