Commit d1f4a23a authored by Rostislav Vatolin [SLB]'s avatar Rostislav Vatolin [SLB]

Configure quota for root group using environment variable

parent a7c1d41f
......@@ -18,4 +18,8 @@ server:
contextPath: /api/entitlements/v2
config:
quota:
group:
data:
root: #{ROOT_DATA_GROUP_QUOTA}#
domain: #{DOMAIN}#
\ No newline at end of file
......@@ -71,9 +71,9 @@ spec:
key: appinsights
- name: partition_service_endpoint
value: http://partition/api/partition/v1
- name: cosmosdb_database
value: osdu-db
- name: service_domain_name
value: {{ .Values.config.domain }}
- name: root_data_group_quota
value: "{{ .Values.config.quota.group.data.root }}"
- name: azure_istioauth_enabled
value: "true"
\ No newline at end of file
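Review bot: The new `root_data_group_quota` env entry renders `.Values.config.quota.group.data.root` with no fallback, so a release installed without that value (or with the `#{ROOT_DATA_GROUP_QUOTA}#` token left unsubstituted by the pipeline, which the values file in this commit suggests is the only source) hands the pod an empty or literal placeholder string that the service must later parse as an int. A chart-level default keeps the pod bootable in that case: `value: "{{ .Values.config.quota.group.data.root | default 5000 }}"`. Whether the pipeline always substitutes the token is not visible here, so treat this as defence in depth rather than a confirmed failure.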
......@@ -25,4 +25,8 @@ server:
contextPath: /api/entitlements/v2
config:
quota:
group:
data:
root: 5000
domain: contoso.com
......@@ -9,6 +9,7 @@ import org.opengroup.osdu.entitlements.v2.model.EntityNode;
import org.opengroup.osdu.entitlements.v2.model.ParentReference;
import org.opengroup.osdu.entitlements.v2.spi.creategroup.CreateGroupRepo;
import org.opengroup.osdu.entitlements.v2.spi.retrievegroup.RetrieveGroupRepo;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Service;
......@@ -18,6 +19,9 @@ import java.util.Set;
@RequiredArgsConstructor
public class CreateGroupService {
@Value("${app.quota.users.data.root:5000}")
private int dataRootGroupQuota;
private final CreateGroupRepo createGroupRepo;
private final RetrieveGroupRepo retrieveGroupRepo;
private final JaxRsDpsLog log;
......@@ -34,10 +38,10 @@ public class CreateGroupService {
if ((groupNode.isDataGroup() || groupNode.isUserGroup()) && defaultGroupsService.isNotDefaultGroupName(groupNode.getName())) {
EntityNode dataRootGroupNode = retrieveGroupRepo.groupExistenceValidation(String.format(EntityNode.ROOT_DATA_GROUP_EMAIL_FORMAT, createGroupServiceDto.getPartitionDomain()), createGroupServiceDto.getPartitionId());
Set<ParentReference> allExistingParentsOfRootDataGroup = retrieveGroupRepo.loadAllParents(dataRootGroupNode).getParentReferences();
if (allExistingParentsOfRootDataGroup.size() >= EntityNode.MAX_PARENTS) {
if (allExistingParentsOfRootDataGroup.size() >= dataRootGroupQuota) {
log.error(String.format("Identity %s already belong to %d groups", dataRootGroupNode.getNodeId(), allExistingParentsOfRootDataGroup.size()));
throw new AppException(HttpStatus.PRECONDITION_FAILED.value(), HttpStatus.PRECONDITION_FAILED.getReasonPhrase(), String.format("%s's group quota hit. Identity can't belong to more than %d groups",
dataRootGroupNode.getNodeId(), EntityNode.MAX_PARENTS));
dataRootGroupNode.getNodeId(), dataRootGroupQuota));
}
log.info(String.format("Creating a group with root group node: %s", dataRootGroupNode.getName()));
CreateGroupRepoDto createGroupRepoDto = CreateGroupRepoDto.builder()
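Review bot: The injected `dataRootGroupQuota` replaces the compile-time `EntityNode.MAX_PARENTS` in the `>=` comparison but is never validated, so a misconfigured value of 0 or a negative number makes every data/user group creation fail with 412 at that check, and nothing bounds it from above even though the quota appears to exist to cap the fan-out of the root data group. A guard that runs once at startup, e.g. a `@PostConstruct` method doing `if (dataRootGroupQuota <= 0) throw new IllegalStateException("app.quota.users.data.root must be positive, got " + dataRootGroupQuota);`, turns a silent runtime denial into a clear deployment error. The field `@Value` on a `@RequiredArgsConstructor` class also means the quota is absent from the constructor, which is why the test in this commit needs reflection to set it; a constructor parameter would avoid that. The enclosing method starts and ends outside this hunk.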
......
package org.opengroup.osdu.entitlements.v2.service;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
......@@ -16,6 +17,7 @@ import org.opengroup.osdu.entitlements.v2.model.creategroup.CreateGroupRepoDto;
import org.opengroup.osdu.entitlements.v2.model.creategroup.CreateGroupServiceDto;
import org.opengroup.osdu.entitlements.v2.spi.creategroup.CreateGroupRepo;
import org.opengroup.osdu.entitlements.v2.spi.retrievegroup.RetrieveGroupRepo;
import org.powermock.reflect.Whitebox;
import java.util.Collections;
import java.util.HashSet;
......@@ -45,6 +47,11 @@ public class CreateGroupServiceTests {
@InjectMocks
private CreateGroupService createGroupService;
@Before
public void setup() {
Whitebox.setInternalState(createGroupService, "dataRootGroupQuota", 5000);
}
@Test
public void shouldThrow412IfRequesterQuotaHit() {
EntityNode groupNode = EntityNode.builder()
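Review bot: The new `setup()` pulls in PowerMock's `Whitebox` solely to poke the `dataRootGroupQuota` field, which adds a reflection dependency to a Mockito-only test class. If spring-test is already on the test classpath (not visible here), `ReflectionTestUtils.setField(createGroupService, "dataRootGroupQuota", 5000);` does the same without PowerMock; either way the string field name is a silent-breakage point if the field is renamed, which a constructor parameter on the service would remove. The test also only covers the quota-hit path with 5000; a second case with a small quota (e.g. 1) would show the configured value is actually the one being honoured.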
......
......@@ -90,6 +90,22 @@ This project uses [Lombok](https://projectlombok.org/) for code generation. You
### Environment Variables
| name | value | description | sensitive? | source |
| --- | --- | --- | --- | --- |
| `LOG_PREFIX` | `entitlements` | Logging prefix | no | - |
| `LOGGING_LEVEL` | `INFO` | Logging level | no | - |
| `partition_service_endpoint` | ex `https://foo-partition.azurewebsites.net` | Partition Service API endpoint | no | output of infrastructure deployment |
| `aad_client_id` | `********` | AAD client application ID | yes | output of infrastructure deployment |
| `KEYVAULT_URI` | ex `https://foo-keyvault.vault.azure.net/` | URI of KeyVault that holds application secrets | no | output of infrastructure deployment |
| `appinsights_key` | `********` | API Key for App Insights | yes | output of infrastructure deployment |
| `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-tenant-id` |
| `AZURE_CLIENT_ID` | `********` | Identity to run the service locally. This enables access to Azure resources. You only need this if running locally | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-username` |
| `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes | keyvault secret: `$KEYVAULT_URI/secrets/app-dev-sp-password` |
| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
| `server_port` | ex `8080` | Port of the server | no | -- |
| `service_domain_name` | ex `contoso.com` | domain name of the service | yes | -- |
| `root_data_group_quota` | ex `5000` | Maximum number of parents a group users.data.root can have | no | -- |
In order to run the service locally, you will need to have defined environment variables that you can find [here](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/tools/variables/entitlements.sh#L150).
**Note** The following command can be useful to pull secrets from keyvault:
......@@ -97,14 +113,6 @@ In order to run the service locally, you will need to have defined environment v
az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NAME --query value -otsv
```
**Required to run service**
TODO: Update this section when infrastructure changes will be in place
In Order to run service with Istio authentication, add below environment variables. This is needed only to test Istio filter scenarios,
with these settings service expects "x-payload" header which contains Base64 encoded format of Payload. In this approach service will not do Authentication.
### Build and run the application
After configuring your environment as specified above, you can follow these steps to build and run the application. These steps should be invoked from the *repository root.*
......@@ -128,18 +136,10 @@ $ ./mvnw spring-boot:run -pl provider/entitlements-v2-azure
#### Using Cloud Infrastructure
1. Run Entitlements V2 service from Azure provider (assumed that all the required environment variables are specified for using Cloud Infrastructure).
1. Run Entitlements V2 service from Azure provider (assumed that all the required environment variables specified for using Cloud Infrastructure).
2. Define environment variables for integration tests (e.g. maven options):
| Name | Value | Description | Sensitive? | Source |
| -------------------------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------- |
| `ENTITLEMENT_V2_URL` | ex `http://localhost:8080/api/entitlements/v2` | The host where the service is running | no | -- |
| `DOMAIN` | ex `contoso.com` | The domain of the environment | no | -- |
| `INTEGRATION_TESTER` | `********` | System identity to assume for API calls. Note: this user must have entitlements configured already | no | -- |
| `AZURE_TESTER_SERVICEPRINCIPAL_SECRET` | `********` | Secret for `INTEGRATION_TESTER` | yes | -- |
| `AZURE_AD_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- |
| `AZURE_AD_APP_RESOURCE_ID` | `********` | AAD client application ID | yes | output of infrastructure deployment |
[See this link](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/tools/variables/entitlements.sh#L176)
3. Run integration tests:
......@@ -174,15 +174,7 @@ $ ./mvnw test -f testing/entitlements-v2-test-azure
5. Run Entitlements V2 service from Azure provider.
6. Define environment variables for integration tests (e.g. maven options):
| Name | Value | Description | Sensitive? | Source |
| -------------------------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------- |
| `ENTITLEMENT_V2_URL` | ex `http://localhost:8080/api/entitlements/v2` | The host where the service is running | no | -- |
| `DOMAIN` | ex `contoso.com` | The domain of the environment | no | -- |
| `INTEGRATION_TESTER` | `********` | System identity to assume for API calls. Note: this user must have entitlements configured already | no | -- |
| `AZURE_TESTER_SERVICEPRINCIPAL_SECRET` | `********` | Secret for `INTEGRATION_TESTER` | yes | -- |
| `AZURE_AD_TENANT_ID` | `********` | AD tenant to authenticate users from | yes | -- |
| `AZURE_AD_APP_RESOURCE_ID` | `********` | AAD client application ID | yes | output of infrastructure deployment |
[See this link](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/tools/variables/entitlements.sh#L176)
7. Run integration tests:
......@@ -202,7 +194,7 @@ Jet Brains - the authors of Intellij IDEA, have written an [excellent guide](htt
## Deploying the Service
Service deployments into Azure are standardized to make the process the same for all services if using ADO and are
Service deployments into Azure standardized to make the process the same for all services if using ADO and are
closely related to the infrastructure deployed. The steps to deploy into Azure can be [found here](https://github.com/azure/osdu-infrastructure)
The default ADO pipeline is /devops/pipeline.yml
......
......@@ -30,9 +30,11 @@ azure.application-insights.instrumentation-key=${appinsights_key:}
#TenantFactory Configuration
tenantFactoryImpl.required=true
# deprecated property, unused, but required:
tenantInfo.container.name=TenantInfo
#following changed to ${cosmosdb_database:} when available
azure.cosmosdb.database=${cosmosdb_database:}
# deprecated property, unused, but required:
azure.cosmosdb.database=osdu-db
# Graph db configuration
app.graph.db.port=443
......@@ -42,3 +44,4 @@ app.graph.db.sslEnabled=true
# App configuration
app.projectId=evd-ddl-us-services
app.domain=${service_domain_name}
app.quota.users.data.root=${root_data_group_quota}
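Review bot: `app.quota.users.data.root=${root_data_group_quota}` has no default, and because the property key now always exists, the `:5000` fallback in the service's `@Value("${app.quota.users.data.root:5000}")` is never consulted; an unset `root_data_group_quota` env var leaves an unresolved placeholder at startup, and an empty one yields an empty string that cannot bind to a primitive int. Put the default where it can take effect: `app.quota.users.data.root=${root_data_group_quota:5000}`. The other Azure-specific defaults in this file (e.g. `azure.cosmosdb.database=${cosmosdb_database:}`) already follow that pattern.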