Implement WAL rollback mechanism for Role Assignments #110
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… Roles associated with Role
…ize mismatch between number of roles and assignmentIDs, parameterize Resource Group in test
…ead of Errorf for AzureRoles and assignmentIDs check
…t-wal-rollback-for-roleassignments
davidadeleon
deleted the
davidadeleon/implement-wal-rollback-for-roleassignments
branch
jasonodonnell
pushed a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired
jasonodonnell
pushed a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired
jasonodonnell
pushed a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired
jasonodonnell
added a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
jasonodonnell
added a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
jasonodonnell
added a commit
that referenced
this pull request
Nov 22, 2022
* Implement Role Assignment WAL and rollback * Improve error handling around unassignment of non-existent role assignment ID * Better error handling in test, and guarding against nil or empty values * Add clarity to rollback log message, and check if there were no Azure Roles associated with Role * Further improve error handling, fix failing test, add guard against size mismatch between number of roles and assignmentIDs, parameterize Resource Group in test * Fix rollback test, and clean up left over debug line * Add missing error check for spRevoke during test, use errors.New instead of Errorf for AzureRoles and assignmentIDs check * Add warning about resources potentially still existing if WAL has expired Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
This was referenced Nov 22, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Implement a rollback mechanism for Role Assignments to handle a case where on dynamic SP creation we may encounter an error and have to rollback any changes. Currently the AppID will be deleted which also removes the SP, but any successful role assignments will be orphaned. This incurs a hit against the Role Assignment limit. There is no change to the user experience.
Design of Change
Create a separate WAL where the generated UUIDs of the role assignments can be stored, and referred to if needed for rollback. Added a TRACE level log for instances where a 204 response is returned from Azure. A 204 is returned when the Role Assignment ID has already been deleted or never existed.
Test Output