Working on upgrade script for https://github.com/treeverse/lakeFS/pull/2430 - *Add "attach storage namespace [to repository]" IAM action type. There's a split between possibilities here, complexity of SQL balanced against code complexity for a script that should run only once. I would like the script to "add[...] a new rule allowing action

fs:AttachRepositoryNamespace

on

*

for any policy that allows

fs:CreateRepository

". Three possibilities that I can see: • Golang all the way! Pros: probably more readable, easier to get right. uses a good programming language. Cons: (very) poor ops experience: not part of the migration library that we use (or, indeed, any reasonable migration library). • PostgreSQL

jsonb

SQL whackiness. Write 100% safe pure-SQL code that updates the table. Pros: Perfect ops experience. Cons: The function itself will be tricky to write - it needs to handle IAM-style wildcards (

*

,

?

) entirely correctly. • PostgreSQL

jsonb

SQL whackiness but less whacky. Write SQL code that works on every reasonable IAM policy, but fails if the policy uses special (unused!) characters in action names. Fail migration if such a policy is found (unlikely; such a policy includes an action that is unused!). Specifically, fail for actions that include SQL-style wildcards (

_

.

%

); there are no such actions in lakeFS (or anywhere in IAM, really). Unless I hear strenuous objections -- hopefully accompanied by suggestions how to do it better -- I am going with the third option. (Also posting to the PR, of course.)

Kind of lost on third bullet.. Could you give an example that will fail the migration? IIUC why do we allow actions that are not supported in the first place?

These are statements that include a

_

or

?` in the action string. There is no constraint on

auth_polciies

that enforces only legal action strings, so it is possible for a user to generate such a policy.