[SC 38762] Adding collection role create #1182
Conversation
jkube-globus
requested review from
MaxTueckeGlobus,
aaschaer,
ada-globus,
derek-globus,
kurtmckee,
m1yag1 and
sirosen
as code owners
derek-globus
left a comment
derek-globus
left a comment
There was a problem hiding this comment.
Hey James, sorry about the really slow review here, we must've lost sight of this PR.
A couple requests for changes, but overall looks good!
…obus/globus-cli into SC-38762_Collection_Role_Create
… users primary identity for role assignments target principal
sirosen
left a comment
sirosen
left a comment
There was a problem hiding this comment.
There are some minor tweaks around the command itself to discuss, but I think my main feedback is around the supporting tooling -- fields and test data.
Overall I think this is on-track, just needs a little bit more refinement and polish! 💎
| "http_response_code": 200, | ||
| }, | ||
| ).add() | ||
|
|
There was a problem hiding this comment.
I see that this moved from being a code construction here to being defined in the YAML fixture files.
Can we revert this change, and the one in the role show test, and leave these data alone?
I've been trying to migrate CLI and SDK off of the YAML fixtures, and onto the pattern used here of imperatively defined test data. It's a slow transition because we can't pull support all at once (or it would break a lot of tests).
Ideally we would not make any additions to the fixture files, but I won't insist on that for all new work at this stage. For now, I just don't want us to migrate things which are moving away from that paradigm "backwards", in the wrong direction.
Note
My rationale for getting away from the YAML is that it has in practice not worked out very well for extensibility and has created some brittle dependencies between test files. Most notably, when multiple distinct files are coordinated, this is done by carefully keeping IDs in sync between distinct files. The newer way to manage data dependencies I've worked up is to construct configurators like the get_identities_mocker (seen below this comment). It still doesn't cover all needs, but I'm interested in growing that suite of tools.
There was a problem hiding this comment.
Absolutely and will do!
| super().__init__(auth_client) | ||
| self.add_items(collection_role.get("id")) | ||
| self.add_items(collection_role.get("role", ())) | ||
| self.add_items(collection_role.get("principal")) |
There was a problem hiding this comment.
It's not clear to me why this additional formatter exists. Could you help me understand why it's here?
By my understanding, all three of these calls pass strings, which are then iterated on with an attempt to parse each character in those strings:
globus-cli/src/globus_cli/termio/formatters/auth.py
Lines 61 to 68 in e7d2804
Since no single character will successfully parse as a principal URN, I'd expect the three calls to do nothing.
I see it used below in a field where it is formatting the principal field in a response. Would a PrincipalURNFormatter, which is what was in use in role list prior to this PR, not suffice?
| @command("create") | ||
| @collection_id_arg | ||
| @click.argument("ROLE", type=click.Choice(t.get_args(_VALID_ROLES)), metavar="ROLE") | ||
| @click.argument("PRINCIPAL", type=str, required=False) |
There was a problem hiding this comment.
I have two notes on this being an optional argument.
The first is a general "CLI feel" item: if it's optional, I think it should be an option, e.g. --principal.
It's good for any individual CLI tool to establish some sort of style guide to provide a uniform experience. In globus-cli, we try to keep things 100% mapped to "all required inputs are arguments, all optional inputs are options". I should probably add this to the contrib docs.
The second is... Should this be optional? I'm not convinced that's the correct way to represent the GCS API. I think defaulting to the current user is a very surprising behavior: since the API itself is for manipulating roles, the current user must have some role already. In all likelihood, a user running role create is creating roles for other users and groups.
In summary:
- We should choose
@click.option("--principal")or@click.argument("PRINCIPAL")(norequired=False) - My current inclination is that
@click.argument("PRINCIPAL")is most appropriate
There was a problem hiding this comment.
Agreed on the first point, option = optional; argument = required.
The second point is a change that I suggested to James. I'll ask in the gcs devchat; seems like a pretty domain specific usage question.
There was a problem hiding this comment.
seems like a pretty domain specific usage question.
Maybe this is where our perspectives diverge. I don't think it's purely domain specific.
I think we should consider this in the context of the following commands:
globus endpoint permission createglobus endpoint role createglobus flows update-- specifically the role optionsglobus group {join,leave,invite}globus group member {add,approve,invite,reject,remove}globus search index role create
Of these, globus group join, globus group leave, globus group invite accept, and globus group invite decline all lookup the current user, and the rest require a user or group as input. globus flows update is the only one I would consider inherently dissimilar from this API.
There was a problem hiding this comment.
gcs weighed in, let's go back to your original behavior James (no defaulting to the current user). Sorry for the flip-flop.
From Jason:
Insist on an explicit identity_id or username
that makes it consistent with the gcs cli
admins omitting identity_id can (1) lead to confusing about which identity id will be used and (2) support tickets when things don't behave as expected
But also, in order to run collection role create you already need a role to allow the operation, so the operation is a bit redundant
| "--principal-type", | ||
| type=click.Choice(["identity", "group"]), | ||
| help="Qualifier to specify what type of principal (identity or group) is provided.", | ||
| ) |
There was a problem hiding this comment.
Note
For any other reviewers, this --principal-type phrasing is already in use elsewhere in the CLI, and I think we should apply it here (as currently in the PR) for uniformity.
That said, I'm very much interested in developing a better interface for passing these inputs. I think we could design something as a replacement which takes URNs, short-forms like group:<id>, and usernames.
Co-authored-by: Stephen Rosen <[email protected]>
3 participants
Adding in
globus collection role createand corresponding test in support of SC-38762Updated:
Added: