Skip to content
Snippets Groups Projects
Commit 85731c7d authored by Riabokon Stanislav(EPAM)[GCP]'s avatar Riabokon Stanislav(EPAM)[GCP]
Browse files

Merge branch 'gcp-docs' into 'master' 

Gcp docs

See merge request !59
parents feb88a9e 93616e00
No related branches found
No related tags found
1 merge request!59Gcp docs
Pipeline #46590 failed
Stage: .pre
Stage: build
Stage: scan
Hide whitespace changes
Inline Side-by-side
docs/tutorial/gcp/Partition.md 0 → 100644
+ 219
0
View file @ 85731c7d
## Partition Service
## Table of Contents <a name="TOC"></a>
* [Introduction](#introduction)
* [Checking Service Health](#checking-service-health)
* [Partition API access](#partition-api-access)
* [APIs](#apis)
* [Get partition details](#get-partition)
* [Create a new partition](#create-partition)
* [Update an existing partition](#update-partition)
* [Delete an existing partition](#delete-partition)
* [List of partitions](#list-partition)
## Introduction <a name="introduction"></a>
Partition service is responsible for creating and retrieving the partition specific properties (secret and non-secret) on behalf of other services.
## Health Check <a name="checking-service-health"></a>
An endpoint to check if service is up and running.
```
GET api/partition/v1/_ah/liveness_check
```
<details><summary>curl</summary>
```
curl --request GET \
--url 'https://<base_url>/api/partition/v1/_ah/liveness_check'
```
</details>
## Partition API access <a name="partition-api-access"></a>
As Partition service APIs are mostly consumed by other services, API access is limited to service accounts only.
## APIs <a name="apis"></a>
### Get partition details<a name="get-partition"></a>
Consuming services can use this API to get details of a partition. Partition details consists of a set of key-value pairs of properties.
```
GET api/partition/v1/partitions/{partitionId}
```
<details><summary>curl</summary>
```
curl --request GET \
--url 'https://<base_url>/api/partition/v1/partitions/osdu' \
--header 'Authorization: Bearer <JWT>' \
--header 'Content-Type: application/json'
```
</details>
A sample output is shown below.
<details><summary>Sample response</summary>
```
{
"projectId": {
"sensitive": false,
"value": "osdu"
},
"serviceAccount": {
"sensitive": false,
"value": ".iam.gserviceaccount.com"
},
"complianceRuleSet": {
"sensitive": false,
"value": "shared"
},
"dataPartitionId": {
"sensitive": false,
"value": "osdu"
},
"name": {
"sensitive": false,
"value": "osdu"
},
"policy-service-enabled": {
"sensitive": false,
"value": "false"
},
"bucket": {
"sensitive": false,
"value": "bucketName"
},
"crmAccountID": {
"sensitive": false,
"value": "["osdu","osdu"]"
}
}
```
</details>
[Back to Table of Contents](#TOC)
### Create a new partition<a name="create-partition"></a>
This api can be used to create a new partition. A plausible use case would be partition provisioning infrastructure script.
```
POST api/partition/v1/partitions/{partitionId}
```
<details><summary>curl</summary>
```
curl --request POST \
--url 'https://<base_url>/api/partition/v1/partitions/mypartition' \
--header 'Authorization: Bearer <JWT>' \
--header 'Content-Type: application/json' \
--data-raw '{
"properties": {
"projectId": {
"sensitive": false,
"value": "mypartition"
},
"serviceAccount": {
"sensitive": false,
"value": ".iam.gserviceaccount.com"
},
"complianceRuleSet": {
"sensitive": false,
"value": "shared"
},
"dataPartitionId": {
"sensitive": false,
"value": "mypartition"
},
"name": {
"sensitive": false,
"value": "mypartition"
},
"policy-service-enabled": {
"sensitive": false,
"value": "false"
},
"bucket": {
"sensitive": false,
"value": "bucketName"
},
"crmAccountID": {
"sensitive": false,
"value": "["mypartition","mypartition"]"
}
}
}'
```
</details>
[Back to Table of Contents](#TOC)
### Update an existing partition<a name="update-partition"></a>
This api is used to update the properties of an existing partition. With this api, we can modify existing properties or add new ones. Deletion of properties can not be achieved, we'll have to delete the partition and re-create it for the same effect.
```
PATCH api/partition/v1/partitions/{partitionId}
```
<details><summary>curl</summary>
```
curl --request PATCH \
--url 'https://<base_url>/api/partition/v1/partitions/mypartition' \
--header 'Authorization: Bearer <JWT>' \
--header 'Content-Type: application/json' \
--data-raw '{
"properties": {
"bucket": {
"value": "bucket-update-value"
},
"new-key": {
"sensitive": true,
"value": "new-value"
}
}
}'
```
</details>
### Delete an existing partition<a name="delete-partition"></a>
This api is used to delete an existing partition. A plausible use case would be partition teardown infrastructure script.
```
DELETE api/partition/v1/partitions/{partitionId}
```
<details><summary>curl</summary>
```
curl --request DELETE \
--url 'https://<base_url>/api/partition/v1/partitions/mypartition' \
--header 'Authorization: Bearer <JWT>' \
--header 'Content-Type: application/json'
```
</details>
### List partitions <a name="list-partition"></a>
Consuming services can use this API to list all partitions Id.
```
GET api/partition/v1/partitions
```
<details><summary>curl</summary>
```
curl --request GET \
--url 'https://<base_url>/api/partition/v1/partitions' \
--header 'Authorization: Bearer <JWT>' \
--header 'Content-Type: application/json'
```
</details>
A sample output is shown below.
<details><summary>Sample response</summary>
```
[
"default-dev",
"opendes",
"osdu",
"mypartition"
]
```
</details>
[Back to Table of Contents](#TOC)
\ No newline at end of file
provider/partition-gcp/src/main/java/org/opengroup/osdu/partition/provider/gcp/security/AuthorizationService.java
+ 41
38
View file @ 85731c7d
......@@ -39,47 +39,50 @@ import org.springframework.web.context.annotation.RequestScope;
@RequiredArgsConstructor
public class AuthorizationService implements IAuthorizationService {
private final PropertiesConfiguration configuration;
private final PropertiesConfiguration configuration;
private final DpsHeaders headers;
private final DpsHeaders headers;
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
try {
GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder(
GoogleNetHttpTransport.newTrustedTransport(),
JacksonFactory.getDefaultInstance())
.setAudience(Collections.singleton(configuration.getGoogleAudiences()))
.build();
@Override
public boolean isDomainAdminServiceAccount() {
if (Objects.isNull(headers.getAuthorization()) || headers.getAuthorization().isEmpty()) {
throw AppException.createUnauthorized("No JWT token. Access is Forbidden");
}
String email = null;
try {
GoogleIdTokenVerifier verifier =
new GoogleIdTokenVerifier.Builder(
GoogleNetHttpTransport.newTrustedTransport(),
JacksonFactory.getDefaultInstance())
.setAudience(Collections.singleton(configuration.getGoogleAudiences()))
.build();
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
String email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
if (email.equals(partitionAdminAccount)) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
} else {
if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
return true;
} else {
throw AppException.createUnauthorized("Unauthorized. The user is not Service Principal");
}
}
} catch (Exception e) {
log.warn("Not valid or expired token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
String authorization = headers.getAuthorization().replace("Bearer ", "");
GoogleIdToken googleIdToken = verifier.verify(authorization);
if (Objects.isNull(googleIdToken)) {
log.warn("Not valid token provided");
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
email = googleIdToken.getPayload().getEmail();
String partitionAdminAccount = configuration.getPartitionAdminAccount();
if (Objects.nonNull(partitionAdminAccount) && !partitionAdminAccount.isEmpty()) {
if (email.equals(partitionAdminAccount)) {
return true;
} else {
throw AppException
.createUnauthorized(String.format("Unauthorized. The user %s is untrusted.", email));
}
} else {
if (StringUtils.endsWithIgnoreCase(email, "gserviceaccount.com")) {
return true;
} else {
throw AppException.createUnauthorized(
String.format("Unauthorized. The user %s is not Service Principal", email));
}
}
} catch (Exception ex) {
log.warn(String.format("User %s is not unauthorized. %s.", email, ex));
throw AppException.createUnauthorized("Unauthorized. The JWT token could not be validated");
}
}
}
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment