Commit 80c8b9f1 authored by Varunkumar Manohar's avatar Varunkumar Manohar

Foundations for dataset level access functionality - Part 2

parent 63ac2513
......@@ -1391,6 +1391,18 @@ definitions:
type: string
data:
type: object
acls:
type: object
description: ACLs with admin groups and viewer groups for the dataset
properties:
admins:
type: array
items:
type: string
viewers:
type: array
items:
type: string
example:
type: "segy"
gtags: ["tagA", "tagB", "tagC"]
......@@ -1400,6 +1412,17 @@ definitions:
"legal": { "legaltags": ["legal-tag"], "otherRelevantDataCountries": ["US"] },
"data": { "msg": "sample data" },
}
acls:
{
"admins":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.admin@slb.p4d.cloud.slb-ds.com",
],
"viewers":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com",
],
}
# OK
Dataset:
required:
......@@ -1531,6 +1554,18 @@ definitions:
type: string
data:
type: object
acls:
type: object
description: ACLs with admin groups and viewer groups for the dataset
properties:
admins:
type: array
items:
type: string
viewers:
type: array
items:
type: string
example:
dataset_new_name: "dsx02"
metadata: { "f1": "v1", "f2": "v2", "f3": "v3" }
......@@ -1545,6 +1580,17 @@ definitions:
"legal": { "legaltags": ["Slb-Private-USA-EHC"], "otherRelevantDataCountries": ["US"] },
"data": { "msg": "sample data" },
}
acls:
{
"admins":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.admin@slb.p4d.cloud.slb-ds.com",
],
"viewers":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com",
],
}
# OK
DatasetPermission:
......@@ -1705,7 +1751,7 @@ definitions:
enum: [uniform, dataset]
acls:
type: object
description: ACLs with admin groups and viewere groups
description: ACLs with admin groups and viewer groups for the subproject
properties:
admins:
type: array
......@@ -1780,7 +1826,7 @@ definitions:
description: Cloud storage bucket associated with the subproject
acls:
type: object
description: ACLs with admin groups and viewere groups
description: ACLs with admin groups and viewer groups for the subproject
properties:
admins:
type: array
......
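Review bot: The new dataset `acls` schema declares neither `required` nor `minItems`, while the parser in this commit rejects a body that omits `admins` or `viewers` or sends an empty list for either. Adding `required: [admins, viewers]` under `acls` and `minItems: 1` on both arrays would make the published contract match what the server enforces. The same applies to the register and patch definitions in the second spec file. The description could also say that dataset ACLs are refused while the subproject access policy is `uniform`, since the handler returns a 400 in that case.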
......@@ -1455,6 +1455,18 @@ definitions:
type: string
data:
type: object
acls:
type: object
description: ACLs with admin groups and viewer groups for the dataset
properties:
admins:
type: array
items:
type: string
viewers:
type: array
items:
type: string
example:
type: "segy"
gtags: ["tagA", "tagB", "tagC"]
......@@ -1464,6 +1476,18 @@ definitions:
"legal": { "legaltags": ["Slb-Private-USA-EHC"], "otherRelevantDataCountries": ["US"] },
"data": { "msg": "sample data" },
}
acls:
{
"admins":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.admin@slb.p4d.cloud.slb-ds.com",
],
"viewers":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com",
],
}
# OK
Dataset:
required:
......@@ -1595,6 +1619,18 @@ definitions:
type: string
data:
type: object
acls:
type: object
description: ACLs with admin groups and viewer groups for the dataset
properties:
admins:
type: array
items:
type: string
viewers:
type: array
items:
type: string
example:
dataset_new_name: "dsx02"
metadata: { "f1": "v1", "f2": "v2", "f3": "v3" }
......@@ -1609,6 +1645,17 @@ definitions:
"legal": { "legaltags": ["Slb-Private-USA-EHC"], "otherRelevantDataCountries": ["US"] },
"data": { "msg": "sample data" },
}
acls:
{
"admins":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.admin@slb.p4d.cloud.slb-ds.com",
],
"viewers":
[
"data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com",
],
}
# OK
DatasetPermission:
......@@ -1769,7 +1816,7 @@ definitions:
enum: [uniform, dataset]
acls:
type: object
description: ACLs with admin groups and viewere groups
description: ACLs with admin groups and viewer groups for the subproject
properties:
admins:
type: array
......@@ -1798,7 +1845,7 @@ definitions:
default: "dataset"
acls:
type: object
description: ACLs with admin groups and viewer groups. Existing acls will be replaced with the provided acls.
description: ACLs with admin groups and viewer groups for the subproject. Existing acls will be replaced with the provided acls.
properties:
admins:
type: array
......@@ -1844,7 +1891,7 @@ definitions:
description: Cloud storage bucket associated with the subproject
acls:
type: object
description: ACLs with admin groups and viewere groups
description: ACLs with admin groups and viewer groups for the subproject
properties:
admins:
type: array
......@@ -1867,7 +1914,7 @@ definitions:
- data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.admin@slb.p4d.cloud.slb-ds.com
- data.sdms.tenant.subproject.1zr317e5-fb0e-402a-b725-123942f42f23.admin@slb.p4d.cloud.slb-ds.com
viewers:
- data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com
- data.sdms.tenant.subproject.1b1417e5-fb0e-402a-b725-606723e50b76.viewer@slb.p4d.cloud.slb-ds.com
# OK
TenantCreateBody:
......
......@@ -65,7 +65,9 @@ export class DatasetHandler {
Response.writeOK(res, await this.putTags(req, tenant, subproject));
} else { throw (Error.make(Error.Status.UNKNOWN, 'Internal Server Error')); }
} catch (error) { Response.writeError(res, error); }
} catch (error) {
Response.writeError(res, error);
}
}
......@@ -108,6 +110,16 @@ export class DatasetHandler {
try {
if (dataset.acls) {
const subprojectMetadata = await SubProjectDAO.get(journalClient, tenant.name, subproject.name);
const subprojectAccessPolicy = subprojectMetadata.access_policy;
if (subprojectAccessPolicy === 'uniform') {
throw Error.make(Error.Status.BAD_REQUEST,
'Subproject access policy is set to uniform and so the dataset acls cannot be applied. Patch the subproject access policy to dataset and attempt this operation again.');
}
}
// attempt to acquire a mutex on the dataset name and set the lock for the dataset in redis
// a mutex is applied on the resource on the shared cache (removed at the end of the method)
const datasetLockKey = dataset.tenant + '/' + dataset.subproject + dataset.path + dataset.name;
......@@ -418,6 +430,17 @@ export class DatasetHandler {
return dataset;
}
// Ensure subproject access policy is not set to uniform
if (datasetIN.acls) {
const subprojectMetadata = await SubProjectDAO.get(journalClient, tenant.name, subproject.name);
const subprojectAccessPolicy = subprojectMetadata.access_policy;
if (subprojectAccessPolicy === 'uniform') {
throw Error.make(Error.Status.BAD_REQUEST,
'Subproject access policy is set to uniform and so the dataset acls cannot be applied. Patch the subproject access policy to dataset and attempt this operation again.');
}
}
// unlock the dataset for close operation (and patch)
const lockres = wid ? await Locker.unlock(lockKey, wid) : { id: null, cnt: 0 };
......
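Review bot: The policy check compares with `=== 'uniform'`, so a subproject whose `access_policy` is missing or holds any other value is treated as permitting dataset ACLs. If older subprojects can lack the field (not visible here), failing closed with `if (subprojectAccessPolicy !== 'dataset')` would be safer. The same block is repeated in the patch hunk under `if (datasetIN.acls)`, so a small private helper would keep the two copies in step. Neither hunk shows a check that the caller is entitled to grant admin rights to the groups it lists; if that is enforced elsewhere, a comment naming where would help. Both enclosing methods start and end outside the hunks.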
......@@ -34,9 +34,16 @@ export interface IDatasetModel {
readonly: boolean;
seismicmeta_guid: string;
transfer_status: string;
acls?: IDatasetAcl;
}
export interface IPaginationModel {
limit: number;
cursor: string;
}
export interface IDatasetAcl {
admins: string[],
viewers: string[];
}
\ No newline at end of file
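Review bot: `IDatasetAcl` ends its first member with a comma and its second with a semicolon; `admins: string[];` would keep the delimiter consistent with the rest of the file. A short doc comment on the interface, e.g. `/** Group e-mails granted admin / viewer access to the dataset. */`, would state what the strings are. The file also now ends without a trailing newline.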
......@@ -18,7 +18,7 @@ import { Request as expRequest } from 'express';
import { DatasetModel } from '.';
import { Config } from '../../cloud';
import { SeistoreFactory } from '../../cloud/seistore';
import { Error, Params, Utils } from '../../shared';
import { Error, Params } from '../../shared';
export class DatasetParser {
......@@ -52,6 +52,7 @@ export class DatasetParser {
dataset.created_date = dataset.last_modified_date = new Date().toString();
dataset.gtags = req.body ? req.body.gtags : undefined;
// Check the parameters
Params.checkString(dataset.type, 'type', false);
Params.checkString(dataset.ltag, 'ltag', false);
......@@ -64,7 +65,7 @@ export class DatasetParser {
Params.checkObject(seismicmeta.data, 'data');
// {data-parititon(delfi)|auhtority(osdu)}.{source}.{entityType}.{semanticSchemaVersion}
if((seismicmeta.kind as string).split(':').length !== 4) {
if ((seismicmeta.kind as string).split(':').length !== 4) {
throw (Error.make(Error.Status.BAD_REQUEST, 'The seismicmeta kind is in a wrong format'));
}
// (recortdType == entityType)
......@@ -72,10 +73,36 @@ export class DatasetParser {
}
DatasetParser.validateAcls(dataset, req);
return [dataset, seismicmeta];
}
private static validateAcls(dataset: DatasetModel, req) {
dataset.acls = req.body && 'acls' in req.body ? req.body.acls : undefined;
if (dataset.acls) {
if (!('admins' in dataset.acls) || !('viewers' in dataset.acls)) {
throw Error.make(Error.Status.BAD_REQUEST,
'Admins and viewers properties are both required in the acls ');
}
if (dataset.acls.admins.length === 0 || dataset.acls.viewers.length === 0) {
throw Error.make(Error.Status.BAD_REQUEST,
'Admins and viewers groups must each have atleast one group email');
}
for (const adminGroupEmail of dataset.acls.admins) {
Params.checkEmail(adminGroupEmail, 'acls.admins', true);
}
for (const viewerGroupEmail of dataset.acls.viewers) {
Params.checkEmail(viewerGroupEmail, 'acls.viewers', true);
}
}
}
public static get(req: expRequest): [DatasetModel, boolean] {
return [this.createDatasetModelFromRequest(req),
req.query.seismicmeta === 'true'];
......@@ -126,6 +153,8 @@ export class DatasetParser {
const seismicmeta = req.body.seismicmeta;
Params.checkObject(seismicmeta, 'seismicmeta', false);
DatasetParser.validateAcls(dataset, req);
return [dataset, seismicmeta, newName, closeid];
}
......
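Review bot: `validateAcls` never checks the shape of the request-supplied `acls` before using it, so a malformed body can raise a TypeError instead of a 400. The `in` operator throws when `acls` is a non-object truthy value such as a string, and `.length` or `for…of` throws when `admins` or `viewers` is `null` or a number. Checking `typeof` and `Array.isArray` up front covers these cases and also replaces the two `in` tests. With the stricter guard a body carrying `acls: null` or `acls: ""` is rejected rather than skipped, which seems the intended contract but should be confirmed. The `req` parameter is also untyped; `expRequest` is already imported in this file.
```typescript
    private static validateAcls(dataset: DatasetModel, req: expRequest) {
        dataset.acls = req.body && 'acls' in req.body ? req.body.acls : undefined;
        if (dataset.acls !== undefined) {
            if (dataset.acls === null || typeof dataset.acls !== 'object'
                || !Array.isArray(dataset.acls.admins) || !Array.isArray(dataset.acls.viewers)) {
                throw Error.make(Error.Status.BAD_REQUEST,
                    'The acls must be an object with admins and viewers arrays');
            }
            // … unchanged: empty-list check and Params.checkEmail loops …
```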