New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Gh 998] Maintenance window #1236
base: main
Are you sure you want to change the base?
[Gh 998] Maintenance window #1236
Conversation
# Conflicts: # deploy/stacks/lambda_api.py
# Disable scheduled ECS tasks | ||
# Get all the SSM Params related to the scheduled tasks | ||
ecs_scheduled_rules = ParameterStoreManager.get_parameters_by_path( | ||
region=os.getenv('AWS_REGION', 'eu-west-1'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we really have a default value of eu-west-1 here? Seems like there should be no default and that we check region value and error if it is not a valid region.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am taking the default value from the other similar boto3 wrappers which are defined in dataall/base/aws/ folder. I am in agreement that we should through error if the AWS_REGION env var is nt set. Maybe we should do it for other boto wrappers.
@dlpzx , what are you views ? Is there any particular reason to keep the eu-west-1
) | ||
logger.debug(ecs_scheduled_rules) | ||
ecs_scheduled_rules_list = [item['Value'] for item in ecs_scheduled_rules] | ||
event_bridge_session = EventBridge(region=os.getenv('AWS_REGION', 'eu-west-1')) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above, curious why we would default to eu-west-1 here.
) | ||
# Enable scheduled ECS tasks | ||
ecs_scheduled_rules = ParameterStoreManager.get_parameters_by_path( | ||
region=os.getenv('AWS_REGION', 'eu-west-1'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question about default region as above.
) | ||
logger.debug(ecs_scheduled_rules) | ||
ecs_scheduled_rules_list = [item['Value'] for item in ecs_scheduled_rules] | ||
event_bridge_session = EventBridge(region=os.getenv('AWS_REGION', 'eu-west-1')) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question about default region as above.
if maintenance_record.status == MaintenanceStatus.PENDING.value: | ||
# Check if ECS tasks are running | ||
ecs_cluster_name = ParameterStoreManager.get_parameter_value( | ||
region=os.getenv('AWS_REGION', 'eu-west-1'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question about default region as above.
frontend/src/modules/Administration/views/AdministrationView.js
Outdated
Show resolved
Hide resolved
frontend/src/modules/Administration/components/MaintenanceViewer.js
Outdated
Show resolved
Hide resolved
backend/dataall/modules/maintenance/services/maintenance_service.py
Outdated
Show resolved
Hide resolved
backend/dataall/modules/maintenance/services/maintenance_service.py
Outdated
Show resolved
Hide resolved
backend/api_handler.py
Outdated
) | ||
elif ( | ||
(maintenance_mode == MaintenanceModes.READONLY.value) | ||
and (maintenance_status is not MaintenanceStatus.INACTIVE.value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MaintenanceStatus.INACTIVE is an enum, so you should compare directly with the enum instead of its value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maintenance_status contains the value of the MaintenanceStatus.INACTIVE enum. Let me check if I can get an enum there instead
For now, I have added the tests in the tests/modules/maintenance. For the integration tests, i think they are using the cognito idp to authenticate. As we use our custom auth, I don't think I can add tests easily. I think this could be a part of another PR where-in the same integration tests can be run with a custom IDP user |
Updated code Tested - |
from dataall.core.permissions.services.tenant_policy_service import TenantPolicyValidationService | ||
|
||
logger = logging.getLogger() | ||
logger.setLevel(os.environ.get('LOG_LEVEL', 'INFO')) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this used for? We are using "log" everywhere else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean why are we using the setLevel command ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the setLevel method is used mostly at the top of logger initialization. I am adding it here to set the log level to whatever is set for each lambda in their environment variable - which is available via the os.environ.get('LOG_LEVEL', 'INFO')
.
logger.error('Maintenance window already in INACTIVE state. Cannot stop maintenance window') | ||
return False | ||
MaintenanceRepository(session).save_maintenance_status_and_mode( | ||
maintenance_status='INACTIVE', maintenance_mode='' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use Maintenence Enum instead of hardcoded INACTIVE
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in the next update
@return: returns True if successful or False | ||
""" | ||
# Check from the context if the groups contains the DAAAdminstrators group | ||
groups = get_context().groups if get_context().groups is not None else [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought get_context().groups returned an empty list when the user belonged to no group.... good finding
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
groups: list = extract_groups(user_id, claims)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is been used only for initializing the groups list when the API handler is called. This takes in the claims which come from the cognito/custom authorizer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated code
'Access-Control-Allow-Methods': '*', | ||
}, | ||
'body': json.dumps(response), | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created GH issue - #1302
Feature or Bugfix
Detail
Instructions on using maintenance window
Note- In all the mode, data.all admin user is allowed to perform any gql call and access and modify anything on the UI.
Relates
Security
Please answer the questions below briefly where applicable, or write
N/A
. Based onOWASP 10.
fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
eval
or similar functions are used?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.