configpolicy

package
v0.38.0-rc3

This package is not in the latest version of its module.

Published: Oct 30, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

Documentation

Constants

const (
	// DefaultInvariantConfigStr is the default invariant config val used for tests.
	DefaultInvariantConfigStr = `{
	"description": "random description", 
	"resources": {"slots": 4, "max_slots": 8}
	}`
	// DefaultConstraintsStr is the default constraints val used for tests.
	DefaultConstraintsStr = `{"priority_limit": 10, "resources": {"max_slots": 8}}`
)
const (
	// GlobalConfigConflictErr is the error reported when an invariant config has a conflict
	// with a value already set in the global config.
	GlobalConfigConflictErr = "conflict between global and workspace config policy"
	// InvalidExperimentConfigPolicyErr is the error reported by an invalid experiment config policy.
	InvalidExperimentConfigPolicyErr = "invalid experiment config policy"
	// InvalidNTSCConfigPolicyErr is the error reported by an invalid NTSC config policy.
	InvalidNTSCConfigPolicyErr = "invalid ntsc config policy"
	// NotSupportedConfigPolicyErr is the error reported when admins attempt to set NTSC invariant config.
	NotSupportedConfigPolicyErr = "not supported"
	// SlotsReqTooHighErr is the error reported when the requested slots violates the max slots
	// constraint.
	SlotsReqTooHighErr = "requested slots is violates max slots constraint"
)

Variables

AuthZProvider provides WorkspaceAuthZ implementations.

Functions

func CanSetMaxSlots

func CanSetMaxSlots(slotsReq *int, wkspID int) (*int, error)

CanSetMaxSlots checks whether the requested slots violate a constraint. It returns the enforced max slots for the workspace if that is set as an invariant config, and returns the requested max slots otherwise. It returns an error when max slots is not set as an invariant config and the requested max slots violates the constraint.

func CheckExperimentConstraints

func CheckExperimentConstraints(
	ctx context.Context,
	workspaceID int,
	workloadConfig expconf.ExperimentConfigV0,
	resourceManager rm.ResourceManager,
) error

CheckExperimentConstraints returns an error if the experiment config fails constraint checks.

func CheckNTSCConstraints

func CheckNTSCConstraints(
	ctx context.Context,
	workspaceID int,
	workloadConfig model.CommandConfig,
	resourceManager rm.ResourceManager,
) error

CheckNTSCConstraints returns an error if the NTSC config fails constraint checks.

func ConfigPolicyWarning

func ConfigPolicyWarning(msg string)

ConfigPolicyWarning logs a warning for the configuration policy component.

func DeleteConfigPolicies

func DeleteConfigPolicies(ctx context.Context,
	scope *int, workloadType string,
) error

DeleteConfigPolicies deletes the invariant experiment config and constraints for the given scope (global or workspace-level) and workload type.

func GetConfigPolicyField

func GetConfigPolicyField[T any](ctx context.Context, wkspID *int, policyType, field, workloadType string) (*T,
	error,
)

GetConfigPolicyField fetches the field from an invariant_config or constraints policyType, in order of precedence. Global scope has highest precedence, then workspace. Returns nil if none is found.

**NOTE** The field arguments are wrapped in bun.Safe, so you must specify the "raw" string exactly as you wish for it to be accessed in the database. For example, if you want to access resources.max_slots, the field argument should be "'resources' -> 'max_slots'", NOT "resources -> max_slots". Because bun.Safe inserts the string into the query without escaping, the field argument must never be built from untrusted input.

**NOTE** When using this function to retrieve an object of Kind Pointer, set T to the type that the pointer wraps. For example, if you want an object of type *int, set T to int, so that the returned pointer is of type *int.
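Since the field argument reaches the database as raw SQL, one way to build it safely is from validated key names only. This is an added example, not code from this package: policyFieldPath, keyPattern and errUnsafeKey are hypothetical names, and the lower-case key allowlist is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// keyPattern is an assumed allowlist: lower-case JSON keys such as
// "resources" or "max_slots". Quotes, spaces and operators never match.
var keyPattern = regexp.MustCompile(`^[a-z][a-z0-9_]*$`)

// errUnsafeKey is returned when a path segment could alter the SQL expression.
var errUnsafeKey = errors.New("unsafe config policy key")

// policyFieldPath (hypothetical helper) renders JSON keys as the raw accessor
// string the field argument expects, e.g. 'resources' -> 'max_slots'.
func policyFieldPath(keys ...string) (string, error) {
	if len(keys) == 0 {
		return "", fmt.Errorf("%w: empty path", errUnsafeKey)
	}
	quoted := make([]string, 0, len(keys))
	for _, k := range keys {
		if !keyPattern.MatchString(k) {
			return "", fmt.Errorf("%w: %q", errUnsafeKey, k)
		}
		quoted = append(quoted, "'"+k+"'")
	}
	return strings.Join(quoted, " -> "), nil
}

func main() {
	// Constructed inputs: one valid path, one segment carrying a quote.
	for _, path := range [][]string{
		{"resources", "max_slots"},
		{"resources", "max_slots' --"},
	} {
		field, err := policyFieldPath(path...)
		fmt.Printf("%q %v\n", field, err)
	}
}
```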

func GetMergedConstraints

func GetMergedConstraints(ctx context.Context, workspaceID int, workloadType string) (*model.Constraints, error)

GetMergedConstraints retrieves Workspace and Global constraints and returns a merged result. workloadType is expected to be model.ExperimentType or model.NTSCType.

func GetTaskConfigPolicies

func GetTaskConfigPolicies(
	ctx context.Context, scope *int, workloadType string,
) (*model.TaskConfigPolicies, error)

GetTaskConfigPolicies retrieves the invariant config and constraints for the given scope (global or workspace-level) and workload Type.

func MarshalConfigPolicy

func MarshalConfigPolicy(configPolicy interface{}) *structpb.Struct

MarshalConfigPolicy packs a config policy into a proto struct.

func MergeWithInvariantExperimentConfigs

func MergeWithInvariantExperimentConfigs(ctx context.Context, workspaceID int,
	config expconf.ExperimentConfigV0,
) (*expconf.ExperimentConfigV0, error)

MergeWithInvariantExperimentConfigs merges the config with workspace and global invariant configs, where a global invariant config takes precedence over a workspace-level invariant config.

func PriorityUpdateAllowed

func PriorityUpdateAllowed(wkspID int, workloadType string, priority int, smallerHigher bool) (bool, error)

PriorityUpdateAllowed returns true if the desired priority is within the task config policy limit.

func SetTaskConfigPolicies

func SetTaskConfigPolicies(ctx context.Context,
	tcp *model.TaskConfigPolicies,
) error

SetTaskConfigPolicies adds the task invariant config and constraints config policies to the database.

func SetTaskConfigPoliciesTx

func SetTaskConfigPoliciesTx(ctx context.Context, tx *bun.Tx,
	tcp *model.TaskConfigPolicies,
) error

SetTaskConfigPoliciesTx adds the task invariant config and constraints policies to the database.

func UnmarshalConfigPolicies

func UnmarshalConfigPolicies[T any](errMsg string, constraintsStr,
	configStr *string) (*model.Constraints, *T,
	error,
)

UnmarshalConfigPolicies unmarshals optionally specified invariant config and constraint configurations presented as YAML or JSON strings.

func UnmarshalConfigPolicy

func UnmarshalConfigPolicy[T any](str string, errString string) (*T, error)

UnmarshalConfigPolicy is a generic helper function to unmarshal both JSON and YAML strings.

func ValidWorkloadType

func ValidWorkloadType(val string) bool

ValidWorkloadType checks if the string is an accepted WorkloadType.

func ValidateExperimentConfig

func ValidateExperimentConfig(
	globalConfigPolicies *model.TaskConfigPolicies,
	configPolicies string,
	priorityEnabledErr error,
) error

ValidateExperimentConfig validates a model.ExperimentType config & constraints.

func ValidateNTSCConfig

func ValidateNTSCConfig(
	globalConfigPolicies *model.TaskConfigPolicies,
	configPolicies string,
	priorityEnabledErr error,
) error

ValidateNTSCConfig validates a model.NTSCType config & constraints.

Types

type ConfigPolicyAuthZ

type ConfigPolicyAuthZ interface {
	// PUT /api/v1/config-policies/workspaces/:workspace-id/:type
	CanModifyWorkspaceConfigPolicies(ctx context.Context, curUser model.User,
		workspace *workspacev1.Workspace,
	) error
	// GET /api/v1/config-policies/workspaces/:workspace-id/:type
	CanViewWorkspaceConfigPolicies(ctx context.Context, curUser model.User,
		workspace *workspacev1.Workspace,
	) error

	// CanModifyGlobalConfigPolicies returns an error if the user is not authorized to
	// modify task config policies.
	CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User,
	) error

	// CanViewGlobalConfigPolicies returns a nil error.
	CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User,
	) error
}

ConfigPolicyAuthZ describes authz methods for config policies.

type ConfigPolicyAuthZBasic

type ConfigPolicyAuthZBasic struct{}

ConfigPolicyAuthZBasic is classic OSS controls.

func (*ConfigPolicyAuthZBasic) CanModifyGlobalConfigPolicies

func (a *ConfigPolicyAuthZBasic) CanModifyGlobalConfigPolicies(ctx context.Context, curUser *model.User,
) error

CanModifyGlobalConfigPolicies requires curUser to be an admin.

func (*ConfigPolicyAuthZBasic) CanModifyWorkspaceConfigPolicies

func (a *ConfigPolicyAuthZBasic) CanModifyWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) error

CanModifyWorkspaceConfigPolicies requires curUser to be an admin or workspace owner.

func (*ConfigPolicyAuthZBasic) CanViewGlobalConfigPolicies

func (a *ConfigPolicyAuthZBasic) CanViewGlobalConfigPolicies(ctx context.Context, curUser *model.User,
) error

CanViewGlobalConfigPolicies returns a nil error.

func (*ConfigPolicyAuthZBasic) CanViewWorkspaceConfigPolicies

func (a *ConfigPolicyAuthZBasic) CanViewWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) error

CanViewWorkspaceConfigPolicies returns a nil error.

type ConfigPolicyAuthZPermissive

type ConfigPolicyAuthZPermissive struct{}

ConfigPolicyAuthZPermissive is the permissive implementation.

func (*ConfigPolicyAuthZPermissive) CanModifyGlobalConfigPolicies

func (p *ConfigPolicyAuthZPermissive) CanModifyGlobalConfigPolicies(
	ctx context.Context, curUser *model.User,
) error

CanModifyGlobalConfigPolicies calls the RBAC implementation and returns if the user has access to modify global task config policies.

func (*ConfigPolicyAuthZPermissive) CanModifyWorkspaceConfigPolicies

func (p *ConfigPolicyAuthZPermissive) CanModifyWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) error

CanModifyWorkspaceConfigPolicies calls RBAC authz but enforces basic authz.

func (*ConfigPolicyAuthZPermissive) CanViewGlobalConfigPolicies

func (p *ConfigPolicyAuthZPermissive) CanViewGlobalConfigPolicies(
	ctx context.Context, curUser *model.User,
) error

CanViewGlobalConfigPolicies calls the RBAC implementation but always allows access.

func (*ConfigPolicyAuthZPermissive) CanViewWorkspaceConfigPolicies

func (p *ConfigPolicyAuthZPermissive) CanViewWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) error

CanViewWorkspaceConfigPolicies calls RBAC authz but enforces basic authz.

type ConfigPolicyAuthZRBAC

type ConfigPolicyAuthZRBAC struct{}

ConfigPolicyAuthZRBAC is RBAC authorization for config policies.

func (*ConfigPolicyAuthZRBAC) CanModifyGlobalConfigPolicies

func (r *ConfigPolicyAuthZRBAC) CanModifyGlobalConfigPolicies(
	ctx context.Context, curUser *model.User,
) error

CanModifyGlobalConfigPolicies checks if the user can modify global task config policies.

func (*ConfigPolicyAuthZRBAC) CanModifyWorkspaceConfigPolicies

func (r *ConfigPolicyAuthZRBAC) CanModifyWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) (err error)

CanModifyWorkspaceConfigPolicies determines whether a user can modify workspace task config policies.

func (*ConfigPolicyAuthZRBAC) CanViewGlobalConfigPolicies

func (r *ConfigPolicyAuthZRBAC) CanViewGlobalConfigPolicies(
	ctx context.Context, curUser *model.User,
) error

CanViewGlobalConfigPolicies checks if the user can view global task config policies.

func (*ConfigPolicyAuthZRBAC) CanViewWorkspaceConfigPolicies

func (r *ConfigPolicyAuthZRBAC) CanViewWorkspaceConfigPolicies(
	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
) (err error)

CanViewWorkspaceConfigPolicies determines whether a user can view workspace task config policies.

type ExperimentConfigPolicies

type ExperimentConfigPolicies struct {
	InvariantConfig *expconf.ExperimentConfig `json:"invariant_config"`
	Constraints     *model.Constraints        `json:"constraints"`
}

ExperimentConfigPolicies is the invariant config and constraints for an experiment. Submitted experiments whose config fields vary from the respective InvariantConfig fields set within a given scope are silently overridden. Submitted experiments whose constraint fields vary from the respective Constraint fields set within a given scope are rejected.

type NTSCConfigPolicies

type NTSCConfigPolicies struct {
	InvariantConfig *model.CommandConfig `json:"invariant_config"`
	Constraints     *model.Constraints   `json:"constraints"`
}

NTSCConfigPolicies is the invariant config and constraints for an NTSC task. Submitted NTSC tasks whose config fields vary from the respective InvariantConfig fields set within a given scope are silently overridden. Submitted NTSC tasks whose constraint fields vary from the respective Constraint fields set within a given scope are rejected.
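
The difference between an invariant config (silent override) and a constraint (rejection), as described for ExperimentConfigPolicies, NTSCConfigPolicies and CanSetMaxSlots, sketched for max_slots only. This is an added example, not this package's code: policy, firstSet, resolveMaxSlots and ptr are hypothetical names, and applying global-before-workspace precedence to both fields is an assumption taken from the GetConfigPolicyField description.

```go
package main

import (
	"errors"
	"fmt"
)

// policy is a simplified, hypothetical stand-in for one scope's policy.
type policy struct {
	invariantMaxSlots  *int // invariant_config.resources.max_slots
	constraintMaxSlots *int // constraints.resources.max_slots
}

var errSlotsTooHigh = errors.New("requested max slots violates constraint")

// firstSet returns the first non-nil value; callers pass global before
// workspace, so global takes precedence.
func firstSet(vals ...*int) *int {
	for _, v := range vals {
		if v != nil {
			return v
		}
	}
	return nil
}

// resolveMaxSlots: an invariant value silently replaces the request;
// with no invariant set, a request above the constraint is rejected.
func resolveMaxSlots(req *int, global, wksp policy) (*int, error) {
	if inv := firstSet(global.invariantMaxSlots, wksp.invariantMaxSlots); inv != nil {
		return inv, nil
	}
	limit := firstSet(global.constraintMaxSlots, wksp.constraintMaxSlots)
	if req != nil && limit != nil && *req > *limit {
		return nil, fmt.Errorf("%w: %d > %d", errSlotsTooHigh, *req, *limit)
	}
	return req, nil
}

func ptr(i int) *int { return &i }

func main() {
	global := policy{constraintMaxSlots: ptr(8)} // constructed sample policies
	wksp := policy{invariantMaxSlots: ptr(4)}
	got, err := resolveMaxSlots(ptr(16), global, wksp) // overridden, not rejected
	fmt.Println(*got, err)
	_, err = resolveMaxSlots(ptr(16), global, policy{}) // rejected
	fmt.Println(err)
}
```

A request for 16 slots succeeds with 4 when an invariant is set and fails only when a constraint stands alone, so callers that need to know about the override have to compare the returned value with what they asked for.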
