[Backport - 2.8] Check Det User First [CORE-2131] (#9694) (#9698)

This PR checks if the Det User is already created and, if so, updates their status and rotates the password. If they aren't in the DB it will add them.
pachyderm · Jan 31, 2024 · 351608d · 351608d
1 parent 91b33ac
commit 351608d
Showing 1 changed file with 35 additions and 25 deletions.
diff --git a/src/server/pps/server/determined.go b/src/server/pps/server/determined.go
@@ -20,11 +20,9 @@ import (
 	"github.com/pachyderm/pachyderm/v2/src/pps"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/metadata"
-	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -331,36 +329,48 @@ func validateWorkspacePermissions(ctx context.Context, dc det.DeterminedClient,
 }
 
 func provisionDeterminedPipelineUser(ctx context.Context, dc det.DeterminedClient, p *pps.Pipeline, password string) (int32, error) {
+	// Try to get the user first
+	u, err := getDetPipelineUser(ctx, dc, p)
+	if err != nil {
+		// Temporary thing, probably not the best to use strings.Contains here
+		if strings.Contains(err.Error(), "no determined users return") {
+			u = nil
+		} else {
+			return 0, err
+		}
+	}
+
+	// If the user exists, check and update if needed
+	if u != nil {
+		if !u.Active {
+			if _, err := dc.PatchUser(ctx, &det.PatchUserRequest{
+				UserId: u.Id,
+				User: &userv1.PatchUser{
+					Active: &wrapperspb.BoolValue{Value: true},
+				},
+			}); err != nil {
+				return 0, errors.Wrapf(err, "reactivate user %q", pipelineUserName(p))
+			}
+		}
+		if _, err := dc.SetUserPassword(ctx, &det.SetUserPasswordRequest{
+			UserId:   u.Id,
+			Password: password,
+		}); err != nil {
+			return 0, errors.Wrapf(err, "set password for user %q", pipelineUserName(p))
+		}
+		return u.Id, nil
+	}
+
+	// If no user exists, proceed with user creation
 	resp, err := dc.PostUser(ctx, &det.PostUserRequest{
 		User:     &userv1.User{Username: pipelineUserName(p), Active: true},
 		Password: password,
 	})
 	if err != nil {
-		if status.Code(err) == codes.InvalidArgument && strings.Contains(err.Error(), "user already exists") {
-			u, err := getDetPipelineUser(ctx, dc, p)
-			if err != nil {
-				return 0, err
-			}
-			if !u.Active {
-				if _, err := dc.PatchUser(ctx, &det.PatchUserRequest{
-					UserId: u.Id,
-					User: &userv1.PatchUser{
-						Active: &wrapperspb.BoolValue{Value: true},
-					},
-				}); err != nil {
-					return 0, errors.Wrapf(err, "reactivate user %q", pipelineUserName(p))
-				}
-			}
-			if _, err := dc.SetUserPassword(ctx, &det.SetUserPasswordRequest{
-				UserId:   u.Id,
-				Password: password,
-			}); err != nil {
-				return 0, errors.Wrapf(err, "set password for user %q", pipelineUserName(p))
-			}
-			return u.Id, nil
-		}
+		// Handle the error here, API call issue should be thrown as an error
 		return 0, errors.Wrap(err, "provision determined user")
 	}
+
 	return resp.User.Id, nil
 }