[Backend][Multi-user] Add namespace to Experiment API implementation #3243
Conversation
|
/retest |
|
/assign @Bobgy |
|
Shall we add some tests when multi user mode is on for resource_manager_test, api_converter_test? Because there will be new code paths just for that. |
There was a problem hiding this comment.
Great work!
/lgtm
Now I realize you emphasized a lot on integration tests for the complete experiment server from end to end. I think that's a good practice, but it's different from existing pattern. It seems with existing pattern, we need some tests for each unit.
/cc @IronPan
for reviewing this part.
I'm okay with your choices because I don't have much context on which would be better and why it is like current convention.
| @@ -817,7 +821,7 @@ func (r *ResourceManager) CreateDefaultExperiment() (string, error) { | |||
| } | |||
|
|
|||
| // Create default experiment | |||
| defaultExperiment := &model.Experiment{ | |||
| defaultExperiment := &api.Experiment{ | |||
| Name: "Default", | |||
| Description: "All runs created without specifying an experiment will be grouped here.", | |||
| } | |||
There was a problem hiding this comment.
There is no namespace reference here, so it will always fail in multi user mode.
Shall we add a check earlier? We just skip trying to create a default namespace when in multi user mode?
There was a problem hiding this comment.
Great catch! Apparently this is one place I missed unit test coverage, because this default experiment creation doesn't hit experiment_server.
To allow creating default experiment in multi-user mode, I moved the namespace requirement out of ToModelExperiment -- it is enforced in experimentServer.CreateExperiment which is sufficient to capture invalid input. Also added unit tests for CreateDefaultExperiment and ToModelExperiment
There was a problem hiding this comment.
I don't fully remember your design about default experiment. If default experiment doesn't contain a namespace, it will be useless in multi user mode.
Maybe we should just throw an error message here for multi user mode like Please specify an experiment. No default experiment has been set up.?
There was a problem hiding this comment.
The plan is:
- for short term, we provide a SQL script to help users backfill existing experiments including the default one.
- long term, we will automate the backfill in api-server using the namespace specified by a config map/environment variable.
So allowing the default experiment without namespace is okay for now.
chensun
changed the title
While there're things unit tests cannot really verify - such as the real authorization, I'm with you that unit test is critical and should not be missed -- this is also one of my top complains about our code base. So I added more unit tests following your comments -- thanks again for catching the issue where Default experiment creation would fail in multi-user mode. |
|
/assign @IronPan |
| // Skip authorization if not multi-user mode. | ||
| return nil | ||
| } | ||
| namespace, err := s.resourceManager.GetNamespaceFromExperimentID(experimentID) |
There was a problem hiding this comment.
does it make sense to move the GetNamespaceFromExperimentID to inline here?
There was a problem hiding this comment.
The difference is probably trivial, but I feel like having this wrapper in resource_manager.go is slightly better. It keeps the experiment model details within resource_manager and hides it away from experiment_server.
That said, we might refactor the code to get rid of this canAccessExperiment (just added a TODO), so this is subject to change. So I think we can just keep it as-is for now.
| Name: experiment.Name, | ||
| Description: experiment.Description, | ||
| CreatedAt: ×tamp.Timestamp{Seconds: experiment.CreatedAtInSec}, | ||
| ResourceReferences: []*api.ResourceReference{ |
There was a problem hiding this comment.
Can we dedup the common code and only add RR field in multi-user mode?
|
/lgtm |
| @@ -122,7 +133,7 @@ func (s *ExperimentServer) canAccessExperiment(ctx context.Context, experimentID | |||
| return util.Wrap(err, "Failed to authorize with the experiment ID.") | |||
| } | |||
| if len(namespace) == 0 { | |||
| return util.NewInternalServerError(errors.New("There is no namespace found"), "There is no namespace found") | |||
| return util.NewInternalServerError(errors.New("Empty namespace"), "The experiment doesn't have a valid namespace.") | |||
There was a problem hiding this comment.
nit: not a big issue, would it make sense to allow access to experiment with namespace="" blindly?
because these namespaces are coming from before multi user mode was enabled.
I think you can decide whatever makes sense to you.
There was a problem hiding this comment.
Initially, I allow listing experiments with empty namespace, but reject accessing experiment with empty namespace. The idea was to allow user see a list, but when they click on it, they get an error message.
Now that we disallowed empty namespace during listing, the experiments with empty namespace is almost invisible. So I'm leaning towards keeping it consistent for both list and get.
Eventually, this shouldn't happen once backfill is done (either via a SQL script or by automated backfill from api-server).
| ResourceReferences: resourceReferences, | ||
| }} | ||
| assert.Equal(t, expectedExperiment, result.Experiments) | ||
| tests := []struct { |
There was a problem hiding this comment.
Great work! Thanks for improving unit tests!
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: IronPan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…ubeflow#3243) * Experiment API implementation * Address review comments and add additional unit tests * Update build file * fix unit tests * Reject empty namespace in multi user mode * Address review comments
Conduct user authorization on namespace for the following experiment APIs:
/cc @IronPan @Bobgy
Image for testing: gcr.io/chesu-dev/api-server:pr3243
This change is