Entitlements merge requests
Feed: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests
Updated: 2023-08-18T11:35:35Z

Merge request !55: Add audit logs for write operations in database
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/55
Updated: 2023-08-18T11:35:35Z
Author: Rostislav Vatolin <vatolinrp@gmail.com>
More details: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/42
Milestone: M5 - Release 0.8

Merge request !29: Add delete member API
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/29
Updated: 2023-08-18T11:36:13Z
Author: Rostyslav Matushkin (SLB)
More details: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/17
Milestone: M4 - Release 0.7

Merge request !536: Added check redis connection (GONRG-7597)
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/536
Updated: 2023-09-18T07:00:18Z
Author: Yurii Ruban [EPAM / GCP]
# Description:
In case of loss of connection between the service and Redis, the processing of requests to the service is delayed, and an error of the type "Command timed out after 30 SECONDS" is received. Added Redis connection health checks. Issue https://community.opengroup.org/osdu/platform/system/lib/core/os-core-common/-/issues/72
# How to test:
1. Choose a service with core common lib.
2. Check service viability.
3. Turn off the Redis.
4. Get the result of a request to the service without errors.
5. Check logs with the message "Redis connection is closed.".
# Changes include:
- [ ] Bugfix (a non-breaking change that solves an issue).
# Changes in:
- [ ] GCP
- [ ] Azure
- [ ] AWS
- [ ] IBM
Milestone: M21 - Release 0.24
Assignees: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>

Merge request !498: added impersonation flow for get groups
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/498
Updated: 2023-08-22T10:57:48Z
Author: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>
# Description:
Implementation for https://community.opengroup.org/osdu/platform/data-flow/ingestion/home/-/issues/54.
It was moved from the GC module to the core module.
Endpoint `/groups` was updated: if the request contains the header `on-behalf-of`, the request is passed to a new method and to authorization filters that evaluate whether impersonation is allowed:
~~~
curl --location 'https://community.gcp.gnrg-osdu.projects.epam.com/api/entitlements/v2/groups' \
--header 'Data-Partition-Id: osdu' \
--header 'on-behalf-of: user-to-impersonate@test.com' \
--header 'Authorization: Bearer <IMPERSONATOR_TOKEN>'
~~~
If the requester doesn't have a group `users.datalake.delegation`, the request will be forbidden:
~~~
{
"code": 403,
"reason": "Forbidden",
"message": "Impersonation not allowed for rustam_lotsmanenko@osdu-gcp.go3-nrg.projects.epam.com"
}
~~~
If the target user to be impersonated doesn't have a group `users.datalake.impersonation` the request will be forbidden:
~~~
{
"code": 403,
"reason": "Forbidden",
"message": "Impersonation not allowed for user-to-impersonate@test.com"
}
~~~
Thus the least privilege principle is respected; bootstrapping was not updated, and by default none of the users have any of those groups.
An exception is the `tenant service account`, which by default is `owner of all groups`. For that, validation was added that prevents the impersonation of a tenant service account.
A few points to mention:
- Solution respects the least privilege principle
- Impact on the platform is minimal, as the same endpoint `/groups` is used; no changes are required in services except DAGs that should impersonate the user.
# How to test:
Via integration tests.
# Changes include:
- [ ] Refactor (a non-breaking change that improves code maintainability).
- [ ] Bugfix (a non-breaking change that solves an issue).
- [x] New feature (a non-breaking change that adds functionality).
- [ ] Breaking change (a change that is not backward-compatible and/or changes current functionality).
# Changes in:
- [x] Common code
# Dev Checklist:
- [x] Added Unit Tests, wherever applicable.
- [x] Updated the Readme, if applicable.
- [x] Existing Tests pass
- [x] Verified functionality locally
- [x] Self Reviewed my code for formatting and complex business logic.
Milestone: M20 - Release 0.23
Assignees: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>

Merge request !105: Added new version info endpoint (GONRG-2681)
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/105
Updated: 2021-08-26T09:21:20Z
Author: Dmitrii Novikov (EPAM)
## Type of change
- [ ] Bug Fix
- [x] Feature
osdu/platform/system/lib/core/os-core-common#47
## Does this introduce a change in the core logic?
- [YES]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [x] AWS
- [x] Azure
- [x] GCP
- [x] IBM
## Does this introduce a breaking change?
- [YES]
## What is the current behavior?
Provides info about maven build and git
Milestone: M8 - Release 0.11
Assignees: Rostislav Dublin (EPAM)

Merge request !642: Added oid validation for azure
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/642
Updated: 2024-03-22T11:13:34Z
Author: Deepa Kumari
Added OID validation for Azure; the scenarios below are covered with the help of https://community.opengroup.org/osdu/platform/system/lib/cloud/azure/os-core-lib-azure/-/merge_requests/340
Issue: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/166
1. Group
2. Default Service principal Client ID/OID, multiple service principal's in environment
3. User
4. All validations are behind a feature flag and apply to the User type of node being added from entitlements.
Common code changes:
1. Only integration tests where overriding the member to be added was necessary; stubbed additional default members inside the ConfigurationService class, with tests referring to them from there instead of direct hardcoded values
Azure:
1. Added other validations for integration tests, uncovered from common scenarios; additional variables introduced:
- AZURE_AD_VALID_OID_USER1
- AZURE_AD_VALID_OID_USER2
- AZURE_AD_NO_DATA_ACCESS_SP_OID
- AZURE_AD_GROUP_OID
Milestone: M23 - Release 0.26
Assignees: Deepa Kumari

Merge request !556: Added redis connection error handling (GONRG-7597)
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/556
Updated: 2023-09-20T07:56:47Z
Author: Yurii Ruban [EPAM / GCP]
# Description:
In case of loss of connection between the service and Redis, the processing of requests to the service is delayed, and an error of the type "Command timed out after 30 SECONDS" is received. Added Redis connection error handling. Issue https://community.opengroup.org/osdu/platform/system/lib/core/os-core-common/-/issues/72
# How to test:
1. Turn off the Redis.
2. Get the result of a request to the service without errors.
3. Check logs with the message "Redis connection is closed."
# Changes include:
- [x] Bugfix (a non-breaking change that solves an issue).
# Changes in:
- [x] GCP
- [x] Azure
- [x] AWS
- [x] IBM
Milestone: M21 - Release 0.24
Assignees: Riabokon Stanislav(EPAM)[GCP]

Merge request !382: added spring-boot-maven plugin version
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/382
Updated: 2022-11-28T15:20:26Z
Author: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>
## Type of change
- [x] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [x] AWS
- [x] Azure
- [x] Google Cloud
- [x] IBM
- [x] Common code
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
Projects that do not specify the spring-boot-maven plugin version will not compile, since the latest version of the spring-boot-maven plugin is supposed to build spring-boot V3 projects with Java 17.
Milestone: M15 - Release 0.18
Assignees: Chad Leong

Merge request !115: Add error message for partition exception response (GONRG-2963)
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/115
Updated: 2021-09-27T13:50:48Z
Author: Artem Dobrynin (EPAM)
## Type of change
- [x] Bug Fix
- [ ] Feature
The message for partition service was added
## Does this introduce a change in the core logic?
- [YES]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] GCP
- [ ] IBM
## Does this introduce a breaking change?
- [No]
## What is the current behavior?
- The message from Partition Service goes directly to the response. The user could use this response to get info about the internal state of the environment. With this fix we will change the message to a more generic one.
Milestone: M9 - Release 0.12
Assignees: Rostislav Dublin (EPAM)

Merge request !507: Adding versions to the provider POMs
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/507
Updated: 2023-06-26T22:03:03Z
Author: David Diederich <d.diederich@opengroup.org>
This is necessary to create a provider specific release. When creating a provider specific release, the artifact version of the single provider is incremented, then a special tag is created to indicate the change only refers to that one provider.
In the existing case, there are no versions specified for provider libraries. That causes maven to inherit the version from the parent, which in turn forces all provider libraries to have the same version. We need to explicitly set the versions in order to have different ones per provider.
Milestone: M18 - Release 0.21
Assignees: David Diederich <d.diederich@opengroup.org>

Merge request !30: add more steps in the data migration script
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/30
Updated: 2023-08-18T11:36:10Z
Author: Mingyang Zhu
Add 2 extra steps in the data migration script. The current script will migrate the data from v1 as-is. And the extra steps will do the following:
1. Run the tenant provisioning API first before migrating data. It creates the bootstrap groups and relationship
2. Migrate data admins. In entitlements-azure, there is a feature that allows the whitelisted data admins to access all data groups. V2 achieves this through the group hierarchy, through the data admin group (users.data.root). So just migrating data as-is will make the data admins. This extra step runs last to add all the whitelisted data admins from v1 into the data admin group.
Milestone: M4 - Release 0.7
Assignees: Mingyang Zhu

Merge request !65: Add protection for bootstrapped groups
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/65
Updated: 2023-08-18T11:35:19Z
Author: Rostislav Vatolin <vatolinrp@gmail.com>
More details: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/51
Milestone: M5 - Release 0.8

Merge request !580: Adds an Integration Test to ensure that the data root group is added as a member of newly created groups
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/580
Updated: 2023-11-20T14:14:37Z
Author: Derek Hudson
Adds an integration test that ensures that newly created data groups are not added to the root group and that the root group is added to the created data group.
Currently requires the `disable-data-root-group-hierarchy` feature flag to be disabled. Might need to be changed if this fails for other CSPs.
This should ensure that [this issue](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/109) is fixed for all Cloud Service Providers.
The AWS test will fail until the AWS team merges back to master.
Milestone: M22 - Release 0.25
Assignees: Derek Hudson

Merge request !18: Add service principal authorization
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/18
Updated: 2023-08-18T11:36:25Z
Author: Rostislav Vatolin <vatolinrp@gmail.com>
More details: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/9
Milestone: M4 - Release 0.7

Merge request !586: Add support for RequestRejectedHandler
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/586
Updated: 2023-11-23T09:27:59Z
Author: VidyaDharani Lokam
Add RequestRejectedHandler to change the response code to 400 when there is a RequestRejectedException instead of 500.
Fixes issues:
#127 #128 #129.
Milestone: M22 - Release 0.25
Assignees: VidyaDharani Lokam

Merge request !16: Add tenant init API
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/16
Updated: 2023-08-18T11:36:28Z
Author: Rostislav Vatolin <vatolinrp@gmail.com>
More details: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/7
Milestone: M4 - Release 0.7

Merge request !122: add validation for cyclic membership in AddMember API
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/122
Updated: 2023-08-18T11:34:12Z
Author: Kelly Zhou
Milestone: M9 - Release 0.12

Merge request !297: API /members/{member_email}/groups endpoint contract discrepancy
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/297
Updated: 2022-07-26T12:17:13Z
Author: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>
# Description:
There is an endpoint on Entitlements list-group-on-behalf-of-api - GET /members/{member_email}/groups
used for getting a list of certain user groups. Its Swagger spec says it has an optional query parameter "type".
This is not accurate. Indeed, the parameter is mandatory. Trying to run without it, one gets an error:
~~~
https://{{ENTITLEMENTS_HOST}}/members/:member_email/groups
{
"code": 400,
"reason": "Bad Request",
"message": "Invalid filter"
}
~~~
It expects a value from org.opengroup.osdu.entitlements.v2.model.GroupType, one of: NONE, DATA, USER, SERVICE.
This mitigation is in contradiction with the spec, and this explicit format seems excessive and not convenient.
Moreover, the spec doesn't list the admitted type codes, so a user has no chance to guess them.
# Changes include:
- [ ] Refactor (a non-breaking change that improves code maintainability).
- [x] Bugfix (a non-breaking change that solves an issue).
- [ ] New feature (a non-breaking change that adds functionality).
- [ ] Breaking change (a change that is not backward-compatible and/or changes current functionality).
# Changes in:
- [x] GCP
- [x] Common code
# Dev Checklist:
- [ ] Added Unit Tests, wherever applicable.
- [x] Updated the Readme, if applicable.
- [ ] Existing Tests pass
- [ ] Verified functionality locally
- [ ] Self Reviewed my code for formatting and complex business logic.
Milestone: M13 - Release 0.16
Assignees: Rustam Lotsmanenko (EPAM) <rustam_lotsmanenko@epam.com>

Merge request !222: [BUG FIX] Allow OPS user to manage groups and group members
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/222
Updated: 2023-08-18T11:32:51Z
Author: Rostislav Vatolin <vatolinrp@gmail.com>
Fixes https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/issues/105
Milestone: M12 - Release 0.15

Merge request !558: Cherry-pick 'Added redis connection error handling (GONRG-7597)' into release/0.23
Link: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/merge_requests/558
Updated: 2023-09-26T10:17:22Z
Author: David Diederich <d.diederich@opengroup.org>
**Original MR**: !556
### This MR is a Cherry Pick into a Release Branch.
After the release branch is first created, any subsequent changes use this process to update the release (often resulting in a new patch tag) without incorporating all changes in the default branch.
These MRs must be approved by the PMC before they are merged, since they alter the scope of the release.
To see more details about the change itself, look at the Original MR listed above.
#### Skipped Pipeline
Normally, pipelines are not executed on the cherry pick branch/MR prior to merging.
This optimization is accepted because the code was tested when it merged into the default branch, and will be tested again in the release branch prior to tagging.
However, if anybody feels that the MR requires further scrutiny -- whether because it had conflicts in the cherry-picking, it interfaces with some drastically altered logic between the branches, or any other reason -- we can run the pipeline here prior to merging.
#### If There's Reason to Run a Pipeline
If you want to see a pipeline result before this merges, first add a comment explaining why you'd like to see the pipeline results so the PMC and others know your thinking.
Then, mark the MR as a Draft MR (using the vertical ellipsis above, choose 'Mark as Draft').
This prevents the MR from being approved & merged accidentally by a busy release coordinator who didn't see your comment.
Finally, if you are a maintainer on the project, launch a pipeline on this branch.
Since this branch is a protected branch and the MR has ~no-detached-pipeline set, all integration tests will run and there's no need for any `trusted-*` branches.
[Launch a Pipeline for this Branch](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/pipelines/new?ref=cherry-pick-for-556)
Milestone: M20 - Release 0.23
Assignees: David Diederich <d.diederich@opengroup.org>, Chad Leong, Srinivasan Narayanan