Tenant deprovisioning API
Problem Statement
The Entitlements APIs in OSDU currently offer no direct way to clear all the entitlements of a partition. No dedicated API performs an exhaustive cleanup, so there is a functional gap for the use case in which all groups, including bootstrapped groups, and all their members must be removed in one go. In other words, nothing does the opposite of what the tenant-provisioning API does. The same result can be reached by iterating over the existing endpoints, deleting each group and its members, but no single endpoint clears out all the entitlements for a partition. The delete group API clears only one group at a time. The delete member API removes the user's associations from all associated groups and then removes the member.
Users and CSPs therefore cannot clear out all the entitlements of a partition when required. To bridge this gap, the current set of APIs needs to be extended with one that cleans the entitlements of a given partition end to end.
In addition, the new functionality will help all CSPs manage entitlements efficiently at the data partition level.
Rationale behind the proposal
If OSDU adds support for deleting a data partition in the future, this feature will be very helpful in its implementation. While cleaning up the resources of a data partition that is being deleted, all the entitlements can be removed with a call to a single API.
Proposals
API Design:
A new entitlement API is proposed to provide the tenant deprovisioning functionality. This API shall remove all the entitlement groups of the partition by removing the data from the respective CSP databases. It should delete all groups, including bootstrap groups, and all the members of those groups. Members belonging to the data partition given as input to the API should be completely disassociated. When the deletion completes, the REST API needs to return an appropriate status code for success or failure.
A user with a valid access token is permitted to call the API. The token must be a valid admin app token; no other token shall be allowed to access the API, so that only admin users can perform the cleaning of the entitlements. This restriction matches the authentication used for tenant-provisioning, which allows only the OSDU admin to perform critical operations. The new endpoint can be the same as the tenant-provisioning endpoint, with the DELETE method.
API Signature:
HOST URL: {{endpoint}}/api/entitlements/v2/tenant-provisioning
headers = {
    'data-partition-id': data-partition-name,
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <token>'
}
method = 'DELETE'
The above API can be implemented by providing a definition for the following interface, which is associated with the controller for tenant deprovisioning. The deprovisionTenant functionality must clear all the entitlement groups and all members before returning.

    package org.opengroup.osdu.entitlements.v2.service;

    public interface TenantDeprovisioningService {
        /**
         * In case of unexpected error all changes made are reverted.
         */
        void deprovisionTenant();
    }
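An added sketch (not OSDU or project code) of the contract stated in the Javadoc above: delete every group and membership of one partition, revert all changes on an unexpected error, and leave other partitions untouched. The in-memory STORE, the InMemoryDeprovisioning class, the failMidway switch and the sample partition, group and member names are hypothetical.

```java
import java.util.*;

public class DeprovisionSketch {
    interface TenantDeprovisioningService { void deprovisionTenant(); }

    // Hypothetical stand-in for the CSP database: partition -> group -> members.
    static final Map<String, Map<String, Set<String>>> STORE = new HashMap<>();

    static class InMemoryDeprovisioning implements TenantDeprovisioningService {
        private final String partitionId; // value of the data-partition-id header
        private final boolean failMidway; // simulates an unexpected error

        InMemoryDeprovisioning(String partitionId, boolean failMidway) {
            this.partitionId = partitionId;
            this.failMidway = failMidway;
        }

        @Override
        public void deprovisionTenant() {
            Map<String, Set<String>> groups = STORE.get(partitionId);
            if (groups == null) return; // already clean: a repeated call changes nothing
            Map<String, Set<String>> snapshot = new HashMap<>();
            groups.forEach((g, members) -> snapshot.put(g, new HashSet<>(members)));
            try {
                for (String group : new ArrayList<>(groups.keySet())) {
                    groups.remove(group).clear(); // delete the group and drop its memberships
                    if (failMidway) throw new IllegalStateException("simulated failure");
                }
                STORE.remove(partitionId);
            } catch (RuntimeException e) {
                STORE.put(partitionId, snapshot); // revert every change made so far
                throw e;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two partitions, so isolation can be observed.
        STORE.put("partition-a", new HashMap<String, Set<String>>(Map.of(
                "users", new HashSet<String>(Set.of("alice", "bob")),
                "data.default.owners", new HashSet<String>(Set.of("alice")))));
        STORE.put("partition-b", new HashMap<String, Set<String>>(Map.of(
                "users", new HashSet<String>(Set.of("carol")))));
        try {
            new InMemoryDeprovisioning("partition-a", true).deprovisionTenant();
        } catch (IllegalStateException e) {
            System.out.println("groups after failed call: " + STORE.get("partition-a").keySet());
        }
        new InMemoryDeprovisioning("partition-a", false).deprovisionTenant();
        System.out.println("partition-a present: " + STORE.containsKey("partition-a"));
        System.out.println("partition-b groups: " + STORE.get("partition-b"));
    }
}
```

In a real service the snapshot-and-restore step would be replaced by whatever transaction mechanism the CSP database provides.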
Api Controller
The following controller change needs to be added to make use of that definition:

    @RestController
    public class InitApi {

        @Autowired
        private TenantInitService tenantInitService;

        @Autowired
        private TenantDeprovisioningService tenantDeprovisioningService;

        @PostMapping("/tenant-provisioning")
        @PreAuthorize("@authorizationFilter.hasAnyPermission()")
        public ResponseEntity<InitServiceDto> initiateTenant(@RequestBody(required = false) InitServiceDto initServiceDto) {
            tenantInitService.createDefaultGroups();
            tenantInitService.bootstrapInitialAccounts(initServiceDto);
            return new ResponseEntity<>(initServiceDto, HttpStatus.OK);
        }

        @DeleteMapping("/tenant-provisioning")
        @PreAuthorize("@authorizationFilter.hasAnyPermission()")
        public ResponseEntity<Void> deleteTenant(@RequestBody(required = false) DeleteServiceDto deleteServiceDto) {
            tenantDeprovisioningService.deprovisionTenant();
            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
        }
    }
Flow Diagram
FAQ
Q. Will the delete API be a synchronous call, and can it be done in a few seconds?
A. Yes, it will be a synchronous call and will complete within seconds.