Update subproject authorization from seistore service groups to datagroups
This merge request updates the subproject creation logic to use datagroups instead of seistore service groups.
Previously, three groups (seistore service admin, seistore service editor and seistore service viewer) were created during subproject registration.
With the changes in this MR, subproject registration creates an admin datagroup named data.sdms.tenantid.subprojectid.uuid.admin and a viewer datagroup named data.sdms.tenantid.subprojectid.uuid.viewer.
A sample response for subproject registration:
{
"name": "subproject-test",
"tenant": "k8s",
"ltag": "slb-public-usa-seistore-1",
"admin": "vmanohar@slb.com",
"acls": {
"admins": [
"data.sdms.k8s.subroject-test.b25e81d5-cd25-4233-b12a-0e90efc80728.admin@slb.p4d.cloud.slb-ds.com"
],
"viewers": [
"data.sdms.k8s.subproject-test.86428bd0-c048-41c1-a479-d4831c398ac9.viewer@slb.p4d.cloud.slb-ds.com"
]
},
"storage_class": "REGIONAL",
"storage_location": "US-CENTRAL1",
"gcs_bucket": "ss-evd-afdmb2k0s2qvelqr"
}
Compatibility with existing subprojects with seistore service groups and with no datagroups
For subprojects that pre-exist, the GET subproject would return the service groups as is and there will be no breaking changes.
{
"tenant": "k8s",
"storage_class": "REGIONAL",
"acls": {
"admins": [
"service.seistore.evd.k8s.oldsubproject.admin@slb.p4d.cloud.slb-ds.com"
],
"viewers": [
"service.seistore.evd.k8s.oldsubproject.viewer@slb.p4d.cloud.slb-ds.com"
]
},
"admin": "vmanohar@slb.com",
"gcs_bucket": "ss-evd-it40dlb0vmfmhfcn",
"name": "oldsubproject",
"storage_location": "US-CENTRAL1",
"ltag": "legal-tag"
}
User addition to subprojects created using the changes in the MR
For all new subprojects, admin user addition takes place in the group data.sdms.[tenant].[subproject].[uuid].admin and viewer user addition takes place in the group data.sdms.[tenant].[subproject].[uuid].viewer. Here the groups have the datagroup prefix data.sdms.
User addition to subproject that pre-exists
There will be no breaking change. For subprojects that do not have datagroups in their acls, the previous functionality remains as is with no change.
Admins are added to the service.seistore.env.tenant.subproject.admin group and viewers are added to the service.seistore.env.tenant.subproject.viewer group.
List users in various subproject groups
The user list endpoint is updated to fetch the details of users in all of the seistore service groups and datagroups.
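
Added example (not code from this merge request): one way to choose the group a new member goes into, using the datagroup when the subproject's acls have one and the legacy service group otherwise. The name patterns are inferred from the group names shown above; parseGroup, targetGroup, the sample acls, the example.com domain and the rejection of entries that do not match the subproject are assumptions made for this illustration.

```typescript
type Role = "admin" | "viewer";
interface Acls { admins: string[]; viewers: string[]; }
interface ParsedGroup { kind: "datagroup" | "service"; tenant: string; subproject: string; role: Role; }

// Assumed formats, inferred from the group names in the description:
//   data.sdms.<tenant>.<subproject>.<uuid>.<role>@<domain>
//   service.seistore.<env>.<tenant>.<subproject>.<role>@<domain>
const DATAGROUP = /^data\.sdms\.([^.@]+)\.([^.@]+)\.[0-9a-f-]{36}\.(admin|viewer)@[^@\s]+$/;
const SERVICE = /^service\.seistore\.[^.@]+\.([^.@]+)\.([^.@]+)\.(admin|viewer)@[^@\s]+$/;

function parseGroup(email: string): ParsedGroup | null {
  const d = DATAGROUP.exec(email);
  if (d) return { kind: "datagroup", tenant: d[1], subproject: d[2], role: d[3] as Role };
  const s = SERVICE.exec(email);
  if (s) return { kind: "service", tenant: s[1], subproject: s[2], role: s[3] as Role };
  return null;
}

// Pick the group a new member with `role` is added to: the datagroup when the
// ACL has one, otherwise the legacy service group. Every entry must parse and
// belong to this tenant/subproject/role; anything else is rejected, not skipped.
function targetGroup(tenant: string, subproject: string, acls: Acls, role: Role): string {
  const list = role === "admin" ? acls.admins : acls.viewers;
  if (list.length === 0) throw new Error(`no ${role} group in ACL`);
  const parsed = list.map((email) => ({ email, group: parseGroup(email) }));
  for (const { email, group } of parsed) {
    if (!group || group.tenant !== tenant || group.subproject !== subproject || group.role !== role) {
      throw new Error(`unexpected ${role} ACL entry: ${email}`);
    }
  }
  const data = parsed.find((p) => p.group !== null && p.group.kind === "datagroup");
  return (data || parsed[0]).email;
}

// Constructed sample ACLs (not taken from a real deployment).
const NEW_ACLS: Acls = {
  admins: ["data.sdms.k8s.demo.11111111-2222-3333-4444-555555555555.admin@example.com"],
  viewers: ["data.sdms.k8s.demo.11111111-2222-3333-4444-555555555555.viewer@example.com"],
};
const OLD_ACLS: Acls = {
  admins: ["service.seistore.evd.k8s.olddemo.admin@example.com"],
  viewers: ["service.seistore.evd.k8s.olddemo.viewer@example.com"],
};
```

A group name whose tenant, subproject or role does not match the subproject being modified makes targetGroup throw, so a member is never added to another subproject's group.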