feat: allow direct changes to the subnet admins for cloud engines #9672
NikolaMilosa wants to merge 4 commits into master from
Conversation
This pull request changes code owned by the Governance team. Therefore, make sure that you have considered the following (for Governance-owned code):

1. Update unreleased_changelog.md (if there are behavior changes, even if they are non-breaking).
2. Are there BREAKING changes?
3. Is a data migration needed?
4. Security review?

How to Satisfy This Automatic Review

1. Go to the bottom of the pull request page.
2. Look for where it says this bot is requesting changes.
3. Click the three dots to the right.
4. Select "Dismiss review".
5. In the text entry box, respond to each of the numbered items in the previous section, declare one of the following:
   - Done.
   - $REASON_WHY_NO_NEED. E.g. for unreleased_changelog.md, "No canister behavior changes.", or for item 2, "Existing APIs behave as before.".

Brief Guide to "Externally Visible" Changes

"Externally visible behavior change" is very often due to some NEW canister API. Changes to EXISTING APIs are more likely to be "breaking".

If these changes are breaking, make sure that clients know how to migrate, how to maintain their continuity of operations.

If your changes are behind a feature flag, then, do NOT add entrie(s) to unreleased_changelog.md in this PR! But rather, add entrie(s) later, in the PR that enables these changes in production.

Reference(s)

For a more comprehensive checklist, see here.
No breaking changes, updated the unreleased_changelog.md
Two high-level questions/concerns:
Rate limiting is already implemented here. As for overriding: if done directly (via In general: most of our users will probably have only one principal alongside the controller.
Ah perfect, that was the line I didn't find. The other was more of an FYI, i.e. we have to be aware of the pitfalls when allowing multiple subnet admins.
}

#[test]
fn cloud_engine_subnet_admin_can_clear_subnet_admins() {
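Review bot: the test name `cloud_engine_subnet_admin_can_clear_subnet_admins` describes clearing as succeeding, which no longer matches the later comment that Clear and Remove are now rejected when they would leave a cloud engine with an empty admin list; the test should assert that the clear call is rejected and be renamed to say so (for example `cloud_engine_subnet_admin_cannot_clear_subnet_admins`), with a companion test for the Remove path that would drop the last remaining admin.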
Hmm. Maybe we do not want to allow this? If someone does this, is there any way to get out of the "no admins" state??
Ditto for remove that results in no admins.
I am not sure. I think that a regular update subnet proposal would cover it, but I am not sure. We are missing some pieces where we would deem one user an owner and ideally it would be separate from admins. Owner then could not be removed or changed easily. But that is beyond this. I will leave this discussion open.
I have added the check for making the list empty for both Clear and Remove for cloud engines at least.
One thing to note:
The subnet_admin will be a derived principal id that our backend gets when a user creates the engine. This means that the principal id will not be the same for them and for the subnet admin, and only their principal through our backend would generate the same derived principal, meaning that it won't be callable outside our app.
There is a different path though:
If someone creates an engine subnet without our tool, then they can do whatever they want. Not sure how to fix that part with the model we have. We can somehow deem subnet_admin[0] as an owner, but that seems like hacking to me. Maybe we would have a proper engine_owner or something.
This PR extends the functionality of changing direct subnet admins directly for cloud engines if the caller is among the engine admins already.
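The two rules discussed in this thread, that only a current subnet admin may change the admin list and that Clear or Remove must never leave a cloud engine with no admins, as an added Rust example. This is not the PR's code or the registry's data model: `Principal`, `CloudEngineSubnet` and `AdminError` are constructed stand-ins, and `set_admins` models Clear as the empty-list case of a replace.

```rust
use std::collections::BTreeSet;

/// Constructed stand-in for an IC principal id (the real Principal type is not used here).
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Principal(pub &'static str);

#[derive(Debug, PartialEq, Eq)]
pub enum AdminError {
    /// Only a current subnet admin may change the admin list.
    CallerNotAdmin,
    /// The change would leave the cloud engine with no admins at all.
    WouldLeaveNoAdmins,
    /// The principal to remove is not currently an admin.
    NotAnAdmin,
}

/// Hypothetical minimal model of a cloud engine subnet's admin list.
#[derive(Debug)]
pub struct CloudEngineSubnet {
    subnet_admins: BTreeSet<Principal>,
}

impl CloudEngineSubnet {
    /// A cloud engine starts with exactly one admin, so the non-empty invariant holds from creation.
    pub fn new(initial_admin: Principal) -> Self {
        let mut subnet_admins = BTreeSet::new();
        subnet_admins.insert(initial_admin);
        Self { subnet_admins }
    }

    pub fn is_admin(&self, p: &Principal) -> bool {
        self.subnet_admins.contains(p)
    }

    pub fn admin_count(&self) -> usize {
        self.subnet_admins.len()
    }

    /// Authorization check shared by every mutation: the caller must already be an admin.
    fn require_admin(&self, caller: &Principal) -> Result<(), AdminError> {
        if self.is_admin(caller) {
            Ok(())
        } else {
            Err(AdminError::CallerNotAdmin)
        }
    }

    /// Add never empties the list, so only the caller check applies.
    pub fn add_admin(&mut self, caller: &Principal, new_admin: Principal) -> Result<(), AdminError> {
        self.require_admin(caller)?;
        self.subnet_admins.insert(new_admin);
        Ok(())
    }

    /// Remove is rejected when the target is the last remaining admin.
    pub fn remove_admin(&mut self, caller: &Principal, target: &Principal) -> Result<(), AdminError> {
        self.require_admin(caller)?;
        if !self.is_admin(target) {
            return Err(AdminError::NotAnAdmin);
        }
        if self.subnet_admins.len() == 1 {
            return Err(AdminError::WouldLeaveNoAdmins);
        }
        self.subnet_admins.remove(target);
        Ok(())
    }

    /// Replace the whole list; Clear is the empty-list case and is rejected for the same reason.
    pub fn set_admins(&mut self, caller: &Principal, new_admins: Vec<Principal>) -> Result<(), AdminError> {
        self.require_admin(caller)?;
        let new_set: BTreeSet<Principal> = new_admins.into_iter().collect();
        if new_set.is_empty() {
            return Err(AdminError::WouldLeaveNoAdmins);
        }
        self.subnet_admins = new_set;
        Ok(())
    }
}

fn main() {
    let owner = Principal("owner");
    let other = Principal("other");
    let mut subnet = CloudEngineSubnet::new(owner.clone());
    subnet.add_admin(&owner, other.clone()).unwrap();
    println!("clear by an admin: {:?}", subnet.set_admins(&other, vec![]));
    let first = subnet.remove_admin(&owner, &owner);
    let last = subnet.remove_admin(&other, &other);
    println!("remove self: {:?}, remove last admin: {:?}", first, last);
}
```

An admin removing themselves is allowed as long as someone else remains; the invariant only guards the empty state the reviewer asked about, and the separate "owner" role raised in the thread is deliberately not modelled here.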