fix: cli is not a library! #7891
Conversation
✅ Deploy Preview for determined-ui ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
3 times, most recently
from
591eedc
to
556d2e9
Compare
| @@ -63,10 +62,10 @@ def test_trial_logs() -> None: | |||
| @pytest.mark.parametrize( | |||
| "task_type,task_config,log_regex", | |||
| [ | |||
| (command.TaskTypeCommand, {"entrypoint": ["echo", "hello"]}, re.compile("^.*hello.*$")), | |||
There was a problem hiding this comment.
because the CLI is not a library. It should never be imported from outside the cli/ directory.
Importing it for a few static strings is a violation of the application-nature of the CLI, with no particular benefit. I don't think these strings are going to change in the next 10 years.
There was a problem hiding this comment.
I didn't check where the command namespace was coming from. makes sense.
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
2 times, most recently
from
92b36be
to
fc341b8
Compare
e2e_tests/tests/cluster/test_rbac.py
Outdated
| user = bindings.v1User(username=api_utils.get_random_string(), admin=False, active=True) | ||
| creds = api_utils.create_test_user(True, user=user) | ||
| for role in roles: | ||
| api.assign_role( |
There was a problem hiding this comment.
Excision of determined.cli.rbac.assign_role into determined.common.api.assign_role looks great, as does its use here. api.assign_role seems like a pretty reasonable place to call something from that fronts the backend. But there's something about it living in determined.common.api._util that feels wrong to me. It's a nit either way, and who really cares what file the function is in, but if you think that it'll be helpful to us to someday have structure to that directory, I think now is a good time to start it.
There was a problem hiding this comment.
I really don't care what file the function is in. If you want me to put it in a different file, lmk what to name it and I'll do it.
I do like having it in the api namespace, and this is a case where I really like the separation between how code is called and where code is defined.
There was a problem hiding this comment.
I do like having it in the api namespace, and this is a case where I really like the separation between how code is called and where code is defined.
I've not had cause to differentiate the two in the past, but I agree. It's really nice, here.
This comment applies to many of the other moved functions, too. How about determined/common/api/_rbac.py?
There was a problem hiding this comment.
I think that sounds like a great name.
I put all the functions I added there, since they're all rbac-related. Even not_found_errs is rbac-related.
| return bindings.get_GetWorkspace(session, id=w[0].id).workspace | ||
|
|
||
|
|
||
| # not_found_errs mirrors NotFoundErrs from the golang api/errors.go. In the cases where |
There was a problem hiding this comment.
I don't get what's going on with this function. Could it be part of your cleanup?
There was a problem hiding this comment.
Yes, I'll look into it. I didn't ask that question earlier, I just shuffled it around.
There was a problem hiding this comment.
looked into it. It just helps users remember that 404 errors in rbac cases might be permissions errors.
I promoted the comment to a docstring and added more explanation.
There was a problem hiding this comment.
The docstring is a better place to put the help text, for sure. And thanks for figuring out what the function is for.
I still have to do more work to understand what the function does than I want a person to have to do. Something seems off about the design. Bleh.
But anyway, I think bigger changes are outside the scope of this PR. So maybe here just a suggestion like:
"""Construct a NotFoundException from passed strings.
This function creates NotFoundExceptions with the same syntax as the NotFoundErrs from api/errors.go so that messages from both layers look the same. If RBAC is enabled, the exceptions underlying the 404s that this function constructs might be the result of a permissions error. In that event, this function appends a suggestion to the constructed exception string that the user to check permissions.
"""
The type mismatch between the actual return type and its superclass is a little weird. That'd be an easy fix if you want to make it.
carolinaecalderon
force-pushed
the
main
branch
from
9ac8f82
to
8eff8ac
Compare
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
from
fc341b8
to
f0256ab
Compare
| group_name_to_assign: Optional[str] = None, | ||
| ) -> Tuple[List[bindings.v1UserRoleAssignment], List[bindings.v1GroupRoleAssignment]]: | ||
| if (username_to_assign is None) == (group_name_to_assign is None): | ||
| # XXX: very weird that we use api.errors.BadRequestException here! |
There was a problem hiding this comment.
Don't forget to either remove me or turn this into a TODO and/or ticket.
There was a problem hiding this comment.
ah yes, thank you
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
2 times, most recently
from
b38bfa3
to
5d3a5ba
Compare
|
status update: this is blocked on bringing the EE changes in e2e_tests into the OSS repo. We can't solve the rebase problem for the whole world, but we can solve it for this directory! |
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
from
5d3a5ba
to
da8090a
Compare
|
status update: EE changes to e2e_tests are finally in OSS now, and this PR can proceed as planned. |
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
from
da8090a
to
d916469
Compare
| raise api.errors.BadRequestException(f"could not find role name {role_name}") | ||
|
|
||
|
|
||
| def create_assignment_request( |
There was a problem hiding this comment.
I don't like this method. It's got all kinds of weird. It's not your job, but do you want to be the person on the other side of the git blame?
I think it should be split into:
create_user_assignment_request(session, role, workspace, username) -> bindings.v1UserRoleAssignment
create_group_assignment_request(session, role, workspace, group) -> bindings.v1GroupRoleAssignmentThere was a problem hiding this comment.
lol, you are exactly right. I didn't even read the function body.
rb-determined-ai
changed the title
rb-determined-ai
changed the title
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
from
d916469
to
5d463de
Compare
Direct calls into the CLI are problematic, because the CLI uses a variety of authentication techniques, some of which are only configured by the cli's __main__() codepath. That means that cli auth and cert singletons have been configured all over e2e tests in order to support direct CLI calls. Avoiding direct calls to cli functions is a step in the direction of cleaning up our authentication story.
rb-determined-ai
force-pushed
the
rb/cli-not-a-library
branch
from
5d463de
to
bdb6efe
Compare
|
I removed a review request from the web team, seems to have been from an old force-push-to-master incident. |
|
Everything passed except some known flakes. Same story over in the EE repo. Force-merging. |
Direct calls into the CLI are problematic, because the CLI uses a variety of authentication techniques, some of which are only configured by the cli's main() codepath. That means that cli auth and cert singletons have been configured all over e2e tests in order to support direct CLI calls.
Avoiding direct calls to cli functions is a step in the direction of cleaning up our authentication story.