Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fdc grant cmds #7656

Merged
merged 8 commits into from
Sep 18, 2024
Merged

Fdc grant cmds #7656

merged 8 commits into from
Sep 18, 2024

Conversation

tammam-g
Copy link
Contributor

@tammam-g tammam-g commented Sep 13, 2024

Description

Add firebase dataconnect:sql:grant -R <role> -E <email> command. The command grants the corresponding role in the FDC sql instance.

Scenarios Tested

Not passing -R or --role -> Error: -R, --role <role> is required. Run the command with -h for more info.
Note passing -E or --email -> Error: -E, --email <email> is required. Run the command with -h for more info.
passing non existing role -> Error: Role should be one of owner | writer | reader.

Screenshot 2024-09-17 at 7 09 15 PM

Sample Commands

firebase dataconnect:sql:grant -E email@gmail.com -R writer
firebase dataconnect:sql:grant --email email@gmail.com --role reader
firebase dataconnect:sql:grant --email email@gmail.com --R owner
src/emulator/auth/handlers.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
src/emulator/auth/oob.spec.ts Dismissed Show dismissed Hide dismissed
@tammam-g tammam-g marked this pull request as ready for review September 13, 2024 22:42
@tammam-g tammam-g requested review from fredzqm and joehan September 13, 2024 22:46
Copy link
Contributor

@fredzqm fredzqm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you update description with test commands and screenshots of results?

Both sunny case and error scenarios.

"-E, --email <email>",
"The email of the user or service account we would like to grant the role to.",
)
.before(requirePermissions, ["firebasedataconnect.services.list"])
Copy link
Contributor

@fredzqm fredzqm Sep 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and cloudsql.instance.connect

We can move cloudsql.users.create here for simplicity.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are in the iamUserIsCSQLAdmin check so the user can get a nice error message. I'm ok with removing the iamUserIsCSQLAdmin check and just moving things here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine to be checked later

throw new FirebaseError(
"-E, --email <email> is required. Run the command with -h for more info.",
);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these validations be at cmd file?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 - consider using https://github.com/tj/commander.js?tab=readme-ov-file#required-option instead of option to make these required.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to cmd file.

@joehan, I tried using requiredOption but it wasn't possible. We have our own Command type and we don't define requiredOption on it. I also looked around and it seems like we don't have any usage of this.

// Make sure current user can perform this action.
const userIsCSQLAdmin = await iamUserIsCSQLAdmin(options);
if (!userIsCSQLAdmin) {
throw new FirebaseError(`Only users with 'roles/cloudsql.admin' can grant SQL roles.`);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wonder if requiring cloudsql.users.create in the cmd permission will do it.

This error message is nice though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a good place to print out instructions telling users to ask their DB admin - ie:

Only users with 'roles/cloudsql.admin' can grant SQL roles. If you do not have this role, ask your database administrator to run this command or manually grant <role> to <user>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the error message. The error message also will take care of the service account extension.

src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
@tammam-g tammam-g requested a review from fredzqm September 17, 2024 23:33
"-E, --email <email>",
"The email of the user or service account we would like to grant the role to.",
)
.before(requirePermissions, ["firebasedataconnect.services.list"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine to be checked later

@tammam-g tammam-g enabled auto-merge (squash) September 18, 2024 18:16
@tammam-g tammam-g merged commit e1d1563 into master Sep 18, 2024
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants