|
Oleksii Kuzminov Marc Johnson Kateryna Senchenko Could you review the above and try to identify which module (and therefore which team) should deal with this? P1 problem since all ref envs are failing.
|
|
Core-platform,
MODPERMS-115
Closed
mod-inventory and mod-pubsub declare inventory.events.post in permissionSets.
Since mod-inventory is the one that requires it as well, it is the "owner".
This is a bug in mod-pubsub but is now seen after mod-permissions checks for duplicate permissions.
There are many ways that this can be fixed..
mod-permissions can "relax" its check
okapi could do checks too so that it would not even be possible to create a module with a permission set that is declared anywhere else than for "this" module.
mod-pubsub could be fixed.
https://github.com/folio-org/mod-pubsub/blob/cbffe888452c82a36b68eca7fd230535061ee19a/descriptors/ModuleDescriptor-template.json#L292
It looks like it's just the list in mod-pubsub without the pubsub. lead
|
|
MODPUBSUB-144
Closed
https://github.com/folio-org/mod-pubsub/pull/123
|
|
Kateryna Senchenko Please make sure that MODPUBSUB-144 (Closed) is included in the PubSub release next sprint. Thank you!
|
|
Unfortunately, I can see other duplicated permission names. Here's what I did to find them..
Get all "latest" okapi modules.. /_/proxy/modules?latest=1&full=true and put them in a file, say modules.json
Now run cat modules.json |jq '.[].permissionSets[].permissionName' |sort and the first one in the list is audit.all listed twice.
This permission is defined both by mod-audit:1.1.0-SNAPSHOT.75 and folioci/mod-audit-storage:0.0.1-SNAPSHOT.5. This is a combo definition consisting of several sub permissions.. However, they are NOT identical, so that's quite serious.. We (so far) have been using an undefined definition of that bit.
|
|
Looks like Firebird manages mod-audit. Does someone from that team need to review? cc: Stephanie Buck
|
|
Adam Dickmeiss Craig McNally Jakub Skoczen
Is this caused by the change to make permissions defined by the system immutable and hence cannot be redefined by another module?
|
|
Siarhei Charniak and Viachaslau Khandramai, can you take a look at this please?
cc: Former user
|
|
Ended up making a utility in Okapi to check this fully. See below.
In these cases we need to determine what modules should ultimately define it. I have attached that file as folio-2989-problems.txt.
Permission ui-inventory.instance.view-staff-suppressed-records defined for modules: folio_inventory-5.0.10001133 folio_inventory-5.0.10001133
Permission vendor-storage.emails.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission audit.item.post defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.vendor-types.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.urls.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.emails.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendor-types.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission audit.all defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.aliases.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.module.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.interfaces.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendor-types.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.contacts.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission inventory.events.post defined for modules: mod-inventory-16.2.0-SNAPSHOT.321 mod-pubsub-1.4.0-SNAPSHOT.121
Permission vendor-storage.urls.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.urls.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission marccat.fixed-fields-code-groups.collection.get defined for modules: mod-marccat-2.3.0-SNAPSHOT.404 mod-marccat-2.3.0-SNAPSHOT.404
Permission vendor-storage.addresses.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.accounts.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.urls.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendor-types.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.emails.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.emails.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.addresses.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.addresses.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.aliases.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.contacts.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.aliases.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.agreements.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission audit.item.put defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.agreements.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission patron-blocks.events.post defined for modules: mod-patron-blocks-1.2.0-SNAPSHOT.43 mod-pubsub-1.4.0-SNAPSHOT.121
Permission vendor-storage.interfaces.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.interfaces.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.urls.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendor-types.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.accounts.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.agreements.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.aliases.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.interfaces.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.accounts.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.aliases.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.addresses.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.interfaces.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.urls.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendors.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.contacts.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.agreements.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission audit.item.get defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.accounts.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.agreements.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission licenses.licenseLinks.collection.get defined for modules: mod-licenses-3.1.0-SNAPSHOT.154 mod-licenses-3.1.0-SNAPSHOT.154
Permission finc-select.all defined for modules: folio_finc-select-2.0.1000193 mod-finc-config-4.1.0-SNAPSHOT.116
Permission vendor-storage.contacts.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission licenses.licenseLinks.item.get defined for modules: mod-licenses-3.1.0-SNAPSHOT.154 mod-licenses-3.1.0-SNAPSHOT.154
Permission vendor-storage.agreements.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.addresses.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission circulation.events.post defined for modules: mod-circulation-19.3.0-SNAPSHOT.796 mod-pubsub-1.4.0-SNAPSHOT.121
Permission vendor-storage.aliases.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission finc-config.all defined for modules: folio_finc-config-2.0.1000221 mod-finc-config-4.1.0-SNAPSHOT.116
Permission audit.collection.get defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.addresses.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.emails.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.categories.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.vendor-types.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.phone-numbers.item.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.contacts.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.emails.item.delete defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission audit.item.delete defined for modules: mod-audit-1.1.0-SNAPSHOT.75 mod-audit-storage-0.0.1-SNAPSHOT.5
Permission vendor-storage.accounts.all defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.accounts.collection.get defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.interfaces.item.post defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Permission vendor-storage.contacts.item.put defined for modules: folio_vendors-1.5.1000142 mod-vendors-2.2.0-SNAPSHOT.47
Module folio_inventory-5.0.10001133 could have problems
Module mod-vendors-2.2.0-SNAPSHOT.47 could have problems
Module mod-inventory-16.2.0-SNAPSHOT.321 could have problems
Module mod-audit-storage-0.0.1-SNAPSHOT.5 could have problems
Module mod-marccat-2.3.0-SNAPSHOT.404 could have problems
Module mod-circulation-19.3.0-SNAPSHOT.796 could have problems
Module folio_vendors-1.5.1000142 could have problems
Module folio_finc-config-2.0.1000221 could have problems
Module folio_finc-select-2.0.1000193 could have problems
Module mod-pubsub-1.4.0-SNAPSHOT.121 could have problems
Module mod-inventory-storage-19.5.0-SNAPSHOT.528 could have problems
Module mod-finc-config-4.1.0-SNAPSHOT.116 could have problems
Module mod-audit-1.1.0-SNAPSHOT.75 could have problems
Module mod-patron-blocks-1.2.0-SNAPSHOT.43 could have problems
Module mod-licenses-3.1.0-SNAPSHOT.154 could have problems
|
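Added example, not part of the original thread and not the Okapi utility mentioned above: a Python sketch of the duplicate check the comments describe, run over a module list in the shape of `/_/proxy/modules?latest=1&full=true`. It separates a permission declared twice in one descriptor, one declared by two modules with the same definition, and one declared by two modules with differing subPermissions. The sample data is constructed (ids and permission names are from the thread, the subPermissions contents and `mod-example-1.0.0` are assumptions), and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like /_/proxy/modules?latest=1&full=true output.
# Module ids and permission names come from the thread; the subPermissions
# lists and the last module (no permissionSets) are made up for illustration.
MODULES_JSON = """[
 {"id": "mod-inventory-16.2.0-SNAPSHOT.321",
  "permissionSets": [{"permissionName": "inventory.events.post"}]},
 {"id": "mod-pubsub-1.4.0-SNAPSHOT.121",
  "permissionSets": [{"permissionName": "inventory.events.post"}]},
 {"id": "mod-licenses-3.1.0-SNAPSHOT.154",
  "permissionSets": [{"permissionName": "licenses.licenseLinks.item.get"},
                     {"permissionName": "licenses.licenseLinks.item.get"}]},
 {"id": "mod-audit-1.1.0-SNAPSHOT.75",
  "permissionSets": [{"permissionName": "audit.all",
                      "subPermissions": ["audit.item.get", "audit.item.post"]}]},
 {"id": "mod-audit-storage-0.0.1-SNAPSHOT.5",
  "permissionSets": [{"permissionName": "audit.all",
                      "subPermissions": ["audit.item.get"]}]},
 {"id": "mod-example-1.0.0"}
]"""
SAMPLE_MODULES = json.loads(MODULES_JSON)


def find_collisions(modules):
    """Return {permissionName: {"kind": ..., "modules": [...]}} for every
    permission declared more than once across the given descriptors."""
    seen = defaultdict(list)  # permissionName -> [(module id, definition)]
    for mod in modules:
        # A descriptor may carry no permissionSets at all.
        for perm in mod.get("permissionSets") or []:
            seen[perm["permissionName"]].append((mod["id"], perm))

    findings = {}
    for name, decls in seen.items():
        if len(decls) < 2:
            continue
        owners = sorted({mod_id for mod_id, _ in decls})
        # Definitions are compared by their subPermissions, order ignored.
        shapes = {tuple(sorted(p.get("subPermissions") or [])) for _, p in decls}
        if len(owners) == 1:
            kind = "same-module"    # declared twice in one descriptor
        elif len(shapes) > 1:
            kind = "conflicting"    # two owners, different definitions
        else:
            kind = "cross-module"   # two owners, same definition
        findings[name] = {"kind": kind, "modules": owners}
    return findings


def report(findings):
    """One line per collision, sorted by permission name."""
    return [f"{f['kind']}: {name} declared by {' '.join(f['modules'])}"
            for name, f in sorted(findings.items())]


if __name__ == "__main__":
    print("\n".join(report(find_collisions(SAMPLE_MODULES))))
```

Running it against the module list enabled for a real tenant, rather than only the latest modules, avoids flagging archived or renamed modules.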
|
Hi everyone,
Pubsub declares a set of permissions that are also declared by other modules to allow the pubsub user to publish events on behalf of those modules. If removing those declarations from pubsub would fix the env builds - let's do so, but this might also break pubsub dependent business flows. We have the relogin for pubsub user and retry logic for delivering events, and maybe this will be enough, if not - we'll deal with it after the envs are brought back to life.
|
|
Adam Dickmeiss Jakub Skoczen Craig McNally Ann-Marie Breaux Stephanie Buck
Adam Dickmeiss thank you for producing the list of potentially affected modules.
There are many ways that this can be fixed..
mod-permissions can "relax" its check
okapi could do checks too so that it would not even be possible to create a module with a permission set that is declared anywhere else than for "this" module.
mod-pubsub could be fixed.
Given that this effectively makes the hosted reference environments unavailable until it is resolved, how are we intending to resolve this?
Are we going to wait for changes to all affected modules before the environments can be built or are we going to weaken the permissions check in mod-permissions temporarily?
As the list appears quite long and likely requires some effort to investigate, I suggest we timebox our efforts on that and have a backup plan for making the environments available again.
Upon further investigation, I think the mod-audit / mod-audit-storage is a false collision. mod-audit-storage in github redirects to mod-audit. I suspect the module was renamed and only mod-audit is actually a current module (the module responsibility wiki page does not list mod-audit-storage either). Viachaslau Khandramai Please could you confirm this?
I've written up a comment on MODPUBSUB-144 (Closed). I think the resolution of that could be more complicated depending upon whether non-existent permissions can be granted to users.
|
|
I think the list is big enough for us to relax the check. It's a good exercise though. It has forced us to rethink how permissions are defined and declared.
|
|
I think the vendors warnings might also be false collisions. Both mod-vendors and ui-vendors have been archived. It seems they have been renamed to mod-organizations and ui-organizations.
Andrei Makaranka Aliaksei Chumakou please could you confirm this.
Permission ui-inventory.instance.view-staff-suppressed-records defined for modules: folio_inventory-5.0.10001133 folio_inventory-5.0.10001133
Permission licenses.licenseLinks.collection.get defined for modules: mod-licenses-3.1.0-SNAPSHOT.154 mod-licenses-3.1.0-SNAPSHOT.154
Adam Dickmeiss these appear to be collisions with themselves. Have I interpreted that correctly?
|
|
Great that there are some false positives.. I'll remove those.. (Ideally I should have executed this against a real list for a tenant and not just the latest modules)
|
|
It's a much smaller list now.. In some trivial cases the permission is just defined twice in the same module.
|
Permission ui-inventory.instance.view-staff-suppressed-records defined for modules: folio_inventory-5.0.10001133 folio_inventory-5.0.10001133
Permission inventory.events.post defined for modules: mod-inventory-16.2.0-SNAPSHOT.321 mod-pubsub-1.4.0-SNAPSHOT.121
Permission patron-blocks.events.post defined for modules: mod-patron-blocks-1.2.0-SNAPSHOT.43 mod-pubsub-1.4.0-SNAPSHOT.121
Permission licenses.licenseLinks.collection.get defined for modules: mod-licenses-3.1.0-SNAPSHOT.154 mod-licenses-3.1.0-SNAPSHOT.154
Permission finc-select.all defined for modules: folio_finc-select-2.0.1000193 mod-finc-config-4.1.0-SNAPSHOT.116
Permission licenses.licenseLinks.item.get defined for modules: mod-licenses-3.1.0-SNAPSHOT.154 mod-licenses-3.1.0-SNAPSHOT.154
Permission circulation.events.post defined for modules: mod-circulation-19.3.0-SNAPSHOT.796 mod-pubsub-1.4.0-SNAPSHOT.121
Permission finc-config.all defined for modules: folio_finc-config-2.0.1000221 mod-finc-config-4.1.0-SNAPSHOT.116
Module folio_inventory-5.0.10001133 could have problems
Module mod-inventory-16.2.0-SNAPSHOT.321 could have problems
Module mod-circulation-19.3.0-SNAPSHOT.796 could have problems
Module folio_finc-config-2.0.1000221 could have problems
Module folio_finc-select-2.0.1000193 could have problems
Module mod-pubsub-1.4.0-SNAPSHOT.121 could have problems
Module mod-finc-config-4.1.0-SNAPSHOT.116 could have problems
Module mod-patron-blocks-1.2.0-SNAPSHOT.43 could have problems
Module mod-licenses-3.1.0-SNAPSHOT.154 could have problems
More deprecated modules left?
|
|
Marc Johnson I confirm regarding mod-vendors and ui-vendors - nowadays it's mod-organizations and ui-organizations
|
|
Created two PRs for the trivial case where a permission is defined twice..
https://github.com/folio-org/mod-licenses/pull/158
https://github.com/folio-org/ui-inventory/pull/1285
(the same permission in a module, it is not known whether mod-permissions would reject that, still it's a problem to declare things twice)
Besides mod-pubsub, there isn't much left - only finc stuff.
|
|
PRs for finc stuff: https://github.com/folio-org/ui-finc-config/pull/231 and https://github.com/folio-org/ui-finc-select/pull/198
|
|
Adam Dickmeiss
Besides mod-pubsub
I thought Kateryna Senchenko approved the pull request you issued for mod-pubsub? Does that not resolve the collisions (at the potential impact of other challenges)?
|
|
I think we're good to go for another refenv build.
Yes Marc Johnson.. that solves the collisions ..
|
|
Adam Dickmeiss
Thanks. I'll kick off a sequence of builds
|
|
Folio-testing is back up. I suggest folks test the modules / processes that have changed in case this has caused any unexpected impact.
|
|
Marc Johnson,
we support only mod-audit. + there are no changes in mod-audit at least since December last year.
|
|
Viachaslau Khandramai
we support only mod-audit.
Was mod-audit-storage renamed to mod-audit?
|
|
Initially, as far as I know, mod-audit contained a DB, so we just continue to implement this module with an internal DB. An additional module relating to audit is https://github.com/folio-org/mod-audit-filter. But it is in place.
|
Generated at Thu Feb 08 23:24:46 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.