[FOLIO-2665] folio-testing-backend Jenkins build broken today, permissions for email configuration Created: 30/Jun/20  Updated: 02/Jul/20  Resolved: 02/Jul/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: David Crossley Assignee: David Crossley
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-2633 Jenkins builds broken when okapi-3 un... Closed
Sprint: DevOps: sprint 92
Development Team: FOLIO DevOps

 Description   

Following today's merge of branches related to FOLIO-2633 (Closed) and FOLIO-2660 (Closed), all other daily reference environment builds were successful.

However, folio-testing-backend/521 did fail at the task which posts mod-email configuration to mod-configuration:

TASK [post-config-entries : post mod-email configuration]
failed: [10.36.1.78] (item=email_from.json.j2) => {"changed": false, "connection": "close",
"content": "Access requires permission: configuration.entries.item.post",
"content_type": "text/plain", "item": "email_from.json.j2",
"msg": "Status code was 403 and not [201, 422]:
...

Note that folio-testing-core-backend (and other builds) are successful at this task.

Also note that yesterday's build of folio-testing-backend/520 (prior to today's merges) is successful at this task.



 Comments   
Comment by Ian Hardy [ 30/Jun/20 ]

One difference in folio-testing is that it is importing the tenant-admin-permissions role again at the end: https://github.com/folio-org-priv/folio-infrastructure/blob/master/CI/ansible/folio-testing.yml#L76. I'm not sure what the history here is. It shouldn't hurt to run it again, but this is the one that's failing. The role runs successfully a few times before this time.

Comment by Ian Hardy [ 30/Jun/20 ]

My above guess was wrong, so the problem is the obvious error (no permissions to post config entries), build passes when posting config entries is skipped: https://jenkins-aws.indexdata.com/job/Automation/job/folio-testing-test/92/. So need to find out why mod configuration perms aren't assigned on testing but are on snapshot.

Comment by Wayne Schneider [ 01/Jul/20 ]

I think Ian Hardy figured it out, recording here for completeness:

The issue does not occur when using Okapi 2.x, because module permissions do not create the special SYS# permissions with that version of Okapi.

Okapi v3.x creates special SYS# permissions for module permissions associated with interface endpoints. Those permissions look like this:

  {
    "permissionName" : "SYS#mod-marccat-2.3.0-SNAPSHOT.380#/marccat/bibliographic/fields/mandatory#[GET]",
    "displayName" : "System generated: SYS#mod-marccat-2.3.0-SNAPSHOT.380#/marccat/bibliographic/fields/mandatory#[GET]",
    "id" : "41fe286e-8f52-43fe-aed7-37168b965a8c",
    "description" : "System generated permission set",
    "tags" : [ ],
    "subPermissions" : [ "configuration.all" ],
    "childOf" : [ ],
    "grantedTo" : [ ],
    "mutable" : false,
    "visible" : false,
    "dummy" : false
  }

Note that a standard permissionSet (in this case, configuration.all) is a subPermission of the system-generated permission set. That means that the childOf property of configuration.all is no longer empty.

The request that is used to pull in the top-level permissionSets to assign to the admin user (/perms/permissions?query=%28childOf%3D%3D%5B%5D%20not%20permissionName%3D%3Dokapi.%2A%20not%20permissionName%3D%3DSYS%23%2A%29&length=5000) therefore excludes any formerly top-level permissionSets that are used as module permissions by any module enabled for the tenant.

Comment by Wayne Schneider [ 01/Jul/20 ]

The problem with post-config-entries occurs on testing but not snapshot because the UI permissions are already created and granted to the tenant admin on snapshot before post-config-entries runs – and several UI permissionSets contain configuration.all as a subPermission. On testing, the UI permissions are created and granted in a separate step, as part of the frontend build, after post-config-entries runs.

Comment by David Crossley [ 02/Jul/20 ]

Wayne developed an improved CQL query, in conjunction with a followup ansible json_query, to handle the new system permissions of Okapi v3.

See folio-ansible/pull/363
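
Added example (not part of this ticket, and not the query from folio-ansible/pull/363): a Python model of the selection problem described in the comments above, run on constructed permission records. The function names are hypothetical, and `top_level_ignoring_sys` is one assumed way to handle parents that are only SYS# permissions.

```python
# Constructed sample shaped like /perms/permissions records (not real tenant
# data); only the fields the selection logic reads are included.
SAMPLE_PERMS = [
    {"permissionName": "SYS#mod-example-1.0.0#/example/items#[GET]",
     "childOf": [], "subPermissions": ["configuration.all"]},
    {"permissionName": "configuration.all",
     "childOf": ["SYS#mod-example-1.0.0#/example/items#[GET]"],
     "subPermissions": ["configuration.entries.item.post"]},
    {"permissionName": "configuration.entries.item.post",
     "childOf": ["configuration.all"], "subPermissions": []},
    {"permissionName": "okapi.all", "childOf": [], "subPermissions": []},
    {"permissionName": "users.all", "childOf": [], "subPermissions": []},
]


def is_excluded(name):
    """Names the admin-grant query filters out: okapi.* and SYS#*."""
    return name.startswith("okapi.") or name.startswith("SYS#")


def top_level_strict(perms):
    """Mirror the query on the page: childOf==[] not okapi.* not SYS#*."""
    return sorted(p["permissionName"] for p in perms
                  if not p["childOf"] and not is_excluded(p["permissionName"]))


def top_level_ignoring_sys(perms):
    """Assumed fix: a set is top-level when every parent is a SYS# permission.
    all() over an empty childOf is True, so plain top-level sets still match."""
    return sorted(p["permissionName"] for p in perms
                  if not is_excluded(p["permissionName"])
                  and all(parent.startswith("SYS#") for parent in p["childOf"]))


def effective(perms, granted):
    """Expand the granted permissionSets through subPermissions."""
    by_name = {p["permissionName"]: p for p in perms}
    seen, stack = set(), list(granted)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(by_name.get(name, {}).get("subPermissions", []))
    return seen
```

With the strict selection the admin user never receives configuration.entries.item.post, which matches the 403 in the description; the relaxed selection restores it without granting any SYS# permission directly.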
