snap/system_usernames,tests: Azure IoT Edge system usernames #12141
Conversation
alexclewontin
changed the title
|
Checks failed because I messed up the PR name, should be good now |
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
b817262 to
f1237a3
Compare
|
Thanks Alex! I like the changes on the spread test! I'm not sure about adding all those usernames for a single snap, it seems a bit too much, but if you already agreed this with @pedronis then it's fine for me as well. In any case, I don't think that we need to add unit tests for all of them; I actually wouldn't add any unit test, given that the functionality is already tested by the existing usernames, and you have a good test in the spread. |
mardy
added
the
Needs Samuele review
|
@mardy thanks for the review! I'll nix the unit tests. Just as context: I also don't love adding all the usernames but unfortunately it is necessary to support the Azure IoT Edge application architecture, which relies on all of these services running under different UIDs corresponding to known usernames (which we are meeting Microsoft halfway with by adding the |
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
f1237a3 to
0073ec7
Compare
|
Split the usernames across two snap IDs (one is an Azure ID service which can be used by more than just the Azure IoT Edge runtime, the other is the Azure IoT Edge runtime). Removed unnecessary unit tests as per @mardy's review. Looks like the failing check is not related to this PR? |
@pedronis unfortunately I already know of one more request that is going to come through the pipe (the Azure Device Update service, a different Microsoft service which also uses the azure-iot-identity snap as an authentication backend) although it's really part of the same usecase. If that would be too many we can look at reverting to store-side declaration method, although I'd like to understand what the timeline is and if there is anything I could do in that case to drive that work, as we have some commercial commitments based on the idea we'd do it this way. My understanding is that most of that work would actually be in snapd (extending the definition of the snap-decl assertion, consulting snap-decl assertion when deciding whether a system-username declared in snap.yaml is valid or not), is that correct? |
|
Added the usernames for the above-mentioned Azure Device Update service. Check failure appears unrelated. |
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
c576f60 to
c42fa62
Compare
snap/system_usernames.go
Outdated
| "snap_do": {Id: 584795, AllowedSnapIds: []string{ | ||
| "KzF67Mv8CeQBdUdrGaKU2sZVEiICWBg1", // deviceupdate-agent | ||
| }}, | ||
| "snap_adu": {Id: 584796, AllowedSnapIds: []string{ | ||
| "KzF67Mv8CeQBdUdrGaKU2sZVEiICWBg1", // deviceupdate-agent |
There was a problem hiding this comment.
these two are really not very purpose-unique names
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
c42fa62 to
a4f0c40
Compare
Extend the system-usernames-microk8s test to allow creating variants to test arbitrary system usernames scoped to particular snaps. Rename the test to reflect this. Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
a4f0c40 to
3badb4a
Compare
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
alexclewontin
force-pushed
the
system-usernames-aziotedge
branch
from
3badb4a to
abe724a
Compare
Genericize system-usernames-microk8s test to test arbitrary usernames scoped to a specific snap ID. Then add Azure IoT Edge scoped system usernames.