Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere.
Class CreateDatasetAuthzBqJobUserStep, method doStep:
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
    // Policy group emails were written to the working map by the preceding IAM step
    // (CreateDatasetAuthzIamStep), one email per IamRole.
    Map<IamRole, String> policies = workingMap.get(DatasetWorkingMapKeys.POLICY_EMAILS, Map.class);
    Dataset dataset = datasetService.retrieve(datasetId);
    DatasetModel datasetModel = datasetService.retrieveModel(dataset);
    // Grant every Sam policy group the BigQuery Job User role on the dataset's data project.
    // The underlying service provides retries so we do not need to retry this operation
    resourceService.grantPoliciesBqJobUser(datasetModel.getDataProject(), policies.values());
    return StepResult.getStepResultSuccess();
}
Class CreateDatasetAuthzIamStep, method doStep:
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
    // Create the dataset resource in Sam on behalf of the requesting user and get back
    // the email of the Google group backing each role's policy.
    Map<IamRole, String> policyEmails = iamClient.createDatasetResource(userReq, datasetId);
    // Store the emails so later steps (e.g. the BigQuery Job User grant) can use them.
    workingMap.put(DatasetWorkingMapKeys.POLICY_EMAILS, policyEmails);
    return StepResult.getStepResultSuccess();
}
Class SamIam, method createDatasetResourceInner:
private Map<IamRole, String> createDatasetResourceInner(AuthenticatedUserRequest userReq, UUID datasetId) throws ApiException {
    CreateResourceCorrectRequest req = new CreateResourceCorrectRequest();
    req.setResourceId(datasetId.toString());
    // STEWARD: the configured stewards group; CUSTODIAN: the requesting user only;
    // INGESTER: the role exists on the resource but is created with no members.
    req.addPoliciesItem(IamRole.STEWARD.toString(), createAccessPolicy(IamRole.STEWARD.toString(), Collections.singletonList(samConfig.getStewardsGroupEmail())));
    req.addPoliciesItem(IamRole.CUSTODIAN.toString(), createAccessPolicy(IamRole.CUSTODIAN.toString(), Collections.singletonList(userReq.getEmail())));
    req.addPoliciesItem(IamRole.INGESTER.toString(), new AccessPolicyMembership().roles(Collections.singletonList(IamRole.INGESTER.toString())));
    // The call is made with the requesting user's token, so Sam authorizes it as that user.
    ResourcesApi samResourceApi = samResourcesApi(userReq.getRequiredToken());
    logger.debug(req.toString());
    // create the resource in sam
    createResourceCorrectCall(samResourceApi.getApiClient(), IamResourceType.DATASET.toString(), req);
    // we'll want all of these roles to have read access to the underlying data,
    // so we sync and return the emails for the policies that get created by SAM
    Map<IamRole, String> policies = new HashMap<>();
    for (IamRole role : Arrays.asList(IamRole.STEWARD, IamRole.CUSTODIAN, IamRole.INGESTER)) {
        String policy = syncOnePolicy(userReq, IamResourceType.DATASET, datasetId, role);
        policies.put(role, policy);
    }
    return policies;
}
Class SnapshotAuthzBqJobUserStep, method doStep:
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    // snapshotName is a field of this step, set when the flight is constructed.
    Snapshot snapshot = snapshotService.retrieveByName(snapshotName);
    SnapshotDataProject projectForSnapshot = dataLocationService.getOrCreateProject(snapshot);
    Map<IamRole, String> policyMap = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    // Allow the custodian to make queries in this project.
    // Unlike the dataset step, only the CUSTODIAN policy group is granted BigQuery Job User here.
    // The underlying service provides retries so we do not need to retry this operation
    resourceService.grantPoliciesBqJobUser(projectForSnapshot.getGoogleProjectId(), Collections.singletonList(policyMap.get(IamRole.CUSTODIAN)));
    return StepResult.getStepResultSuccess();
}
Class SnapshotAuthzFileAclStep, method undoStep:
@Override
public StepResult undoStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
    Snapshot snapshot = snapshotService.retrieve(snapshotId);
    Map<IamRole, String> policies = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    // The READER policy group is the one that was granted object ACLs in doStep; undo removes it.
    String readersPolicyEmail = policies.get(IamRole.READER);
    // TODO: when we support multiple datasets, we can generate more than one copy of this
    // step: one for each dataset. That is because each dataset keeps its file dependencies
    // in its own scope. For now, we know there is exactly one dataset and we take shortcuts.
    SnapshotSource snapshotSource = snapshot.getSnapshotSources().get(0);
    String datasetId = snapshotSource.getDataset().getId().toString();
    Dataset dataset = datasetService.retrieve(UUID.fromString(datasetId));
    List<String> fileIds = fireStoreDao.getDatasetSnapshotFileIds(dataset, snapshotId.toString());
    try {
        gcsPdao.removeAclOnFiles(dataset, fileIds, readersPolicyEmail);
    } catch (StorageException ex) {
        // We don't let the exception stop us from continuing to remove the rest of the snapshot parts.
        // Note that on this path the reader ACLs may remain on the files until someone cleans them up.
        // TODO: change this to whatever our alert-a-human log message is.
        logger.warn("NEEDS CLEANUP: Failed to remove snapshot reader ACLs from files", ex);
    }
    return StepResult.getStepResultSuccess();
}