From a7838ae2ce2c6543299c65b71f5429458c4541f6 Mon Sep 17 00:00:00 2001 From: Scott Black Date: Sat, 6 Jan 2024 21:31:43 -0700 Subject: [PATCH] add minio policy saving to minio --- .../access_control/policy_generation.py | 74 ++++++++----------- .../app/routers/access_control/router.py | 19 +---- app/api/subsetter/app/routers/argo/router.py | 10 ++- 3 files changed, 39 insertions(+), 64 deletions(-) diff --git a/app/api/subsetter/app/routers/access_control/policy_generation.py b/app/api/subsetter/app/routers/access_control/policy_generation.py index 9cd7b655..5d757e08 100644 --- a/app/api/subsetter/app/routers/access_control/policy_generation.py +++ b/app/api/subsetter/app/routers/access_control/policy_generation.py @@ -1,56 +1,41 @@ -''' -def admin_policy_attach(target, name): - arguments = ['mc', '--config-dir', '/hydroshare/', 'admin', 'policy', 'attach', target, name, '--user', name] - logger.info(arguments) - try: - _output = subprocess.check_output(arguments, user='hydro-service') - logger.info(_output) - except subprocess.CalledProcessError as e: - logger.exception(e.output) - +import copy +import json +import logging as logger +import os import subprocess +import tempfile +from typing import Dict + + def admin_policy_create(target, name, file): - arguments = ['mc', '--config-dir', '/hydroshare/', '--json', 'admin', 'policy', 'create', target, name, file] + arguments = ['mc', '--json', 'admin', 'policy', 'create', target, name, file] logger.info(arguments) try: - _output = subprocess.check_output(arguments, user='hydro-service') + _output = subprocess.check_output(arguments) logger.info(_output) except subprocess.CalledProcessError as e: logger.exception(e.output) - admin_policy_attach(target, name) + def admin_policy_remove(target, name): - arguments = ['mc', '--config-dir', '/hydroshare/', '--json', 'admin', 'policy', 'remove', target, name] + arguments = ['mc', '--json', 'admin', 'policy', 'rm', target, name] logger.info(arguments) try: - _output = subprocess.check_output(arguments, user='hydro-service') + _output = subprocess.check_output(arguments) logger.info(_output) except subprocess.CalledProcessError as e: logger.exception(e.output) -def refresh_minio_policy(user): - policy = minio_policy(user) - logging.info(json.dumps(policy, indent=2)) - if policy["Statement"]: - with tempfile.TemporaryDirectory(dir='/hs_tmp') as tmpdirname: - filepath = os.path.join(tmpdirname, "metadata.json") - fp = open(filepath, "w") - fp.write(json.dumps(policy)) - fp.close() - admin_policy_remove(target='cuahsi', name=user.username) - admin_policy_create(target='cuahsi', name=user.username, file=filepath) - else: - admin_policy_remove(target='cuahsi', name=user.username) -''' - -import copy -from typing import Dict - -def bucket_name(resource_id: str): - # raccess = ResourceAccess.objects.filter(resource__short_id=resource_id).first() - # return raccess.owners.first().username - return "subsetter-outputs" +def refresh_minio_policy(user, policy): + logger.info(json.dumps(policy, indent=2)) + with tempfile.TemporaryDirectory() as tmpdirname: + filepath = os.path.join(tmpdirname, "metadata.json") + fp = open(filepath, "w") + fp.write(json.dumps(policy)) + fp.close() + admin_policy_create(target='cuahsi', name=user.username, file=filepath) + return policy def create_view_statements(user, views: Dict[str, list[str]]) -> list: @@ -67,10 +52,7 @@ def create_view_statements(user, views: Dict[str, list[str]]) -> list: } get_resources = [f"arn:aws:s3:::{user.username}/*"] - view_statement = copy.deepcopy(view_statement_template_listing) - view_statement["Resource"] = [f"arn:aws:s3:::{user.username}"] - del view_statement["Condition"] - list_statements = [view_statement] + list_statements = [] for bucket_owner, resource_paths in views.items(): get_resources = get_resources + [ f"arn:aws:s3:::{bucket_owner}/{resource_path}/*" for resource_path in resource_paths @@ -90,11 +72,15 @@ def create_edit_statements(user, edits: Dict[str, list[str]]) -> list: resources = [] for bucket_owner, resource_paths in edits.items(): resources = resources + [f"arn:aws:s3:::{bucket_owner}/{resource_path}/*" for resource_path in resource_paths] - edit_statement_template["Resource"] = resources - return [edit_statement_template] + if resources: + edit_statement_template["Resource"] = resources + return [edit_statement_template] + else: + return [] def minio_policy(user, owners: Dict[str, list[str]], edits: Dict[str, list[str]], views: Dict[str, list[str]]): - statements = create_view_statements(user, views) + statements = [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [f"arn:aws:s3:::{user.username}"]}] + statements = statements + create_view_statements(user, views) statements = statements + create_edit_statements(user, edits) return {"Version": "2012-10-17", "Statement": statements} diff --git a/app/api/subsetter/app/routers/access_control/router.py b/app/api/subsetter/app/routers/access_control/router.py index 19aa9089..d0c310fe 100644 --- a/app/api/subsetter/app/routers/access_control/router.py +++ b/app/api/subsetter/app/routers/access_control/router.py @@ -11,6 +11,8 @@ from subsetter.app.routers.access_control.policy_generation import minio_policy from subsetter.app.users import current_active_user +from .policy_generation import refresh_minio_policy + router = APIRouter() @@ -76,22 +78,7 @@ async def refresh_profile(user: User = Depends(current_active_user)): return user -def admin_policy_create(name, policy, target="cuahsi"): - with tempfile.TemporaryDirectory() as tmpdirname: - print(policy) - filepath = os.path.join(tmpdirname, "metadata.json") - fp = open(filepath, "w") - fp.write(json.dumps(policy)) - fp.close() - arguments = ['mc', '--json', 'admin', 'policy', 'create', target, name, filepath] - try: - _output = subprocess.check_output(arguments) - except subprocess.CalledProcessError as e: - raise - - @router.get('/policy/minio/cuahsi') async def generate_and_save_user_policy(user: User = Depends(current_active_user)): user_policy = await generate_user_policy(user) - admin_policy_create(user.username, user_policy) - return user_policy + return refresh_minio_policy(user, user_policy) diff --git a/app/api/subsetter/app/routers/argo/router.py b/app/api/subsetter/app/routers/argo/router.py index e215227c..2b8a8da9 100644 --- a/app/api/subsetter/app/routers/argo/router.py +++ b/app/api/subsetter/app/routers/argo/router.py @@ -18,6 +18,7 @@ ) from subsetter.app.users import current_active_user from subsetter.config import get_minio_client, get_settings + from .transformer import transform_latlon if get_settings().cloud_run: @@ -43,8 +44,9 @@ def parflow_submission_body(hucs: list, username: str, workflow_name: str): "name": workflow_name, "parameters": [ f"output-path=argo_workflows/parflow/{workflow_name}", - f"output-bucket={username}", - "hucs=" + ",".join(hucs)], + f"output-bucket={username}", + "hucs=" + ",".join(hucs), + ], }, } @@ -123,7 +125,7 @@ async def submit_parflow( async def submit_nwm1( y_south: float, x_west: float, y_north: float, x_east: float, user: User = Depends(current_active_user) ) -> SubmissionResponseModel: - #y_south, x_west, y_north, x_east = transform_latlon(y_south, x_west, y_north, x_east) + # y_south, x_west, y_north, x_east = transform_latlon(y_south, x_west, y_north, x_east) workflow_id = str(uuid.uuid4()) api_response = api_instance.submit_workflow( namespace=get_settings().argo_namespace, @@ -139,7 +141,7 @@ async def submit_nwm1( async def submit_nwm2( y_south: float, x_west: float, y_north: float, x_east: float, user: User = Depends(current_active_user) ) -> SubmissionResponseModel: - #y_south, x_west, y_north, x_east = transform_latlon(y_south, x_west, y_north, x_east) + # y_south, x_west, y_north, x_east = transform_latlon(y_south, x_west, y_north, x_east) workflow_id = str(uuid.uuid4()) api_response = api_instance.submit_workflow( namespace=get_settings().argo_namespace,