Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(server): Argo Server. Closes #1331 #1882

Merged
merged 485 commits into from
Jan 15, 2020
Merged

feat(server): Argo Server. Closes #1331 #1882

merged 485 commits into from
Jan 15, 2020

Conversation

alexec
Copy link
Contributor

@alexec alexec commented Dec 19, 2019
edited
Loading

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR is (a) conventional, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234". Why? for the release notes.
  • Optional. I've added My organization is added to the README.
  • I've signed the CLA and required builds are green.

See #1331 and #1879

@alexec alexec changed the title feat(server): Argo Server feat(server): Argo Server. Closes #1331 Dec 27, 2019
alexec
alexec commented Jan 3, 2020
View reviewed changes
test/e2e/cli_test.go Outdated Show resolved Hide resolved
alexec and others added 22 commits January 3, 2020 16:32
@alexec alexec requested a review from jessesuen January 14, 2020 03:03
@simster7 simster7 mentioned this pull request Jan 14, 2020
Closed
@alexec alexec dismissed jessesuen’s stale review January 14, 2020 18:07

change made I believe

jessesuen
jessesuen reviewed Jan 15, 2020
View reviewed changes
Copy link
Member

@jessesuen jessesuen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm continuing the review but submitting to save progress and communicate feedback. Nothing yet is gating merge to master, but are fast follow items.

.gitignore
.envrc
/.vendor-new
/workflow-controller
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you're right. I think the dist is excluded in the .dockerignore and so I had to put it under SRCROOT. Ignore this.

cmd/server/workflowarchive/archived_workflow_server.go
allowed, err := authorizer.CanI("get", "workflow", wf.Namespace, wf.Name)
if err != nil {
return nil, err
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theres a subtle bug/usability issue here:

If I request to list archived workflows with a small page size (lets say size 1), and the first workflow in the list, happens to be in a namespace which I have permissions to, then this call will return successfully.

On the other hand, if I make the same exact request, and the first workflow in the list is in a namespace which I do not have access to, then the API will return 403.

This means the API is inconsistent depending on how the order in which the database is returning values.

This could be simplified to:

  1. is the request asking to list workflows at the cluster scope? If yes, perform the equivalent of:
    kubectl auth can-i get wf --all-namespaces up front

  2. otherwise perform the equivalent of:
    ``kubectl auth can-i get wf --namespace NAMESPACE` up front

Both cases we can return earlier and perform authentication up front, instead of inline.

@jessesuen jessesuen mentioned this pull request Jan 15, 2020
Closed
4 tasks
jessesuen
jessesuen reviewed Jan 15, 2020
View reviewed changes
hack/generate-proto.sh Show resolved Hide resolved
manifests/base/argo-server/argo-server-deployment.yaml Outdated Show resolved Hide resolved
manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml Outdated Show resolved Hide resolved
cmd/server/artifacts/artifact_server.go Show resolved Hide resolved
cmd/server/artifacts/artifact_server.go

wf, err := a.getWorkflowByUID(ctx, uid)
if err != nil {
a.serverInternalError(err, w)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are clobbering the authz 403 error and always returning 500.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. I have an issue to revisit security for artifacts.

jessesuen
jessesuen approved these changes Jan 15, 2020
View reviewed changes
Copy link
Member

@jessesuen jessesuen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome job! I think everything else can be implemented as fast follows, which I should have filed issues for.

@sarabala1979 sarabala1979 merged commit 14d5803 into master Jan 15, 2020
@simster7 simster7 mentioned this pull request Jan 16, 2020
Closed
@simster7 simster7 deleted the apiserverimpl branch January 27, 2020 18:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@golangcibot golangcibot golangcibot left review comments

@jessesuen jessesuen jessesuen approved these changes

Assignees

@alexmt alexmt

@jessesuen jessesuen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@alexec @jessesuen @golangcibot @alexmt @sarabala1979 @whynowy @simster7