Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere:
the class SnapshotAuthzFileAclStep, method doStep.
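/**
 * Grants the snapshot's reader policy group access to the dataset files backing the snapshot by
 * setting a GCS ACL on each file.
 *
 * <p>The reader group email comes from the {@code POLICY_MAP} working-map entry (keyed by
 * {@link IamRole#READER}) stored by an earlier step. A 400/"badRequest" storage error is treated
 * as IAM propagation lag and retried; any other storage error fails the step instead of being
 * swallowed, so the flight never reports success with the ACLs left unset.
 *
 * @param context flight context holding the working map
 * @return success, a retryable failure, or a fatal failure carrying the storage exception
 * @throws InterruptedException if the step is interrupted
 */
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
    Snapshot snapshot = snapshotService.retrieve(snapshotId);
    @SuppressWarnings("unchecked") // stored by the IAM step as Map<IamRole, String>
    Map<IamRole, String> policies = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    String readersPolicyEmail = policies == null ? null : policies.get(IamRole.READER);
    if (readersPolicyEmail == null) {
        // Without a reader group there is nothing valid to grant; fail rather than set a null ACL.
        return new StepResult(StepStatus.STEP_RESULT_FAILURE_FATAL,
            new IllegalStateException("No reader policy email in working map for snapshot " + snapshotId));
    }

    // TODO: when we support multiple datasets, we can generate more than one copy of this
    // step: one for each dataset. That is because each dataset keeps its file dependencies
    // in its own scope. For now, we know there is exactly one dataset and we take shortcuts.
    SnapshotSource snapshotSource = snapshot.getSnapshotSources().get(0);
    String datasetId = snapshotSource.getDataset().getId().toString();
    Dataset dataset = datasetService.retrieve(UUID.fromString(datasetId));
    List<String> fileIds = fireStoreDao.getDatasetSnapshotFileIds(dataset, snapshotId.toString());

    try {
        // Test hook: simulate the storage failure mode so the retry path can be exercised.
        if (configService.testInsertFault(SNAPSHOT_GRANT_FILE_ACCESS_FAULT)) {
            throw new StorageException(400, "Fake IAM failure", "badRequest", null);
        }
        gcsPdao.setAclOnFiles(dataset, fileIds, readersPolicyEmail);
    } catch (StorageException ex) {
        if (ex.getCode() == 400 && StringUtils.equals(ex.getReason(), "badRequest")) {
            // Likely the reader group has not propagated yet; log loudly and let Stairway retry.
            logger.info("Maybe caught an ACL propagation error: " + ex.getMessage() + " reason: " + ex.getReason(), ex);
            return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, ex);
        }
        // Any other storage error means the ACLs were not set; do not report success.
        logger.error("Failed to set file ACLs for snapshot " + snapshotId, ex);
        return new StepResult(StepStatus.STEP_RESULT_FAILURE_FATAL, ex);
    }
    return StepResult.getStepResultSuccess();
}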
Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere:
the class SnapshotAuthzTabularAclStep, method doStep.
/**
 * Grants the snapshot's reader policy group read access to the snapshot's BigQuery data.
 *
 * <p>The reader group email is read from the {@code POLICY_MAP} working-map entry under
 * {@link IamRole#READER}. A BigQuery IAM propagation error is returned as a retryable failure;
 * any other BigQuery error is wrapped in a {@link PdaoException}.
 *
 * @param context flight context holding the working map
 * @return success, or a retryable failure carrying the BigQuery exception
 * @throws InterruptedException if the step is interrupted
 * @throws PdaoException on a non-retryable BigQuery failure
 */
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
    Snapshot snapshot = snapshotService.retrieve(snapshotId);
    Map<IamRole, String> policyEmails = workingMap.get(SnapshotWorkingMapKeys.POLICY_MAP, Map.class);
    String readerGroupEmail = policyEmails.get(IamRole.READER);

    try {
        // Test hook: simulate the IAM failure mode so the retry path can be exercised.
        if (configService.testInsertFault(SNAPSHOT_GRANT_ACCESS_FAULT)) {
            throw new BigQueryException(400, "IAM setPolicy fake failure", new BigQueryError("invalid", "fake", "IAM setPolicy fake failure"));
        }
        bigQueryPdao.addReaderGroupToSnapshot(snapshot, readerGroupEmail);
        return StepResult.getStepResultSuccess();
    } catch (BigQueryException ex) {
        if (!FlightUtils.isBigQueryIamPropagationError(ex)) {
            throw new PdaoException("Caught BQ exception while granting read access to snapshot", ex);
        }
        // The group likely has not propagated yet; let Stairway retry the step.
        return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, ex);
    }
}
Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere:
the class CreateDatasetAuthzPrimaryDataStep, method doStep.
/**
 * Grants every policy group of a newly created dataset read access to its BigQuery data.
 *
 * <p>The policy emails come from the {@code POLICY_EMAILS} working-map entry; all of its values
 * are granted. A BigQuery IAM propagation error is returned as a retryable failure; any other
 * BigQuery error is wrapped in a {@link PdaoException}.
 *
 * @param context flight context holding the working map
 * @return success, or a retryable failure carrying the BigQuery exception
 * @throws InterruptedException if the step is interrupted
 * @throws PdaoException on a non-retryable BigQuery failure
 */
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID datasetId = workingMap.get(DatasetWorkingMapKeys.DATASET_ID, UUID.class);
    Map<IamRole, String> policyEmails = workingMap.get(DatasetWorkingMapKeys.POLICY_EMAILS, Map.class);
    Dataset dataset = datasetService.retrieve(datasetId);

    try {
        // Test hook: simulate the IAM failure mode so the retry path can be exercised.
        if (configService.testInsertFault(DATASET_GRANT_ACCESS_FAULT)) {
            throw new BigQueryException(400, "IAM setPolicy fake failure", new BigQueryError("invalid", "fake", "IAM setPolicy fake failure"));
        }
        bigQueryPdao.grantReadAccessToDataset(dataset, policyEmails.values());
        return StepResult.getStepResultSuccess();
    } catch (BigQueryException ex) {
        if (!FlightUtils.isBigQueryIamPropagationError(ex)) {
            throw new PdaoException("Caught BQ exception while granting read access to dataset", ex);
        }
        // The groups likely have not propagated yet; let Stairway retry the step.
        return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, ex);
    }
}
Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere:
the class SamIam, method createSnapshotResourceInner.
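/**
 * Creates the SAM resource for a snapshot with its steward, custodian, reader and discoverer
 * policies, then syncs the reader and custodian policies so their group emails can be used for
 * downstream grants.
 *
 * @param userReq the requesting user; becomes the custodian and is also added to the readers
 * @param snapshotId id used as the SAM resource id
 * @param readersList emails to put in the reader policy; {@code null} is treated as empty and the
 *     list is never mutated
 * @return the synced group email for {@link IamRole#READER} and {@link IamRole#CUSTODIAN}
 * @throws ApiException if the SAM call fails
 */
private Map<IamRole, String> createSnapshotResourceInner(AuthenticatedUserRequest userReq, UUID snapshotId, List<String> readersList) throws ApiException {
    String custodianEmail = userReq.getEmail();

    // The custodian is always a reader. Copy the caller's list so it is never mutated, and add the
    // custodian only if the caller did not already list them, so no member is sent to SAM twice.
    List<String> fullReadersList = new ArrayList<>();
    if (readersList != null) {
        fullReadersList.addAll(readersList);
    }
    if (!fullReadersList.contains(custodianEmail)) {
        fullReadersList.add(custodianEmail);
    }

    CreateResourceCorrectRequest req = new CreateResourceCorrectRequest();
    req.setResourceId(snapshotId.toString());
    req.addPoliciesItem(IamRole.STEWARD.toString(),
        createAccessPolicy(IamRole.STEWARD.toString(), Collections.singletonList(samConfig.getStewardsGroupEmail())));
    req.addPoliciesItem(IamRole.CUSTODIAN.toString(),
        createAccessPolicy(IamRole.CUSTODIAN.toString(), Collections.singletonList(custodianEmail)));
    req.addPoliciesItem(IamRole.READER.toString(),
        createAccessPolicy(IamRole.READER.toString(), fullReadersList));
    // Only the role is set on the discoverer policy here; no members are added to it.
    req.addPoliciesItem(IamRole.DISCOVERER.toString(),
        new AccessPolicyMembership().roles(Collections.singletonList(IamRole.DISCOVERER.toString())));

    ResourcesApi samResourceApi = samResourcesApi(userReq.getRequiredToken());
    // The request body holds policy member emails but not the caller's token; keep it at debug.
    logger.debug("SAM request: " + req.toString());

    // create the resource in sam
    createResourceCorrectCall(samResourceApi.getApiClient(), IamResourceType.DATASNAPSHOT.toString(), req);

    // sync the policies whose group emails later steps need for ACL/IAM grants
    Map<IamRole, String> policies = new HashMap<>();
    policies.put(IamRole.READER, syncOnePolicy(userReq, IamResourceType.DATASNAPSHOT, snapshotId, IamRole.READER));
    policies.put(IamRole.CUSTODIAN, syncOnePolicy(userReq, IamResourceType.DATASNAPSHOT, snapshotId, IamRole.CUSTODIAN));
    return policies;
}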
Use of bio.terra.service.iam.IamRole in project jade-data-repo by DataBiosphere:
the class SnapshotAuthzIamStep, method doStep.
/**
 * Creates the SAM resource for the snapshot and records the resulting policy group emails in the
 * working map under {@code POLICY_MAP} for the later ACL and BigQuery grant steps.
 *
 * @param context flight context holding the working map
 * @return success
 * @throws InterruptedException if the step is interrupted
 */
@Override
public StepResult doStep(FlightContext context) throws InterruptedException {
    FlightMap workingMap = context.getWorkingMap();
    UUID snapshotId = workingMap.get(SnapshotWorkingMapKeys.SNAPSHOT_ID, UUID.class);
    // SAM creates the resource; the returned map holds the group email per role (e.g. the
    // readers list from the request) that later steps grant access to.
    Map<IamRole, String> policyEmails =
        sam.createSnapshotResource(userReq, snapshotId, snapshotRequestModel.getReaders());
    workingMap.put(SnapshotWorkingMapKeys.POLICY_MAP, policyEmails);
    return StepResult.getStepResultSuccess();
}