Store the silo admin group name (#8850)

jmpesp · web-flow · commit c2862a0cbf82 · 2025-08-28T21:14:38.000Z
The silo admin group is a special group that is automatically created
during silo creation where members are granted the silo admin role. This
name however is not stored, but this is currently ok: any existing silo
won't have the ability to delete groups, meaning that the automatically
created admin group is there to stay and a group with a duplicate name
cannot be created.

Very soon there will be silos with provision types that _can_ delete
groups, meaning this name has to be known in order for Nexus to create
the appropriate policy when a group with a matching name is created
again. It was a mistake not to store this parameter with the silo, so
rectify that with this PR.
diff --git a/nexus/db-model/src/schema_versions.rs b/nexus/db-model/src/schema_versions.rs
@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(183, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(184, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(184, "store-silo-admin-group-name"),
         KnownVersion::new(183, "add-ip-version-to-pools"),
         KnownVersion::new(182, "add-tuf-artifact-board"),
         KnownVersion::new(181, "rename-nat-table"),
diff --git a/nexus/db-model/src/silo.rs b/nexus/db-model/src/silo.rs
@@ -100,6 +100,22 @@ pub struct Silo {
 
     /// child resource generation number, per RFD 192
     pub rcgen: Generation,
+
+    /// Store a group name that will be
+    ///
+    /// 1) automatically created (depending on the provision type of this silo)
+    ///    at silo create time.
+    /// 2) assigned a policy granting members the silo admin role
+    ///
+    /// Prior to this column existing, for api_only and jit provision types,
+    /// Nexus would create this group, and create a policy where users of the
+    /// group would have the silo admin role. It wouldn't store this information
+    /// though as groups cannot be deleted with those provision types.
+    ///
+    /// For provision types that can both create and delete groups, it's
+    /// important to store this name so that when groups are created the same
+    /// automatic policy can be created as well.
+    pub admin_group_name: Option<String>,
 }
 
 /// Form of mapped fleet roles used when serializing to the database
@@ -180,6 +196,7 @@ impl Silo {
                 .into(),
             rcgen: Generation::new(),
             mapped_fleet_roles,
+            admin_group_name: params.admin_group_name,
         })
     }
 
@@ -225,6 +242,7 @@ impl TryFrom<Silo> for views::Silo {
             discoverable: silo.discoverable,
             identity_mode,
             mapped_fleet_roles,
+            admin_group_name: silo.admin_group_name,
         })
     }
 }
diff --git a/nexus/db-schema/src/schema.rs b/nexus/db-schema/src/schema.rs
@@ -751,6 +751,8 @@ table! {
         mapped_fleet_roles -> Jsonb,
 
         rcgen -> Int8,
+
+        admin_group_name -> Nullable<Text>,
     }
 }
 
diff --git a/nexus/types/src/external_api/views.rs b/nexus/types/src/external_api/views.rs
@@ -58,6 +58,10 @@ pub struct Silo {
     /// unless there's a corresponding entry in this map.
     pub mapped_fleet_roles:
         BTreeMap<shared::SiloRole, BTreeSet<shared::FleetRole>>,
+
+    /// Optionally, silos can have a group name that is automatically granted
+    /// the silo admin role.
+    pub admin_group_name: Option<String>,
 }
 
 /// A collection of resource counts used to describe capacity and utilization
diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -23566,6 +23566,11 @@
         "description": "View of a Silo\n\nA Silo is the highest level unit of isolation.",
         "type": "object",
         "properties": {
+          "admin_group_name": {
+            "nullable": true,
+            "description": "Optionally, silos can have a group name that is automatically granted the silo admin role.",
+            "type": "string"
+          },
           "description": {
             "description": "human-readable free-form text about a resource",
             "type": "string"
diff --git a/schema/crdb/dbinit.sql b/schema/crdb/dbinit.sql
@@ -875,7 +875,9 @@ CREATE TABLE IF NOT EXISTS omicron.public.silo (
     mapped_fleet_roles JSONB NOT NULL,
 
     /* child resource generation number, per RFD 192 */
-    rcgen INT NOT NULL
+    rcgen INT NOT NULL,
+
+    admin_group_name TEXT
 );
 
 CREATE UNIQUE INDEX IF NOT EXISTS lookup_silo_by_name ON omicron.public.silo (
@@ -6562,7 +6564,7 @@ INSERT INTO omicron.public.db_metadata (
     version,
     target_version
 ) VALUES
-    (TRUE, NOW(), NOW(), '183.0.0', NULL)
+    (TRUE, NOW(), NOW(), '184.0.0', NULL)
 ON CONFLICT DO NOTHING;
 
 COMMIT;
diff --git a/schema/crdb/store-silo-admin-group-name/up01.sql b/schema/crdb/store-silo-admin-group-name/up01.sql
@@ -0,0 +1,3 @@
+ALTER TABLE omicron.public.silo
+ADD COLUMN IF NOT EXISTS
+admin_group_name TEXT DEFAULT NULL

Original file line number	Diff line number	Diff line change
`@@ -751,6 +751,8 @@ table! {`
`751`	`751`	`mapped_fleet_roles -> Jsonb,`
`752`	`752`
`753`	`753`	`rcgen -> Int8,`
	`754`	`+`
	`755`	`+ admin_group_name -> Nullable<Text>,`
`754`	`756`	`}`
`755`	`757`	`}`
`756`	`758`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ALTER TABLE omicron.public.silo`
	`2`	`+ADD COLUMN IF NOT EXISTS`
	`3`	`+admin_group_name TEXT DEFAULT NULL`