[FOLIO-2665] folio-testing-backend Jenkins build broken today, permissions for email configuration Created: 30/Jun/20 Updated: 02/Jul/20 Resolved: 02/Jul/20 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P2 |
| Reporter: | David Crossley | Assignee: | David Crossley |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | DevOps: sprint 92 | ||||||||
| Development Team: | FOLIO DevOps | ||||||||
| Description |
|
Following today's merge of branches related to
However folio-testing-backend/521 did fail at the task which posts mod-email configuration to mod-configuration:
TASK [post-config-entries : post mod-email configuration]
failed: [10.36.1.78] (item=email_from.json.j2) => {"changed": false, "connection": "close",
"content": "Access requires permission: configuration.entries.item.post",
"content_type": "text/plain", "item": "email_from.json.j2",
"msg": "Status code was 403 and not [201, 422]:
...
Note that folio-testing-core-backend (and other builds) are successful at this task. Also note that yesterday's build of folio-testing-backend/520 (prior to today's merges) is successful at this task. |
| Comments |
| Comment by Ian Hardy [ 30/Jun/20 ] |
|
One difference in folio-testing is that it is importing the tenant-admin-permissions role again at the end: https://github.com/folio-org-priv/folio-infrastructure/blob/master/CI/ansible/folio-testing.yml#L76. I'm not sure what the history here is. It shouldn't hurt to run it again, but this is the one that's failing. The role runs successfully a few times before this time. |
| Comment by Ian Hardy [ 30/Jun/20 ] |
|
My above guess was wrong, so the problem is the obvious error (no permissions to post config entries); the build passes when posting config entries is skipped: https://jenkins-aws.indexdata.com/job/Automation/job/folio-testing-test/92/. So we need to find out why mod configuration perms aren't assigned on testing but are on snapshot. |
| Comment by Wayne Schneider [ 01/Jul/20 ] |
|
I think Ian Hardy figured it out, recording here for completeness: The issue does not occur when using Okapi 2.x, because module permissions do not create the special SYS# permissions with that version of Okapi. Okapi v3.x creates special SYS# permissions for module permissions associated with interface endpoints. Those permissions look like this:
{
"permissionName" : "SYS#mod-marccat-2.3.0-SNAPSHOT.380#/marccat/bibliographic/fields/mandatory#[GET]",
"displayName" : "System generated: SYS#mod-marccat-2.3.0-SNAPSHOT.380#/marccat/bibliographic/fields/mandatory#[GET]",
"id" : "41fe286e-8f52-43fe-aed7-37168b965a8c",
"description" : "System generated permission set",
"tags" : [ ],
"subPermissions" : [ "configuration.all" ],
"childOf" : [ ],
"grantedTo" : [ ],
"mutable" : false,
"visible" : false,
"dummy" : false
}
Note that a standard permissionSet (in this case, configuration.all) is a subPermission of the system-generated permission set. That means that the childOf property of configuration.all is no longer empty. The request that is used to pull in the top-level permissionSets to assign to the admin user (/perms/permissions?query=%28childOf%3D%3D%5B%5D%20not%20permissionName%3D%3Dokapi.%2A%20not%20permissionName%3D%3DSYS%23%2A%29&length=5000) therefore excludes any formerly top-level permissionSets that are used as module permissions by any module enabled for the tenant. |
| Comment by Wayne Schneider [ 01/Jul/20 ] |
|
The problem with post-config-entries occurs on testing but not snapshot because the UI permissions are already created and granted to the tenant admin on snapshot before post-config-entries runs – and several UI permissionSets contain configuration.all as a subPermission. On testing, the UI permissions are created and granted in a separate step, as part of the frontend build, after post-config-entries runs. |
| Comment by David Crossley [ 02/Jul/20 ] |
|
Wayne developed an improved CQL query, in conjunction with a follow-up Ansible json_query, to handle the new system permissions of Okapi v3. |
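
The selection problem described in the comments above, as an added example that is not part of the original issue and is not the query Wayne wrote. It applies the original `childOf==[]` filter and an assumed alternative (treat a permission as top-level when all of its parents are `SYS#` permissions) to constructed records; every record other than the `SYS#` entry, and the membership of `configuration.entries.item.post` in `configuration.all`, are assumptions.

```python
# Constructed sample records shaped like mod-permissions entries; only
# the SYS# entry's name and subPermissions come from the issue text.
SYS = "SYS#mod-marccat-2.3.0-SNAPSHOT.380#/marccat/bibliographic/fields/mandatory#[GET]"
PERMS = [
    {"permissionName": SYS, "subPermissions": ["configuration.all"], "childOf": []},
    {"permissionName": "configuration.all",
     "subPermissions": ["configuration.entries.item.post"], "childOf": [SYS]},
    {"permissionName": "configuration.entries.item.post",
     "subPermissions": [], "childOf": ["configuration.all"]},
    {"permissionName": "okapi.all", "subPermissions": [], "childOf": []},
    {"permissionName": "users.all", "subPermissions": [], "childOf": []},
]

def _excluded(name):
    # Mirrors "not permissionName==okapi.* not permissionName==SYS#*"
    return name.startswith("okapi.") or name.startswith("SYS#")

def top_level_original(perms):
    """The query from the issue: childOf==[] minus okapi.* and SYS#*."""
    return sorted(p["permissionName"] for p in perms
                  if not p["childOf"] and not _excluded(p["permissionName"]))

def top_level_ignoring_sys_parents(perms):
    """Assumed alternative: top-level if every parent is a SYS# permission."""
    return sorted(p["permissionName"] for p in perms
                  if not _excluded(p["permissionName"])
                  and all(parent.startswith("SYS#") for parent in p["childOf"]))

def expand(names, perms):
    """Flatten granted permission sets into all effective permission names."""
    by_name = {p["permissionName"]: p for p in perms}
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(by_name.get(name, {}).get("subPermissions", []))
    return seen

if __name__ == "__main__":
    for select in (top_level_original, top_level_ignoring_sys_parents):
        granted = select(PERMS)
        ok = "configuration.entries.item.post" in expand(granted, PERMS)
        print(f"{select.__name__}: grants={granted} can_post_config={ok}")
```
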