Fix issues with oc adm migrate authorization #18005

@enj enj commented Jan 5, 2018

This change handles a number of bugs with the migrate authorization command:

  1. Rework MigrateAuthorizationOptions.checkParity to be a MigrateActionFunc instead of a MigrateVisitFunc. This allows us to take advantage of migrate's default retry handling.
  2. Add proper retry logic to checkParity, and have all check* funcs return the appropriate TemporaryError based on the situation. This coupled with migrate's existing retry logic makes the command resilient against common errors such as the deletion of resources.
  3. Remove the binding of the standard migrate flags from migrate authorization. This command supports no parameters, and exposing the standard migrate parameters allows the user to accidentally break how the command runs.
  4. Fix GroupVersion constants used for discovery based gating. They were incorrectly set to the internal version instead of v1. This would cause the policy based gating to always think that the server did not support policy objects.
  5. Force RBAC client to use v1beta1 since that is the only version supported by a 3.6 server. This allows you to use a 3.9 client against a 3.6 server.
  6. Remove rate limiting from the RBAC client to fix BZ 1513139. Only a cluster admin can interact with RBAC resources on a 3.6 server, so this will quickly error out if run by a non-privileged user.

Bug 1513139

Signed-off-by: Monis Khan [email protected]

/kind bug
/assign @simo5 @smarterclayton @deads2k @mrogers950

cc @sdodson @jupierce

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jan 5, 2018
@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 5, 2018
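
The retry behaviour that items 1 and 2 of the description rely on, as an added sketch that is not code from this pull request or from the project. Only `TemporaryError`, `ErrNotRetriable` and `Temporary()` appear on this page; `ErrRetriable`, `retryAction` and `flakyParityCheck` are hypothetical names, and the failing check is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// TemporaryError lets an error report whether retrying could succeed.
type TemporaryError interface {
	error
	Temporary() bool
}

// ErrRetriable (assumed counterpart, not shown on this page) marks a transient failure.
type ErrRetriable struct{ error }
func (ErrRetriable) Temporary() bool { return true }

// ErrNotRetriable marks a failure that retrying cannot fix.
type ErrNotRetriable struct{ error }
func (ErrNotRetriable) Temporary() bool { return false }

// retryAction (hypothetical) reruns action while it returns a temporary error.
// It allows `retries` extra attempts and reports how many attempts were made.
func retryAction(retries int, action func() error) (int, error) {
	var err error
	for attempt := 1; attempt <= retries+1; attempt++ {
		err = action()
		var t TemporaryError
		if err == nil || !errors.As(err, &t) || !t.Temporary() {
			return attempt, err // success, or an error that must not be retried
		}
	}
	return retries + 1, fmt.Errorf("still failing after %d attempts: %w", retries+1, err)
}

// flakyParityCheck (hypothetical, constructed) fails its first n calls, the way
// a check does when the object is deleted or updated underneath it.
func flakyParityCheck(n int) func() error {
	return func() error {
		if n > 0 {
			n--
			return ErrRetriable{errors.New("object changed during parity check")}
		}
		return nil
	}
}

func main() {
	fmt.Println(retryAction(3, flakyParityCheck(2)))
	fmt.Println(retryAction(3, func() error { return ErrNotRetriable{errors.New("forbidden")} }))
}
```

An error that does not implement `TemporaryError` is treated like `ErrNotRetriable` here, so a check function has to opt in to being retried.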

enj commented Jan 5, 2018

/cherrypick release-3.8

@openshift-cherrypick-robot

@enj: once the present PR merges, I will cherry-pick it on top of release-3.8 in a new PR and assign it to you.

In response to this:

/cherrypick release-3.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


enj commented Jan 5, 2018

/cherrypick release-3.7

@openshift-cherrypick-robot

@enj: once the present PR merges, I will cherry-pick it on top of release-3.7 in a new PR and assign it to you.

In response to this:

/cherrypick release-3.7


enj commented Jan 5, 2018

/cherrypick release-3.6

@openshift-cherrypick-robot

@enj: once the present PR merges, I will cherry-pick it on top of release-3.6 in a new PR and assign it to you.

In response to this:

/cherrypick release-3.6


simo5 commented Jan 5, 2018

/retest


enj commented Jan 17, 2018

@smarterclayton @deads2k this needs review.

}

func (ErrNotRetriable) Temporary() bool { return false }

type temporary interface {
type TemporaryError interface {
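
Review bot: the interface exported at the end of this hunk as `TemporaryError` has no doc comment, and once the name is public the comment should also state the contract callers depend on: what a true result from `Temporary()` permits, and that a false result, as `ErrNotRetriable` returns just above, means the operation must not be retried. Suggest a comment starting with "TemporaryError is ..." directly above the type declaration.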

Add godoc

@smarterclayton

LGTM other than the one minor thing, feel free to self tag

This change handles a number of bugs with the migrate authorization
command:

1. Rework MigrateAuthorizationOptions.checkParity to be a
MigrateActionFunc instead of a MigrateVisitFunc.  This allows us to
take advantage of migrate's default retry handling.
2. Add proper retry logic to checkParity, and have all check* funcs
return the appropriate TemporaryError based on the situation.  This
coupled with migrate's existing retry logic makes the command
resilient against common errors such as the deletion of resources.
3. Remove the binding of the standard migrate flags from migrate
authorization.  This command supports no parameters, and exposing
the standard migrate parameters allows the user to accidentally
break how the command runs.
4. Fix GroupVersion constants used for discovery based gating.  They
were incorrectly set to the internal version instead of v1.  This
would cause the policy based gating to always think that the server
did not support policy objects.
5. Force RBAC client to use v1beta1 since that is the only version
supported by a 3.6 server.  This allows you to use a 3.9 client
against a 3.6 server.
6. Remove rate limiting from the RBAC client to fix BZ 1513139.
Only a cluster admin can interact with RBAC resources on a 3.6
server, so this will quickly error out if run by a non-privileged
user.

Bug 1513139

Signed-off-by: Monis Khan <[email protected]>
@enj enj force-pushed the enj/i/migrate_authz_no_rate_limiting/1513139 branch from 496c518 to 679add3 Compare January 19, 2018 20:39
@enj enj added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jan 19, 2018
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: enj

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment


enj commented Jan 19, 2018

/retest

@openshift-merge-robot

/test all [submit-queue is verifying that this PR is safe to merge]


enj commented Jan 20, 2018

/retest

@openshift-merge-robot

Automatic merge from submit-queue (batch tested with PRs 18005, 18174).

@openshift-merge-robot openshift-merge-robot merged commit 61d82de into openshift:master Jan 20, 2018
@openshift-cherrypick-robot

@enj: #18005 failed to apply on top of branch "release-3.8":

error: Failed to merge in the changes.
Using index info to reconstruct a base tree...
M	pkg/oc/admin/migrate/authorization/authorization.go
M	pkg/oc/admin/migrate/migrator.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/oc/admin/migrate/migrator.go
CONFLICT (content): Merge conflict in pkg/oc/admin/migrate/migrator.go
Auto-merging pkg/oc/admin/migrate/authorization/authorization.go
Patch failed at 0001 Fix issues with oc adm migrate authorization

In response to this:

/cherrypick release-3.8

@openshift-ci-robot

@enj: The following test failed, say /retest to rerun them all:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/openshift-jenkins/extended_conformance_install | 679add3 | link | /test extended_conformance_install |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-merge-robot added a commit that referenced this pull request Jan 24, 2018
…stream-release-3.8

Automatic merge from submit-queue.

Automated cherry pick of #18005 on release-3.8

Cherry pick of #18005 on release-3.8.

#18005: Fix issues with oc adm migrate authorization