Example 1 with ApiGcpAiNotebookInstanceCreationParameters

Use of bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters in the project terra-workspace-manager by DataBiosphere.

From the class ControlledResourceServiceTest, method createAiNotebookInstanceNoWriterRoleThrowsBadRequest.

@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceNoWriterRoleThrowsBadRequest() throws Exception {
    String instanceId = "create-ai-notebook-instance-shared";
    ApiGcpAiNotebookInstanceCreationParameters creationParameters = ControlledResourceFixtures.defaultNotebookCreationParameters().instanceId(instanceId).location(DEFAULT_NOTEBOOK_LOCATION);
    ControlledAiNotebookInstanceResource resource = makeNotebookTestResource(workspace.getWorkspaceId(), instanceId, instanceId);
    // Shared notebooks not yet implemented.
    // Private IAM roles must include writer role.
    ControlledResourceIamRole notWriter = ControlledResourceIamRole.READER;
    BadRequestException noWriterException = assertThrows(BadRequestException.class, () -> controlledResourceService.createAiNotebookInstance(resource, creationParameters, notWriter, new ApiJobControl().id(UUID.randomUUID().toString()), "fakeResultPath", user.getAuthenticatedRequest()));
    assertEquals("A private, controlled AI Notebook instance must have the writer or editor role or else it is not useful.", noWriterException.getMessage());
}
Also used: ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters), BadRequestException (bio.terra.common.exception.BadRequestException), ControlledResourceIamRole (bio.terra.workspace.service.iam.model.ControlledResourceIamRole), ControlledAiNotebookInstanceResource (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.ControlledAiNotebookInstanceResource), ApiJobControl (bio.terra.workspace.generated.model.ApiJobControl), Test (org.junit.jupiter.api.Test), BaseConnectedTest (bio.terra.workspace.common.BaseConnectedTest), DisabledIfEnvironmentVariable (org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable)

Example 2 with ApiGcpAiNotebookInstanceCreationParameters

Use of bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters in the project terra-workspace-manager by DataBiosphere.

From the class ControlledResourceServiceTest, method createAiNotebookInstanceUndo.

@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceUndo() throws Exception {
    String instanceId = "create-ai-notebook-instance-undo";
    String name = "create-ai-notebook-instance-undo-name";
    ApiGcpAiNotebookInstanceCreationParameters creationParameters = ControlledResourceFixtures.defaultNotebookCreationParameters().instanceId(instanceId).location(DEFAULT_NOTEBOOK_LOCATION);
    ControlledAiNotebookInstanceResource resource = makeNotebookTestResource(workspace.getWorkspaceId(), name, instanceId);
    // Test idempotency of undo steps by retrying them once.
    Map<String, StepStatus> retrySteps = new HashMap<>();
    retrySteps.put(GrantPetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(CreateAiNotebookInstanceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    jobService.setFlightDebugInfoForTest(FlightDebugInfo.newBuilder().lastStepFailure(true).undoStepFailures(retrySteps).build());
    // Revoke user's Pet SA access, if they have it. Because these tests re-use a common workspace,
    // the user may have pet SA access enabled prior to this test.
    String serviceAccountEmail = samService.getOrCreatePetSaEmail(projectId, user.getAuthenticatedRequest().getRequiredToken());
    petSaService.disablePetServiceAccountImpersonation(workspace.getWorkspaceId(), user.getEmail(), user.getAuthenticatedRequest());
    IamCow userIamCow = crlService.getIamCow(user.getAuthenticatedRequest());
    // Assert the user does not have access to their pet SA before the flight
    // Note this uses user credentials for the IAM cow to validate the user's access.
    assertFalse(canImpersonateSa(ServiceAccountName.builder().projectId(projectId).email(serviceAccountEmail).build(), userIamCow));
    String jobId = controlledResourceService.createAiNotebookInstance(resource, creationParameters, DEFAULT_ROLE, new ApiJobControl().id(UUID.randomUUID().toString()), "fakeResultPath", user.getAuthenticatedRequest());
    jobService.waitForJob(jobId);
    assertEquals(FlightStatus.ERROR, stairwayComponent.get().getFlightState(jobId).getFlightStatus());
    assertNotFound(resource.toInstanceName(projectId), crlService.getAIPlatformNotebooksCow());
    assertThrows(ResourceNotFoundException.class, () -> controlledResourceService.getControlledResource(resource.getWorkspaceId(), resource.getResourceId(), user.getAuthenticatedRequest()));
    // This check relies on cloud IAM propagation and is sometimes delayed.
    CloudUtils.runWithRetryOnException(() -> throwIfImpersonateSa(ServiceAccountName.builder().projectId(projectId).email(serviceAccountEmail).build(), userIamCow));
}
Also used: HashMap (java.util.HashMap), ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters), CreateAiNotebookInstanceStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.CreateAiNotebookInstanceStep), StepStatus (bio.terra.stairway.StepStatus), ControlledAiNotebookInstanceResource (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.ControlledAiNotebookInstanceResource), GrantPetUsagePermissionStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.GrantPetUsagePermissionStep), IamCow (bio.terra.cloudres.google.iam.IamCow), ApiJobControl (bio.terra.workspace.generated.model.ApiJobControl), Test (org.junit.jupiter.api.Test), BaseConnectedTest (bio.terra.workspace.common.BaseConnectedTest), DisabledIfEnvironmentVariable (org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable)

Example 3 with ApiGcpAiNotebookInstanceCreationParameters

Use of bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters in the project terra-workspace-manager by DataBiosphere.

From the class CreateAiNotebookInstanceStep, method createInstanceModel.

private static Instance createInstanceModel(FlightContext flightContext, String projectId, String serviceAccountEmail) {
    Instance instance = new Instance();
    ApiGcpAiNotebookInstanceCreationParameters creationParameters = flightContext.getInputParameters().get(CREATE_NOTEBOOK_PARAMETERS, ApiGcpAiNotebookInstanceCreationParameters.class);
    setFields(creationParameters, serviceAccountEmail, instance);
    setNetworks(instance, projectId, flightContext.getWorkingMap());
    return instance;
}
Also used: Instance (com.google.api.services.notebooks.v1.model.Instance), ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters)

Example 4 with ApiGcpAiNotebookInstanceCreationParameters

Use of bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters in the project terra-workspace-manager by DataBiosphere.

From the class ControlledResourceServiceTest, method createAiNotebookInstanceDo.

@Test
@DisabledIfEnvironmentVariable(named = "TEST_ENV", matches = BUFFER_SERVICE_DISABLED_ENVS_REG_EX)
void createAiNotebookInstanceDo() throws Exception {
    UUID workspaceId = reusableWorkspace(user).getWorkspaceId();
    String instanceId = "create-ai-notebook-instance-do";
    ApiGcpAiNotebookInstanceCreationParameters creationParameters = ControlledResourceFixtures.defaultNotebookCreationParameters().instanceId(instanceId).location(DEFAULT_NOTEBOOK_LOCATION);
    ControlledAiNotebookInstanceResource resource = makeNotebookTestResource(workspaceId, "initial-notebook-name", instanceId);
    // Test idempotency of steps by retrying them once.
    Map<String, StepStatus> retrySteps = new HashMap<>();
    retrySteps.put(RetrieveNetworkNameStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(GrantPetUsagePermissionStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(CreateAiNotebookInstanceStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    retrySteps.put(NotebookCloudSyncStep.class.getName(), StepStatus.STEP_RESULT_FAILURE_RETRY);
    jobService.setFlightDebugInfoForTest(FlightDebugInfo.newBuilder().doStepFailures(retrySteps).build());
    String jobId = controlledResourceService.createAiNotebookInstance(resource, creationParameters, DEFAULT_ROLE, new ApiJobControl().id(UUID.randomUUID().toString()), "fakeResultPath", user.getAuthenticatedRequest());
    jobService.waitForJob(jobId);
    assertEquals(FlightStatus.SUCCESS, stairwayComponent.get().getFlightState(jobId).getFlightStatus());
    assertEquals(resource, controlledResourceService.getControlledResource(workspaceId, resource.getResourceId(), user.getAuthenticatedRequest()));
    InstanceName instanceName = resource.toInstanceName(workspaceService.getAuthorizedRequiredGcpProject(workspaceId, user.getAuthenticatedRequest()));
    Instance instance = crlService.getAIPlatformNotebooksCow().instances().get(instanceName).execute();
    // Test that the user has permissions from WRITER roles on the notebooks instance. Only notebook
    // instance level permissions can be checked on the notebook instance test IAM permissions
    // endpoint, so no "notebooks.instances.list" permission as that's project level.
    List<String> expectedWriterPermissions = ImmutableList.of("notebooks.instances.get", "notebooks.instances.reset", "notebooks.instances.setAccelerator", "notebooks.instances.setMachineType", "notebooks.instances.start", "notebooks.instances.stop", "notebooks.instances.use");
    assertThat(AIPlatformNotebooksCow.create(crlService.getClientConfig(), user.getGoogleCredentials()).instances().testIamPermissions(instanceName, new com.google.api.services.notebooks.v1.model.TestIamPermissionsRequest().setPermissions(expectedWriterPermissions)).execute().getPermissions(), Matchers.containsInAnyOrder(expectedWriterPermissions.toArray()));
    // Test that the user has access to the notebook with a service account through proxy mode.
    // git secrets gets a false positive if 'service_account' is double quoted.
    assertThat(instance.getMetadata(), Matchers.hasEntry("proxy-mode", "service_" + "account"));
    ServiceAccountName serviceAccountName = ServiceAccountName.builder().projectId(instanceName.projectId()).email(instance.getServiceAccount()).build();
    // The user needs to have the actAs permission on the service account.
    String actAsPermission = "iam.serviceAccounts.actAs";
    assertThat(IamCow.create(crlService.getClientConfig(), user.getGoogleCredentials()).projects().serviceAccounts().testIamPermissions(serviceAccountName, new TestIamPermissionsRequest().setPermissions(List.of(actAsPermission))).execute().getPermissions(), Matchers.contains(actAsPermission));
    // Creating a controlled resource with a duplicate underlying notebook instance is not allowed.
    ControlledAiNotebookInstanceResource duplicateResource = makeNotebookTestResource(workspaceId, "new-name-same-notebook-instance", instanceId);
    String duplicateResourceJobId = controlledResourceService.createAiNotebookInstance(duplicateResource, creationParameters, DEFAULT_ROLE, new ApiJobControl().id(UUID.randomUUID().toString()), "fakeResultPath", user.getAuthenticatedRequest());
    jobService.waitForJob(duplicateResourceJobId);
    JobService.JobResultOrException<ControlledAiNotebookInstanceResource> duplicateJobResult = jobService.retrieveJobResult(duplicateResourceJobId, ControlledAiNotebookInstanceResource.class, user.getAuthenticatedRequest());
    assertEquals(DuplicateResourceException.class, duplicateJobResult.getException().getClass());
}
Also used: HashMap (java.util.HashMap), Instance (com.google.api.services.notebooks.v1.model.Instance), TestInstance (org.junit.jupiter.api.TestInstance), TestIamPermissionsRequest (com.google.api.services.iam.v1.model.TestIamPermissionsRequest), ServiceAccountName (bio.terra.cloudres.google.iam.ServiceAccountName), StepStatus (bio.terra.stairway.StepStatus), RetrieveNetworkNameStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.RetrieveNetworkNameStep), GrantPetUsagePermissionStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.GrantPetUsagePermissionStep), ApiJobControl (bio.terra.workspace.generated.model.ApiJobControl), JobService (bio.terra.workspace.service.job.JobService), InstanceName (bio.terra.cloudres.google.notebooks.InstanceName), ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters), CreateAiNotebookInstanceStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.CreateAiNotebookInstanceStep), NotebookCloudSyncStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.NotebookCloudSyncStep), UUID (java.util.UUID), ControlledAiNotebookInstanceResource (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.ControlledAiNotebookInstanceResource), Test (org.junit.jupiter.api.Test), BaseConnectedTest (bio.terra.workspace.common.BaseConnectedTest), DisabledIfEnvironmentVariable (org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable)

Example 5 with ApiGcpAiNotebookInstanceCreationParameters

Use of bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters in the project terra-workspace-manager by DataBiosphere.

From the class ControlledResourceServiceTest, method createDefaultPrivateAiNotebookInstance.

/**
 * Create a controlled AI Notebook instance with default private settings.
 */
private ControlledAiNotebookInstanceResource createDefaultPrivateAiNotebookInstance(String instanceId, UserAccessUtils.TestUser user) {
    Workspace workspace = reusableWorkspace(user);
    ApiGcpAiNotebookInstanceCreationParameters creationParameters = ControlledResourceFixtures.defaultNotebookCreationParameters().instanceId(instanceId).location(DEFAULT_NOTEBOOK_LOCATION);
    ControlledAiNotebookInstanceResource resource = makeNotebookTestResource(workspace.getWorkspaceId(), instanceId, instanceId);
    String createJobId = controlledResourceService.createAiNotebookInstance(resource, creationParameters, DEFAULT_ROLE, new ApiJobControl().id(UUID.randomUUID().toString()), null, user.getAuthenticatedRequest());
    jobService.waitForJob(createJobId);
    JobService.JobResultOrException<ControlledAiNotebookInstanceResource> creationResult = jobService.retrieveJobResult(createJobId, ControlledAiNotebookInstanceResource.class, user.getAuthenticatedRequest());
    assertNull(creationResult.getException(), "Error creating controlled AI notebook instance");
    assertNotNull(creationResult.getResult(), "Unexpected null created controlled AI notebook instance");
    return creationResult.getResult();
}
Also used: ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters), ControlledAiNotebookInstanceResource (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.ControlledAiNotebookInstanceResource), ApiJobControl (bio.terra.workspace.generated.model.ApiJobControl), JobService (bio.terra.workspace.service.job.JobService), Workspace (bio.terra.workspace.service.workspace.model.Workspace)

Aggregations

ApiGcpAiNotebookInstanceCreationParameters (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceCreationParameters): 7
Test (org.junit.jupiter.api.Test): 5
ApiJobControl (bio.terra.workspace.generated.model.ApiJobControl): 4
ControlledAiNotebookInstanceResource (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.ControlledAiNotebookInstanceResource): 4
Instance (com.google.api.services.notebooks.v1.model.Instance): 4
BaseConnectedTest (bio.terra.workspace.common.BaseConnectedTest): 3
DisabledIfEnvironmentVariable (org.junit.jupiter.api.condition.DisabledIfEnvironmentVariable): 3
StepStatus (bio.terra.stairway.StepStatus): 2
BaseUnitTest (bio.terra.workspace.common.BaseUnitTest): 2
JobService (bio.terra.workspace.service.job.JobService): 2
CreateAiNotebookInstanceStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.CreateAiNotebookInstanceStep): 2
GrantPetUsagePermissionStep (bio.terra.workspace.service.resource.controlled.cloud.gcp.ainotebook.GrantPetUsagePermissionStep): 2
HashMap (java.util.HashMap): 2
IamCow (bio.terra.cloudres.google.iam.IamCow): 1
ServiceAccountName (bio.terra.cloudres.google.iam.ServiceAccountName): 1
InstanceName (bio.terra.cloudres.google.notebooks.InstanceName): 1
BadRequestException (bio.terra.common.exception.BadRequestException): 1
ApiGcpAiNotebookInstanceAcceleratorConfig (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceAcceleratorConfig): 1
ApiGcpAiNotebookInstanceContainerImage (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceContainerImage): 1
ApiGcpAiNotebookInstanceVmImage (bio.terra.workspace.generated.model.ApiGcpAiNotebookInstanceVmImage): 1