Added transport layer classes for getting and deleting the workflow #835
Conversation
|
|
||
| val searchRequest = SearchRequest() | ||
| .indices(ScheduledJob.SCHEDULED_JOBS_INDEX) | ||
| .source(SearchSourceBuilder().query(queryBuilder).fetchSource(true)) |
There was a problem hiding this comment.
do we need fetch source as true?
| .indices(ScheduledJob.SCHEDULED_JOBS_INDEX) | ||
| .source(SearchSourceBuilder().query(queryBuilder).fetchSource(true)) | ||
|
|
||
| val searchResponse: SearchResponse = client.suspendUntil { search(searchRequest, it) } |
There was a problem hiding this comment.
plz add a try catch for search response failure. Log error that validation failed and re-throw the error as required
| if (searchResponse.hits.totalHits?.value == 0L) { | ||
| return true | ||
| } | ||
| return false |
There was a problem hiding this comment.
add validation failure reason as info or error log
There was a problem hiding this comment.
how are we returning this infromation to user in delete failed response?
There was a problem hiding this comment.
it can't tailgate on 403 security error
There was a problem hiding this comment.
You can see here - if the canDelete is false, user is getting the message that the monitor can't be deleted. The question is should we be more descriptive or it's enough to say that user is not allowed to do deleting.
Now I just saw Ashish comment - where he said that we should tell to end user that the monitor can't be deleted because it is a part of the workflow
| if (searchResponse.hits.totalHits?.value == 0L) { | ||
| return true | ||
| } | ||
| return false |
There was a problem hiding this comment.
how are we returning this infromation to user in delete failed response?
| if (searchResponse.hits.totalHits?.value == 0L) { | ||
| return true | ||
| } | ||
| return false |
There was a problem hiding this comment.
it can't tailgate on 403 security error
| return client.suspendUntil { delete(deleteRequest, it) } | ||
| } | ||
|
|
||
| private suspend fun deleteMetadata(workflow: Workflow) { |
There was a problem hiding this comment.
plz add debug logs like "deleting metadata",
There was a problem hiding this comment.
Ok this part is copy pasted - even we don't have workflow metada. will comment out the call and add TODO - since we are going to introduce the metadata with workflow execution. Tnx!
|
|
||
| private suspend fun deleteMetadata(workflow: Workflow) { | ||
| val deleteRequest = DeleteRequest(ScheduledJob.SCHEDULED_JOBS_INDEX, "${workflow.id}-metadata") | ||
| val deleteResponse: DeleteResponse = client.suspendUntil { delete(deleteRequest, it) } |
There was a problem hiding this comment.
add try catch for failure in deletion and log error and re-throw wrapped exception
| getRequest, | ||
| object : ActionListener<GetResponse> { | ||
| override fun onResponse(response: GetResponse) { | ||
| if (!response.isExists) { |
| } | ||
|
|
||
| override fun onFailure(t: Exception) { | ||
| if (t is IndexNotFoundException) { |
| val canDelete = user == null || | ||
| !doFilterForUser(user) || | ||
| checkUserPermissionsWithResource(user, monitor.user, actionListener, "monitor", monitorId) | ||
| val canDelete = monitorIsNotInWorkflows(monitor.id) && ( |
There was a problem hiding this comment.
If the monitor cannot be deleted if it is part of a workflow, we need to mention it is part of a workflow and that is why it cannot be deleted.
| .indices(ScheduledJob.SCHEDULED_JOBS_INDEX) | ||
| .source(SearchSourceBuilder().query(queryBuilder).fetchSource(true)) | ||
|
|
||
| val searchResponse: SearchResponse = client.suspendUntil { search(searchRequest, it) } |
There was a problem hiding this comment.
We need to stash the context since the user would not have permissions to search the alerting config index directly.
reference: https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetMonitorAction.kt#L66-L72
There was a problem hiding this comment.
got it good point!
| */ | ||
| private suspend fun getDeletableDelegates(workflowIdToBeDeleted: String, monitorIds: List<String>): List<String> { | ||
| // Retrieve monitors belonging to another workflows | ||
| val queryBuilder = QueryBuilders.boolQuery().mustNot(QueryBuilders.termQuery("_id", workflowIdToBeDeleted)).filter( |
There was a problem hiding this comment.
We need to check if the user has permissions to these monitor with the backend roles too as the monitors could get modified later and the user might not have the backend roles to access those monitors.
There was a problem hiding this comment.
Aaahh got it! Good point
| // Check if user can access the monitors (since the monitors could get modified later and the user might not have the backend roles to access the monitors) | ||
| if (user != null && filterByEnabled) { | ||
| addFilter(user, searchRequest.source(), "monitor.user.backend_roles.keyword") | ||
| } |
There was a problem hiding this comment.
can we add a SecureWorkflowMonitorIT test case to test this part of code (both with & without) backend roles.
|
|
||
| val user = readUserFromThreadContext(client) | ||
| val deleteRequest = DeleteRequest(ScheduledJob.SCHEDULED_JOBS_INDEX, transformedRequest.workflowId) | ||
| .setRefreshPolicy(RefreshPolicy.IMMEDIATE) |
There was a problem hiding this comment.
can we receiverefresh policy from transport request like this https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportDeleteMonitorAction.kt#L85?
| transformedRequest.deleteDelegateMonitors, | ||
| user, | ||
| transformedRequest.workflowId | ||
| ).resolveUserAndStart() |
There was a problem hiding this comment.
do we need make resolveUserAndStart a suspend function? is there any advantage? i see TransportIndexMonitorAction not doing it. https://github.com/opensearch-project/alerting/blob/main/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexMonitorAction.kt#L247
There was a problem hiding this comment.
deleteMonitors and deleteWorkflow are suspend functions - both are called by resolveUserAndStart
| actionListener, | ||
| "workflow", | ||
| getWorkflowRequest.workflowId | ||
| ) |
There was a problem hiding this comment.
Lets add a SecureWorkflowMonitorIT test case for TransportGetWorkflowAction also.
Signed-off-by: Stevan Buzejic <[email protected]>
Signed-off-by: Stevan Buzejic <[email protected]>
Signed-off-by: Stevan Buzejic <[email protected]>
stevanbz
force-pushed
the
feature/composite-monitors-get-delete-workflow
branch
from
e571313 to
0ab964a
Compare
| @@ -126,10 +127,11 @@ class TransportDeleteWorkflowAction @Inject constructor( | |||
|
|
|||
| if (canDelete) { | |||
| val deleteResponse = deleteWorkflow(workflow) | |||
There was a problem hiding this comment.
Should we attempt to delete monitors first and then delete the workflow? And only delete everything if the user has permission to delete everything?
| .indices(ScheduledJob.SCHEDULED_JOBS_INDEX) | ||
| .source(SearchSourceBuilder().query(queryBuilder)) | ||
|
|
||
| // Check if user can access the monitors (since the monitors could get modified later and the user might not have the backend roles to access the monitors) |
There was a problem hiding this comment.
Nitpick: remove extra space ( ) between Check and if
ci - alerting/Dockerfile
Outdated
ci - alerting/docker_build.sh
Outdated
…specified when deleting the workflow Signed-off-by: Stevan Buzejic <[email protected]>
Signed-off-by: Stevan Buzejic <[email protected]>
Signed-off-by: Stevan Buzejic <[email protected]>
| ) { | ||
| actionListener.onFailure( | ||
| AlertingException( | ||
| "Not allowed to delete ${delegateMonitorIds.joinToString()} monitors", |
There was a problem hiding this comment.
Lets remove the monitors from this list that can be deleted from monitorIdsToBeDeleted
…nitors Signed-off-by: Stevan Buzejic <[email protected]>
…835) * Added transport layer classes for getting and deleting the workflow Signed-off-by: Stevan Buzejic <[email protected]>
Issue #, if available:
#834
Description of changes:
Added classes for getting and deleting the workflows.
CheckList:
[ ] Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.