https://pulp.plan.io/https://pulp.plan.io/favicon.ico2020-10-15T16:28:48ZPulpRPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=637782020-10-15T16:28:48Zttereshcttereshc@redhat.com
<ul></ul><p>For the sake of starting a discussion, what if we add <code>resource_href</code> to the task report.<br>
<code>created_resources</code> will be an indication whether the resource has been created or not.</p>
<p>The potential problem with this approach is when multiple resources are being created.<br>
I think if we are creating a resource using POST to its dedicated endpoint (C of the CRUD), <code>resource_href</code> can be there. If it's a special action it should not be filled. E.g.<br>
<code>POST /pulp/api/v3/content/rpm/packages/</code> will have a <code>resource_href</code> filled in the task report when the task is complete.<br>
<code>POST /pulp/api/v3/rpm/rpm/repositories/<uuid>/sync</code> won't have the <code>resource_href</code> filled in the task report when the task is complete.</p>
<p>Any security concerns? will RBAC help here?</p>
<p>Most importantly, any other ideas?</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=637792020-10-15T16:35:01Zdalleydalley@redhat.com
<ul></ul><p>While it would still be stretching definitions, I think it might be OK to use a new field named "updated_resources" for this.</p>
<p>Even though content are immutable, I don't think it would necessarily be harmful to overload the meaning in this context - at least not as harmful as overloading "created_resources". And it would have uses elsewhere as well, so we can be less concerned about making a mess of the task API for this specific use case.</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=637832020-10-15T19:29:34Zbmbouterbmbouter@redhat.com
<ul></ul><p>If the Content created from an artifact the user provides, I think it would be useful to return what would have been created as if it was created. Effectively, this changes the behavior to be a "get_or_create" type of expectation with our Content creation endpoints. Similarly for the Artifact creation endpoints. I see this change as a good thing for the user experience. Couldn't we do that with no additional fields added and use <code>created_resource</code></p>
<p>We don't RBAC content or artifacts themselves today, but when this occurs a user providing an artifact or one that would produce content that already exists, the user would get access to that existing artifact and existing content also in the permissions sytem. They would previously not had access to it. This is all future stuff though, for now paragraph 1 here is my +1 to making this better.</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=638492020-10-19T07:48:52Zwibbit
<ul></ul><p>From a personal perspecitve the create_or_update/create_or_return works well for my work flow, It think I prefer return as opposed to update, especially if we can't update.</p>
<p>@bmboute regarding the RBAC, and access to content, the only thing I would highlight here is, from an RPM perspective at least, I believe the NEVRA constitues uniqueness, so there would be nothing stopping me uploading an empty package with the correct nevra details, which theoretically could give access to a package that I don't actually have.</p>
<p>What meaningful implication that has, I'm unsure, however I thought it was worth while highlighting that just because you can generate the nevra, does not mean the original content is available.</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=638522020-10-19T11:23:05Zipanova@redhat.comipanova@redhat.com
<ul></ul><p>wibbit wrote:</p>
<blockquote>
<p>From a personal perspecitve the create_or_update/create_or_return works well for my work flow, It think I prefer return as opposed to update, especially if we can't update.</p>
<p>@bmboute regarding the RBAC, and access to content, the only thing I would highlight here is, from an RPM perspective at least, I believe the NEVRA constitues uniqueness, so there would be nothing stopping me uploading an empty package with the correct nevra details, which theoretically could give access to a package that I don't actually have.</p>
<p>What meaningful implication that has, I'm unsure, however I thought it was worth while highlighting that just because you can generate the nevra, does not mean the original content is available.</p>
</blockquote>
<p>I agree with you, that's why we should consider using checksum as well.</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=638572020-10-19T14:13:04Zbmbouterbmbouter@redhat.com
<ul></ul><p><a href="mailto:ipanova@redhat.com" class="email">ipanova@redhat.com</a> wrote:</p>
<blockquote>
<p>I agree with you, that's why we should consider using checksum as well.</p>
</blockquote>
<p>I agree as well. The ideal situation is one where any user who provides the binary data can have access to content which is identical to that binary data. Additionally, any time Pulp doesn't already have content units that correspond to user provided binary data that data should be able to be saved, for example NEVRA "squatting" should not be possible.</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=638592020-10-19T14:26:46Zwibbit
<ul></ul><p>bmbouter wrote:</p>
<blockquote>
<p><a href="mailto:ipanova@redhat.com" class="email">ipanova@redhat.com</a> wrote:</p>
<blockquote>
<p>I agree with you, that's why we should consider using checksum as well.</p>
</blockquote>
<p>I agree as well. The ideal situation is one where any user who provides the binary data can have access to content which is identical to that binary data. Additionally, any time Pulp doesn't already have content units that correspond to user provided binary data that data should be able to be saved, for example NEVRA "squatting" should not be possible.</p>
</blockquote>
<p>Just to be clear, NEVRA != HASH/CHECKSUM due to a valid "identical" package being built at different times/different hosts, so a hash against a artifact can't be used to compare RPM content.</p>
<p>I'd not considered "NEVRA" squatting, which I'd see as more of an annoyance than a risk.</p>
<p>My concern was valid content being present, and some one using an "empty" artifact that has the correct NEVRA metadata to gain access to the pre-existing content in some way. Though I think via the API, that is liable to be limited to metadata, so I'm unsure how more of a real risk this poses.</p>
<p>Having a create_or_return v's a dedicated "query content based on this artifact".</p>
<p>That would leave elements to the API consumer, to query first, however probably would work better with the RBAC logic.</p>
<p>I think at this point, I'm probably better stepping back and letting those that know the platform best, decide the right solution :D</p> RPM Support - Story #7708: Improve content creation experiencehttps://pulp.plan.io/issues/7708?journal_id=781082021-12-22T15:33:32Zpulpbot
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/78108/diff?detail_id=78736">diff</a>)</li><li><strong>Status</strong> changed from <i>NEW</i> to <i>CLOSED - DUPLICATE</i></li></ul>