Log warning of dropped updates to existing resources in policy POST #2944

Draft
wants to merge 3 commits into
base: master

john-odonnell
Contributor

Desired Outcome

This PR reinstates changes committed in #2888 and reverted in #2940.

Additive policy loads (those that use POST) currently have unexpected behavior. If a policy POST attempts to update an existing resource, the attempted update is silently discarded.

From #2888:

[POSTing a policy that updates an existing annotation] does not add a new annotation - as expected - but the policy load operation succeeds, which could be misleading to a user. This is caused by how the different policy loader classes - Loader::ReplacePolicy (PUT), Loader::CreatePolicy (POST), and Loader::ModifyPolicy (PATCH) - use the Loader::Orchestrate methods eliminate_duplicates_exact, eliminate_duplicates_pk and update_changed.

  • eliminate_duplicates_exact is used to cull objects specified in the incoming policy file that already exist in the current policy. Incoming updated annotations are not culled by this method.
  • update_changed is used to persist updated objects from the incoming policy into the current policy.
  • eliminate_duplicates_pk is used to cull objects that exist in the current policy that may have been updated by the incoming policy. Incoming updated annotations are always culled by this method, regardless of whether they have been persisted.

The Loader::CreatePolicy (POST) loader is the only loader class that does not call update_changed - this means eliminate_duplicates_exact and eliminate_duplicates_pk are run in sequence, deleting all objects that appear in both the existing and incoming policy files, regardless of updates.

#2888 includes a new error, raised when the Loader::Orchestrate finds itself eliminating non-exact duplicates in additive policy operations.

#2940 reverts these changes to avoid:

  • Introducing breaking API changes without either a major version release or a versioned API.
  • New, ambiguous error messages blocking customers' previously-functional policy operations.

Implemented Changes

  • Reinstate the changes made in Spike: adding/updating annotations via PUT/POST/PATCH #2888.

  • Log a descriptive warning instead of raising an error. Example message:

    WARNING: Updating existing resource disallowed in additive policy operations (POST). In a future release, loading this policy file will fail with a 422 error code. The following updates have not been applied, and have been discarded: {:annotations=>[{:resource_id=>"cucumber:host:hosts/annotated", :name=>"description", :diff=>{:value=>["Already annotated", "Success"]}}]}
    
  • Method Loader::Orchestrate.detect_duplicates_pk, which returns a hash of tables to updated resources, and is only invoked by additive policy operations.

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue ID: [insert issue ID]

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@john-odonnell john-odonnell changed the title Reintroduce Log warning of dropped updates to existing resources in policy POST Sep 7, 2023
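
Added example (not part of this PR and not Conjur's code): a simplified in-memory Ruby model of the three dedupe steps described in the PR description, showing why a POST drops a changed annotation while still succeeding, and what a detect_duplicates_pk-style check can report before the drop. The method names come from the PR; their bodies, the `Row` struct, `load_policy` and the `owner` annotation are assumptions, and PUT's removal of absent resources is not modeled.

```ruby
# Simplified model (assumption): a row is keyed by [resource_id, name] and
# carries a value. The real loader operates on database tables, not arrays.
Row = Struct.new(:resource_id, :name, :value) do
  def pk; [resource_id, name]; end
end

# Drop incoming rows that are identical to an existing row.
def eliminate_duplicates_exact(incoming, existing)
  incoming.reject { |r| existing.include?(r) }
end

# Persist incoming values over existing rows that share a primary key.
def update_changed(incoming, existing)
  existing.map { |e| incoming.find { |i| i.pk == e.pk } || e }
end

# Drop incoming rows whose primary key already exists, changed or not.
def eliminate_duplicates_pk(incoming, existing)
  keys = existing.map(&:pk)
  incoming.reject { |r| keys.include?(r.pk) }
end

# Report rows that eliminate_duplicates_pk will drop although their value differs.
def detect_duplicates_pk(incoming, existing)
  incoming.filter_map do |i|
    e = existing.find { |x| x.pk == i.pk }
    next unless e && e.value != i.value
    { resource_id: i.resource_id, name: i.name, diff: { value: [e.value, i.value] } }
  end
end

# Returns [resulting rows, dropped updates]. Only :post skips update_changed.
def load_policy(method, incoming, existing)
  incoming = eliminate_duplicates_exact(incoming, existing)
  dropped = []
  if method == :post
    dropped = detect_duplicates_pk(incoming, existing)
    warn "WARNING: updates discarded: #{dropped.inspect}" unless dropped.empty?
  else
    existing = update_changed(incoming, existing)
  end
  incoming = eliminate_duplicates_pk(incoming, existing)
  [existing + incoming, dropped]
end

# Constructed sample data, mirroring the example warning in the PR description.
EXISTING = [Row.new("cucumber:host:hosts/annotated", "description", "Already annotated")]
INCOMING = [Row.new("cucumber:host:hosts/annotated", "description", "Success"),
            Row.new("cucumber:host:hosts/annotated", "owner", "ops")]
```

With `:post` the new `owner` row is added, the changed `description` keeps its old value, and the only trace of the lost update is the warning; with `:patch` the same input persists the change.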