ADR: [Entitlements] Upgrade bootstrapping of initial accounts (enable multi SA)
Status

- Proposed
- Trialing
- Under review
- Approved
- Retired
Context
The Entitlements `/InitApi` REST API bootstraps each new tenant's roles and system principal accounts.

InitApi currently uses the only available implementation of the `TenantInitService` interface, the `DefaultTenantInitServiceImpl` class. It invokes the `bootstrapInitialAccounts()` method, which creates the user accounts and grants them roles according to the JSON configuration files placed in each CSP's `resources/provisioning/accounts/` folder.

The current algorithm is limited by the hardcoded private `Map<String, String> createUserEmails()` method, which populates the map of accounts to bootstrap with a single entry: the key `SERVICE_PRINCIPAL` mapped to `requestInfo.getTenantInfo().getServiceAccount()`.
Reason
It is unlikely that all CSPs and consumers will use one single account per tenant for all purposes; if not now, then in the future responsibilities will be divided between different entities. That division of responsibilities will likely become part of platform installation/bootstrapping. To keep bootstrap and installation complexity down, the bootstrapping API needs to be extended accordingly.
Decision
Aliases for all accounts that could be bootstrapped

Use the InitApi POST body to transmit alias-to-account mappings. Currently the method neither expects nor reads anything from the body. We extend it to read the mappings from the body, which is expected to be a JSON document with the following structure and content:
```json
{
  "aliasToSAMappings": [
    {
      "alias": "WHATEVER_ACCOUNT_CSP_NEEDS_TO_BOOTSTRAP",
      "id": "my.account@email.com"
    },
    {
      "alias": "ANY_OTHER_ACCOUNT",
      "id": "other.account@email.com"
    }
  ]
}
```
To pass the body content through the components (from the controller down to the final service), the following method signatures in the common code must change:

- `initiateTenant()` in the `InitApi` RestController: add an `@RequestBody Object body` parameter
- `bootstrapInitialAccounts()` in the `TenantInitService` interface: add an `Object body` parameter
- `bootstrapInitialAccounts()` in the `DefaultTenantInitServiceImpl` class: add an `Object body` parameter

Because the body decides which accounts receive roles, the implementation should validate it before creating anything: reject aliases that have no role definition, malformed account ids and duplicate aliases, and keep the `SERVICE_PRINCIPAL` entry from the tenant info so that callers that send no body keep working as today. A typed request class makes these checks easier than a raw `Object`.
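The following stand-alone Java sketch is an added example, not code from the Entitlements project: it shows what a replacement for the hardcoded `createUserEmails()` could look like once the alias-to-account mappings arrive in the POST body. The field names `aliasToSAMappings`, `alias`, `id` and the `SERVICE_PRINCIPAL` key come from this ADR; the DTO name `TenantInitRequest`, the class name, the account-id pattern and the idea that the set of known aliases is derived from the role definition files in `provisioning/accounts/` are assumptions. In the controller the DTO would be bound with `@RequestBody(required = false) @Valid TenantInitRequest body` so that existing callers that send no body are still accepted.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not project code): body handling for the multi-SA InitApi.
 * Everything except aliasToSAMappings/alias/id/SERVICE_PRINCIPAL is an assumed name.
 */
public final class AliasBootstrapExample {

    /** Key the current createUserEmails() hardcodes; kept for backward compatibility. */
    static final String SERVICE_PRINCIPAL = "SERVICE_PRINCIPAL";

    /** Minimal sanity check for an account id (assumed); tighten to the CSP's identity format. */
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    /** One element of "aliasToSAMappings" in the POST body. */
    public record AliasToSaMapping(String alias, String id) {}

    /** Typed POST body (assumed DTO name) that would replace a raw Object parameter. */
    public record TenantInitRequest(List<AliasToSaMapping> aliasToSAMappings) {}

    /**
     * Replacement for the private createUserEmails(): merges the tenant's service account
     * with the caller-supplied mappings and rejects anything that cannot be bootstrapped.
     *
     * @param serviceAccount requestInfo.getTenantInfo().getServiceAccount()
     * @param body           parsed POST body, or null when the caller sent no body (old clients)
     * @param knownAliases   aliases that have a role definition JSON file under
     *                       provisioning/accounts/ (how they are discovered is assumed)
     */
    public static Map<String, String> createUserEmails(String serviceAccount,
                                                       TenantInitRequest body,
                                                       Set<String> knownAliases) {
        if (serviceAccount == null || serviceAccount.isBlank()) {
            throw new IllegalArgumentException("tenant has no service account");
        }
        Map<String, String> emails = new LinkedHashMap<>();
        // Current behaviour is preserved: the tenant's service account is always bootstrapped.
        emails.put(SERVICE_PRINCIPAL, serviceAccount);

        List<AliasToSaMapping> mappings = (body == null || body.aliasToSAMappings() == null)
                ? List.of() : body.aliasToSAMappings();
        for (AliasToSaMapping m : mappings) {
            if (m.alias() == null || m.alias().isBlank()) {
                throw new IllegalArgumentException("alias must not be blank");
            }
            // Only aliases with a role definition file may be bootstrapped; anything else
            // would create an account with no, or an unintended, role binding.
            if (!knownAliases.contains(m.alias())) {
                throw new IllegalArgumentException("unknown alias: " + m.alias());
            }
            if (m.id() == null || !ACCOUNT_ID.matcher(m.id()).matches()) {
                throw new IllegalArgumentException("invalid account id for alias " + m.alias());
            }
            // A repeated alias is ambiguous, and the body may not override SERVICE_PRINCIPAL,
            // which comes from the tenant info rather than from the caller.
            if (emails.putIfAbsent(m.alias(), m.id()) != null) {
                throw new IllegalArgumentException("duplicate alias: " + m.alias());
            }
        }
        return Map.copyOf(emails);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the JSON body in this ADR.
        Set<String> known = Set.of("WHATEVER_ACCOUNT_CSP_NEEDS_TO_BOOTSTRAP", "ANY_OTHER_ACCOUNT");
        TenantInitRequest body = new TenantInitRequest(List.of(
                new AliasToSaMapping("WHATEVER_ACCOUNT_CSP_NEEDS_TO_BOOTSTRAP", "my.account@email.com"),
                new AliasToSaMapping("ANY_OTHER_ACCOUNT", "other.account@email.com")));

        System.out.println(createUserEmails("tenant-sa@email.com", body, known));
        // An old client sending no body still gets the single SERVICE_PRINCIPAL entry.
        System.out.println(createUserEmails("tenant-sa@email.com", null, known));

        try {
            createUserEmails("tenant-sa@email.com",
                    new TenantInitRequest(List.of(new AliasToSaMapping("UNLISTED", "x@email.com"))),
                    known);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection of unknown aliases is the important check: the caller of InitApi chooses the account ids, so the set of roles an id can receive must be bounded by the role definition files the CSP ships, not by whatever alias the request names.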
Role definition JSON files for all account aliases
How such aliases are handled can be defined by each CSP as it sees fit. For GCP we will:

- Compose a set of JSON configuration files, one for each account alias.
- Add them to the existing provisioning resources under `provisioning/***`.