Commit c268ce6c authored by neelesh thakur's avatar neelesh thakur

rebase

parents ca84f557 d6bcdb9b
......@@ -23,6 +23,7 @@ Here are steps to enable Policy service for a provider:
- Add and provide values for following runtime configuration in `application.properties`
```
service.policy.enabled=true
service.policy.id=search //policy_id from ${policy_service_endpoint}/api/policy/v1/policies.
service.policy.endpoint=${policy_service_endpoint}
policy.cache.timeout=<timeout_in_minutes>
PARTITION_API=${partition_service_endpoint}
......@@ -31,4 +32,4 @@ Here are steps to enable Policy service for a provider:
- This is an experimental feature and at this moment has following limitations
1. If the query has `returnedFields` set, it must contain all `acl, kind, legal` and `id`
2. In the current implementation, totalCount represents the number of records matching user query before the search policy is applied
3. Because the policy auth filter is applied outside of query handles, cursor may not point to the accurate data entry when using `query_with_cursor`
\ No newline at end of file
3. Because the policy auth filter is applied outside of query handles, cursor may not point to the accurate data entry when using `query_with_cursor`
......@@ -30,7 +30,9 @@ In order to run the service locally or remotely, you will need to have the follo
| `GOOGLE_APPLICATION_CREDENTIALS` | ex `/path/to/directory/service-key.json` | Service account credentials, you only need this if running locally | yes | https://console.cloud.google.com/iam-admin/serviceaccounts |
| `SECURITY_HTTPS_CERTIFICATE_TRUST` | ex `false` | Elastic client connection uses TrustSelfSignedStrategy(), if it is 'true' | false | output of infrastructure deployment |
| `SERVICE_PARTITION_ENABLED` | `true` OR `false` | Allow to configure TenantInfo provision by Partition service | no | - |
| `PARTITION_API` | ex `http://localhost:8080/api/partition/v1` | Partition service endpoint | no | - |
| `PARTITION_API` | ex `http://localhost:8080/api/partition/v1` | Partition service endpoint | no | output of infrastructure deployment |
| `POLICY_API` | ex `http://localhost:8080/api/policy/v1/` | Police service endpoint | no | output of infrastructure deployment |
| `POLICY_ID` | ex `search` | policeId from ex `http://localhost:8080/api/policy/v1/policies`. Look at `POLICY_API` | no | - |
### Run Locally
Check that maven is installed:
......@@ -190,9 +192,9 @@ Create king ring and key in the ***master project***
--purpose encryption
```
Add **Cloud KMS CryptoKey Encrypter/Decrypter** role to the **App Engine default service account** of the ***master project*** through IAM - Role tab
Add **Cloud KMS CryptoKey Encrypter/Decrypter** role to the **default service account** of the ***master project*** through IAM - Role tab
Add **Cloud KMS Encrypt/Decrypt** role to the **App Engine default service account** of ***master project***
Add **Cloud KMS Encrypt/Decrypt** role to the **default service account** of ***master project*** through IAM - Role tab
#### Memory Store (Redis Instance) Setup
......@@ -218,4 +220,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
\ No newline at end of file
limitations under the License.
......@@ -57,6 +57,11 @@
<version>0.10.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-core</artifactId>
<version>1.38.1</version>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-datastore</artifactId>
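Review bot: The new `io.grpc:grpc-core` entry pins a single gRPC artifact at 1.38.1 while the other gRPC artifacts (grpc-api, grpc-context, stubs) are left to whatever the google-cloud libraries pull transitively; gRPC artifacts are expected to resolve to one version, and a mismatch usually surfaces only at runtime as a NoSuchMethodError rather than at build time. Since nothing in the commit says why the pin is needed, a comment on the dependency would help, e.g. `<!-- pinned to resolve a transitive gRPC version conflict after the google-cloud-logging upgrade; keep all io.grpc artifacts on the same version -->`. A more robust alternative is importing `io.grpc:grpc-bom` in `<dependencyManagement>` so every gRPC artifact is managed together. The pipeline attached to this commit is shown as failed, so it is worth confirming that failure is unrelated to this dependency change.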
......@@ -65,7 +70,7 @@
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-logging</artifactId>
<version>1.72.0</version>
<version>2.3.1</version>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
......
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.search.provider.gcp.provider.persistence;
import java.util.Date;
import org.apache.commons.lang3.time.DateUtils;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.Iam.Projects.ServiceAccounts.SignJwt;
import com.google.api.services.iam.v1.model.SignJwtRequest;
import com.google.api.services.iam.v1.model.SignJwtResponse;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.gson.JsonObject;
import org.opengroup.osdu.core.common.util.Crc32c;
import org.opengroup.osdu.core.common.model.tenant.TenantInfo;
import org.opengroup.osdu.search.provider.gcp.cache.DatastoreCredentialCache;
public class DatastoreCredential extends GoogleCredentials {
private static final long serialVersionUID = 8344377091688956815L;
private static final JsonFactory JSON_FACTORY = new JacksonFactory();
private Iam iam;
private final TenantInfo tenant;
private final DatastoreCredentialCache cache;
protected DatastoreCredential(TenantInfo tenant, DatastoreCredentialCache cache) {
this.tenant = tenant;
this.cache = cache;
}
@Override
public AccessToken refreshAccessToken() {
String cacheKey = this.getCacheKey();
AccessToken accessToken = this.cache.get(cacheKey);
if (accessToken != null) {
return accessToken;
}
try {
SignJwtRequest signJwtRequest = new SignJwtRequest();
signJwtRequest.setPayload(this.getPayload());
String serviceAccountName = String.format("projects/-/serviceAccounts/%s", this.tenant.getServiceAccount());
SignJwt signJwt = this.getIam().projects().serviceAccounts().signJwt(serviceAccountName, signJwtRequest);
SignJwtResponse signJwtResponse = signJwt.execute();
String signedJwt = signJwtResponse.getSignedJwt();
accessToken = new AccessToken(signedJwt, DateUtils.addSeconds(new Date(), 3600));
this.cache.put(cacheKey, accessToken);
return accessToken;
} catch (Exception e) {
throw new RuntimeException("Error creating datastore credential", e);
}
}
private String getPayload() {
JsonObject payload = new JsonObject();
payload.addProperty("iss", this.tenant.getServiceAccount());
payload.addProperty("sub", this.tenant.getServiceAccount());
payload.addProperty("aud", "https://datastore.googleapis.com/google.datastore.v1.Datastore");
payload.addProperty("iat", System.currentTimeMillis() / 1000);
return payload.toString();
}
protected void setIam(Iam iam) {
this.iam = iam;
}
private Iam getIam() throws Exception {
if (this.iam == null) {
Iam.Builder builder = new Iam.Builder(GoogleNetHttpTransport.newTrustedTransport(), JSON_FACTORY,
GoogleCredential.getApplicationDefault()).setApplicationName("Search Service");
this.iam = builder.build();
}
return this.iam;
}
private String getCacheKey() {
return Crc32c.hashToBase64EncodedString(String.format("datastoreCredential:%s", this.tenant.getName()));
}
}
\ No newline at end of file
......@@ -23,6 +23,7 @@ import java.util.HashMap;
import java.util.Map;
import javax.inject.Inject;
import org.opengroup.osdu.core.common.model.tenant.TenantInfo;
import org.opengroup.osdu.core.gcp.multitenancy.credentials.DatastoreCredential;
import org.opengroup.osdu.search.provider.gcp.cache.DatastoreCredentialCache;
import org.springframework.stereotype.Component;
import org.threeten.bp.Duration;
......@@ -53,7 +54,7 @@ public class DatastoreFactory {
public Datastore getDatastoreInstance(TenantInfo tenantInfo) {
if (datastoreClients.get(tenantInfo.getName()) == null) {
Datastore googleDatastore = DatastoreOptions.newBuilder()
.setCredentials(new DatastoreCredential(tenantInfo, this.cache))
.setCredentials(new DatastoreCredential(tenantInfo))
.setRetrySettings(RETRY_SETTINGS)
.setTransportOptions(TRANSPORT_OPTIONS)
.setNamespace(tenantInfo.getName())
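Review bot: The replacement `new DatastoreCredential(tenantInfo)` drops the `this.cache` argument, so the injected `DatastoreCredentialCache` field and its import (still present as context in the imports hunk of this file) appear to be dead now — remove them, or add a note on why they are kept. The deleted provider-local class cached the signed token per tenant name with a fixed one-hour lifetime; whether the core-lib `DatastoreCredential` caches at all, and whether it honours the token's real expiry, is not visible in this diff, so a short comment on the new line would save the next reader a trip into the library, e.g. `// token caching/refresh now lives in core-lib's DatastoreCredential; the local DatastoreCredentialCache is no longer consulted`. `getDatastoreInstance` continues outside the hunk, so the check-then-put on `datastoreClients` is not reviewed here.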
......