[automate-2914] force-upgrade integration scenario: v1 -> v2 with migrated legacy policies #2935
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bcmdarroch
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
2 times, most recently
from
7159417 to
3412013
Compare
bcmdarroch
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
from
3412013 to
48b2412
Compare
bcmdarroch
changed the title
bcmdarroch
added
testing
bcmdarroch
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
13 times, most recently
from
d9fd560 to
510a772
Compare
blakestier
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
2 times, most recently
from
1dcb69e to
8f2aa0a
Compare
bcmdarroch
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
6 times, most recently
from
2dee49a to
cc6530f
Compare
iam_v2.sh will be replaced by a new script that tests a v2 force-upgrade with no legacy policies Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
ingest tokens must now be added to the chef-managed ingest policy to work (on v1 there was a default policy that automatically gave them permission) also some rebase fixes Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
need to create a v2 policy now Signed-off-by: Brenna Hewer-Darroch <[email protected]>
in v1->v2 force upgrade scenarios, the projects and roles diagnostics are skipped so we need to keep track of whether or not they were skipped so we can cancel verify/cleanup on non-existent data Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Brenna Hewer-Darroch <[email protected]>
can verify migrated v1 policy Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
wrong name for inspec suite Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
oops lost a name change along the way Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Co-Authored-By: M Sorens <[email protected]> Co-Authored-By: Blake Johnson <[email protected]> Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
bcmdarroch
force-pushed
the
bhd/2914/force-upgrade-v1-v2
branch
from
d8f99da to
54482ed
Compare
This was referenced Mar 13, 2020
susanev
added a commit
that referenced
this pull request
Mar 26, 2020
* Remove IAM V1 conditionals from the UI and Cypress (#2753) * UI unit test cleanup post-merge of master Signed-off-by: michael sorens <[email protected]> * UI unit test cleanup post-merge of master Signed-off-by: michael sorens <[email protected]> * [Automate-1890] gateway v1 scrub (#2796) * [automate-2857] Update user service to teams v2 client (#2860) * Add method for proto parity Adding PurgeUserMembership to allow replacing the v1 team client with a v2 version. Signed-off-by: michael sorens <[email protected]> * Switch v1 team client to v2 team client Signed-off-by: michael sorens <[email protected]> * Implement necessary method for the revised interface Signed-off-by: michael sorens <[email protected]> * Update bldr.toml Removed dependency required rerunning `generate_bldr_config` Signed-off-by: michael sorens <[email protected]> * Correct admins team name per feedback Signed-off-by: michael sorens <[email protected]> * [automate-2720] IAM force upgrade migrations 🎉 (#2793) * Added general structure and TODOs for how to migrate up to the point of force upgrade Copied over code from migrator.go because we can't use the generic version anymore. Migrating up to the last SQL schema migration before we want to force upgrade. Started porting MigrateToV2 GRPC function over to the migration code. Signed-off-by: Tyler Cloke <[email protected]> * Remove ApplyV2DataMigrations db function and finish applying any data_migrations as part of the post-force-upgrade process Signed-off-by: Tyler Cloke <[email protected]> * Ported creation of default roles for v1 force upgrade Signed-off-by: Tyler Cloke <[email protected]> * Port defaultPolicies Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Port CreatePolicy Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Port code we might need for legacy migration Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * WIP Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Everything is compiling Signed-off-by: Tyler Cloke <[email protected]> * Added force_upgrade_status to only run force upgrade once Signed-off-by: Tyler Cloke <[email protected]> * Remove UpgradeToV2 from cli/gateway Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Remove auto-upgrade from studio Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Record migration status for versioning Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Rename constant Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Remove unused migration Signed-off-by: Tyler Cloke <[email protected]> * Use migration status to control migration logic Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Do TODOs Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Remove migration-related server code Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Updated our use of migration_status and cleaned up file layout Signed-off-by: Tyler Cloke <[email protected]> * Fixed variable name Signed-off-by: Tyler Cloke <[email protected]> * It working Signed-off-by: Tyler Cloke <[email protected]> * Initial porting work for tests Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Working on db tests Signed-off-by: Tyler Cloke <[email protected]> * It's passsssing Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Legacy Policy test Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Does not migrate legacy pols w/o subjs Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Legacy policies Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Migrates only valid v1 policies Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Simply log unmigrated policies These were already invalid in v1. No big deal if they aren't migrated. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Add comment Signed-off-by: Tyler Cloke <[email protected]> * Renames/cleanup Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Remove ResetToV1 from gateway Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Updates bldr.toml Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Compilation errors from server change Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * remove resettov1 Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Fix :allthethings: Signed-off-by: Tyler Cloke <[email protected]> * Linting Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Trying to get CI happy Signed-off-by: Tyler Cloke <[email protected]> * Remove upgrade-to-v2 cmd Signed-off-by: Tyler Cloke <[email protected]> * Remove upgrade-to-v2 Signed-off-by: Tyler Cloke <[email protected]> * No longer have PreconditionFailed to tell v1 requests the gateway is in v2 mode. Just always use v2. Signed-off-by: Tyler Cloke <[email protected]> * Hopefully tests pass now Signed-off-by: Tyler Cloke <[email protected]> * Bldr config Signed-off-by: Tyler Cloke <[email protected]> * Add deny for infra:ingest:* to default policy migration Signed-off-by: Tyler Cloke <[email protected]> * Delete extra comment Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * add clarity to func Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Only migrate v1 policies on upgrade Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Review comments Signed-off-by: Tyler Cloke <[email protected]> * Update components/authz-service/storage/postgres/postgres.go Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Update components/authz-service/storage/postgres/migration/migration.go Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Update components/authz-service/storage/postgres/migration/migration.go Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]> * Last review comments Signed-off-by: Tyler Cloke <[email protected]> Co-authored-by: Tyler Cloke <[email protected]> Co-authored-by: M Sorens <[email protected]> * [automate-2930] Fix NATS gateway test errors related to v2 force upgrade (#2933) * Add some logging around forced migration (#2938) * [automate-2861] Update authn service to teams v2 client (#2875) * [automate-2876] Update automate-deployment to teams v2 client (#2877) * Change IAM docs to focus on IAM v2 (#2715) * combine iamv1 pages into 1 Signed-off-by: susanev <[email protected]> * change users, teams, api tokens to iam v2 Signed-off-by: susanev <[email protected]> * added pages for policies, projects, roles Signed-off-by: susanev <[email protected]> * Copyedits and edits for clarity Signed-off-by: Mary Jinglewski <[email protected]> Co-authored-by: mjingle <[email protected]> Co-authored-by: susanev <[email protected]> * Auth 2926/teams v2 migrations (#2934) * Move operator team rename into schema migs Signed-off-by: Blake Johnson <[email protected]> * Integrate cli migration into schema migration Signed-off-by: Blake Johnson <[email protected]> * Remove datamigrations Signed-off-by: Blake Johnson <[email protected]> * Rename migration Signed-off-by: Blake Johnson <[email protected]> * Remove refs to datamigration Signed-off-by: Blake Johnson <[email protected]> * Remove refs to upgrade/reset iam * Cleanup after merge-from-master * Regenerate from protos after merge-from-master compile_go_protobuf_component automate-gateway && compile_go_protobuf_component api Signed-off-by: michael sorens <[email protected]> * Auth 2867/remove v1 tokens gateway apis (#2970) * remove tokens (v1) proto Signed-off-by: Blake Johnson <[email protected]> * Remove v1 tokens client Signed-off-by: Blake Johnson <[email protected]> * Modify UI to only use tokens v2 path Signed-off-by: Blake Johnson <[email protected]> * Update docs Signed-off-by: Blake Johnson <[email protected]> * Bright more files up to v2 for tokens Signed-off-by: Blake Johnson <[email protected]> * Update dev helper Signed-off-by: Blake Johnson <[email protected]> * Update docs Signed-off-by: Blake Johnson <[email protected]> * Remove v1 handler Signed-off-by: Blake Johnson <[email protected]> * Update bldr config Signed-off-by: Blake Johnson <[email protected]> * Remove v1 mock Signed-off-by: Blake Johnson <[email protected]> * remove v2 allusions Signed-off-by: Blake Johnson <[email protected]> * Revert docs change Signed-off-by: Blake Johnson <[email protected]> * [AUTOMATE-2866] Remove v1 users APIs from gateway (#2922) Signed-off-by: Tyler Cloke <[email protected]> * Fix force-upgrade merge conflicts (#2981) * Regenerate from protos after merge hab studio: compile_all_protobuf_components components/automate-chef-io: make sync_swagger_files Signed-off-by: michael sorens <[email protected]> * [automate-2868] Remove v1 policies (#2988) * [Automate-2950] Port introspection from v1 to v2 (#3032) * Relocate introspection protos to v2 Signed-off-by: michael sorens <[email protected]> * Rewire proto files together Signed-off-by: michael sorens <[email protected]> * Change exposed endpoints to v2 Signed-off-by: michael sorens <[email protected]> * Regenerate from protos Signed-off-by: michael sorens <[email protected]> * Relocate introspection endpoints to v2 Signed-off-by: michael sorens <[email protected]> * Rewire go files together Signed-off-by: michael sorens <[email protected]> * Change UI calls to v2 Signed-off-by: michael sorens <[email protected]> * Convert v1 integration test to v2 Signed-off-by: michael sorens <[email protected]> * Resolve path changes in cli component Starting with ` rebuild components/automate-cli/`, the error was: build github.com/chef/automate/components/automate-gateway/api/authz: cannot load github.com/chef/automate/components/automate-gateway/api/authz: no Go source files Traced that back to the same failure with just `make build` in the automate-cli directory, then to the same failure with just this: go build github.com/chef/automate/components/automate-cli/cmd/chef-automate Searching for api/authz in the cli directory led me to the files in this commit. Signed-off-by: michael sorens <[email protected]> * Regenerate bldr.toml The "repo health" task in buildkite failed saying: ``` The bldr config appears to be out of date! To fix this, run: hab studio run "source .studiorc && generate_bldr_config" ``` Ran the fix: # install_if_missing core/go go # generate_bldr_config Signed-off-by: michael sorens <[email protected]> * Delete v1 auth URL in UI Signed-off-by: michael sorens <[email protected]> * Replace auth_v2_url with iam_url in UI Signed-off-by: michael sorens <[email protected]> * Apply assorted review feedback Signed-off-by: michael sorens <[email protected]> * remove v1 team APIs from gateway & update dependent integration tests (#2952) * gateway: delete v1 team protos * gateway: drop v1 team stuff wherever it's imported * cli: use v2 teams client everywhere Signed-off-by: Brenna Hewer-Darroch <[email protected]> * [automate-2914] force-upgrade integration scenario: v1 -> v2 with migrated legacy policies (#2935) * v1 to force-upgrade v2 integration test reorganized all the IAM inspec tests Signed-off-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: M Sorens <[email protected]> * [Automate-2987] legacy ingest policy fix (#3044) * migration: any "{infra:ingest:*}" action is now "{ingest:*}" * update force-upgrade delete the "deny users infra:ingest" statement in infra legacy policy swap "infra:ingest:*" for "ingest:*" in ingest legacy policy * legacy policy migration testing Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: Brenna Hewer-Darroch <[email protected]> * Resync bldr.toml generate_bldr_config Signed-off-by: michael sorens <[email protected]> * [automate-2916] v2 with no legacy policies -> force-upgrade to latest v2 integration test (#3009) * add v2 with no legacy force-upgrade to v2 we want to make sure that customers currently using v2 without v1 legacy policies are not disrupted by the force-upgrade. v1 legacy policies should not reappear. Signed-off-by: Brenna Hewer-Darroch <[email protected]> * [automate-2917] v2 with legacy policies -> force-upgrade to latest v2 integration test (#3008) * add force-upgrade v2 from v2 with legacy integration test we want to ensure that customers currently using IAM v2 are not disrupted by the force-upgrade Signed-off-by: Brenna Hewer-Darroch <[email protected]> * Vanished teams on force-upgrade (#3102) * Robust Deprecation of IAM v1 (#3104) * Robust Deprecation of v1 Signed-off-by: kagarmoe <[email protected]> * Deprecation on nav * Deprecation on nav Signed-off-by: kagarmoe <[email protected]> * Incorporates feedback Signed-off-by: kagarmoe <[email protected]> * Use feature branch iam-v2-overview.md Signed-off-by: kagarmoe <[email protected]> * Improve verb tense in IAM v2 Overview doc (#3033) * Improve verb tense in IAM v2 Overview doc Signed-off-by: Mary Jinglewski <[email protected]> * Edit progress so far Signed-off-by: Mary Jinglewski <[email protected]> * Incorporate Feedback Signed-off-by: Mary Jinglewski <[email protected]> * Active tense polishing Signed-off-by: Mary Jinglewski <[email protected]> * removes iam v2 from body Signed-off-by: kagarmoe <[email protected]> * Fix spaces Signed-off-by: kagarmoe <[email protected]> Co-authored-by: kagarmoe <[email protected]> * Revert "Improve verb tense in IAM v2 Overview doc (#3033)" (#3134) This reverts commit 746d6ea. * [automate-3065] Remove v1 authz storage (#3111) * fixes bad link Signed-off-by: kagarmoe <[email protected]> * Fix iam db migration tests to work locally (#3155) Signed-off-by: Tyler Cloke <[email protected]> * Revert "Revert "Improve verb tense in IAM v2 Overview doc (#303… (#3145) * Merge fix Signed-off-by: michael sorens <[email protected]> * [automate-3066] Delete authz v1 server code (#3146) * [automate-1886] farewell chef-automate admin-token (#3188) * chef-automate admin-token is no more Co-authored-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: Mary Jinglewski <[email protected]> * [automate-2710] Remove system:* perms, modify infra:* perms (#3148) * Update roles to have infra:nodes/nodeManagers over infra:* Signed-off-by: Blake Johnson <[email protected]> * Update roles to not have system access Signed-off-by: Blake Johnson <[email protected]> * Update docs with system change Signed-off-by: Blake Johnson <[email protected]> * update sql readme Signed-off-by: Blake Johnson <[email protected]> * Refactor query to work w/o policy Signed-off-by: Blake Johnson <[email protected]> * Add telemetry perms into default system policies Signed-off-by: Blake Johnson <[email protected]> * Update tests Signed-off-by: Blake Johnson <[email protected]> * Remove non-existent action for telemetry Signed-off-by: Blake Johnson <[email protected]> * remove (in tests) permission to request license to roles Signed-off-by: Blake Johnson <[email protected]> * Modify integration script Signed-off-by: Blake Johnson <[email protected]> * Add comments Signed-off-by: Blake Johnson <[email protected]> * Adds applications to roles Signed-off-by: Blake Johnson <[email protected]> * [Automate-2950] port introspection, wave two (#3050) * Update proto generation for v2-only Signed-off-by: michael sorens <[email protected]> * Remove v2 distinction in the generated code Signed-off-by: michael sorens <[email protected]> * Remove v1 protoc generation Signed-off-by: michael sorens <[email protected]> * Remove v2 from the generated pb file name Signed-off-by: michael sorens <[email protected]> * Correct path * Manual cleanup to get things building Not sure why these were not covered by the regeneration but was getting this error until I found and removed these: $ make build build github.com/chef/automate/components/automate-gateway/cmd/automate-gateway: cannot load github.com/chef/automate/components/automate-gateway/authz/policy_v2: open /Users/msorens/code/go/src/github.com/chef/automate/components/automate-gateway/authz/policy_v2: no such file or directory Signed-off-by: michael sorens <[email protected]> * Regenerate bldr.toml Signed-off-by: michael sorens <[email protected]> * Relocate pairs and policy under iam dir Signed-off-by: michael sorens <[email protected]> * Minor cleanup Signed-off-by: michael sorens <[email protected]> * Apply review feedback Signed-off-by: michael sorens <[email protected]> * Regenerate v2-only pb files compile_all_protobuf_components Signed-off-by: michael sorens <[email protected]> * Regenerate docs from protos make sync_swagger_files Signed-off-by: michael sorens <[email protected]> * Empty commit to add missing DCO. Signed-off-by: michael sorens <[email protected]> Co-authored-by: michael sorens <[email protected]> Co-authored-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: M Sorens <[email protected]> Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: susan evans <[email protected]> Co-authored-by: mjingle <[email protected]> Co-authored-by: Kimberly Garmoe <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔩 Description: What code changed, and why?
This PR adds integration testing for the following scenario:
♻️ For the force-upgrade, we have removed the following v2-specific integration tests scripts:
These scripts all used
upgrade-to-v2andreset-to-v1, commands which will be deprecated by the force-upgrade.🎉 Now we have the following integration tests, all prefixed by
iam:The inspec test suites have also been reorganized:
a2-api-integrationtests API behavior. This now includes all IAM v2 APIs. To distinguish from the iam inspec suites, these tests all assume admin-level access.a2-iam-v1-integrationtests permissions on APIs specific to v1 (default policies)a2-iam-no-legacy-integrationtests permissions on APIs on a fresh system without v1 legacy policiesa2-iam-legacy-integrationtests permissions on APIs on a system with v1 legacy policies⛓️ Related Resources
follow-ups:
v2 force-upgrade to v2 with legacy policies: #3008
v2 force-upgrade to v2 with no legacy policies: #3009
👍 Definition of Done
👟 How to Build and Test the Change
when you check out this branch and start in a fresh studio, you can mimic the force-upgrade integration scenario following these steps:
inspec:
diagnostics:
✅ Checklist