GONRG-7679: update policy bootstrap

78ca64a2 · Yauheni Rykhter (EPAM) · Shane Hutchins · 5902f445 · 78ca64a2 · 78ca64a2
Commit 78ca64a2 authored 1 year ago by Yauheni Rykhter (EPAM) Committed by Shane Hutchins 1 year ago
--- a/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py
+++ b/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py
@@ -10,8 +10,10 @@ class BootstrapDataPartitionBundles:
        tar_name = "bundle-{dp}.tar.gz".format(dp=dp_id)
        dataauthz_template_name = "dataauthz_template.rego"
        manifest_template_name = "manifest_template.manifest"
+        search_template_name = "search_template.rego"
        dataauthz_filename = "dataauthz.rego"
        manifest_filename = ".manifest"
+        search_filename = "search.rego"
        template_path = "devops/gc/bootstrap-osdu-module/templates/"
        env = Environment(
@@ -20,19 +22,21 @@ class BootstrapDataPartitionBundles:
        )
        dataauthz_template = env.get_template(dataauthz_template_name)
        manifest_template = env.get_template(manifest_template_name)
+        search_template = env.get_template(search_template_name)
        dataauthz_render = dataauthz_template.render(dp_id=dp_id)
        manifest_render = manifest_template.render(dp_id=dp_id)
+        search_render = search_template.render(dp_id=dp_id)
        with open(dataauthz_filename,"w") as f1:
            f1.write(dataauthz_render)
        with open(manifest_filename, "w") as f2:
            f2.write(manifest_render)
+        with open(search_filename, "w") as f2:
+            f2.write(search_render)
        with tarfile.open(tar_name, "w:gz") as tar_handle:
            tar_handle.add(os.path.abspath(dataauthz_filename), arcname=dataauthz_filename)
            tar_handle.add(os.path.abspath(manifest_filename), arcname=manifest_filename)
+            tar_handle.add(os.path.abspath(search_filename), arcname=search_filename)
 # Initialize class and upload bundles
 if __name__ == '__main__':

--- a/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh
+++ b/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh
@@ -58,18 +58,12 @@ source ./validate-env.sh "POLICY_BUCKET"
 create_instance_bundles
 ## Creating partition bundles
-if [[ "${DATA_PARTITION_ID_LIST}" == "" ]]; then
+IFS=',' read -ra PARTITIONS <<< "${DATA_PARTITION_ID_LIST}"
-  # Single partition case
+PARTITIONS=("${PARTITIONS[@]}")
-  create_partition_bundle "$DATA_PARTITION"
-else
-  # Multipartition case
-  IFS=',' read -ra PARTITIONS <<< "${DATA_PARTITION_ID_LIST}"
-  PARTITIONS=("${DATA_PARTITION}" "${PARTITIONS[@]}")
-  for PARTITION in "${PARTITIONS[@]}"; do
+for PARTITION in "${PARTITIONS[@]}"; do
    create_partition_bundle "${PARTITION}"
-  done
+done
-fi
 ## Uploading bundles to gcs/minio bucket
 if [ "${ONPREM_ENABLED}" == "true" ]

--- a/devops/gc/bootstrap-osdu-module/templates/search_template.rego
+++ b/devops/gc/bootstrap-osdu-module/templates/search_template.rego
+package osdu.partition["{{dp_id}}"].search
+default allow = false
+allow = true {
+    input.operation == "view"
+    # At least one user group needs to be in acl viewers
+    input.record.acl.viewers[_]==input.groups[_]
+}
+allow = true {
+    input.operation == ["view", "create", "update", "delete", "purge"][_]
+    # At least one user group needs to be in acl owners
+    input.record.acl.owners[_]==input.groups[_]
+}
--- a/devops/gc/deploy/templates/opa-configmap.yaml
+++ b/devops/gc/deploy/templates/opa-configmap.yaml
@@ -15,18 +15,11 @@ data:
          gcp_metadata:
            scopes:
              - "{{ .Values.data.scopes }}"
    bundles:
      osdu/instance:
        service: gcs
        # NOTE ?alt=media is required
        resource: 'bundle.tar.gz?alt=media'
-      osdu/partition/{{ .Values.data.dataPartitionId }}:
-        service: gcs
-        resource: 'bundle-{{ .Values.data.dataPartitionId }}.tar.gz?alt=media'
-        polling:
-          min_delay_seconds: {{ .Values.conf.minDelaySeconds }}
-          max_delay_seconds: {{ .Values.conf.maxDelaySeconds }}
      {{- range (compact .Values.data.dataPartitionIdList) }}
      osdu/partition/{{ . }}:
        service: gcs
@@ -47,9 +40,6 @@ data:
      osdu/instance:
        service: s3
        resource: bundle.tar.gz
-      osdu/partition/{{ .Values.data.dataPartitionId }}:
-        service: s3
-        resource: 'bundle-{{ .Values.data.dataPartitionId }}.tar.gz'
      {{- range (compact .Values.data.dataPartitionIdList) }}
      osdu/partition/{{ . }}:
        service: s3

--- a/devops/gc/deploy/values.yaml
+++ b/devops/gc/deploy/values.yaml
@@ -23,7 +23,7 @@ data:
  bucketName: ""
  useBundles: "yes"
  dataPartitionId: ""
-  dataPartitionIdList: []
+  dataPartitionIdList: ["osdu"]
  scopes: "https://www.googleapis.com/auth/devstorage.read_only"
  # baremetal only
  minioHost: "http://minio:9000"