Example 1 with IamRole
use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
the class CreateDatasetAuthzBqJobUserStep method doStep.
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
FlightMap workingMap = context.getWorkingMap();
UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
Map<IamRole, String> policies = workingMap.get(DatasetWorkingMapKeys.POLICY_EMAILS, Map.class);
Dataset dataset = datasetService.retrieve(datasetId);
DatasetModel datasetModel = datasetService.retrieveModel(dataset);
// The underlying service provides retries so we do not need to retry this operation
resourceService.grantPoliciesBqJobUser(datasetModel.getDataProject(), policies.values());
return StepResult.getStepResultSuccess();
}
Also used :
Dataset(bio.terra.service.dataset.Dataset)
IamRole(bio.terra.service.iam.IamRole)
FlightMap(bio.terra.stairway.FlightMap)
UUID(java.util.UUID)
DatasetModel(bio.terra.model.DatasetModel)
Example 2 with IamRole
use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
the class CreateDatasetAuthzIamStep method doStep.
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
FlightMap workingMap = context.getWorkingMap();
UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
Map<IamRole, String> policyEmails = iamClient.createDatasetResource(userReq, datasetId);
workingMap.put(DatasetWorkingMapKeys.POLICY_EMAILS, policyEmails);
return StepResult.getStepResultSuccess();
}Example 3 with IamRole
use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
the class SamIam method createDatasetResourceInner.
private Map<IamRole, String> createDatasetResourceInner(AuthenticatedUserRequest userReq, UUID datasetId) throws ApiException {
CreateResourceCorrectRequest req = new CreateResourceCorrectRequest();
req.setResourceId(datasetId.toString());
req.addPoliciesItem(IamRole.STEWARD.toString(), createAccessPolicy(IamRole.STEWARD.toString(), Collections.singletonList(samConfig.getStewardsGroupEmail())));
req.addPoliciesItem(IamRole.CUSTODIAN.toString(), createAccessPolicy(IamRole.CUSTODIAN.toString(), Collections.singletonList(userReq.getEmail())));
req.addPoliciesItem(IamRole.INGESTER.toString(), new AccessPolicyMembership().roles(Collections.singletonList(IamRole.INGESTER.toString())));
ResourcesApi samResourceApi = samResourcesApi(userReq.getRequiredToken());
logger.debug(req.toString());
// create the resource in sam
createResourceCorrectCall(samResourceApi.getApiClient(), IamResourceType.DATASET.toString(), req);
// we'll want all of these roles to have read access to the underlying data,
// so we sync and return the emails for the policies that get created by SAM
Map<IamRole, String> policies = new HashMap<>();
for (IamRole role : Arrays.asList(IamRole.STEWARD, IamRole.CUSTODIAN, IamRole.INGESTER)) {
String policy = syncOnePolicy(userReq, IamResourceType.DATASET, datasetId, role);
policies.put(role, policy);
}
return policies;
}
Also used :
HashMap(java.util.HashMap)
IamRole(bio.terra.service.iam.IamRole)
ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi)
AccessPolicyMembership(org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembership)
Example 4 with IamRole
use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
the class SnapshotAuthzBqJobUserStep method doStep.
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
FlightMap workingMap = context.getWorkingMap();
Snapshot snapshot = snapshotService.retrieveByName(snapshotName);
SnapshotDataProject projectForSnapshot = dataLocationService.getOrCreateProject(snapshot);
Map<IamRole, String> policyMap = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
// Allow the custodian to make queries in this project.
// The underlying service provides retries so we do not need to retry this operation
resourceService.grantPoliciesBqJobUser(projectForSnapshot.getGoogleProjectId(), Collections.singletonList(policyMap.get(IamRole.CUSTODIAN)));
return StepResult.getStepResultSuccess();
}
Also used :
Snapshot(bio.terra.service.snapshot.Snapshot)
IamRole(bio.terra.service.iam.IamRole)
FlightMap(bio.terra.stairway.FlightMap)
SnapshotDataProject(bio.terra.service.snapshot.SnapshotDataProject)
Example 5 with IamRole
use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
the class SnapshotAuthzFileAclStep method undoStep.
@Override
public StepResult undoStep(FlightContext context) throws InterruptedException {
FlightMap workingMap = context.getWorkingMap();
UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
Snapshot snapshot = snapshotService.retrieve(snapshotId);
Map<IamRole, String> policies = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
String readersPolicyEmail = policies.get(IamRole.READER);
// TODO: when we support multiple datasets, we can generate more than one copy of this
// step: one for each dataset. That is because each dataset keeps its file dependencies
// in its own scope. For now, we know there is exactly one dataset and we take shortcuts.
SnapshotSource snapshotSource = snapshot.getSnapshotSources().get(0);
String datasetId = snapshotSource.getDataset().getId().toString();
Dataset dataset = datasetService.retrieve(UUID.fromString(datasetId));
List<String> fileIds = fireStoreDao.getDatasetSnapshotFileIds(dataset, snapshotId.toString());
try {
gcsPdao.removeAclOnFiles(dataset, fileIds, readersPolicyEmail);
} catch (StorageException ex) {
// We don't let the exception stop us from continuing to remove the rest of the snapshot parts.
// TODO: change this to whatever our alert-a-human log message is.
logger.warn("NEEDS CLEANUP: Failed to remove snapshot reader ACLs from files", ex);
}
return StepResult.getStepResultSuccess();
}
Also used :
Snapshot(bio.terra.service.snapshot.Snapshot)
Dataset(bio.terra.service.dataset.Dataset)
SnapshotSource(bio.terra.service.snapshot.SnapshotSource)
IamRole(bio.terra.service.iam.IamRole)
FlightMap(bio.terra.stairway.FlightMap)
UUID(java.util.UUID)
StorageException(com.google.cloud.storage.StorageException)
Aggregations
IamRole (bio.terra.service.iam.IamRole)10
FlightMap (bio.terra.stairway.FlightMap)8
UUID (java.util.UUID)7
Dataset (bio.terra.service.dataset.Dataset)4
Snapshot (bio.terra.service.snapshot.Snapshot)4
StepResult (bio.terra.stairway.StepResult)3
PdaoException (bio.terra.common.exception.PdaoException)2
SnapshotSource (bio.terra.service.snapshot.SnapshotSource)2
BigQueryError (com.google.cloud.bigquery.BigQueryError)2
BigQueryException (com.google.cloud.bigquery.BigQueryException)2
StorageException (com.google.cloud.storage.StorageException)2
HashMap (java.util.HashMap)2
ResourcesApi (org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi)2
AccessPolicyMembership (org.broadinstitute.dsde.workbench.client.sam.model.AccessPolicyMembership)2
DatasetModel (bio.terra.model.DatasetModel)1
SnapshotDataProject (bio.terra.service.snapshot.SnapshotDataProject)1
ArrayList (java.util.ArrayList)1
