Documentation ¶
Index ¶
- Constants
- Variables
- func CanSetMaxSlots(slotsReq *int, wkspID int) (*int, error)
- func CheckExperimentConstraints(ctx context.Context, workspaceID int, ...) error
- func CheckNTSCConstraints(ctx context.Context, workspaceID int, workloadConfig model.CommandConfig, ...) error
- func ConfigPolicyWarning(msg string)
- func DeleteConfigPolicies(ctx context.Context, scope *int, workloadType string) error
- func GetConfigPolicyField[T any](ctx context.Context, wkspID *int, policyType, field, workloadType string) (*T, error)
- func GetMergedConstraints(ctx context.Context, workspaceID int, workloadType string) (*model.Constraints, error)
- func GetTaskConfigPolicies(ctx context.Context, scope *int, workloadType string) (*model.TaskConfigPolicies, error)
- func MarshalConfigPolicy(configPolicy interface{}) *structpb.Struct
- func MergeWithInvariantExperimentConfigs(ctx context.Context, workspaceID int, config expconf.ExperimentConfigV0) (*expconf.ExperimentConfigV0, error)
- func PriorityUpdateAllowed(wkspID int, workloadType string, priority int, smallerHigher bool) (bool, error)
- func SetTaskConfigPolicies(ctx context.Context, tcp *model.TaskConfigPolicies) error
- func SetTaskConfigPoliciesTx(ctx context.Context, tx *bun.Tx, tcp *model.TaskConfigPolicies) error
- func UnmarshalConfigPolicies[T any](errMsg string, constraintsStr, configStr *string) (*model.Constraints, *T, error)
- func UnmarshalConfigPolicy[T any](str string, errString string) (*T, error)
- func ValidWorkloadType(val string) bool
- func ValidateExperimentConfig(globalConfigPolicies *model.TaskConfigPolicies, configPolicies string, ...) error
- func ValidateNTSCConfig(globalConfigPolicies *model.TaskConfigPolicies, configPolicies string, ...) error
- type ConfigPolicyAuthZ
- type ConfigPolicyAuthZBasic
- func (a *ConfigPolicyAuthZBasic) CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (a *ConfigPolicyAuthZBasic) CanModifyWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) error
- func (a *ConfigPolicyAuthZBasic) CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (a *ConfigPolicyAuthZBasic) CanViewWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) error
- type ConfigPolicyAuthZPermissive
- func (p *ConfigPolicyAuthZPermissive) CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (p *ConfigPolicyAuthZPermissive) CanModifyWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) error
- func (p *ConfigPolicyAuthZPermissive) CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (p *ConfigPolicyAuthZPermissive) CanViewWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) error
- type ConfigPolicyAuthZRBAC
- func (r *ConfigPolicyAuthZRBAC) CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (r *ConfigPolicyAuthZRBAC) CanModifyWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) (err error)
- func (r *ConfigPolicyAuthZRBAC) CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User) error
- func (r *ConfigPolicyAuthZRBAC) CanViewWorkspaceConfigPolicies(ctx context.Context, curUser model.User, workspace *workspacev1.Workspace) (err error)
- type ExperimentConfigPolicies
- type NTSCConfigPolicies
Constants ¶
// Fixture values for tests: a sample invariant config and a sample constraints
// document, both written as JSON strings.
const (
	// DefaultInvariantConfigStr is the default invariant config value used for tests.
	// It sets a description plus resources.slots and resources.max_slots.
	DefaultInvariantConfigStr = `{ "description": "random description", "resources": {"slots": 4, "max_slots": 8} }`

	// DefaultConstraintsStr is the default constraints value used for tests.
	// It sets priority_limit and resources.max_slots.
	DefaultConstraintsStr = `{"priority_limit": 10, "resources": {"max_slots": 8}}`
)
// Error message strings reported by config policy validation and enforcement.
const (
	// GlobalConfigConflictErr is the error reported when an invariant config has a conflict
	// with a value already set in the global config.
	GlobalConfigConflictErr = "conflict between global and workspace config policy"
	// InvalidExperimentConfigPolicyErr is the error reported by an invalid experiment config policy.
	InvalidExperimentConfigPolicyErr = "invalid experiment config policy"
	// InvalidNTSCConfigPolicyErr is the error reported by an invalid NTSC config policy.
	InvalidNTSCConfigPolicyErr = "invalid ntsc config policy"
	// NotSupportedConfigPolicyErr is the error reported when admins attempt to set NTSC invariant config.
	NotSupportedConfigPolicyErr = "not supported"
	// SlotsReqTooHighErr is the error reported when the requested slots violate the max slots
	// constraint.
	// NOTE(review): the message text reads "is violates"; it is left unchanged here because
	// callers or tests may compare against the exact string — confirm before rewording.
	SlotsReqTooHighErr = "requested slots is violates max slots constraint"
)
Variables ¶
var AuthZProvider authz.AuthZProviderType[ConfigPolicyAuthZ]
AuthZProvider provides ConfigPolicyAuthZ implementations.
Functions ¶
func CanSetMaxSlots ¶
CanSetMaxSlots checks whether the requested slots violate a constraint. It returns the enforced max slots for the workspace if that's set as an invariant config, and returns the requested max slots otherwise. Returns an error when max slots is not set as an invariant config and the requested max slots violates the constraint.
func CheckExperimentConstraints ¶
func CheckExperimentConstraints( ctx context.Context, workspaceID int, workloadConfig expconf.ExperimentConfigV0, resourceManager rm.ResourceManager, ) error
CheckExperimentConstraints returns an error if the experiment config fails constraint checks.
func CheckNTSCConstraints ¶
func CheckNTSCConstraints( ctx context.Context, workspaceID int, workloadConfig model.CommandConfig, resourceManager rm.ResourceManager, ) error
CheckNTSCConstraints returns an error if the NTSC config fails constraint checks.
func ConfigPolicyWarning ¶
func ConfigPolicyWarning(msg string)
ConfigPolicyWarning logs a warning for the configuration policy component.
func DeleteConfigPolicies ¶
DeleteConfigPolicies deletes the invariant experiment config and constraints for the given scope (global or workspace-level) and workload type.
func GetConfigPolicyField ¶
func GetConfigPolicyField[T any](ctx context.Context, wkspID *int, policyType, field, workloadType string) (*T, error, )
GetConfigPolicyField fetches the field from an invariant_config or constraints policyType, in order of precedence. Global scope has highest precedence, then workspace. Returns nil if none is found. **NOTE** The field argument is wrapped in bun.Safe, so you must specify the "raw" string exactly as you wish for it to be accessed in the database. For example, if you want to access resources.max_slots, the field argument should be "'resources' -> 'max_slots'" NOT "resources -> max_slots". Because bun.Safe places the string into the query without escaping, field must be a fixed, trusted expression and must never be built from request or user input. **NOTE** When using this function to retrieve an object of Kind Pointer, set T as the type of object that the pointer wraps. For example, if we want an object of type *int, set T to int, so that when its pointer is returned, you get an object of type *int.
func GetMergedConstraints ¶
func GetMergedConstraints(ctx context.Context, workspaceID int, workloadType string) (*model.Constraints, error)
GetMergedConstraints retrieves Workspace and Global constraints and returns a merged result. workloadType is expected to be model.ExperimentType or model.NTSCType.
func GetTaskConfigPolicies ¶
func GetTaskConfigPolicies( ctx context.Context, scope *int, workloadType string, ) (*model.TaskConfigPolicies, error)
GetTaskConfigPolicies retrieves the invariant config and constraints for the given scope (global or workspace-level) and workload Type.
func MarshalConfigPolicy ¶
MarshalConfigPolicy packs a config policy into a proto struct.
func MergeWithInvariantExperimentConfigs ¶
func MergeWithInvariantExperimentConfigs(ctx context.Context, workspaceID int, config expconf.ExperimentConfigV0, ) (*expconf.ExperimentConfigV0, error)
MergeWithInvariantExperimentConfigs merges the config with workspace and global invariant configs, where a global invariant config takes precedence over a workspace-level invariant config.
func PriorityUpdateAllowed ¶
func PriorityUpdateAllowed(wkspID int, workloadType string, priority int, smallerHigher bool) (bool, error)
PriorityUpdateAllowed returns true if the desired priority is within the task config policy limit.
func SetTaskConfigPolicies ¶
func SetTaskConfigPolicies(ctx context.Context, tcp *model.TaskConfigPolicies, ) error
SetTaskConfigPolicies adds the task invariant config and constraints config policies to the database.
func SetTaskConfigPoliciesTx ¶
func SetTaskConfigPoliciesTx(ctx context.Context, tx *bun.Tx, tcp *model.TaskConfigPolicies, ) error
SetTaskConfigPoliciesTx adds the task invariant config and constraints policies to the database.
func UnmarshalConfigPolicies ¶
func UnmarshalConfigPolicies[T any](errMsg string, constraintsStr, configStr *string) (*model.Constraints, *T, error, )
UnmarshalConfigPolicies unmarshals optionally specified invariant config and constraint configurations presented as YAML or JSON strings.
func UnmarshalConfigPolicy ¶
UnmarshalConfigPolicy is a generic helper function to unmarshal both JSON and YAML strings.
func ValidWorkloadType ¶
ValidWorkloadType checks if the string is an accepted WorkloadType.
func ValidateExperimentConfig ¶
func ValidateExperimentConfig( globalConfigPolicies *model.TaskConfigPolicies, configPolicies string, priorityEnabledErr error, ) error
ValidateExperimentConfig validates a model.ExperimentType config & constraints.
func ValidateNTSCConfig ¶
func ValidateNTSCConfig( globalConfigPolicies *model.TaskConfigPolicies, configPolicies string, priorityEnabledErr error, ) error
ValidateNTSCConfig validates a model.NTSCType config & constraints.
Types ¶
type ConfigPolicyAuthZ ¶
// ConfigPolicyAuthZ describes authz methods for config policies. Each method
// signals its decision through the returned error.
type ConfigPolicyAuthZ interface {
	// CanModifyWorkspaceConfigPolicies is the authorization check for modifying the
	// config policies of the given workspace.
	// PUT /api/v1/config-policies/workspaces/:workspace-id/:type
	CanModifyWorkspaceConfigPolicies(ctx context.Context, curUser model.User,
		workspace *workspacev1.Workspace,
	) error

	// CanViewWorkspaceConfigPolicies is the authorization check for viewing the
	// config policies of the given workspace.
	// GET /api/v1/config-policies/workspaces/:workspace-id/:type
	CanViewWorkspaceConfigPolicies(ctx context.Context, curUser model.User,
		workspace *workspacev1.Workspace,
	) error

	// CanModifyGlobalConfigPolicies returns an error if the user is not authorized to
	// modify task config policies.
	CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User,
	) error

	// CanViewGlobalConfigPolicies is the authorization check for viewing global task
	// config policies.
	// NOTE(review): the original comment said this "returns a nil error"; that matches
	// the Basic implementation's documentation, while the RBAC implementation is
	// documented as checking view permission — confirm the intended interface contract.
	CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User,
	) error
}
ConfigPolicyAuthZ describes authz methods for config policies.
type ConfigPolicyAuthZBasic ¶
type ConfigPolicyAuthZBasic struct{}
ConfigPolicyAuthZBasic is classic OSS controls.
func (*ConfigPolicyAuthZBasic) CanModifyGlobalConfigPolicies ¶
func (a *ConfigPolicyAuthZBasic) CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User, ) error
CanModifyGlobalConfigPolicies requires curUser to be an admin.
func (*ConfigPolicyAuthZBasic) CanModifyWorkspaceConfigPolicies ¶
func (a *ConfigPolicyAuthZBasic) CanModifyWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) error
CanModifyWorkspaceConfigPolicies requires curUser to be an admin or workspace owner.
func (*ConfigPolicyAuthZBasic) CanViewGlobalConfigPolicies ¶
func (a *ConfigPolicyAuthZBasic) CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User, ) error
CanViewGlobalConfigPolicies returns a nil error.
func (*ConfigPolicyAuthZBasic) CanViewWorkspaceConfigPolicies ¶
func (a *ConfigPolicyAuthZBasic) CanViewWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) error
CanViewWorkspaceConfigPolicies returns a nil error.
type ConfigPolicyAuthZPermissive ¶
type ConfigPolicyAuthZPermissive struct{}
ConfigPolicyAuthZPermissive is the permissive implementation.
func (*ConfigPolicyAuthZPermissive) CanModifyGlobalConfigPolicies ¶
func (p *ConfigPolicyAuthZPermissive) CanModifyGlobalConfigPolicies( ctx context.Context, curUser *model.User, ) error
CanModifyGlobalConfigPolicies calls the RBAC implementation and returns whether the user has access to modify global task config policies.
func (*ConfigPolicyAuthZPermissive) CanModifyWorkspaceConfigPolicies ¶
func (p *ConfigPolicyAuthZPermissive) CanModifyWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) error
CanModifyWorkspaceConfigPolicies calls RBAC authz but enforces basic authz.
func (*ConfigPolicyAuthZPermissive) CanViewGlobalConfigPolicies ¶
func (p *ConfigPolicyAuthZPermissive) CanViewGlobalConfigPolicies( ctx context.Context, curUser *model.User, ) error
CanViewGlobalConfigPolicies calls the RBAC implementation but always allows access.
func (*ConfigPolicyAuthZPermissive) CanViewWorkspaceConfigPolicies ¶
func (p *ConfigPolicyAuthZPermissive) CanViewWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) error
CanViewWorkspaceConfigPolicies calls RBAC authz but enforces basic authz.
type ConfigPolicyAuthZRBAC ¶
type ConfigPolicyAuthZRBAC struct{}
ConfigPolicyAuthZRBAC is RBAC authorization for config policies.
func (*ConfigPolicyAuthZRBAC) CanModifyGlobalConfigPolicies ¶
func (r *ConfigPolicyAuthZRBAC) CanModifyGlobalConfigPolicies( ctx context.Context, curUser *model.User, ) error
CanModifyGlobalConfigPolicies checks if the user can modify global task config policies.
func (*ConfigPolicyAuthZRBAC) CanModifyWorkspaceConfigPolicies ¶
func (r *ConfigPolicyAuthZRBAC) CanModifyWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) (err error)
CanModifyWorkspaceConfigPolicies determines whether a user can modify workspace task config policies.
func (*ConfigPolicyAuthZRBAC) CanViewGlobalConfigPolicies ¶
func (r *ConfigPolicyAuthZRBAC) CanViewGlobalConfigPolicies( ctx context.Context, curUser *model.User, ) error
CanViewGlobalConfigPolicies checks if the user can view global task config policies.
func (*ConfigPolicyAuthZRBAC) CanViewWorkspaceConfigPolicies ¶
func (r *ConfigPolicyAuthZRBAC) CanViewWorkspaceConfigPolicies( ctx context.Context, curUser model.User, workspace *workspacev1.Workspace, ) (err error)
CanViewWorkspaceConfigPolicies determines whether a user can view workspace task config policies.
type ExperimentConfigPolicies ¶
// ExperimentConfigPolicies is the invariant config and constraints for an experiment.
// It is serialized with the JSON keys "invariant_config" and "constraints".
type ExperimentConfigPolicies struct {
	// InvariantConfig holds the enforced experiment config fields; the package docs
	// describe submitted values that differ from it as silently overridden.
	InvariantConfig *expconf.ExperimentConfig `json:"invariant_config"`
	// Constraints holds the limits for the scope; the package docs describe submitted
	// experiments that differ from them as rejected.
	Constraints *model.Constraints `json:"constraints"`
}
ExperimentConfigPolicies is the invariant config and constraints for an experiment. Submitted experiments whose config fields vary from the respective InvariantConfig fields set within a given scope are silently overridden. Submitted experiments whose constraint fields vary from the respective Constraint fields set within a given scope are rejected.
type NTSCConfigPolicies ¶
// NTSCConfigPolicies is the invariant config and constraints for an NTSC task.
// It is serialized with the JSON keys "invariant_config" and "constraints".
type NTSCConfigPolicies struct {
	// InvariantConfig holds the enforced NTSC config fields; the package docs describe
	// submitted values that differ from it as silently overridden.
	InvariantConfig *model.CommandConfig `json:"invariant_config"`
	// Constraints holds the limits for the scope; the package docs describe submitted
	// NTSC tasks that differ from them as rejected.
	Constraints *model.Constraints `json:"constraints"`
}
NTSCConfigPolicies is the invariant config and constraints for an NTSC task. Submitted NTSC tasks whose config fields vary from the respective InvariantConfig fields set within a given scope are silently overridden. Submitted NTSC tasks whose constraint fields vary from the respective Constraint fields set within a given scope are rejected.