-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Harness not modelling permission denied for user secrets #1229
Comments
Extra information: According to |
@IronCore864 @tonyandrewmeyer It makes sense to me to make the testing exception the same as the real one. So I think we just change the |
I do agree with this in general.
However, I don't think this is the right fix here. I think this is a Juju bug. All of the other permission errors (like trying to do a So, in my opinion, we should open a Juju bug instead. |
Checked with the Juju team and they agree that it should be consistent in Juju, so I opened a Juju bug. |
Opened #1231 to make this explicit in the docs. |
Actually, I got this wrong. Charm secrets do return "permission denied" as well as user ones, so there must be an ops issue here. |
Juju 3.4.2, Microk8s, I get this behaviour:
For the "delayed" cases, the hook tool returns successfully, and then when the hook finishes (after ops is done) the charm goes into error state with something like this in the debug-log:
Also discussing this with @barrettj12 who is working on the Juju ticket. |
Adjust Harness so that the errors match what Juju does in practice (I tested each case - the results are in a table in a comment in canonical#1229). * When Juju responds with a message including "not found", we raise `SecretNotFoundError` * When Juju responds with any other message (such as "permission denied"), we raise `ModelError` * When Juju succeeds and only fails at the completion of the hook, we raise `RuntimeError` - in production, the charm cannot catch this, but we do want to surface this error, so `RuntimeError` seems most approprate In addition: * Update the documentation to clarify when secret content is cached (this was a request from the discussion with the data platform team in Madrid) * Correct the documentation regarding when `ModelError` and when `SecretNotFoundError` will be raised with the secret methods * Don't clear the `Secret` object local cache of the secret content on `set_contents`. The contents won't change until `refresh` is used, so there's no point forcing the next call to get the content from Juju. Juju may change the responses so that there is increased consistency (probably via [this bug](https://bugs.launchpad.net/juju/+bug/2067336)) but it seems best if we fix the behaviour to match now, and then if Juju changes in the future, we can update ops then (also deciding at that time how to handle the issue that different Juju versions will have different behaviour). Fixes canonical#1229.
Adjust Harness so that the errors match what Juju does in practice (I tested each case - the results are in a table in a comment in canonical#1229). * When Juju responds with a message including "not found", we raise `SecretNotFoundError` * When Juju responds with any other message (such as "permission denied"), we raise `ModelError` * When Juju succeeds and only fails at the completion of the hook, we raise `RuntimeError` - in production, the charm cannot catch this, but we do want to surface this error, so `RuntimeError` seems most approprate In addition: * Update the documentation to clarify when secret content is cached (this was a request from the discussion with the data platform team in Madrid) * Correct the documentation regarding when `ModelError` and when `SecretNotFoundError` will be raised with the secret methods * Don't clear the `Secret` object local cache of the secret content on `set_contents`. The contents won't change until `refresh` is used, so there's no point forcing the next call to get the content from Juju. Juju may change the responses so that there is increased consistency (probably via [this bug](https://bugs.launchpad.net/juju/+bug/2067336)) but it seems best if we fix the behaviour to match now, and then if Juju changes in the future, we can update ops then (also deciding at that time how to handle the issue that different Juju versions will have different behaviour). Fixes canonical#1229.
#1176 introduced support for user secrets in Harness, but it looks like it is not modelling the actual Juju behaviour when a user secret hasn't been granted to a charm and it tries to get a secret with
self.model.get_secret(id=<id-from-config>)
.On an actual model, if the charm config gets updated with a secret ID, but the charm hasn't been granted access to the secret,
ops.model.ModelError: ERROR permission denied
will be raised, but it seems that when testing, harness makes the charm to raise a different exceptionops.model.SecretNotFoundError: Secret 'secret:16320250-1b76-4552-94d9-10ff484f88cb' not granted access to 'istio-pilot
when calling the exact same piece of code.Steps to reproduce
juju config <charm-name> my-secret=secret:some-id
ModelError
but aSecretNotFoundError
exception is raised instead:The text was updated successfully, but these errors were encountered: