Example 1 with CreateResourceRequestV2

use of org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2 in project terra-workspace-manager by DataBiosphere.

the class SamService method createControlledResource.

/**
 * Create a controlled resource in Sam.
 *
 * @param resource The WSM representation of the resource to create.
 * @param privateIamRole The IAM role to grant on a private resource. It is required for
 *     user-private resources and optional for application-private resources.
 * @param assignedUserEmail Email identifier of the assigned user of this resource. Same
 *     constraints as privateIamRole.
 * @param userRequest Credentials to use for talking to Sam.
 */
@Traced
public void createControlledResource(ControlledResource resource, @Nullable ControlledResourceIamRole privateIamRole, @Nullable String assignedUserEmail, AuthenticatedUserRequest userRequest) throws InterruptedException {
    // We need the WSM SA for setting controlled resource policies
    initializeWsmServiceAccount();
    FullyQualifiedResourceId workspaceParentFqId = new FullyQualifiedResourceId().resourceId(resource.getWorkspaceId().toString()).resourceTypeName(SamConstants.SamResource.WORKSPACE);
    CreateResourceRequestV2 resourceRequest = new CreateResourceRequestV2().resourceId(resource.getResourceId().toString()).parent(workspaceParentFqId);
    var builder = new ControlledResourceSamPolicyBuilder(this, privateIamRole, assignedUserEmail, userRequest, ControlledResourceCategory.get(resource.getAccessScope(), resource.getManagedBy()));
    builder.addPolicies(resourceRequest);
    try {
        // We use the user request for the create, but could equally well use the WSM SA.
        // The creating token has no effect on the resource policies.
        ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
        SamRetry.retry(() -> resourceApi.createResourceV2(resource.getCategory().getSamResourceName(), resourceRequest));
        logger.info("Created Sam controlled resource {}", resource.getResourceId());
        dumpRoleBindings(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), getWsmServiceAccountToken());
    } catch (ApiException apiException) {
        // Do nothing if the resource to create already exists, this may not be the first time do is
        // called. Other exceptions still need to be surfaced.
        // Resource IDs are randomly generated, so we trust that the caller must have created
        // an existing Sam resource.
        logger.info("Sam API error while creating a controlled resource, code is {}", apiException.getCode());
        if (apiException.getCode() == HttpStatus.CONFLICT.value()) {
            logger.info("Sam error was CONFLICT on creation request. This means the resource already exists but is not an error so no exception thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error creating controlled resource in Sam", apiException);
    }
}
Also used : FullyQualifiedResourceId(org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId) ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) CreateResourceRequestV2(org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Example 2 with CreateResourceRequestV2

use of org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2 in project terra-cli by DataBiosphere.

the class SamService method createResource.

/**
 * Call the SAM "/api/resources/v2/{resourceTypeName}" POST endpoint to create a new resource with
 * the given policies (i.e. not default owner policy).
 *
 * @param resourceType type of resource
 * @param resourceId id of resource
 * @param policies list of policies on the resource
 */
public void createResource(String resourceType, String resourceId, Map<String, AccessPolicyMembershipV2> policies) {
    CreateResourceRequestV2 request = new CreateResourceRequestV2().resourceId(resourceId).policies(policies);
    logger.debug("create resource request: {}", request);
    callWithRetries(() -> new ResourcesApi(apiClient).createResourceV2(resourceType, request), "Error creating SAM resource.");
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) CreateResourceRequestV2(org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2)

Example 3 with CreateResourceRequestV2

use of org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2 in project terra-workspace-manager by DataBiosphere.

the class SamService method createWorkspaceWithDefaults.

/**
 * Wrapper around the Sam client to create a workspace resource in Sam.
 *
 * <p>This creates a workspace with the provided ID and requesting user as the sole Owner. Empty
 * reader and writer policies are also created. Errors from the Sam client will be thrown as Sam
 * specific exception types.
 */
@Traced
public void createWorkspaceWithDefaults(AuthenticatedUserRequest userRequest, UUID id) throws InterruptedException {
    ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
    // Sam will throw an error if no owner is specified, so the caller's email is required. It can
    // be looked up using the auth token if that's all the caller provides.
    // If we called WSM as the pet SA and went through the proxy, this becomes the pet SA's email if
    // we use the request email. That caused an issue where the human user wasn't recognized on the
    // workspace.
    String humanUserEmail = getUserEmailFromSam(userRequest);
    CreateResourceRequestV2 workspaceRequest = new CreateResourceRequestV2().resourceId(id.toString()).policies(defaultWorkspacePolicies(humanUserEmail));
    try {
        SamRetry.retry(() -> resourceApi.createResourceV2(SamConstants.SamResource.WORKSPACE, workspaceRequest));
        logger.info("Created Sam resource for workspace {}", id);
    } catch (ApiException apiException) {
        throw SamExceptionFactory.create("Error creating a Workspace resource in Sam", apiException);
    }
    dumpRoleBindings(SamConstants.SamResource.WORKSPACE, id.toString(), userRequest.getRequiredToken());
}
Also used : ResourcesApi(org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi) CreateResourceRequestV2(org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2) ApiException(org.broadinstitute.dsde.workbench.client.sam.ApiException) Traced(io.opencensus.contrib.spring.aop.Traced)

Aggregations

ResourcesApi (org.broadinstitute.dsde.workbench.client.sam.api.ResourcesApi): 3
CreateResourceRequestV2 (org.broadinstitute.dsde.workbench.client.sam.model.CreateResourceRequestV2): 3
Traced (io.opencensus.contrib.spring.aop.Traced): 2
ApiException (org.broadinstitute.dsde.workbench.client.sam.ApiException): 2
FullyQualifiedResourceId (org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId): 1