correct handling of resource ownership for self-serve roles #3068
Conversation
Signed-off-by: Henry Avetisyan <[email protected]>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @havetisyan, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request addresses a logical inconsistency in how resource ownership is applied to self-serve roles and groups. Previously, setting a member resource owner on a self-serve entity would inadvertently block other users from adding themselves, defeating the purpose of the self-serve option. The changes ensure that member resource ownership is always ignored for self-serve roles and groups, allowing them to function as intended while maintaining other ownership types (meta, object).
Highlights
- Ignore Member Ownership for Self-Serve Roles/Groups: The system will now explicitly ignore and nullify the 'membersOwner' attribute for roles and groups that are marked as 'selfServe = true'. This prevents conflicts where a self-serve role/group (intended for open membership) is inadvertently restricted by a member resource owner.
- Updated ResourceOwnership Utility: The 'verifyRoleMembersResourceOwnership' and 'verifyGroupMembersResourceOwnership' methods in 'ResourceOwnership.java' now include checks to return 'null' immediately if the role or group is self-serve, effectively bypassing member ownership validation.
- ZMS API Enforcement: The 'ZMSImpl.java' methods ('putRole', 'putGroup', 'putResourceRoleOwnership', 'putResourceGroupOwnership') have been updated to explicitly set 'membersOwner' to 'null' if the role or group is self-serve when resource ownership is being set or updated.
- New Test Cases: 'ResourceOwnershipTest.java' and 'ServerResourceOwnershipTest.java' have been updated with new test cases to ensure that member ownership is correctly ignored and nullified for self-serve roles and groups, and to handle invalid role/group names.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request correctly adjusts the handling of resource ownership for self-serve roles and groups. By ignoring member ownership for these entities, it aligns with the self-serve concept where any member can manage memberships. The changes are implemented across ResourceOwnership and ZMSImpl and are well-supported by both unit and integration tests. I have a few suggestions to improve efficiency in ZMSImpl by optimizing how role and group objects are fetched, and also noted a couple of minor issues.
servers/zms/src/test/java/com/yahoo/athenz/zms/ServerResourceOwnershipTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Henry Avetisyan <[email protected]>
Description
if you have a role/group marked as self-serve then we have a problem when we set member resource ownership on the role/group (e.g. terraform) since that blocks all other users from adding themselves to the role/group directly which is the actual purpose of self-serve option.
we now always ignore the member ownership bit for roles/group with self-serve option enabled.
Contribution Checklist:
Attach Screenshots (Optional)