Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get rid of the condition modifier. #16213

Merged
merged 2 commits into from
Aug 30, 2018
Merged

Get rid of the condition modifier. #16213

merged 2 commits into from
Aug 30, 2018

Conversation

lfu
Copy link
Member

@lfu lfu commented Oct 16, 2017
edited
Loading

Get rid of the condition modifier which is confusing and not necessary.

Control and compliance policy actions can be set basing on condition success, failure or both.

However, the action for built in policies is defined only for a true condition and is executed when condition is met. But the old logic would invoke actions only upon false condition result. So the old logic uses condition modifier 'deny' to force a true condition result into false and vice versa.
This flipping around seems not necessary and should be avoid to make a simple person's life easier and happier.

If a control policy has condition modifier set as 'deny', the actions for false condition would be invoked when the condition is actually met and vice versa.

There is no way to specify the condition modifier when adding a policy via UI. It can be done only via yaml file.

I won't be surprised if you find this confusing :)

Depends on ManageIQ/manageiq-schema#95

cc @gtanzillo @moolitayer
@miq-bot assign @gmcculloug
@miq-bot add_label bug, fine/yes

https://bugzilla.redhat.com/show_bug.cgi?id=1499161

@lfu lfu mentioned this pull request Oct 16, 2017
Merged
@gmcculloug
Copy link
Member

@lfu Does the import logic need to be modified to handle older policy imports that would still contain the modifier key?

@gtanzillo
Copy link
Member

Does this change require the logic in existing policy conditions to be flipped around to ensure same outcome as was with the modifier?

@lfu
Copy link
Member Author

lfu commented Oct 17, 2017

@gtanzillo Depends on how the condition is specified.
If it is in the format as in built in policies, the condition doesn't need to change.
If it is in the format as in miq_policy_set and has modifier: deny, the condition needs to be flipped around to ensure the same outcome as was with the modifier.

@moolitayer Can you verify this for OpenSCAP profile?

@lfu lfu force-pushed the policy_condition_1499161 branch from 7e68a66 to 26e30bd Compare October 17, 2017 18:22
@lfu
Copy link
Member Author

lfu commented Oct 17, 2017

@gmcculloug Condition modifier is really meant for built in policies only.

Control and compliance policies can set up actions for both success and failure conditions. There is no need to use the condition modifier. And there is no way to set the condition modifier when adding a policy via UI.

In short, I think we don't need to touch the policy import/export logic.

@moolitayer
Copy link

@moolitayer Can you verify this for OpenSCAP profile?

Yes @lfu , tomorrow hopefully

@moolitayer
Copy link

I've downloaded this PR @lfu and prepared to test it after upgrade (attach policy in master then checkout your branch and test if that works)

I'm afraid I haven't been able to run bin/setup since that (probably not related to the PR)
I'm getting

You don't have bcrypt installed in your application. Please add it to your Gemfile and run bundle install
rails aborted!
LoadError: cannot load such file -- bcrypt

@lfu
Copy link
Member Author

lfu commented Oct 18, 2017

@moolitayer I hit the same issue when reviewing another PR :)
I added this line to Gemfile.dev.rbfor now so the server may come up running.

gem 'bcrypt', git: 'https://github.com/codahale/bcrypt-ruby.git', :require => 'bcrypt'

@lfu
Copy link
Member Author

lfu commented Oct 24, 2017

@gtanzillo @dclarizio Please review.

@lfu
Copy link
Member Author

lfu commented Oct 24, 2017

@moolitayer Do we need to negate the condition for OpenSCAP?

@moolitayer
Copy link

I'm sorry @lfu I still haven't been able to run refresh @cben @enoodle can one of you maybe help test this

I've been stuck on ManageIQ/manageiq-providers-kubernetes#136 for a few days now for testing this, but it seems like a local problem

See:
#16213 (comment)

@enoodle
Copy link

enoodle commented Oct 29, 2017
edited
Loading

@lfu I tested this for OpenSCAP and the conditions should be negated. (except the one with the empty condition).

@moolitayer
Copy link

moolitayer commented Oct 29, 2017
edited
Loading

@lfu I was finally able to test this. The behavior now is not as expected[1]

We could negate the conditions for modifier=deny (or update failure|success_sequence and failure|success_synchronous).

Unfortunately users can copy policies (In the user guide we are even suggesting users copy the OpenSCAP policy in order to modify it)

I love the simplification done here, AFAIU we will need a different migration

[1]
MASTER:
[----] I, [2017-10-29T14:00:27.422206 #12506:880f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [centos/ruby-22-centos7]
[----] I, [2017-10-29T14:00:27.430269 #12506:880f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Resolving policy [OpenSCAP]...
[----] I, [2017-10-29T14:00:27.447797 #12506:880f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(condition-eval): Name: Has high severity OpenSCAP rule results, Expression evaluation result: [false]
[----] I, [2017-10-29T14:00:37.691756 #12506:880f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Event: [containerimage_compliance_passed], To: [centos/ruby-22-centos7]

pull/16213:
[----] I, [2017-10-29T14:11:03.779232 #19567:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [centos/ruby-22-centos7]
[----] I, [2017-10-29T14:11:03.800644 #19567:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Resolving policy [OpenSCAP]...
[----] I, [2017-10-29T14:11:03.823525 #19567:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(condition-eval): Name: Has high severity OpenSCAP rule results, Expression evaluation result: [false]
[----] I, [2017-10-29T14:11:03.828767 #19567:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(action-invoke) Invoking action [Mark as Non-Compliant] for failed policy [OpenSCAP], event: [Container Image Compli
ance Check], entity name: [centos/ruby-22-centos7], entity type: [ManageIQ::Providers::Openshift::ContainerManager::ContainerImage], sequence: [1], synchronous? [true]
[----] I, [2017-10-29T14:11:03.828822 #19567:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(action_compliance_failed): Now executing [Mark as Non-Compliant] of ManageIQ::Providers::Openshift::ContainerManage
r::ContainerImage [centos/ruby-22-centos7]
[----] I, [2017-10-29T14:11:13.735953 #19576:4a2f7c] INFO -- : Q-task_id([job_dispatcher]) MIQ(policy-enforce_policy): Event: [containerimage_compliance_failed], To: [centos/ruby-22-centos7]

@enoodle enoodle mentioned this pull request Oct 29, 2017
Merged
@miq-bot
Copy link
Member

miq-bot commented Oct 31, 2017

This pull request is not mergeable. Please rebase and repush.

@lfu lfu force-pushed the policy_condition_1499161 branch from 26e30bd to a48165c Compare November 1, 2017 12:58
@moolitayer
Copy link

@lfu let me know if you want me to test how the new version works with the OpenSCAP policy.
I think the test should be: copy the build in policy, attach the copy to one provider and the original to another. run the associated migration[1], make sure both policies work as expected.

[1] I haven't run a migration from manageiq-schema lately, is defining manageiq-schema as a local plugin and running db:migrate from the root ManageIQ enough?

@cben
Copy link
Contributor

cben commented Nov 2, 2017 via email

@lfu lfu force-pushed the policy_condition_1499161 branch from a48165c to 9938c08 Compare November 29, 2017 16:36
@lfu
Copy link
Member Author

lfu commented Jan 15, 2018

@gtanzillo @dclarizio @gmcculloug Anything to update?

@miq-bot
Copy link
Member

miq-bot commented Jun 15, 2018

Checked commits lfu/manageiq@4a05784~...9938c08 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
6 files checked, 1 offense detected

app/models/miq_policy.rb

gtanzillo
gtanzillo approved these changes Aug 30, 2018
View reviewed changes
Copy link
Member

@gtanzillo gtanzillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@gtanzillo gtanzillo added this to the Sprint 94 Ending Sept 10, 2018 milestone Aug 30, 2018
@gtanzillo gtanzillo closed this Aug 30, 2018
@gtanzillo gtanzillo reopened this Aug 30, 2018
@gtanzillo gtanzillo merged commit eaef4fb into ManageIQ:master Aug 30, 2018
h-kataria added a commit to h-kataria/manageiq-ui-classic that referenced this pull request Sep 27, 2018
@h-kataria
Removed reference to condition modifier
94d6a95 
condition modifier was removed from models in ManageIQ/manageiq#16213

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1633606
@h-kataria h-kataria mentioned this pull request Sep 27, 2018
Merged
@lfu lfu deleted the policy_condition_1499161 branch September 29, 2018 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gtanzillo gtanzillo gtanzillo approved these changes

@dclarizio dclarizio Awaiting requested review from dclarizio

Assignees

@gmcculloug gmcculloug

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@lfu @gmcculloug @gtanzillo @moolitayer @enoodle @miq-bot @cben