[TOAZ-126] Add Sam API for pet managed identities #737
Conversation
rtitle
force-pushed
the
rt-uami
branch
4 times, most recently
from
4962144 to
4e6e802
Compare
|
jenkins retest |
| #!/bin/bash | ||
|
|
||
| # TODO: Add Janitor secrets here | ||
| # https://broadworkbench.atlassian.net/browse/ID-96 |
There was a problem hiding this comment.
I fleshed out the https://broadworkbench.atlassian.net/browse/ID-96 description a bit more
| @@ -336,18 +337,22 @@ object Boot extends IOApp with LazyLogging { | |||
| val managedGroupService = | |||
| new ManagedGroupService(resourceService, policyEvaluatorService, resourceTypeMap, accessPolicyDAO, directoryDAO, cloudExtensionsInitializer.cloudExtensions, config.emailDomain) | |||
| val samApplication = SamApplication(userService, resourceService, statusService, tosService) | |||
|
|
|||
| val azureRoutes = config.azureServicesConfig.map { config => | |||
There was a problem hiding this comment.
Note the azureServicesConfig is optional. We won't add the AzureRoutes if it's not present.
This is NOT using the existing CloudExtensionRoutes pattern in Sam. CloudExtensionRoutes doesn't really fit this use case -- Sam code is structured to only have 1 cloud extension, and it mostly deals with Google group stuff which is not relevant on Azure.
There was a problem hiding this comment.
Sounds like a renaming/refactoring opportunity to make sure other people don't get confused in the future.
There was a problem hiding this comment.
Its disappointing that it's structured this way, but I think it makes sense to do it like this for the sake of expediency.
| content: | ||
| application/json: | ||
| schema: | ||
| type: string |
There was a problem hiding this comment.
Currently this just returns the managed identity objectId as a String. This fits the Leo/WSM use case. I debated returning more information in a JSON object but keeping it simple for now.
| @@ -116,6 +116,12 @@ testStuff = { | |||
| reuseIds = false | |||
| } | |||
| } | |||
| # Test MRG in which to create managed identities | |||
There was a problem hiding this comment.
We commonly use this MRG for testing in WSM, Leo, etc
| "AzureService" should "create a pet managed identity" taggedAs ConnectedTest in { | ||
| val azureServicesConfig = appConfig.azureServicesConfig | ||
|
|
||
| assume(azureServicesConfig.isDefined, "-- skipping Azure test") |
There was a problem hiding this comment.
Note these tests only run if render-test-config.sh was run. This doesn't happen in CI/CD, so these tests are skipped. Part of https://broadworkbench.atlassian.net/browse/ID-96 should be enabling these tests in CI/CD.
|
|
||
| import scala.jdk.CollectionConverters._ | ||
|
|
||
| object MockCrlService extends MockitoSugar { |
There was a problem hiding this comment.
Hopefully this mockito usage isn't too horrible. 😂 Azure SDKs are mock-able, but create a lot of intermediate classes which need to be mocked. (FWIW WSM tests Azure SDK the same way with mocks.)
| * 4. Get the managed app "plan" id | ||
| * 4. Validate the plan id matches the configured value | ||
| */ | ||
| private def validateManagedResourceGroup(request: GetOrCreatePetManagedIdentityRequest): IO[Unit] = { |
There was a problem hiding this comment.
This is a separate check than user access control -- it essentially validates the MRG was created from the Terra managed app.
|
@tlangs I cleaned this up and added tests -- I think it's working well. I moved out of draft mode and requested review. Feel free to assign others too as needed. I tried to annotate the PR a bit above. Happy to answer any further questions. And I punted on Janitor integration as we discussed -- added some context to https://broadworkbench.atlassian.net/browse/ID-96 as a follow-on task. Thanks! (And I know it's Friday 4:45pm before a long weekend -- I don't expect you to see this until next week 😄 ) |
rtitle
changed the title
|
jenkins retest |
|
jenkins retest |
|
seems like a spurious rawls failure, jenkins retest |
|
jenkins retest |
| @@ -336,18 +337,22 @@ object Boot extends IOApp with LazyLogging { | |||
| val managedGroupService = | |||
| new ManagedGroupService(resourceService, policyEvaluatorService, resourceTypeMap, accessPolicyDAO, directoryDAO, cloudExtensionsInitializer.cloudExtensions, config.emailDomain) | |||
| val samApplication = SamApplication(userService, resourceService, statusService, tosService) | |||
|
|
|||
| val azureRoutes = config.azureServicesConfig.map { config => | |||
There was a problem hiding this comment.
Sounds like a renaming/refactoring opportunity to make sure other people don't get confused in the future.
src/main/scala/org/broadinstitute/dsde/workbench/sam/api/SamRoutes.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Outdated
Show resolved
Hide resolved
| xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd"> | ||
|
|
||
| <changeSet logicalFilePath="dummy" author="rtitle" id="pet_user_assigned_managed_identity"> | ||
| <createTable tableName="SAM_PET_MANAGED_IDENTITY"> |
There was a problem hiding this comment.
Do we want to make this named SAM_AZURE_MANAGED_IDENTITY_PET for clarity?
There was a problem hiding this comment.
I followed the pattern of the pre-existing SAM_PET_SERVICE_ACCOUNT table.
We could throw "azure" in there: SAM_PET_AZURE_MANAGED_IDENTITY. wdyt?
There was a problem hiding this comment.
Ehhh, I'll leave it. MANAGED_IDENTITY and SERVICE_ACCOUNT are Microsoft & Google concepts respectively, so it just requires that knowledge.
| @@ -336,18 +337,22 @@ object Boot extends IOApp with LazyLogging { | |||
| val managedGroupService = | |||
| new ManagedGroupService(resourceService, policyEvaluatorService, resourceTypeMap, accessPolicyDAO, directoryDAO, cloudExtensionsInitializer.cloudExtensions, config.emailDomain) | |||
| val samApplication = SamApplication(userService, resourceService, statusService, tosService) | |||
|
|
|||
| val azureRoutes = config.azureServicesConfig.map { config => | |||
There was a problem hiding this comment.
Its disappointing that it's structured this way, but I think it makes sense to do it like this for the sake of expediency.
src/main/scala/org/broadinstitute/dsde/workbench/sam/api/StandardSamUserDirectives.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Outdated
Show resolved
Hide resolved
src/main/scala/org/broadinstitute/dsde/workbench/sam/azure/AzureService.scala
Outdated
Show resolved
Hide resolved
|
Thanks for the reviews @gpolumbo-broad and @tlangs! Some good comments above -- will do another pass and ping you when ready for another look. |
…enapi-generated client
|
Kudos, SonarCloud Quality Gate passed!
|
| @@ -73,6 +73,11 @@ paths: | |||
| required: true | |||
| schema: | |||
| type: string | |||
| requestBody: | |||
There was a problem hiding this comment.
These changes are to work around an OpenAPI codegen bug which surfaced in Workspace Manager: OpenAPITools/openapi-generator#11833
Basically if PUT/POST requests don't have a request body and thus have a null content-type, the generated client throws a NPE. It used to default to application/json but this changed when we upgraded openapi in this PR.
To work around I simply set the content-type for each affected PUT/POST method in swagger. This doesn't affect the actual backend routes -- it's just a client fix.
An alternative fix would be to patch the codegen logic in the mustache code, but I don't know all the implications of that, and this change seems reasonable enough.
Let me know if you have other thoughts..
|
jenkins retest |
|
Hey @tlangs @gpolumbo-broad, sorry for the delay -- I think I addressed all comments, can you take another look at this? Thanks. |
JIRA: https://broadworkbench.atlassian.net/browse/TOAZ-126
Design doc: https://docs.google.com/document/d/1cyrRTibpvMbu0DtAjDsXeQp6-U2RftO66hHNb3nw_h4/edit#heading=h.focnnsveczp4
Demo recording: https://drive.google.com/file/d/1HiiAxQDVteaznwlRQLuFrXfm9PkSJDyU/view?usp=drive_web
Friends with: https://github.com/broadinstitute/firecloud-develop/pull/2991 (but the PRs are independent)
Overview:
AzureRoutesandAzureServiceclasses to SamPOST /api/azure/v1/user/petManagedIdentityAPI which gets or creates a pet-UAMISAM_PET_MANAGED_IDENTITYSQL table and associated queriesStandardUserInfoDirectivesto handle requests from pet UAMIs and switch back to the owning userPR checklist