feat(dir): add manager-scoped agent discovery via pluggable org resolver#1469
feat(dir): add manager-scoped agent discovery via pluggable org resolver#1469vivekkrishna wants to merge 2 commits into
Conversation
Introduces --manager flag on the search command that expands a manager alias to their full org subtree (direct + indirect reports) and returns all agent records whose owner.id annotation matches any alias in that subtree. Key changes: - New pluggable org.Resolver interface with a static YAML file backend - OrgResolverConfig added to server config; static resolver configured via org_resolver.type = "static" + org_resolver.static.file - Relative file paths in config resolved against the config file's directory (via resolveRelativePaths in daemon/config.go) - RECORD_QUERY_TYPE_MANAGER = 16 added to proto + regenerated pb.go - OwnerAliases filter in RecordFilters uses a dedicated SQL JOIN alias (owner_ann) to avoid interference with --annotation filters - SearchController uses functional options pattern (WithOrgResolver) so the resolver remains optional; --manager returns an error when no resolver is configured - E2e tests (13_manager_search_test.go) verify subtree expansion, leaf nodes, unknown aliases, and combined manager+annotation filtering - Test org chart wired into local testenv config Signed-off-by: Vivek Krishna Choppa <[email protected]>
vivekkrishna
force-pushed
the
optional-org-chart-integration
branch
from
021c121 to
6209972
Compare
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
|
Hi @vivekkrishna, thank you for contributing. I do agree that ownership is something that needs to be addressed, but I am not sure if this is the approach we would want to take. There are two important things that I would like to adjust here:
For this PR to go forward, I would suggest we start from an issue/discussion and agree on a plan collectively as this is an important feature. We do support right now ownership through DNS/HTTPs claims through record naming (e.g. |
|
Hi @ramizpolic , that makes sense, should we use this thread to discuss and finalize on the approach? #1468 ? |
|
Yes, lets continue the discussion there. If you are available today (5th of May) at 5PM CEST, we have a public community meeting. This would be an interesting topic to discuss |
|
I can attend with a proposal, can you share the meeting link? |
@vivekkrishna here is the google calendar link https://zoom-lfx.platform.linuxfoundation.org/meetings/agntcy?view=week |
ramizpolic
added
kind/research
Implements single-source-of-truth ownership via OCI referrers: - Proto: new agntcy.dir.ownership.v1.OwnershipClaim message + RECORD_QUERY_TYPE_OWNER=17 + CEL whitelist update - API: OwnershipClaimReferrerType constant + MarshalReferrer/UnmarshalReferrer helpers - DB: Owner table (record_cid, owner_id, claimed_at) auto-migrated; AddOwner/RemoveOwners methods; owners JOIN in handleFilterOptions - Types: OwnershipDatabaseAPI interface; Owners filter field + WithOwners() - Controller: enforces caller SPIFFE ID == owner_id when authn enabled; immediately indexes claim on push - OCI: OwnershipClaimArtifactMediaType mapping - Reconciler: new ownership task walks OwnershipClaimReferrerType referrers to keep DB in sync on restart - CLI: dirctl ownership claim --record <CID> --owner <id>; dirctl search --owner flag - E2E: 7 ownership-based search tests (exact, wildcard, combined filter, negative cases) Part of agntcy#1468
github-actions
Bot
added
size/L
2 participants
Summary
Closes #1445
Introduces manager-scoped agent discovery: given a manager alias, find all agent records owned by anyone in their org subtree. Ownership is expressed via the
owner.idannotation on records; the org hierarchy is provided by a pluggableorg.Resolver.--managerflag on the search command expands a manager alias to their full subtree (direct + indirect reports) and returns all records whoseowner.idannotation matches any alias in that setorg.Resolverinterface (server/org/resolver.go) with a static YAML file backend as the first implementationorg_resolveris absent from the config the server starts normally;--managerreturns an informative error. All other search is unaffected.RECORD_QUERY_TYPE_MANAGER = 16added to proto (regenerated pb.go)owner_ann) for the owner filter, so--managerand--annotationcan be combined without interference13_manager_search_test.go) cover subtree expansion, leaf nodes, aliases outside the org chart, unknown aliases, and combined--manager+--annotationfilteringConfiguration
Org chart format (YAML)
Usage
Design decisions — feedback welcome
owner.idannotation convention: we rely on records being tagged withowner.id: <alias>to express ownership. This is a convention, not enforced by schema validation today. Should this be a first-class field, or is annotation-based ownership the right model?Proto enum vs server-side handling:
RECORD_QUERY_TYPE_MANAGERis a new proto enum value. An alternative would be to handle--managerpurely in the CLI by pre-expanding aliases before sending queries. The current approach keeps expansion server-side (where the org chart lives), which feels cleaner but does touch the wire format.Static-only resolver for now: the
org.Resolverinterface is designed to support LDAP, IdP, or Git-based team resolvers in the future, but only the static YAML backend is implemented here. Happy to drop the interface and ship a concrete type if the team prefers not merging an abstraction without a second implementation.Test plan
go build ./...— server, CLI, e2e testsgo vet— server, CLItask gen— no uncommitted diffs after regenerationtask lint(golangci-lint via pre-commit hook) — passes