Prepare RepositoryMetadata role Updates for #1060 Compatibility #1061
Conversation
Motivation To ensure smooth compatibility with line#1060, the `PerRolePermissions` and `RepositoryMetadata` structure need an update to support changes. Modifications: - Enhanced the `PerRolePermissions` and `RepositoryMetadata` deserializers to accept both an array or permissions and a permission. - Added `REPO_ADMIN` `Permission`. - Removed `MetadataApiService.updateSpecificUserPermission` and `updateSpecificTokenPermission`. - They are not used in the UI and we don't even have test cases for that. - Will add those APIs later when we need it. Result: - The `PerRolePermissions` and `RepositoryMetadata` structures now support the upcoming changes in line#1060.
| import com.linecorp.centraldogma.internal.Jackson; | ||
| import com.linecorp.centraldogma.server.QuotaConfig; | ||
|
|
||
| final class RepositoryMetadataDeserializer extends StdDeserializer<RepositoryMetadata> { |
There was a problem hiding this comment.
I understood these custom deserializers will be removed once migration is complete
minwoox
changed the title
minwoox
changed the title
minwoox
changed the title
| * Returns the {@link ProjectRoles} of the repository. | ||
| */ | ||
| @JsonProperty("projects") | ||
| public ProjectRoles projectRoles() { |
There was a problem hiding this comment.
I understood this property as: the default RepositoryRole that will be assigned to project members that aren't explicitly set by users and tokens.
There was a problem hiding this comment.
the default RepositoryRole that will be assigned to project members
That's correct. 👍
that aren't explicitly set by users and tokens.
That is not correct. A RepositoryRole can still be assigned to a user. The RepositoryRole, which operates at a higher level, will be applied in such situation. https://github.com/line/centraldogma/pull/1060/files#diff-dc8a031ec8b91f16d76b42e152e9c3be8dd07b6f77bea922030074acc78ce78eR800-R823
| throws IOException { | ||
| final JsonNode jsonNode = p.readValueAsTree(); | ||
| final String name = jsonNode.get("name").textValue(); | ||
| final JsonNode perRolePermissionsNode = jsonNode.get("perRolePermissions"); |
There was a problem hiding this comment.
Note: I understood that if both perRolePermissions and roles is in the json node, then perRolePermissions (the legacy format) has higher priority.
There was a problem hiding this comment.
I understood that if both perRolePermissions and roles is in the json node
They cannot be. Let me add an assertion logic. 😉
| */ | ||
| WRITE, | ||
| /** | ||
| * Able to manage a repository. |
There was a problem hiding this comment.
Compared with the current permission scheme, I understood the difference is:
- the ability to set ADMIN for a repository
- repository settings can't change project admin roles.
|
This PR will be ready after #1069 is merged. |
| .thenApply(CommitResult::revision) | ||
| .exceptionally(cause -> { | ||
| final Throwable peeled = Exceptions.peel(cause); | ||
| if (peeled instanceof RedundantChangeException) { |
There was a problem hiding this comment.
I've realized that we don't need this logic anymore after introducing the transformer in #1069 because it will raise an IllegalArgumentException if there's no change.
There was a problem hiding this comment.
I'm not sure IllegalArgumentException is a proper exception to understand the context.
| final RepositoryMetadata repositoryMetadata = projectMetadata.repo(repoName); | ||
| assert repositoryMetadata.name().equals(repoName); | ||
| if (repositoryMetadata.perRolePermissions().equals(perRolePermissions)) { | ||
| throw new IllegalArgumentException( |
There was a problem hiding this comment.
What do you think of raising RedundantChangeException instead?
There was a problem hiding this comment.
That's a good suggestion! How about the following approach:
- Introduce
UserNotFoundException- This exception would be used exclusively on the server side, similar to
TokenNotFoundException.
- This exception would be used exclusively on the server side, similar to
- Raise
UserNotFoundExceptionandTokenNotFoundException- These exceptions would be triggered when attempting to update an entity that doesn't exist.
- Raise
RedundantChangeException- This exception would be raised when an update is attempted with the same content as the existing one.
- The
RedundantChangeExceptionwould be swallowed, and the system would simply return the head revision. In other words, users wouldn’t encounter this exception."
server/src/main/java/com/linecorp/centraldogma/server/metadata/ProjectRoles.java
Show resolved
Hide resolved
| .thenApply(CommitResult::revision) | ||
| .exceptionally(cause -> { | ||
| final Throwable peeled = Exceptions.peel(cause); | ||
| if (peeled instanceof RedundantChangeException) { |
There was a problem hiding this comment.
I'm not sure IllegalArgumentException is a proper exception to understand the context.
| final String commitSummary = | ||
| "Update the role permission of the '" + repoName + "' in the project '" + projectName + '\''; | ||
| return metadataRepo.push(projectName, Project.REPO_DOGMA, author, commitSummary, change); | ||
| final ContentTransformer<JsonNode> transformer = new ContentTransformer<>( | ||
| METADATA_JSON, EntryType.JSON, node -> { |
There was a problem hiding this comment.
Optional) I could see some code similar to this in other places. How about creating RepositoryMetadataTransformer and duplicating them?
private static class RepositoryMetadataTransformer extends ContentTransformer {
RepositoryMetadataTransformer(Function<RepositoryMetadata, RepositoryMetadata>) {
...
}
}There was a problem hiding this comment.
That's a good suggestion. 👍
RepositoryMetadataTransformer, ProjectMetadataTransformer and TokensTransformer are added. 😉
Motivation
To ensure smooth compatibility with #1060, the
RepositoryMetadatastructure needs an update to support changes.AS-IS:
{ "name": "minu-test", "perRolePermissions": { "owner": [ "READ", "WRITE" ], "member": ["READ"], "guest": [] }, "perUserPermissions": { "foo@dogma.com": [ "READ" ], "bar@dogma.com": [ "READ", "WRITE" ] }, "perTokenPermissions": { "goodman": [ "READ" ] }, "creation": { "user": "minu.song@dogma.com", "timestamp": "2024-08-19T02:47:23.370762417Z" } }TO-BE:
{ "name": "minu-test", "roles": { "projects": { "member": "READ", "guest": null } "users": { "foo@dogma.com": "READ", "bar@dogma.com": "WRITE" }, "tokens": { "goodman": "READ" } }, "creation": { "user": "minu.song@dogma.com", "timestamp": "2024-08-19T02:47:23.370762417Z" } }Modifications:
RepositoryMetadatadeserializers to accept both legacy and new formats.RepositoryRole.Permission.MetadataApiService.updateSpecificUserPermissionandupdateSpecificTokenPermission.Result:
RepositoryMetadatastructure now supports the upcoming changes in [WIP] Introduce Role-Based Authentication for Repository Management #1060.