Skip to content

[auth] fix bootstrap_create_accounts for inactive users #15154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 4, 2025
Merged

[auth] fix bootstrap_create_accounts for inactive users #15154

merged 1 commit into from
Nov 4, 2025

Conversation

@cjllanwarne
Copy link
Collaborator

@cjllanwarne cjllanwarne commented Oct 22, 2025
edited by sarahgibs
Loading

Change Description

Fixes our bootstrap_create_accounts script to be resilient to inactive users.

In this case "create"ing an account that is currently inactive becomes reactivating it.

Security Assessment

  • This change potentially impacts the Hail Batch instance as deployed by Broad Institute in GCP

Impact Rating

  • This change has a low security impact

Impact Description

Making a script resilient be replacing a "create" action with a "reactivate" action, if necessary

Appsec Review

  • Required: The impact has been assessed and approved by appsec

@cjllanwarne cjllanwarne requested a review from a team as a code owner October 22, 2025 19:22
@cjllanwarne cjllanwarne requested a review from grohli October 22, 2025 19:22
grohli
grohli reviewed Oct 23, 2025
View reviewed changes
Copy link
Contributor

@grohli grohli left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just one comment/question I had on the new change see updated comment. In that case LGTM! Thanks for the fix.

ci/bootstrap_create_accounts.py
'UPDATE users SET state = "active", last_activated = CURRENT_TIMESTAMP(3) WHERE id = %s;',
(row['id'],),
)
return None
Copy link
Contributor

@grohli grohli Oct 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just want to confirm, will this reactivate all inactive users rather than just any inactive test users (eg test-dev)? And then follow up if yes, do we think making every inactive user active again mess with anything else downstream of this in ci?

Disregard, I can't read. I see now that we're only doing this for the bot accounts:

hail/ci/bootstrap_create_accounts.py

Lines 76 to 84 in 9458374

users = [
# username, login_id, is_developer, is_service_account
('auth', None, 0, 1),
('batch', None, 0, 1),
('ci', None, 0, 1),
('test', None, 0, 0),
('test-dev', None, 1, 0),
('grafana', None, 0, 1),
]

...

hail/ci/bootstrap_create_accounts.py

Lines 104 to 105 in 9458374

for username, login_id, is_developer, is_service_account in users:
user_id = await insert_user_if_not_exists(app, username, login_id, is_developer, is_service_account)

Copy link
Collaborator Author

@cjllanwarne cjllanwarne Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, but actually bot or non-bot we can read this as "for the accounts that we are bootstrapping into the system, we should reactivate them if they already exist but are inactive". It doesn't do anything to any other preexisting accounts

sarahgibs
sarahgibs approved these changes Oct 27, 2025
View reviewed changes
Copy link

@sarahgibs sarahgibs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good.

@hail-ci-robot hail-ci-robot merged commit d50d178 into hail-is:main Nov 4, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@grohli grohli grohli approved these changes

@sarahgibs sarahgibs sarahgibs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cjllanwarne @grohli @sarahgibs @hail-ci-robot