domino_admin_toolkit.checks.info.test_authz_data_metrics module

Description:

Reports counts and grant/member volumes for authorization-related Mongo collections (datasetrw, datasetrw_snapshot, organizations) so we can baseline and track authz data scale over time.

Result:

Logs a CSV-formatted block (one row per (collection, metric) pair) that can be pasted directly into a spreadsheet.

class domino_admin_toolkit.checks.info.test_authz_data_metrics.EntitySpec(name, array_field=None, custom_checks=())

Bases: object

Describes how to compute authz metrics for a single Mongo collection.

Add new collections by appending another EntitySpec to ENTITIES below — no other code changes required.

Attributes:
name: Collection name in the domino database; also the label used

in the output.

array_field: Optional field name whose array length is summed across

all documents (e.g. grants, members).

custom_checks: Optional (metric_name, fn) pairs. Each fn takes

the mongo client and returns the numeric value to report.

array_field: str | None = None
custom_checks: tuple[tuple[str, Callable[[Any], int]], ...] = ()
name: str
domino_admin_toolkit.checks.info.test_authz_data_metrics.authz_metrics_data(mongo_client)

Collect authz-related document counts and array-length sums from MongoDB.

Returns one row per (collection, metric) pair. Failed sub-queries land as None so the rest of the report still surfaces.

Return type:

DataFrame

domino_admin_toolkit.checks.info.test_authz_data_metrics.test_authz_data_metrics(authz_metrics_data)
Description:

Inventory check for authorization-related MongoDB data. For each configured collection (datasetrw, datasetrw_snapshot, organizations), reports total document count, an optional cumulative array-length total (e.g. all grants across all datasetrw docs), and any collection-specific custom checks (e.g. count of datasets with duplicated grants by targetId). Output is a CSV block in the captured logs.

Failure Conditions:

  • This is an informational check; it never fails on data values.

  • The check is skipped if MongoDB is unreachable (handled by the mongo_client session fixture).

  • An empty result set is logged but does not fail the test.

  • Individual metric queries that error are logged at ERROR level and recorded as empty value cells; the rest of the metrics still render.

Troubleshooting Steps:

  1. Confirm the MongoDB pod is healthy via the Domino UI or kubectl get pods -l app=mongodb-replicaset on the platform namespace.

  2. From a platform admin shell, verify connectivity to the MongoDB service and that the domino database is reachable.

  3. If a specific metric shows an empty value cell, search the toolkit run logs for Failed to compute <collection>.<metric> to see the underlying PyMongo error.

Resolution Steps:

  1. For connectivity failures, restore MongoDB availability (replica promotion, pod restart, network policy fix) before re-running.

  2. For permission errors on aggregation pipelines, ensure the toolkit’s MongoDB user has read access to the datasetrw, datasetrw_snapshot, and organizations collections in the domino database.

Required Permissions:

  • Read access to the domino database in MongoDB (count_documents and aggregate on the configured collections).

  • Domino platform admin access to inspect MongoDB pod state during troubleshooting.

See also:

  • test_mongodb.py — broader Mongo collection size/index stats.

  • test_dataset_lifecycle_status.py — separate lifecycle/health view of datasetrw and datasetrw_snapshot.