Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable support for read-only mode on APIs #1219

Merged
merged 3 commits into from
Oct 3, 2024
Merged

Enable support for read-only mode on APIs #1219

merged 3 commits into from
Oct 3, 2024

Conversation

coderbydesign
Copy link
Contributor

Link(s) to Jira

Description of Intent of Change(s)

This adds an optional READ_ONLY_API_MODE environment variable consumed in settings, which defaults to False. It can be configured via params in the deploy template to enable/disable with config per environment.

This is used in a new ReadOnlyApiMiddleware middleware for all RBAC requests, which checks the request method and the configuration setting to determine whether or not to process the request.

In the event of a write method + read-only mode being enabled, we'll return a 405 with a message explaining we're in read-only mode, to be used during migration/maintenance windows for the service.

Another option would be to use 503, though since we're still accepting GET requests a 405 with explicit message may be the best approach.

Local Testing

By default, you should not be prevented from any write API requests.
Update your .env to set READ_ONLY_API_MODE=True and note that you receive a 405 on anything but GET requests.

TODO:

  • Update API specs?

Checklist

  • if API spec changes are required, is the spec updated?
  • are there any pre/post merge actions required? if so, document here.
  • are theses changes covered by unit tests?
  • if warranted, are documentation changes accounted for?
  • does this require migration changes?
    • if yes, are they backwards compatible?
  • is there known, direct impact to dependent teams/components?
    • if yes, how will this be handled?

Secure Coding Practices Checklist Link

Secure Coding Practices Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

astrozzc
astrozzc approved these changes Oct 2, 2024
View reviewed changes
Copy link
Contributor

@astrozzc astrozzc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

rbac/rbac/middleware.py
"""Process request ReadOnlyApiMiddleware."""
if settings.READ_ONLY_API_MODE and request.method in ["POST", "PUT", "PATCH", "DELETE"]:
return HttpResponse(
json.dumps({"error": "This API is currently in read-only mode. Please try again later."}),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering what message would pop up in customer's console, they might be confused with API.
Maybe something like the system is currently under maintenance and in read-only mode......

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I was going to ping platex to see how a 405 might be handled right now to see if they'd render their own message or need to use the API message.

@astrozzc
Copy link
Contributor

astrozzc commented Oct 2, 2024

/retest

@coderbydesign
Enable support for read-only mode on APIs
d33af41 
This adds an optional `READ_ONLY_API_MODE` environment variable consumed in settings,
which defaults to `False`. It can be configured via params in the deploy template
to enable/disable with config per environment.

This is used in a new `ReadOnlyApiMiddleware` middleware for all RBAC requests,
which checks the request method and the configuration setting to determine whether
or not to process the request.

In the event of a write method + read-only mode being enabled, we'll return a 405
with a message explaining we're in read-only mode, to be used during migration/maintenance
windows for the service.

Another option would be to use 503, though since we're still accepting GET requests
a 405 with explicit message may be the best approach.
@coderbydesign
Move env for read only to correct service
623c101
@coderbydesign coderbydesign merged commit ba9ce37 into RedHatInsights:master Oct 3, 2024
9 checks passed
@coderbydesign coderbydesign deleted the read-only-mode branch October 3, 2024 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lpichler lpichler lpichler approved these changes

@astrozzc astrozzc astrozzc approved these changes

@alechenninger alechenninger Awaiting requested review from alechenninger

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@coderbydesign @astrozzc @lpichler