import offers during model import #1432
Conversation
| } | ||
| return nil | ||
| }) | ||
| if err != nil { |
There was a problem hiding this comment.
question: we run handleModelDeltas on L516, which will connect to the controller, create an all watcher and process a single set of deltas.. is that the intent?
There was a problem hiding this comment.
I can't say why it's like that, but that does seem intentional and has been that way for some time, the tests also verify the delta functionality.
The tests show that the deltas are used to update some properties of the model like the status fields, etc.
| return errors.E(op, err) | ||
| } | ||
| for _, offer := range offersToAdd { | ||
| var dbOffer dbmodel.ApplicationOffer |
There was a problem hiding this comment.
while this will add offers to JIMM's database, it will not grant anybody access to imported offers. At the very least, the user importing the model should be granted access.
this will require a bit of thought: each offer comes with a set of users that have access to the offer. If those are external users (those that JIMM cares about), they should be granted access to the offer when it is imported. But i guess in most cases these users would be local users - access to the offer will remain granted on the controller, but JIMM will not know/care about those rights. perhaps we should simply print this info and let the user importing the model handle it. e.g. we imported this model and these app offer and these are the users that have access to the app offer - handle it!
There was a problem hiding this comment.
True, I think we need to create an OpenFGA relation between the offers and the model. That way the model owner will automatically get access. Then they can grant access to other users. The users on the controller should never (at least with the new JIMM) be external users, because nowadays those are never stored on Juju's end (only in JIMM) so I think we can safely discard the users coming from the controller.
But yes printing a message would be helpful.
There was a problem hiding this comment.
+1, relation makes sense to me.
There was a problem hiding this comment.
Can do in a follow up PR @alesstimec
kian99
force-pushed
the
JUJU-7011-import-offers
branch
from
20f70d3
to
6bfb06d
Compare
internal/jimm/controller.go
Outdated
|
|
||
| if err := j.checkJimmAdmin(user); err != nil { | ||
| return err | ||
| func newModelImporter(jimm *JIMM) modelImporter { |
There was a problem hiding this comment.
pass in the new owner name so that you can immediately return an error if we fail to parse the owner tag or owner is a local user
func newModelImporter(jimm *JIMM, ownerTag names.UserTag) (error, *modelImporter)
internal/dbmodel/model.go
Outdated
| @@ -103,7 +103,7 @@ func (m *Model) SetTag(t names.ModelTag) { | |||
| m.UUID.Valid = true | |||
| } | |||
|
|
|||
| // FromModelUpdate updates the model from the given ModelUpdate. | |||
| // SwitchOwner updates the model owner. | |||
There was a problem hiding this comment.
nitpick: SetOwner seems a more appropriate name
|
|
||
| // TODO(CSS-5458): Remove the below section on cloud credentials once we no longer persist the relation between | ||
| // cloud credentials and models. | ||
| // Update: We need to investigate this further, if a user updates their cloud-credential it will update the credential |
There was a problem hiding this comment.
hm. this might be a bit confusing. if a user updates their cloud-credential, sure, jimm will try and update the cloud credential on the controller responsible for this model, but the actual credential used by the model will not be affected. the user would need to use the juju set-credential command to set credentials first and then update them to get the actual model cloud credentials updated.
There was a problem hiding this comment.
Yes this will need fixing I think. For a follow up PR.
internal/jimm/controller.go
Outdated
| }) | ||
| } | ||
|
|
||
| // ImportModel imports model with the specified UUID from the controller. |
There was a problem hiding this comment.
imports a model and the currently existing offers into JIMM. A new owner must be set to represent the external user who will own this model.
Something like this for the comment?
- drive by fix to openfga rebac test that incorrectly assumed ordering
- ensure model owner has access to the offer
kian99
force-pushed
the
JUJU-7011-import-offers
branch
from
6bfb06d
to
275eda1
Compare
- Rename SwitchOwner to SetOwner - Updated newModelImporter constructor - Updated godoc
kian99
force-pushed
the
JUJU-7011-import-offers
branch
from
275eda1
to
dd9588c
Compare
Description
This PR does two things:
Please Note: The first commit contains only the first change and the second commit contains the second change.
One issue that remains is how to handle offer URLs that already exist. This will be tackled in a separate PR.
Partially fixes JUJU-7011
Engineering checklist
Check only items that apply