Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: enforce that provisioners can only acquire jobs in their own organization #12600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Mar 18, 2024
Merged

chore: enforce that provisioners can only acquire jobs in their own organization #12600

merged 14 commits into from
Mar 18, 2024

Conversation

@Emyrk
Copy link
Member

@Emyrk Emyrk commented Mar 14, 2024
edited
Loading

Closes: #11932

Organization ids were being correctly set on jobs already, just not used

@Emyrk Emyrk changed the title chore: enforce provisioners can only acquire jobs in their own own chore: enforce that provisioners can only acquire jobs in their own organization Mar 15, 2024
@Emyrk Emyrk requested a review from spikecurtis March 18, 2024 05:11
spikecurtis
spikecurtis approved these changes Mar 18, 2024
View reviewed changes
coderd/provisionerdserver/provisionerdserver_test.go
Provisioner: database.ProvisionerTypeEcho,
StorageMethod: database.ProvisionerStorageMethodFile,
Type: database.ProvisionerJobTypeTemplateVersionDryRun,
OrganizationID: pd.OrganizationID,
Copy link
Contributor

@spikecurtis spikecurtis Mar 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a disturbingly large number of tests where we leave the OrgID unset while inserting a provisioner job, which seems like it should be forbidden by the foreign key constraint on the provisioner_jobs table. Unless, somehow, the all-zeros UUID "counts" as NULL by postgres when evaluating the foreign key, or there is an organization with all-zeros UUID being created in these tests.

I didn't see any instances of it not being set in product code, but it seems like database referential integrity is not working the way we want it to, which is worrying.

Copy link
Member Author

@Emyrk Emyrk Mar 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was fixing these 1 by 1, but it was incredibly annoying. So I added this to the dbgen, which is mostly used to generate jobs in tests:

coder/coderd/database/dbgen/dbgen.go

Lines 391 to 394 in a9774df

if orig.OrganizationID == uuid.Nil {
defOrg, _ := db.GetDefaultOrganization(genCtx)
defOrgID = defOrg.ID
}

So by default, we use the org id

@Emyrk Emyrk merged commit f0f9569 into main Mar 18, 2024
@Emyrk Emyrk deleted the stevenmasley/org_scoped_acquire branch March 18, 2024 17:48
@github-actions github-actions bot locked and limited conversation to collaborators Mar 18, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@spikecurtis spikecurtis spikecurtis approved these changes

Assignees

@Emyrk Emyrk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Org scoped provision daemon jobs

3 participants

@Emyrk @spikecurtis