Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(aci): detector permission checks for DetectorWorkflow endpoint #88626

Merged
merged 2 commits into from
Apr 4, 2025
Merged

feat(aci): detector permission checks for DetectorWorkflow endpoint #88626

merged 2 commits into from
Apr 4, 2025

Conversation

ameliahsu
Copy link
Member

detectors should have similar permissions to alerts today, with additional restrictions on default detectors created by Sentry

  • Sentry created (default) detectors
    • Organization-level owner, manager (users with org:write or org:admin)
    • Team-level admins for projects where they are team admins (those who have project:write on the project)
  • User created (custom) detectors
    • Anyone on the team can create/edit if “Let members create alerts” is enabled (in this case all users have alert:write on projects)
    • Otherwise if “Let members create alerts” is disabled, only organization-level owner, manager, or team-level admin roles can create/edit detectors
    • These permissions should be restricted to only projects that members are associated with in the case that "Open team membership" is disabled

@ameliahsu ameliahsu requested a review from a team as a code owner April 2, 2025 20:32
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Apr 2, 2025
saponifi3d
saponifi3d reviewed Apr 3, 2025
View reviewed changes
Copy link
Contributor

@saponifi3d saponifi3d left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high level approach on the org permissions looks great, just the suggestion around the check method and then spending some time breaking apart the tests would be good. I think you have a pretty good break down of each test in comment blocks, and could probably just pull out creating the models as a "setup" method and decompose around those comments.

@codecov Codecov
Copy link

codecov bot commented Apr 4, 2025
edited
Loading

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
24703 2 24701 294
View the top 2 failed test(s) by shortest run time 
tests.snuba.api.endpoints.test_project_trace_item_details.ProjectEventDetailsTest::test_simple_using_logs_item_type
Stack Traces | 3.19s run time 
#x1B[1m#x1B[.../api/endpoints/test_project_trace_item_details.py#x1B[0m:170: in test_simple_using_logs_item_type
    assert trace_details_response.data == {
#x1B[1m#x1B[31mE   AssertionError: {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...oat', 'value': 1.7437802e+18}, ...], 'itemId': '0196016689d17891ac916d2c2b7a4e45', 'timestamp': '2025-04-04T15:23:39Z'}#x1B[0m
#x1B[1m#x1B[31mE   assert {'attributes'...04T15:23:39Z'} == {'attributes'...04T15:23:39Z'}#x1B[0m
#x1B[1m#x1B[31mE     #x1B[0m
#x1B[1m#x1B[31mE     Omitting 2 identical items, use -vv to show#x1B[0m
#x1B[1m#x1B[31mE     Differing items:#x1B[0m
#x1B[1m#x1B[31mE     {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...', 'type': 'float', 'value': 0.0}, {'name': 'sentry.timestamp_precise', 'type': 'float', 'value': 1.7437802e+18}, ...]} != {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...'name': 'log.severity_number', 'type': 'float', 'value': 0.0}, {'name': 'int_attr', 'type': 'int', 'value': '2'}, ...]}#x1B[0m
#x1B[1m#x1B[31mE     #x1B[0m
#x1B[1m#x1B[31mE     Full diff:#x1B[0m
#x1B[1m#x1B[31mE       {#x1B[0m
#x1B[1m#x1B[31mE           'attributes': [#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'bool_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'bool',#x1B[0m
#x1B[1m#x1B[31mE                   'value': True,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'bool_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 1.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'float_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 3.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'int_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 2.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_number',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 0.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE     +             'name': 'sentry.timestamp_precise',#x1B[0m
#x1B[1m#x1B[31mE     +             'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE     +             'value': 1.7437802e+18,#x1B[0m
#x1B[1m#x1B[31mE     +         },#x1B[0m
#x1B[1m#x1B[31mE     +         {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'int_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '2',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_number',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '0',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.item_type',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '3',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.organization_id',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '4555843738992640',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.project_id',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '4555843738992642',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE     +             'name': 'sentry.timestamp_precise',#x1B[0m
#x1B[1m#x1B[31mE     +             'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE     +             'value': '1743780219345999872',#x1B[0m
#x1B[1m#x1B[31mE     +         },#x1B[0m
#x1B[1m#x1B[31mE     +         {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.body',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 'foo',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_text',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 'INFO',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'str_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '1',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'trace',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '22e8cc40-4749-436d-bdc8-0f25cb6aace9',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE           ],#x1B[0m
#x1B[1m#x1B[31mE           'itemId': '0196016689d17891ac916d2c2b7a4e45',#x1B[0m
#x1B[1m#x1B[31mE           'timestamp': '2025-04-04T15:23:39Z',#x1B[0m
#x1B[1m#x1B[31mE       }#x1B[0m
tests.snuba.api.endpoints.test_project_trace_item_details.ProjectEventDetailsTest::test_simple
Stack Traces | 3.62s run time 
#x1B[1m#x1B[.../api/endpoints/test_project_trace_item_details.py#x1B[0m:81: in test_simple
    assert trace_details_response.data == {
#x1B[1m#x1B[31mE   AssertionError: {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...oat', 'value': 1.7437802e+18}, ...], 'itemId': '019601667d20718b935b12af7e738eba', 'timestamp': '2025-04-04T15:23:36Z'}#x1B[0m
#x1B[1m#x1B[31mE   assert {'attributes'...04T15:23:36Z'} == {'attributes'...04T15:23:36Z'}#x1B[0m
#x1B[1m#x1B[31mE     #x1B[0m
#x1B[1m#x1B[31mE     Omitting 2 identical items, use -vv to show#x1B[0m
#x1B[1m#x1B[31mE     Differing items:#x1B[0m
#x1B[1m#x1B[31mE     {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...', 'type': 'float', 'value': 0.0}, {'name': 'sentry.timestamp_precise', 'type': 'float', 'value': 1.7437802e+18}, ...]} != {'attributes': [{'name': 'bool_attr', 'type': 'bool', 'value': True}, {'name': 'bool_attr', 'type': 'float', 'value': ...'name': 'log.severity_number', 'type': 'float', 'value': 0.0}, {'name': 'int_attr', 'type': 'int', 'value': '2'}, ...]}#x1B[0m
#x1B[1m#x1B[31mE     #x1B[0m
#x1B[1m#x1B[31mE     Full diff:#x1B[0m
#x1B[1m#x1B[31mE       {#x1B[0m
#x1B[1m#x1B[31mE           'attributes': [#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'bool_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'bool',#x1B[0m
#x1B[1m#x1B[31mE                   'value': True,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'bool_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 1.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'float_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 3.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'int_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 2.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_number',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 0.0,#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE     +             'name': 'sentry.timestamp_precise',#x1B[0m
#x1B[1m#x1B[31mE     +             'type': 'float',#x1B[0m
#x1B[1m#x1B[31mE     +             'value': 1.7437802e+18,#x1B[0m
#x1B[1m#x1B[31mE     +         },#x1B[0m
#x1B[1m#x1B[31mE     +         {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'int_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '2',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_number',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '0',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.item_type',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '3',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.organization_id',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '4555843738796032',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'sentry.project_id',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '4555843738796034',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE     +             'name': 'sentry.timestamp_precise',#x1B[0m
#x1B[1m#x1B[31mE     +             'type': 'int',#x1B[0m
#x1B[1m#x1B[31mE     +             'value': '1743780216096999936',#x1B[0m
#x1B[1m#x1B[31mE     +         },#x1B[0m
#x1B[1m#x1B[31mE     +         {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.body',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 'foo',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'log.severity_text',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 'INFO',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'str_attr',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': '1',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE               {#x1B[0m
#x1B[1m#x1B[31mE                   'name': 'trace',#x1B[0m
#x1B[1m#x1B[31mE                   'type': 'str',#x1B[0m
#x1B[1m#x1B[31mE                   'value': 'd656dde1-0e25-4479-a7ae-2d963d0f9125',#x1B[0m
#x1B[1m#x1B[31mE               },#x1B[0m
#x1B[1m#x1B[31mE           ],#x1B[0m
#x1B[1m#x1B[31mE           'itemId': '019601667d20718b935b12af7e738eba',#x1B[0m
#x1B[1m#x1B[31mE           'timestamp': '2025-04-04T15:23:36Z',#x1B[0m
#x1B[1m#x1B[31mE       }#x1B[0m

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@ameliahsu ameliahsu requested a review from a team April 4, 2025 15:09
ceorourke
ceorourke approved these changes Apr 4, 2025
View reviewed changes
Copy link
Member

@ceorourke ceorourke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👩‍🍳 nice job on implementing the feedback

@ameliahsu ameliahsu merged commit ce58dee into mia/aci/detector-workflow-endpoint Apr 4, 2025
40 of 43 checks passed
@ameliahsu ameliahsu deleted the mia/aci/detector-workflow-permissions branch April 4, 2025 22:32
@ameliahsu ameliahsu mentioned this pull request Apr 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saponifi3d saponifi3d saponifi3d left review comments

@ceorourke ceorourke ceorourke approved these changes

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ameliahsu @saponifi3d @ceorourke