feat: CLI command to list the members of a Workspace [RM-388]

[ShreyaLnuHpe]

Ticket

RM-388

Description

We don't have a command that lists users/user-groups members of a Workspace and their permissions).
For details, visit original ask- DFR-462

Created a new CLI command to list user/group members of a Workspace

% det -u admin workspace --help
usage: det workspace [-h] subcommand ...

positional arguments:
  subcommand
    help         show help for this command
    archive      archive workspace
    create       create workspace
    delete       delete workspace
    describe     describe workspace
    edit         edit workspace
    list (ls)    list all workspaces
    list-members
                 list users/user-groups members of a workspace and their roles
    list-pools   list the resource pools available to a workspace
    list-projects
                 list the projects associated with a workspace
    unarchive    unarchive workspace

New CLI command:

% det -u admin workspace list-members <workspace_name> #default: tabular
% det -u admin workspace list-members <workspace_name> --json
% det -u admin workspace list-members <workspace_name> --csv
% det -u admin workspace list-members <workspace_name> --yaml

Test Plan

No more tests needed

Test Done

Manually Tested
E2E Test completed

Created Workspace, UserGroup, User and given Roles (though CLI/WebUI)

% det -u admin workspace list-members ws1
 User/Group Name   | User/Group   | Role Name
-------------------+-------+------------------
 admin             | U            | WorkspaceAdmin
 ug1               | G            | Editor
 u1                | U            | EditorRestricted

Similar to the Members tab in WebUI

Output in PGAdmin:

SELECT u.id AS user_id, u.username, r.role_name, u.active, u.admin
FROM users u
JOIN user_group_membership ugm ON u.id = ugm.user_id
JOIN role_assignments ra ON ugm.group_id = ra.group_id
JOIN roles r ON ra.role_id = r.id;

data-1721352684733.csv

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[netlify]

✅ Deploy Preview for determined-ui canceled.

Name	Link
🔨 Latest commit	97062b6
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/66a3f88373d5d70008f85b85

[hamidzr]

mostly lgtm thanks for working on this. i added some quick comments + a question in the slack thread.

[codecov]

Codecov Report

Attention: Patch coverage is 7.14286% with 26 lines in your changes missing coverage. Please review.

Project coverage is 53.43%. Comparing base (7260f04) to head (97062b6).
Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9686      +/-   ##
==========================================
- Coverage   53.44%   53.43%   -0.01%     
==========================================
  Files        1257     1257              
  Lines      154350   154378      +28     
  Branches     3298     3298              
==========================================
+ Hits        82494    82495       +1     
- Misses      71706    71733      +27     
  Partials      150      150              

Flag	Coverage Δ
backend	44.86% <ø> (-0.01%)	⬇️
harness	72.62% <7.14%> (-0.07%)	⬇️
web	51.92% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
harness/determined/cli/workspace.py	15.41% <7.14%> (-1.10%)	⬇️

... and 4 files with indirect coverage changes

[hamidzr]

I'd check the way we mark users and groups with product in case they have a preference otherwise the functionality lgtm. maybe the header could be full User/Group to make it more clear.

Also, would we want to trim the user and permission objects from the json/yaml outputs? Is that something we do with any of our other CLIs? Let's skip this unless we get confirmation we want this.

.usersAssignedDirectly[]
.groups[].users[]
.assignments[].role.permissions[]


  role:
    name: WorkspaceAdmin
    permissions:
        # just keep the ids?
        - id: PERMISSION_TYPE_VIEW_TEMPLATES
          name: view templates
          scopeTypeMask:
            cluster: true
            workspace: true
    roleId: 2
    scopeTypeMask:
      cluster: true
      workspace: true



- active: true
  admin: false
  agentUserGroup: null
  displayName: ''
  id: 2
  lastAuthAt: null
  modifiedAt: '2024-07-22T16:02:07.363788Z'
  remote: false
  # just keep the username?
  username: determined

[ShreyaLnuHpe]

Do we have some enum defined or a better way to access them? I couldn't find.

[hamidzr]

not that I know of. but another suggestion around here would be to use this utility instead which directly uses our apis to set up (i think) what you're tying to set up

determined/e2e_tests/tests/cluster/test_rbac.py

Line 25 in 769d600

def create_workspaces_with_users(

[ShreyaLnuHpe]

I would prefer keeping the code same to maintain the consistency while creating the group, their roles and assigning to the workspace.
Thanks for suggesting though.

[hamidzr]

not that I know of. but another suggestion around here would be to use this utility instead which directly uses our apis to set up (i think) what you're tying to set up

determined/e2e_tests/tests/cluster/test_rbac.py

Line 25 in 769d600

def create_workspaces_with_users(

[azhou-determined]

let's not include "--table", it's the default and not a "real" format

[azhou-determined]

one comment that's not necessarily blocking, but otherwise LGTM!