From 78ca64a234ad03242c714d85114c1b4589dba19b Mon Sep 17 00:00:00 2001
From: "Yauheni  Rykhter (EPAM)" <yauheni_rykhter@epam.com>
Date: Thu, 7 Sep 2023 13:48:15 +0000
Subject: [PATCH] GONRG-7679: update policy bootstrap

---
 .../bootstrap-osdu-module/DataPartitionBundles.py | 10 +++++++---
 .../gc/bootstrap-osdu-module/bootstrap_policy.sh  | 14 ++++----------
 .../templates/search_template.rego                | 15 +++++++++++++++
 devops/gc/deploy/templates/opa-configmap.yaml     | 10 ----------
 devops/gc/deploy/values.yaml                      |  2 +-
 5 files changed, 27 insertions(+), 24 deletions(-)
 create mode 100644 devops/gc/bootstrap-osdu-module/templates/search_template.rego

diff --git a/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py b/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py
index 59a33da9..17a94427 100644
--- a/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py
+++ b/devops/gc/bootstrap-osdu-module/DataPartitionBundles.py
@@ -10,8 +10,10 @@ class BootstrapDataPartitionBundles:
         tar_name = "bundle-{dp}.tar.gz".format(dp=dp_id)
         dataauthz_template_name = "dataauthz_template.rego"
         manifest_template_name = "manifest_template.manifest"
+        search_template_name = "search_template.rego"
         dataauthz_filename = "dataauthz.rego"
         manifest_filename = ".manifest"
+        search_filename = "search.rego"
         template_path = "devops/gc/bootstrap-osdu-module/templates/"
 
         env = Environment(
@@ -20,19 +22,21 @@ class BootstrapDataPartitionBundles:
         )
         dataauthz_template = env.get_template(dataauthz_template_name)
         manifest_template = env.get_template(manifest_template_name)
+        search_template = env.get_template(search_template_name)
         dataauthz_render = dataauthz_template.render(dp_id=dp_id)
         manifest_render = manifest_template.render(dp_id=dp_id)
+        search_render = search_template.render(dp_id=dp_id)
 
         with open(dataauthz_filename,"w") as f1:
             f1.write(dataauthz_render)
         with open(manifest_filename, "w") as f2:
             f2.write(manifest_render)
+        with open(search_filename, "w") as f2:
+            f2.write(search_render)
         with tarfile.open(tar_name, "w:gz") as tar_handle:
             tar_handle.add(os.path.abspath(dataauthz_filename), arcname=dataauthz_filename)
             tar_handle.add(os.path.abspath(manifest_filename), arcname=manifest_filename)
-
-
-
+            tar_handle.add(os.path.abspath(search_filename), arcname=search_filename)
 
 # Initialize class and upload bundles
 if __name__ == '__main__':
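Review bot: The new `with open(search_filename, "w") as f2:` block reuses the handle name `f2` that the manifest write directly above already binds; each `with` closes its own file so nothing breaks, but the repeated name reads like a copy-paste slip and obscures which file is being written, `with open(search_filename, "w") as f3:`. The rendered search.rego is, like the two existing files, written into the current working directory and left there after the tarball is built; if that is intended as scratch space a one-line comment such as `# rendered files are written to CWD and packed into the bundle tarball` would make it explicit. The enclosing method starts before the first hunk and the `Environment(...)` arguments fall outside this hunk.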
diff --git a/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh b/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh
index d4453e31..d8e87f4c 100644
--- a/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh
+++ b/devops/gc/bootstrap-osdu-module/bootstrap_policy.sh
@@ -58,18 +58,12 @@ source ./validate-env.sh "POLICY_BUCKET"
 create_instance_bundles
 
 ## Creating partition bundles
-if [[ "${DATA_PARTITION_ID_LIST}" == "" ]]; then
-  # Single partition case
-  create_partition_bundle "$DATA_PARTITION"
-else
-  # Multipartition case
-  IFS=',' read -ra PARTITIONS <<< "${DATA_PARTITION_ID_LIST}"
-  PARTITIONS=("${DATA_PARTITION}" "${PARTITIONS[@]}")
+IFS=',' read -ra PARTITIONS <<< "${DATA_PARTITION_ID_LIST}"
+PARTITIONS=("${PARTITIONS[@]}")
 
-  for PARTITION in "${PARTITIONS[@]}"; do
+for PARTITION in "${PARTITIONS[@]}"; do
     create_partition_bundle "${PARTITION}"
-  done
-fi
+done
 
 ## Uploading bundles to gcs/minio bucket
 if [ "${ONPREM_ENABLED}" == "true" ]
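Review bot: With the single-partition branch removed, an empty `DATA_PARTITION_ID_LIST` now yields an empty `PARTITIONS` array and the loop creates no partition bundle at all, where previously `create_partition_bundle "$DATA_PARTITION"` still ran; the script then proceeds to the upload step with nothing to upload and no error. The `validate-env.sh` pattern visible in the hunk header fits here, `source ./validate-env.sh "DATA_PARTITION_ID_LIST"` placed before the `read`. `PARTITIONS=("${PARTITIONS[@]}")` on the line after the `read` is a no-op left over from the removed prepend of `DATA_PARTITION` and can be dropped. The loop body `create_partition_bundle "${PARTITION}"` keeps the four-space indent of the removed `if` block and now sits one level deeper than the `for`/`done` around it.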
diff --git a/devops/gc/bootstrap-osdu-module/templates/search_template.rego b/devops/gc/bootstrap-osdu-module/templates/search_template.rego
new file mode 100644
index 00000000..9f394427
--- /dev/null
+++ b/devops/gc/bootstrap-osdu-module/templates/search_template.rego
@@ -0,0 +1,15 @@
+package osdu.partition["{{dp_id}}"].search
+
+default allow = false
+
+allow = true {
+    input.operation == "view"
+    # At least one user group needs to be in acl viewers
+    input.record.acl.viewers[_]==input.groups[_]
+}
+
+allow = true {
+    input.operation == ["view", "create", "update", "delete", "purge"][_]
+    # At least one user group needs to be in acl owners
+    input.record.acl.owners[_]==input.groups[_]
+}
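Review bot: `{{dp_id}}` is substituted straight into the `package osdu.partition["{{dp_id}}"].search` line at the top of the template, so a partition id containing a double quote, `]` or a newline would produce a malformed package path or extra Rego statements in the generated bundle; whether the Jinja `Environment` in DataPartitionBundles.py escapes it is not visible in this patch, since its arguments fall outside that hunk. A strict allowlist check on `dp_id` in the rendering method of DataPartitionBundles.py, before any `render(dp_id=dp_id)` call, closes this independently of the template configuration, e.g. `if not re.fullmatch(r"[a-z0-9-]+", dp_id): raise ValueError(f"invalid partition id: {dp_id}")` with `re` imported (constructed example; align the character class with the project's partition-id rules). A comment on the package line stating that `dp_id` is expected to be validated by the caller would document that contract in the template itself.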
diff --git a/devops/gc/deploy/templates/opa-configmap.yaml b/devops/gc/deploy/templates/opa-configmap.yaml
index aca6be1c..335a9c78 100644
--- a/devops/gc/deploy/templates/opa-configmap.yaml
+++ b/devops/gc/deploy/templates/opa-configmap.yaml
@@ -15,18 +15,11 @@ data:
           gcp_metadata:
             scopes:
               - "{{ .Values.data.scopes }}"
-
     bundles:
       osdu/instance:
         service: gcs
         # NOTE ?alt=media is required
         resource: 'bundle.tar.gz?alt=media'
-      osdu/partition/{{ .Values.data.dataPartitionId }}:
-        service: gcs
-        resource: 'bundle-{{ .Values.data.dataPartitionId }}.tar.gz?alt=media'
-        polling:
-          min_delay_seconds: {{ .Values.conf.minDelaySeconds }}
-          max_delay_seconds: {{ .Values.conf.maxDelaySeconds }}
       {{- range (compact .Values.data.dataPartitionIdList) }}
       osdu/partition/{{ . }}:
         service: gcs
@@ -47,9 +40,6 @@ data:
       osdu/instance:
         service: s3
         resource: bundle.tar.gz
-      osdu/partition/{{ .Values.data.dataPartitionId }}:
-        service: s3
-        resource: 'bundle-{{ .Values.data.dataPartitionId }}.tar.gz'
       {{- range (compact .Values.data.dataPartitionIdList) }}
       osdu/partition/{{ . }}:
         service: s3
diff --git a/devops/gc/deploy/values.yaml b/devops/gc/deploy/values.yaml
index 5a199f95..d25a3108 100644
--- a/devops/gc/deploy/values.yaml
+++ b/devops/gc/deploy/values.yaml
@@ -23,7 +23,7 @@ data:
   bucketName: ""
   useBundles: "yes"
   dataPartitionId: ""
-  dataPartitionIdList: []
+  dataPartitionIdList: ["osdu"]
   scopes: "https://www.googleapis.com/auth/devstorage.read_only"
   # baremetal only
   minioHost: "http://minio:9000"
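Review bot: `dataPartitionIdList: ["osdu"]` now carries the complete set of partitions to bootstrap, because this patch removes the single-partition fallback on `dataPartitionId` from opa-configmap.yaml and bootstrap_policy.sh, yet nothing in values.yaml says so and `dataPartitionId: ""` stays directly above it looking like the primary setting. A comment on the list line would prevent deployments that set only `dataPartitionId` and get no partition bundle, `# all partitions to bootstrap, including the primary one (dataPartitionId alone no longer creates a bundle)`. Whether `dataPartitionId` is still consumed by other templates cannot be seen from this patch, so it should stay until that is checked.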
-- 
GitLab