-
Notifications
You must be signed in to change notification settings - Fork 244
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[auth] More easily add developers to developer namespaces (#13180)
I decided to break off this chunk from another PR that has stalled. That PR will ultimately build on this to add all developers automatically to dev AND test namespaces, but this should be an improvement for now. A few things in here: - Deleted all the `DatabaseResource` stuff in the auth driver. Since databases now are created and destroyed with the namespace and not the developer, this is basically dead code. - Added the ability to add a user for an existing hail identity. This is only permitted in dev namespaces and serves as a way for developers to use the same hail identity across namespaces. There is one caveat here: `create_initial_account.py` tries to copy the `<dev-name>-gsa-key` secret from default into the developer namespace and this code will *not* do that anymore. For the developer to submit jobs to the namespace, they must first manually copy in the secret from `default` if it does not already exist inside the namespace. This is awkward, but IMO acceptable because: - the copying code in `create_initial_account.py` is already broken anyway because when that script is run in a dev deploy it does not have access to production secrets - I hope that when we eventually go keyless we can delete the gsa key secrets and this whole problem goes away. - I feel like it's not too bad to do this manual one time copy as opposed to maintaining code that is privileged enough to reach across namespaces. Seems error prone and like a security headache. - Deletes `create_initial_account.py` in favor of using our actual API to create the dev user.
- Loading branch information
1 parent
65b9dff
commit 54e3fad
Showing
13 changed files
with
126 additions
and
261 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.