feat: add resource class id in session launcher #249
Conversation
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
|
You can access the deployment of this PR at https://renku-ci-ds-249.dev.renku.ch |
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
5bb41c8 to
60e7448
Compare
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
60e7448 to
c4eb800
Compare
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
c4eb800 to
93d2dfa
Compare
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
93d2dfa to
19540e0
Compare
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
19540e0 to
f15c97f
Compare
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
f15c97f to
0971091
Compare
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
0971091 to
79f8d84
Compare
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
79f8d84 to
5c02a77
Compare
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
5c02a77 to
310b5b1
Compare
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
310b5b1 to
0445579
Compare
There was a problem hiding this comment.
Thank you, this is really nice. I have some comments, but that's mostly things that were already wrong before you started, so nothing you did wrong and we need to clean this up during cooldown. But we should still address them in the newly added code at least. Ping me if there's questions of I can help 🙂
| @@ -318,7 +318,7 @@ def get_no_pool(self) -> BlueprintFactoryResponse: | |||
| @authenticate(self.authenticator) | |||
| @validate_db_ids | |||
| async def _get_no_pool(_: Request, user: base_models.APIUser, class_id: int) -> HTTPResponse: | |||
| res = await self.repo.get_classes(api_user=user, id=class_id) | |||
| res = await self.repo.get_classes(api_user=None, id=class_id) | |||
There was a problem hiding this comment.
nitpick: if the user is not used in this method at all, you can just remove the @authenticate decorator above
There was a problem hiding this comment.
Sure, included in the latest commit.
| resource_class_id = new_launcher.resource_class_id | ||
| if resource_class_id is not None: | ||
| res = await session.scalars( | ||
| select(schemas.ResourceClassORM).where(schemas.ResourceClassORM.id == resource_class_id) | ||
| ) | ||
| resource_class = res.one_or_none() | ||
| if resource_class is None: | ||
| raise errors.MissingResourceError( | ||
| message=f"Resource class with id '{resource_class_id}' does not exist or you do not have access to it." # noqa: E501 | ||
| ) | ||
|
|
There was a problem hiding this comment.
issue: we should use get_classes with the user here. doing DB queries in the session db on things owned by the crc DB doesn't separate concerns properly and despite the error saying or you do not have access to it, this does not actually check permissions.
So here we should call ResourcePoolRepository.get_classes. For this to work, we need to inject the ResourcePoolRepository into the SessionRepository. similar to line 47 for project_authz.
To be clear, this is not something you did wrong, but something this whole file is guilty of and that we need to address in the future. But at least for new code we should do it properly.
There was a problem hiding this comment.
Sure, included in the latest commit.
| resource_class_id = kwargs.get("resource_class_id") | ||
| if resource_class_id is not None: | ||
| res = await session.scalars( | ||
| select(schemas.ResourceClassORM).where(schemas.ResourceClassORM.id == resource_class_id) | ||
| ) | ||
| resource_class = res.one_or_none() | ||
| if resource_class is None: | ||
| raise errors.MissingResourceError( | ||
| message=f"Resource class with id '{resource_class_id}' does not exist or you do not have access to it." # noqa: E501 | ||
| ) |
There was a problem hiding this comment.
issue: same here, we need to properly validate that a user actually has access to the class.
| @@ -139,6 +150,7 @@ def dump(self) -> models.SessionLauncher: | |||
| description=self.description, | |||
| environment_kind=self.environment_kind, | |||
| environment_id=self.environment_id if self.environment_id is not None else None, | |||
| resource_class_id=self.resource_class_id if self.resource_class_id is not None else None, | |||
There was a problem hiding this comment.
nitpick: I don't think this if actually does something, same for the line above. we can just assign directly.
| @@ -277,6 +277,7 @@ async def test_post_session_launcher(sanic_client: SanicASGITestClient, user_hea | |||
| assert res.json.get("environment_kind") == "container_image" | |||
| assert res.json.get("container_image") == "some_image:some_tag" | |||
| assert res.json.get("environment_id") is None | |||
| assert res.json.get("resource_class_id") is None | |||
There was a problem hiding this comment.
suggestion: it would be nice to test that setting this to a value also works, though that's a bit more difficult as we don't have a fixture to have a pool/class available.
It'd be nice to have something like https://github.com/SwissDataScienceCenter/renku-data-services/blob/main/test/bases/renku_data_services/data_api/test_resource_pools.py#L68-L74 as a fixture that you can depend on. Let me know if you need help with that.
There was a problem hiding this comment.
sure, I added the fixture to create a resource pool and the test to validate if the user has access to the resource class when creating or updating a launcher.
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
had a problem deploying
to
renku-ci-ds-249
GitHub Actions
Failure
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
|
Thank you, @Panaetius and @leafty, for your review. I have incorporated your suggestions, and the changes are ready for your review again. |
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
Pull Request Test Coverage Report for Build 9659135346Details
💛 - Coveralls |
| @@ -217,15 +222,22 @@ async def insert_launcher( | |||
| resource_class = res.one_or_none() | |||
| if resource_class is None: | |||
| raise errors.MissingResourceError( | |||
| message=f"Resource class with id '{resource_class_id}' does not exist or you do not have access to it." # noqa: E501 | |||
| message=f"Resource class with id '{resource_class_id}' does not exist." # noqa: E501 | |||
There was a problem hiding this comment.
nitpick: I think now the noqa: E501 is not necessary anymore, as the line is not too long.
With pre-commit hooks installed, yesqa should catch this
| @@ -269,7 +281,14 @@ async def update_launcher( | |||
| resource_class = res.one_or_none() | |||
| if resource_class is None: | |||
| raise errors.MissingResourceError( | |||
| message=f"Resource class with id '{resource_class_id}' does not exist or you do not have access to it." # noqa: E501 | |||
| message=f"Resource class with id '{resource_class_id}' does not exist." # noqa: E501 | |||
| ) | |||
…update; include tests for unauthorized resource_class_id
… session launcher
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
826850b to
149d71e
Compare
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
andre-code
force-pushed
the
andrea/add-launcher-resource-class
branch
from
149d71e to
b8b8464
Compare
andre-code
temporarily deployed
to
renku-ci-ds-249
GitHub Actions
Inactive
|
|
||
| # Recreate the foreign key with ON DELETE SET NULL |
There was a problem hiding this comment.
non-blocking: I think this comment can be removed here.
| # Recreate the foreign key with ON DELETE SET NULL |
Pull Request Test Coverage Report for Build 9696088375Details
💛 - Coveralls |
|
Tearing down the temporary RenkuLab deplyoment for this PR. |
PR to support resource class in session launcher.
/deploy