Example 1 with IamRole

use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.

the class CreateDatasetAuthzBqJobUserStep method doStep.

@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
    Map<IamRole, String> policies = workingMap.get(DatasetWorkingMapKeys.POLICY_EMAILS, Map.class);
    Dataset dataset = datasetService.retrieve(datasetId);
    DatasetModel datasetModel = datasetService.retrieveModel(dataset);
    // The underlying service provides retries so we do not need to retry this operation
    resourceService.grantPoliciesBqJobUser(datasetModel.getDataProject(), policies.values());
    return StepResult.getStepResultSuccess();
}
Also used : Dataset(bio.terra.service.dataset.Dataset) IamRole(bio.terra.service.iam.IamRole) FlightMap(bio.terra.stairway.FlightMap) UUID(java.util.UUID) DatasetModel(bio.terra.model.DatasetModel)

Example 2 with IamRole

use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.

the class CreateDatasetAuthzIamStep method doStep.

@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
    Map<IamRole, String> policyEmails = iamClient.createDatasetResource(userReq, datasetId);
    workingMap.put(DatasetWorkingMapKeys.POLICY_EMAILS, policyEmails);
    return StepResult.getStepResultSuccess();
}
Also used : IamRole(bio.terra.service.iam.IamRole) FlightMap(bio.terra.stairway.FlightMap) UUID(java.util.UUID)

Example 3 with IamRole

use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.

the class SamIam method createDatasetResourceInner.

private Map<IamRole, String> createDatasetResourceInner(AuthenticatedUserRequest userReq, UUID datasetId) throws ApiException {
    CreateResourceCorrectRequest req = new CreateResourceCorrectRequest();
    req.setResourceId(datasetId.toString());
    // STEWARD: initial member is the configured stewards group, not the caller
    req.addPoliciesItem(IamRole.STEWARD.toString(), createAccessPolicy(IamRole.STEWARD.toString(), Collections.singletonList(samConfig.getStewardsGroupEmail())));
    // CUSTODIAN: initial member is the authenticated user making the request
    req.addPoliciesItem(IamRole.CUSTODIAN.toString(), createAccessPolicy(IamRole.CUSTODIAN.toString(), Collections.singletonList(userReq.getEmail())));
    // INGESTER: policy is created with the role attached but no initial members
    req.addPoliciesItem(IamRole.INGESTER.toString(), new AccessPolicyMembership().roles(Collections.singletonList(IamRole.INGESTER.toString())));
    // the SAM call is made with the caller's own token, so SAM enforces the caller's permissions
    ResourcesApi samResourceApi = samResourcesApi(userReq.getRequiredToken());
    logger.debug(req.toString());
    // create the resource in sam
    createResourceCorrectCall(samResourceApi.getApiClient(), IamResourceType.DATASET.toString(), req);
    // we'll want all of these roles to have read access to the underlying data,
    // so we sync and return the emails for the policies that get created by SAM
    Map<IamRole, String> policies = new HashMap<>();
    for (IamRole role : Arrays.asList(IamRole.STEWARD, IamRole.CUSTODIAN, IamRole.INGESTER)) {
        String policy = syncOnePolicy(userReq, IamResourceType.DATASET, datasetId, role);
        policies.put(role, policy);
    }
    return policies;
}
Also used : HashMap(java.util.HashMap) IamRole(bio.terra.service.iam.IamRole) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) AccessPolicyMembership(org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembership)

Example 4 with IamRole

use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.

the class SnapshotAuthzBqJobUserStep method doStep.

@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    Snapshot snapshot = snapshotService.retrieveByName(snapshotName);
    SnapshotDataProject projectForSnapshot = dataLocationService.getOrCreateProject(snapshot);
    Map<IamRole, String> policyMap = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    // Allow the custodian to make queries in this project.
    // The underlying service provides retries so we do not need to retry this operation
    resourceService.grantPoliciesBqJobUser(projectForSnapshot.getGoogleProjectId(), Collections.singletonList(policyMap.get(IamRole.CUSTODIAN)));
    return StepResult.getStepResultSuccess();
}
Also used : Snapshot(bio.terra.service.snapshot.Snapshot) IamRole(bio.terra.service.iam.IamRole) FlightMap(bio.terra.stairway.FlightMap) SnapshotDataProject(bio.terra.service.snapshot.SnapshotDataProject)

Example 5 with IamRole

use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.

the class SnapshotAuthzFileAclStep method undoStep.

@Override
public StepResult undoStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
    Snapshot snapshot = snapshotService.retrieve(snapshotId);
    Map<IamRole, String> policies = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    String readersPolicyEmail = policies.get(IamRole.READER);
    // TODO: when we support multiple datasets, we can generate more than one copy of this
    // step: one for each dataset. That is because each dataset keeps its file dependencies
    // in its own scope. For now, we know there is exactly one dataset and we take shortcuts.
    SnapshotSource snapshotSource = snapshot.getSnapshotSources().get(0);
    String datasetId = snapshotSource.getDataset().getId().toString();
    Dataset dataset = datasetService.retrieve(UUID.fromString(datasetId));
    List<String> fileIds = fireStoreDao.getDatasetSnapshotFileIds(dataset, snapshotId.toString());
    try {
        gcsPdao.removeAclOnFiles(dataset, fileIds, readersPolicyEmail);
    } catch (StorageException ex) {
        // We don't let the exception stop us from continuing to remove the rest of the snapshot parts.
        // TODO: change this to whatever our alert-a-human log message is.
        logger.warn("NEEDS CLEANUP: Failed to remove snapshot reader ACLs from files", ex);
    }
    return StepResult.getStepResultSuccess();
}
Also used : Snapshot(bio.terra.service.snapshot.Snapshot) Dataset(bio.terra.service.dataset.Dataset) SnapshotSource(bio.terra.service.snapshot.SnapshotSource) IamRole(bio.terra.service.iam.IamRole) FlightMap(bio.terra.stairway.FlightMap) UUID(java.util.UUID) StorageException(com.google.cloud.storage.StorageException)

Aggregations

IamRole (bio.terra.service.iam.IamRole)10 FlightMap (bio.terra.stairway.FlightMap)8 UUID (java.util.UUID)7 Dataset (bio.terra.service.dataset.Dataset)4 Snapshot (bio.terra.service.snapshot.Snapshot)4 StepResult (bio.terra.stairway.StepResult)3 PdaoException (bio.terra.common.exception.PdaoException)2 SnapshotSource (bio.terra.service.snapshot.SnapshotSource)2 BigQueryError (com.google.cloud.bigquery.BigQueryError)2 BigQueryException (com.google.cloud.bigquery.BigQueryException)2 StorageException (com.google.cloud.storage.StorageException)2 HashMap (java.util.HashMap)2 ResourcesApi (org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi)2 AccessPolicyMembership (org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembership)2 DatasetModel (bio.terra.model.DatasetModel)1 SnapshotDataProject (bio.terra.service.snapshot.SnapshotDataProject)1 ArrayList (java.util.ArrayList)1