MG - 1529 - User Removal #2122
if err := svc.checkSuperAdmin(ctx, res.GetId()); err != nil { | ||
return err | ||
} |
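Review bot: the `checkSuperAdmin` call here receives only `res.GetId()`, so the ID of the user being deleted never enters the authorization decision. If the rule is meant to stay "super admins only", a one-line comment above the check would record that; if self-deletion is added later, this is the place a comparison against the target ID would have to go before falling back to `checkSuperAdmin`.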
@rodneyosodo We are planning like, only super admins can delete users
Yes. It is only super admins who can delete users
Should I also add that a user can be able to delete themselves?
req := PolicyReq{ | ||
SubjectType: GroupType, | ||
Object: id, | ||
ObjectType: ThingType, | ||
} | ||
|
||
if err := svc.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} | ||
|
||
// Remove policy from domain | ||
req.SubjectType = DomainType | ||
if err := svc.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} | ||
|
||
// Remove policy of users | ||
req.SubjectType = UserType | ||
if err := svc.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} | ||
|
||
return nil |
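Review bot: each of the three `svc.DeletePolicy` calls returns on the first error, so a failure at the `DomainType` or `UserType` step leaves the thing with its group policies already removed and the remaining ones still in place. Consider wrapping each `return err` with the subject type that failed so a partial cleanup is visible in logs, and state in a comment whether callers are expected to retry. The first call also lacks the explanatory comment the other two have.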
For `svc.DeletePolicy`, only the object type is a required field.
So the snippet below will delete all types of subjects related to the thing object:
req := PolicyReq{ | |
SubjectType: GroupType, | |
Object: id, | |
ObjectType: ThingType, | |
} | |
if err := svc.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
// Remove policy from domain | |
req.SubjectType = DomainType | |
if err := svc.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
// Remove policy of users | |
req.SubjectType = UserType | |
if err := svc.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
return nil | |
// Remove all policies related to thing | |
req := PolicyReq{ | |
Object: id, | |
ObjectType: ThingType, | |
} | |
if err := svc.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
return nil |
This doesn't work. I get
{"time":"2024-03-21T08:36:41.624438869Z","level":"WARN","msg":"Delete entity policies failed to complete successfully","duration":"284.946µs","entity_type":"thing","id":"feae8203-452b-4f7c-a003-76b475e43b56","error":{"error":"malformed entity specification","message":"failed to remove the policies"}}
auth/service.go
Outdated
policy := PolicyReq{ | ||
Subject: EncodeDomainUserID(domain.ID, id), | ||
SubjectType: UserType, | ||
Object: domain.ID, | ||
ObjectType: DomainType, | ||
} | ||
if err := svc.agent.DeletePolicy(ctx, policy); err != nil { | ||
return err | ||
} |
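Review bot: the bare `return err` after `svc.agent.DeletePolicy` loses which domain the failure belongs to. The request is built from `domain.ID`, so wrapping the error with that ID would let an operator see where the cleanup stopped.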
The snippet below will delete all Thing, Group, and Channel relations related to the user ID within the domain:
policy := PolicyReq{ | |
Subject: EncodeDomainUserID(domain.ID, id), | |
SubjectType: UserType, | |
Object: domain.ID, | |
ObjectType: DomainType, | |
} | |
if err := svc.agent.DeletePolicy(ctx, policy); err != nil { | |
return err | |
} | |
policy := PolicyReq{ | |
Subject: EncodeDomainUserID(domain.ID, id), | |
SubjectType: UserType, | |
ObjectType: ThingType, | |
} | |
if err := svc.agent.DeletePolicy(ctx, policy); err != nil { | |
return err | |
} | |
policy = PolicyReq{ | |
Subject: EncodeDomainUserID(domain.ID, id), | |
SubjectType: UserType, | |
ObjectType: GroupType, | |
} | |
if err := svc.agent.DeletePolicy(ctx, policy); err != nil { | |
return err | |
} | |
policy = PolicyReq{ | |
Subject: EncodeDomainUserID(domain.ID, id), | |
SubjectType: UserType, | |
Object: domain.ID, | |
ObjectType: DomainType, | |
} | |
if err := svc.agent.DeletePolicy(ctx, policy); err != nil { | |
return err | |
} |
req := PolicyReq{ | ||
Subject: id, | ||
SubjectType: UserType, | ||
ObjectType: ThingType, | ||
} | ||
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} | ||
req.ObjectType = GroupType | ||
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} | ||
req.ObjectType = DomainType | ||
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | ||
return err | ||
} |
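Review bot: `req` is reused with only `ObjectType` reassigned and `Object` never set, so every `svc.agent.DeletePolicy` call here acts as a filter over all objects of that type for `Subject: id`. That is a broad delete; a comment stating that the empty `Object` is intentional would keep a later edit from setting it and silently narrowing the cleanup, and as with the other hunks a failure on `GroupType` or `DomainType` leaves the earlier deletions applied.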
There is no need to remove the policy between user_id and things/groups, because there will be no subject with just the user ID in SpiceDB.
The user's subject ID in SpiceDB will always be the combination `<domain_id>_<user_id>`.
req := PolicyReq{ | |
Subject: id, | |
SubjectType: UserType, | |
ObjectType: ThingType, | |
} | |
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
req.ObjectType = GroupType | |
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
req.ObjectType = DomainType | |
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | |
return err | |
} | |
req := PolicyReq{ | |
Subject: id, | |
SubjectType: UserType, | |
ObjectType: PlatformType, | |
req.Object = MagistralaObject | |
} | |
if err := svc.agent.DeletePolicy(ctx, req); err != nil { | |
return err | |
} |
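Review bot: in the suggested replacement, `req.Object = MagistralaObject` sits inside the `PolicyReq{...}` composite literal, which will not compile. It should be written as the field `Object: MagistralaObject,` next to `ObjectType: PlatformType,`.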
If we leave it, SpiceDB will see it as a valid policy and will not clean up
Hello @rodneyosodo, I left some comments for delete policies in auth service.
This commit adds a new method to delete a client with a given ID in the repository package. The implementation of this method uses a SQL query to delete the client from the database. Additionally, test cases have been added for the delete method to ensure its functionality. These test cases include assertions for handling expected errors. These changes enhance the functionality of the codebase by allowing clients to be deleted from the database. Note: This commit does not include any breaking changes or additional modifications to other files. Signed-off-by: Rodney Osodo <[email protected]>
This commit adds a new command to the CLI for deleting a user. The command can be accessed by running `cli delete <user_id>`, where `<user_id>` is the ID of the user to be deleted. The code changes include the addition of a new method in the SDK interface, `deleteUser`, which constructs a URL and makes a HTTP DELETE request to delete a user. Additionally, a mock implementation of the method has been included for testing purposes. These changes enhance the functionality of the application by allowing users to delete user records directly from the CLI. Signed-off-by: Rodney Osodo <[email protected]>
- Add new handlers for deleting and changing the status of a client in the users API
- Improve logging in the users API
- Update response types in the users API
- Update the Service interface in the users API

Add new functionality for deleting a client:
- Add a constant, event type, and method in the eventStore
- Implement the DeleteClient method in the service file
- The DeleteClient method disables a client by deleting its policies and checking for authorization
- Trace the operation by starting a span and calling the DeleteClient function of the wrapped service.

Signed-off-by: Rodney Osodo <[email protected]>
Add a method to delete an entity's policies, for example things or users. This helps reduce network communication between users and auth service. Signed-off-by: Rodney Osodo <[email protected]>
Check if domainsURL, invitationsURL and HostURL are empty to default to defURL Signed-off-by: Rodney Osodo <[email protected]>
What type of PR is this?
This is a feature because it adds user removal
What does this do?
This PR adds a new method to delete a user with a given ID in the repository package. The implementation of this method uses an SQL query to delete the client from the database.
Additionally, an extra method has been added to the gRPC auth service to handle entity deletion. This is useful because it reduces network trips back and forth from the client microservices to the auth microservice. Test cases have been added for the delete method to ensure its functionality.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Yes, I have included tests for my changes.
Did you document any new/modified feature?
Yes, I have updated the documentation for the new feature.
Notes