Allow PCUI to support multiple Pcluster versions

[hgreebe]

Description

Allow PCUI to support managing clusters of different PCUI versions

Changes

• BREAKING CHANGE With this change we are removing the support for ParallelCluster versions <= 3.5.0. This is an approved product decision. The technical reason behind this change is that supporting those older versions would have required an increase in complexity that we considered not worth it.
• PCUI template accepts a comma separated list of versions to support
• An API stack for each pcluster version is launched
• API handler manages the mapping of pcluster version to api invoke url
• Each API request contains a version parameter in the url
• Updating the stack to remove or add support for different pcluster versions is supported
• During cluster create the first page is now a version page that includes a dropdown menu to select a version
• The official Images page includes a dropdown menu to select which version of images to show

How Has This Been Tested?

• Manually Tested the following:
  • Create PCUI stack with the version parameter filled in with multiple versions
  • Validated that you could see info and modify clusters of the multiple supported versions
  • Validated creating clusters of multiple versions
  • Validated updating clusters of multiple versions
  • Validated view the official images of different versions
  • Validated that buttons such as Shell DCV and Stop Fleet work for only the supported versions
  • Validated that clusters of unsupported versions are not editable
  • VAlidated updating the stack by removing and adding supported versions
• Modified unit tests to account for support of multiple versions

In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[gmarciani]

since this PR is changing the frontend, could you please attach screenshot(s) that represent the most relervant changes?
for example, I'm thinking about the new wizard page for the version

[gmarciani]

Here we are setting the latest PC version as the default one.
The user should be able to control the default version, but with this solution is not.

Example: a user wants to try a new version of PC, but keeping the default version to the one that they consider the most stable.

[hgreebe]

Because for the home page where all of the clusters are displayed, it uses the list clusters API of the default version.
Currently, if the supported API version is larger than an unsupport version of one of the clusters, then you will be able to see some of its information, there will just be a warning saying that you can not edit the cluster. But is the supported API version it less than the unsupported version, you won't be able to see any cluster information and will getting an error message saying that the version is not supported.

The reason for the sorting/default version being the largest version is so that for example if the supported versions for 3.13.0 and 3.11.0, you will be able to see the information for a 3.12.0 cluster no matter the order you put in the supported versions.

[gmarciani]

Got it, thanks for the explanation. Please put a comment explaining why the default version must be the most recent one.

[gmarciani]

what are the implications of this sorting?
Is it used only to determine the default version in the line below?

Also, I suggest to trim blank spaces from the string

[hgreebe]

I explained the sorting in the comment above

[gmarciani]

Should't this be the API URL of the default version?

[gmarciani]

nit: avoid duplication. read the target version ones from the request

[gmarciani]

nit: v -> version

[hgreebe]

[gmarciani]

May you please wrap this logic into a dedicated function and unit test it?

[gmarciani]

nit: unnecessayr to repeat "Select your" in a placeholder. Could simply be "Cluster version"

[gmarciani]

It's a good practice to specify the request param name version in a constant.

const ARG_VERSION="version"

request.args.get(ARG_VERSION)

We did not respect this best practice elsewhere (eg: region), but we can start applying on new code.

[gmarciani]

What if the request is missing the version patameter?

[hgreebe]

the get_base_url function checks if the version has been passed in

[gmarciani]

Got it, thanks for the explanation. Please put a comment explaining why the default version must be the most recent one.

[gmarciani]

Is there a limit to the maximum number of versions that a user can specify?

[gmarciani]

Also, what if a user specifies the same version twice?

[hgreebe]

if the user specifies the sam number twice than it will just launch the api stack for that version once, because the api handler makes the list of versions a set

[hgreebe]

there is not maximum

[gmarciani]

What if a user specifies version <=3.5.0?
This is a breaking change unless you manage <= 3.5.0 in another way (does not seems so).
Can we avoid this change? Why are we forced to introduce it?

[gmarciani]

Does CFN implicitly transform the dotted version with something else?
I'm asking because I assiume you cannot use dots within a resource name.

[hgreebe]

When you use the & symbol instead of the # symbol when referencing the variable, it automatically removes the dots

[gmarciani]

Why did you remove ImageBuilderSubnetId and ImageBuilderVpcId?

[hgreebe]

Because if we only support PC version >3.5.0, than all will use the NonDockerizedPCAPI, which has those two variables set to !Ref AWS::NoValue

[gmarciani]

Seems a very low mem size. What's the maximum mem usage observed across 10 executions? Whatever it is, I suggest to double it. The impact on costs would be very low because this function is executed only on stack create/update/delete, but the potential impact in case of failures is bad.

[hgreebe]

Mem usage is was 86. I will increase it.

[gmarciani]

Can we scope these permissions down? I think we can set the resource to the current stack name, right?

[gmarciani]

If we cannot scope this down using stack name, what about scoping this down using tags as per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag?

[gmarciani]

Why leaving * as resource? Isn't it possible to specify the stack arn with a wildcard only on the stackname?

[gmarciani]

This is a security vulnerabikity. We must scope this policy down.
If injecting APIG ARNs does not work b/c of CFN limitations, then we can do it setting conditions on tags https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag

[gmarciani]

This is a working solution to restrict the permissions using tags.

1. Add tag aws-parallelcluster-ui:stack-id equal to the PCUI stack id to the PCAPI nested stacks.
2. Add condition
   Example:

  ParallelClusterApi:
    Type: AWS::CloudFormation::Stack
    Properties:
      ...
      Tags:
        - Key: 'aws-parallelcluster-ui:stack-id'
          Value: !Ref AWS::StackId


  ParallelClusterApiGatewayInvoke:
    Type: AWS::IAM::ManagedPolicy
    Properties:
       ....
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - execute-api:Invoke
            Effect: Allow
            Resource: !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:*/*/*"
            Condition:
              StringEquals:
                "aws:ResourceTag/aws-parallelcluster-ui:stack-id": !Ref 'AWS::StackId'
        

[gmarciani]

To address path traversal vulnerability, we recently made a change that must be reflected here (#422)

[gmarciani]

Thanks for adding version selection for images as well. For clusters we added tests to cover this change. What about images?

[gmarciani]

what is parsed_url? What about adding the ARN determined on line 325 to the next print and get rid of this?

[hgreebe]

Sorry, that was leftover from testing.

The arns are listed in the log as the output so I will remove the print.

[gmarciani]

with this concantenation you will end up with a trailing comma at the end of the result. Have you verified this does not have any side effect? Wha about getting rid of that?

[hgreebe]

It has not side effect because but I will remove the trailing comma

[gmarciani]

codestyle: output['OutoputValue'] is repeated 4 times. what about improving readability assigning it to a more self explanatory variable api_url instead?

[gmarciani]

I don;'t remember if we already discussed this topic. However, what is the maximum amount of memory consumed that you observed. Is 256 way enough?

[hgreebe]

Mem usage is was 86. so i think 256 should be more than enough.

[gmarciani]

If we cannot scope this down using stack name, what about scoping this down using tags as per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag?

[gmarciani]

This Pr contains an approved breaking change: it breaks the support for PC <= 3.5.0. Let's highlight this in the PR description.

[gmarciani]

Where is this tag set?

[hgreebe]

line 217 or parallelcluster-ui.yaml

[gmarciani]

The tag name is misleading as it seems to refer to ParallelCluster API id, wheres the id we are injecting here is the ID of ParallelCluster UI API. Can you please rename the tag to parallelcluster-ui:api-id?