Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v10] Connect: Fetch correct role set when listing db users (#13790) #13877

Merged

Conversation

ravicious
Copy link
Member

Backport #13790. Needs #13625 to be merged first.

* Move fetchRoleSet from tsh/db to lib/services as FetchAllClusterRoles.

* Connect: Fetch correct role set when listing db users

* Add tests for FetchAllClusterRoles
@github-actions github-actions bot requested review from GavinFrazar and zmb3 June 27, 2022 09:27
@github-actions github-actions bot added the tsh tsh - Teleport's command line tool for logging into nodes running Teleport. label Jun 27, 2022
@ravicious ravicious requested review from atburke and codingllama and removed request for zmb3 and GavinFrazar June 27, 2022 09:28
@ravicious ravicious changed the title Connect: Fetch correct role set when listing db users (#13790) [v10] Connect: Fetch correct role set when listing db users (#13790) Jun 27, 2022
@@ -32,7 +32,7 @@ type Config struct {
// InsecureSkipVerify is an option to skip TLS cert check
InsecureSkipVerify bool
// Log is a component logger
Log logrus.FieldLogger
Log *logrus.Entry
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's wrong with using FieldLogger here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, that was because initially I was passing log to the new function (see #13790 (comment)). Then I removed it in favor of using just the default logger but left this change here. Without it the type system didn't let me pass Log as logrus.Entry and from what I remember this is the type that we typically use when passing a logger around.

})
if err != nil {
return nil, trace.Wrap(err)
}

defer authClient.Close()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a nil check here, or is authClient guaranteed to be initialized if we got this far?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is guaranteed to be initialized? If the function passed to addMetadataToRetryableError returns an error, the execution stops at line 173. The only way for that function to return nil is after the execution has succeeded and authClient is equal to the return value of proxyClient.ConnectToCluster.

@@ -80,7 +78,7 @@ func onListDatabases(cf *CLIConf) error {
return trace.Wrap(err)
}

roleSet, err := fetchRoleSet(cf.Context, cluster, profile)
roleSet, err := services.FetchAllClusterRoles(cf.Context, cluster, profile.Roles, profile.Traits)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rosstimothy do you foresee any performance issues with this approach?

@@ -735,6 +735,38 @@ func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]strin
return NewRoleSet(roles...), nil
}

// CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchClusterRoles.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchClusterRoles.
// CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchAllClusterRoles.

nit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I'll push a PR for that tomorrow.

@ravicious ravicious merged commit bbe9827 into bot/backport-13617-branch/v10 Jun 27, 2022
@ravicious ravicious deleted the ravicious/v10/backport-13790 branch June 27, 2022 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants