Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decouple user email from role name #18966

Merged
merged 26 commits into from
Nov 19, 2024
Merged

Decouple user email from role name #18966

merged 26 commits into from
Nov 19, 2024

Conversation

jdavcs
Copy link
Member

@jdavcs jdavcs commented Oct 9, 2024
edited
Loading

The idea is to decouple emails from role names. In this approach, we remove the unique constraint from the role.name field in the database, which allows the creation of generic roles like "private role" or "sharing role", which do not depend on a user's email and are identified by their type and a relationship stored in the user_role_association table. However, when an admin user manually creates a role in the admin UI, they will be required to pick a unique role name. Otherwise, an admin may accidentally create duplicate roles with names that are intended to distinguish them from other roles (e.g. we don't want multiple role names like "Foo lab").

Notes:
This adds a new API endpoint for retrieving user roles (currently used to retrieve a user's private role, which is no longer possible by retrieving all roles and selecting the one with the name matching the user's email).

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

@jdavcs jdavcs added kind/enhancement area/API area/admin area/database Galaxy's database or data access layer labels Oct 9, 2024
@jdavcs jdavcs force-pushed the dev_private_roles2 branch 2 times, most recently from 4e35f14 to 84a30a2 Compare October 10, 2024 20:24
@jdavcs jdavcs force-pushed the dev_private_roles2 branch 8 times, most recently from 5f1502a to d06cf20 Compare October 30, 2024 03:38
@jdavcs jdavcs changed the title [WIP] Decoupling user email from role name Decouple user email from role name Oct 30, 2024
jdavcs added 15 commits October 30, 2024 15:28
@jdavcs
Remove unique constraint from role name, add not null constraint
6ea4934
@jdavcs
Add migration: remove unique constraint from role name, add not null …
4186c48 
…constraint
@jdavcs
Overwrite role name w/hybrid property
62a8b90
@jdavcs
Assign default role name based on role type
2fce86e 
Now that role name doesn't have to be unique, we don't want to pass args
like "private role" or "shared role" on role creation.
@jdavcs
Search by column name, not property
3e6191f
@jdavcs
Adjust unit test: role name == user's current email
f623ee8
@jdavcs
Factor out roles service from roles api
9291652
@jdavcs
Add users api endpoint for user-roles
6dace47
@jdavcs
Change how a populator gets a user's private role
98044ad 
Because we no longer can match role name to user email
@jdavcs
Add API test for new user-roles endpoint
af56338
@jdavcs
Modify make_role fixture to accommodate downgrading in migration tests
e255a38
@jdavcs
Move test fixture to conftest
0e51a52
@jdavcs
Do not use user's email in private role name, description
f8c751a 
Reason: decouple user email from private role naming: emails can be
changed or redacted; user id in user-role-association + role type is
sufficient to tie a user to a private role.

The description (i.e., "this is a private role for a user" is inferrable
from the role name ("private role"), which is assigned by default.
@jdavcs
Fix query to look up role by user email
a58c417
@jdavcs
Fix grammar typo in schema
bc3ed51
jdavcs added 3 commits October 30, 2024 15:28
@jdavcs
Update remote user private role bug fix from 2009
93b22b0
@jdavcs
Remove breakpoint() comment
1860e88
@jdavcs
Fix error in select, add test
16f1d3f 
We must use a union because when we retrieve roles with a query, we
check against:
1) role name
2) email of associated user for private roles

We factor out this select into a helper method, which we then test
extensively.
@jdavcs jdavcs force-pushed the dev_private_roles2 branch from d06cf20 to 16f1d3f Compare October 30, 2024 19:28
@jdavcs jdavcs marked this pull request as ready for review October 30, 2024 20:04
@github-actions github-actions bot added this to the 24.2 milestone Oct 30, 2024
@jdavcs
Copy link
Member Author

jdavcs commented Oct 30, 2024

This is ready for review.

@jdavcs jdavcs requested a review from a team October 30, 2024 21:34
davelopez
davelopez reviewed Oct 31, 2024
View reviewed changes
Copy link
Contributor

@davelopez davelopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good to me! Thanks!

I'll let others have a second review, especially about the query part, but it does look a lot cleaner to me.

test/unit/data/model/db/test_role.py Outdated Show resolved Hide resolved
lib/galaxy/model/security.py Outdated Show resolved Hide resolved
@jdavcs jdavcs mentioned this pull request Nov 1, 2024
Merged
4 tasks
@mvdbeek mvdbeek self-requested a review November 12, 2024 15:26
@mvdbeek
Copy link
Member

mvdbeek commented Nov 15, 2024

currently used to retrieve a user's private role, which is no longer possible by retrieving all roles and selecting the one with the name matching the user's email

not sure I understand this, I presume that's something we used to have a user interface for ? does that need to be added back ?

jdavcs and others added 2 commits November 18, 2024 10:36
@jdavcs @mvdbeek
Remove leftover debugging code
d2583bb 
Co-authored-by: Marius van den Beek <[email protected]>
@jdavcs @mvdbeek
Remove leftover debugging code (more)
85a94a8 
Co-authored-by: Marius van den Beek <[email protected]>
@jdavcs
Copy link
Member Author

jdavcs commented Nov 19, 2024

currently used to retrieve a user's private role, which is no longer possible by retrieving all roles and selecting the one with the name matching the user's email

not sure I understand this, I presume that's something we used to have a user interface for ? does that need to be added back ?

Sorry, this is confusing out of context! It's for the populator - see my previous response, I think it covers it.

@mvdbeek mvdbeek merged commit 6463f86 into galaxyproject:dev Nov 19, 2024
55 of 57 checks passed
@mvdbeek
Copy link
Member

mvdbeek commented Nov 19, 2024

Thanks @jdavcs!

@dannon
Copy link
Member

dannon commented Nov 19, 2024

This needed a migration rebase prior to merge, we have two heads now @jdavcs

@jdavcs
Copy link
Member Author

jdavcs commented Nov 19, 2024

Sorry! A new migration sneaked in. I'll handle this.

@jdavcs jdavcs mentioned this pull request Nov 19, 2024
Merged
4 tasks
@jdavcs jdavcs added the highlight/admin Included in admin/dev release notes label Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davelopez davelopez davelopez left review comments

@mvdbeek mvdbeek mvdbeek left review comments

Assignees
No one assigned
Labels
area/admin area/API area/database Galaxy's database or data access layer highlight/admin Included in admin/dev release notes kind/enhancement
Projects
None yet
Milestone
24.2
Development

Successfully merging this pull request may close these issues.
4 participants
@jdavcs @mvdbeek @dannon @davelopez