Skip to content

refactor(coderd): fetch owner information when authorizing workspace agent #9123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Aug 21, 2023
Merged

refactor(coderd): fetch owner information when authorizing workspace agent #9123

merged 19 commits into from
Aug 21, 2023

Conversation

johnstcn
Copy link
Member

@johnstcn johnstcn commented Aug 16, 2023
edited
Loading

When authorizing a workspace agent, we currently perform a number of queries to

  • Fetch the workspace agent by its auth token
  • Fetch the workspace owner (which involves fetching the workspace)
  • Fetch the workspace owner's roles

See TODO comment in getAgentSubject():

// TODO: make a different query that gets the workspace owner and roles along with the agent.

This PR:

  • Refactors the existing httpmw tests to use dbtestutil so that we can test them against a real database if desired,
  • Modifies the GetWorkspaceAgentByAuthToken to return the owner and associated roles, removing the need for additional queries.

Fixes #8065

@johnstcn johnstcn self-assigned this Aug 16, 2023
@johnstcn johnstcn force-pushed the cj/GetWorkspaceAgentAndOwnerByAuthToken branch 2 times, most recently from ae20c36 to cee1af8 Compare August 18, 2023 12:36
@johnstcn johnstcn force-pushed the cj/GetWorkspaceAgentAndOwnerByAuthToken branch from cee1af8 to e6ce0f5 Compare August 18, 2023 16:26
@johnstcn johnstcn marked this pull request as ready for review August 18, 2023 18:25
@johnstcn johnstcn requested review from Emyrk, mafredri and mtojek August 18, 2023 18:25
mafredri
mafredri approved these changes Aug 21, 2023
View reviewed changes
Copy link
Member

@mafredri mafredri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks alright to me, but would love for @Emyrk to give his stamp as well.

mtojek
mtojek reviewed Aug 21, 2023
View reviewed changes
coderd/database/queries/workspaceagents.sql
ON
group_members.user_id = users.id
WHERE
-- TODO: we can add more conditions here, such as:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: out of curiosity, why is it left for later improvement?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would change the existing behaviour; right now we just get the agent by the token without further restrictions.

coderd/database/queries/workspaceagents.sql
ON
workspace_agents.resource_id = workspace_resources.id
INNER JOIN -- every user is a member of some org
organization_members
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious if we should start testing users being part of 2 organizations.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH I'd honestly defer it until we start having multiple organizations. I'm not sure if we expose multi-orgs at a higher level, or plan to?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comment was rather preventing the accumulation of technical debt, but we can leave it for now.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtojek we have quite a bit of the 1 org assumption.

Emyrk
Emyrk approved these changes Aug 21, 2023
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

System rbac calls are OP 😄

@johnstcn johnstcn merged commit 5d4a177 into main Aug 21, 2023
@johnstcn johnstcn deleted the cj/GetWorkspaceAgentAndOwnerByAuthToken branch August 21, 2023 14:49
@github-actions github-actions bot locked and limited conversation to collaborators Aug 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mtojek mtojek mtojek left review comments

@mafredri mafredri mafredri approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@johnstcn johnstcn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

improve performance of workspace agent authorization
4 participants
@johnstcn @mafredri @Emyrk @mtojek