CSS-5674 Replace database-stored access with OpenFGA

[babakks]

Description

This PR replaces remainings of JIMM.v1 access storage with OpenFGA; namely the following has been updated:

• Grant/revoke cloud access.

I've added a lot of test cases. To make the review easier here is the list tests:

GrantCloudAccess

• CloudNotFound
• Admin grants admin access
• Admin grants add-model access
• UserNotAuthorized
• DialError
• APIError

RevokeCloudAccess

• CloudNotFound
• Admin revokes 'admin' from another admin
• Admin revokes 'add-model' from another admin
• Admin revokes 'add-model' from a user with 'add-model' access
• Admin revokes 'add-model' from a user with no access
• Admin revokes 'admin' from a user with no access
• Admin revokes 'add-model' access from a user who has separate tuples for all accesses (add-model/admin)
• Admin revokes 'admin' access from a user who has separate tuples for all accesses (add-model/admin)
• UserNotAuthorized
• DialError
• APIError

GrantModelAccess

• ModelNotFound
• Admin grants 'admin' access to a user with no access
• Admin grants 'write' access to a user with no access
• Admin grants 'read' access to a user with no access
• Admin grants 'write' access to a user who already has 'write' access
• Admin grants 'read' access to a user who already has 'write' access
• Admin grants 'admin' access to themselves
• Admin grants 'write' access to themselves
• Admin grants 'read' access to themselves
• UserNotAuthorized
• DialError
• APIError

RevokeModelAccess

• Admin revokes 'admin' access from another admin
• Admin revokes 'write' access from another admin
• Admin revokes 'read' access from another admin
• Admin revokes 'admin' access from a user who has 'write' access
• Admin revokes 'write' access from a user who has 'write' access
• Admin revokes 'read' access from a user who has 'write' access
• Admin revokes 'admin' access from a user who has 'read' access
• Admin revokes 'write' access from a user who has 'read' access
• Admin revokes 'read' access from a user who has 'read' access
• Admin revokes 'admin' access from themselves
• Admin revokes 'write' access from themselves
• Admin revokes 'read' access from themselves
• Writer revokes 'admin' access from themselves
• Writer revokes 'write' access from themselves
• Writer revokes 'read' access from themselves
• Reader revokes 'admin' access from themselves
• Reader revokes 'write' access from themselves
• Reader revokes 'read' access from themselves
• Admin revokes 'admin' access from a user who has separate tuples for all accesses (read/write/admin)
• Admin revokes 'write' access from a user who has separate tuples for all accesses (read/write/admin)
• Admin revokes 'read' access from a user who has separate tuples for all accesses (read/write/admin)
• UserNotAuthorized
• DialError
• APIError

Fixes CSS-5674

Change of behavior: ModifyCloudAccess

Note that there is a change in behavior for when revoking a users's access to a cloud. In the old implementation, if we revoked the admin access, the user would be granted with the add-model access:

switch access {
case "admin":
	uca.Access = "add-model" // <- Here 
default:
	uca.Access = ""
}

But in the new implementation, we just drop the admin relation and do not create a separate tuple to grant add-model access.

Change of behavior: ModifyModelAccess

In the old implementation when we're revoking a user's model access, we'd do it like this (i.e., demoting user access by one level):

switch access {
case "admin":
	uma.Access = "write"
case "write":
	uma.Access = "read"
default:
	uma.Access = ""
}

But in the new implementation, we don't add new relations to lower accesses. We just drop the relation together with all higher accesses. For example, when revoking read access, we drop read, write and admin all together.

Engineering checklist

Check only items that apply

• Documentation updated
• Covered by unit tests
• Covered by integration tests

[kian99]

Might this be better as a switch statement?

[kian99]

Do we need to do this? This is assigning access on the Juju side I believe, but Juju won't be checking it's own access permissions, it will just rely on whatever is in the JWT.

[kian99]

Yeah looking at

jimm/internal/jimm/cloud.go

Line 488 in 5e85687

// TODO (alesstimec) This will no longer be needed.

I'm pretty sure this isn't needed.

[alesstimec]

agreed.. this should no longer be needed..

[kian99]

As above, I don't think we need these calls anymore.

[kian99]

Shouldn't this come before we range over tts?

[kian99]

Also what do you think about in a future PR if we create an abstraction over this to have a cleaner way of getting all the results?

[babakks]

As I checked this is the only place we're iterating using continuation tokens. So, at the moment, there's no need to split this part away. But you're right. If we're going to do the pagination again, we should do it in a reusable way.

[ale8k]

Some questions and potential changes

[ale8k]

The callback still takes dbmodel.Cloud, is this needed now? I'd presume not right?

[ale8k]

Isn't the error more a tuple issue just from ofga?

[alesstimec]

also, please include op in the error

[babakks]

Since there's no Juju API call anymore, I changed the error message to failed to set cloud access.

[ale8k]

Don't think this is needed either, api typically hits the controller/model, we wanna keep this purely in JIMM

[ale8k]

Sometime we do err := p(); err != nil, and sometimes two lines, let's try keep it inline if's with errs where we can

[ale8k]

Like doCloud, doCloudAdmin, doModelAdmin, we don't need the model passing in anymore do we?

[ale8k]

We aren't transactional ATM are we? So this may remove some but not all?

[babakks]

No, at last we decided to go with the transactional approach. To be precise, if we're removing a few tuples, all-or-none will be deleted.

[ale8k]

Honestly I'm a bit lost with ct and tts, tts is targetTuples I'm presuming? and CT is convertTag? Would prefer something like lastCT for lastConvertTag and just be explicit so it's easier on the brain initially

[babakks]

No. CT stands for continuation token and TT(s) is timestamped-tuple(s). But you're right. I've improved the namings.

[ale8k]

I think honestly just call it "lastContinuationToken", as I'll probably forget in another 3 months

[babakks]

I've already changed it to just token and lastToken. But can change it to continuationToken and lastContinuationToken if you think so.

[ale8k]

I know it's not the "go" way, but we have a lot of context and I feel personally I'll just forget what last token is :D

[babakks]

Will sort it now.

[alesstimec]

LGTM, but please add logging so that we have an easier time debugging issues in the future..

[alesstimec]

could we, please log the access? might be useful for debugging purposes

[babakks]

Do you think it should be a debug entry? or error? If it's for debugging I think debug should suffice.

[alesstimec]

please log this error

[alesstimec]

please log this error

[alesstimec]

please the log this error

[alesstimec]

please log this error

[ale8k]

lgtm bar ales' request for log lines

[babakks]

lgtm bar ales' request for log lines

I've already added them.