Migration for actor_keys_access global group.

omnibus/files/private-chef-upgrades/001/030_actor_keys_access_group.rb

@@ -0,0 +1,19 @@
+define_upgrade do
+  if Partybus.config.bootstrap_server
+    must_be_data_master
+    # Make sure API is down
+    stop_services(["nginx", "opscode-erchef"])
+
+    start_services(["oc_bifrost", "postgresql"])
+    force_restart_service("opscode-chef-mover")
+    log "Creating global read_access_group for each existing organization"
+
+    run_command("/opt/opscode/embedded/bin/escript " +
+                "/opt/opscode/embedded/service/opscode-chef-mover/scripts/migrate " +
+                "mover_actor_keys_access_group_callback " +
+                "normal " +
+                "mover_transient_queue_batch_migrator")
+
+    stop_services(["opscode-chef-mover"])
+  end
+end

src/chef-mover/src/mover_actor_keys_access_group_callback.erl

@@ -0,0 +1,149 @@
+%% -*- erlang-indent-level: 4;indent-tabs-mode: nil; fill-column: 92 -*-
+%% ex: ts=4 sw=4 et
+%% @author Tyler Cloke <[email protected]>
+%% @copyright 2016 Chef Software, Inc.
+%%
+
+-module(mover_actor_keys_access_group_callback).
+
+-export([
+         migration_init/0,
+         migration_complete/0,
+         migration_type/0,
+         supervisor/0,
+         migration_start_worker_args/2,
+         migration_action/2,
+         next_object/0,
+         error_halts_migration/0,
+         reconfigure_object/2,
+         needs_account_dets/0
+        ]).
+
+-record(org, {name, id, authz_id}).
+-record(group, {name, id, authz_id}).
+-define(GLOBAL_PLACEHOLDER_ORG_ID, <<"00000000000000000000000000000000">>).
+
+migration_init() ->
+    mv_oc_chef_authz_http:create_pool(),
+    mover_transient_migration_queue:initialize_queue(?MODULE, all_orgs()).
+
+migration_action(#org{name = OrgName} = Org, _) ->
+    AccessGroupName = iolist_to_binary([OrgName, <<"_actor_keys_access_group">>]),
+    AccessGroupAuthzId = create_global_group(AccessGroupName),
+    UserGroup = user_group(Org),
+    ClientGroup = client_group(Org),
+    case process_group(UserGroup, AccessGroupAuthzId, OrgName) of
+	{error, Error} ->
+	    Error;
+	ok ->
+	    process_group(ClientGroup, AccessGroupAuthzId, OrgName)
+    end.
+
+process_group(Group, AccessGroupAuthzId, OrgName) ->
+    case add_group_to_group(Group, AccessGroupAuthzId) of
+        ok ->
+            ok;
+        {error, failure_creating_global_group} ->
+            lager:info("Failed to create keys access group for Organization ~p so cannot be migrated", [OrgName]),
+            ok;
+        {error, no_user_group} ->
+            lager:info("Organization ~p has no user group and cannot be migrated.", [OrgName]),
+            ok;
+        {error, no_client_group} ->
+            lager:info("Organization ~p has no client group and cannot be migrated.", [OrgName]),
+            ok;
+        {error, not_found} ->
+            lager:info("Organization ~p is missing bifrost data for either the users or global_admins group and cannot be migrated.", [OrgName]),
+            ok;
+        {error, Error} ->
+            lager:error("Organization ~p failed during group addition.", [OrgName]),
+            Error
+    end.
+
+users_group_query() ->
+    <<"SELECT name, id, authz_id FROM groups WHERE name = 'users' AND org_id = $1">>.
+
+clients_group_query() ->
+    <<"SELECT name, id, authz_id FROM groups WHERE name = 'clients' AND org_id = $1">>.
+
+global_group_create_query() ->
+    <<"INSERT INTO groups (org_id, authz_id, name, last_updated_by, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6)">>.
+
+user_group(#org{id = OrgId}) ->
+    case sqerl:select(users_group_query(), [OrgId], rows_as_records, [group, record_info(fields, group)]) of
+        {ok, [Group]} ->
+            Group;
+        {ok, none} ->
+            {error, no_user_group}
+    end.
+
+client_group(#org{id = OrgId}) ->
+    case sqerl:select(clients_group_query(), [OrgId], rows_as_records, [group, record_info(fields, group)]) of
+        {ok, [Group]} ->
+            Group;
+        {ok, none} ->
+            {error, no_client_group}
+    end.
+
+add_group_to_group({error, no_user_group} = Error, _AccessGroup) ->
+    Error;
+add_group_to_group({error, no_client_group} = Error, _AccessGroup) ->
+    Error;
+add_group_to_group(_UserGroup, {error, failure_creating_global_group} = Error) ->
+    Error;
+add_group_to_group(#group{authz_id = IdToAdd}, TargetId) ->
+    mv_oc_chef_authz:add_to_group(TargetId, group, IdToAdd, superuser).
+
+create_global_group(Name) ->
+    Now = os:timestamp(),
+    SuperuserId = mv_oc_chef_authz:superuser_id(),
+    {ok, AuthzId} = mv_oc_chef_authz:create_resource(SuperuserId, group),
+    case sqerl:execute(global_group_create_query(), [
+						     ?GLOBAL_PLACEHOLDER_ORG_ID,
+						     AuthzId,
+						     Name,
+						     SuperuserId,
+						     Now,
+						     Now
+						    ]) of
+        {ok, _} ->
+            AuthzId;
+        {error, _} ->
+            {error, failure_creating_global_group}
+    end.
+
+all_orgs_query() ->
+    <<"SELECT name, id, authz_id FROM orgs">>.
+
+all_orgs() ->
+    %% TODO: Will this be Bad(TM) in Hosted?
+    {ok, Orgs} = sqerl:select(all_orgs_query(), [], rows_as_records, [org, record_info(fields, org)]),
+    Orgs.
+
+%%
+%% Generic mover callback functions for
+%% a transient queue migration
+%%
+migration_complete() ->
+    mv_oc_chef_authz_http:delete_pool().
+
+needs_account_dets() ->
+    false.
+
+migration_start_worker_args(Object, AcctInfo) ->
+    [Object, AcctInfo].
+
+next_object() ->
+    mover_transient_migration_queue:next(?MODULE).
+
+migration_type() ->
+    <<"actor_keys_access_group">>.
+
+supervisor() ->
+    mover_transient_worker_sup.
+
+error_halts_migration() ->
+    false.
+
+reconfigure_object(_ObjectId, _AcctInfo) ->
+    ok.