DT-1202: Allow creating datasnapshot as a child resource of dataset #1640
Conversation
pshapiro4broad
changed the title
pshapiro4broad
changed the title
| @@ -1435,11 +1438,14 @@ resourceTypes = { | |||
| add_child = { | |||
| description = "add a child resource" | |||
| } | |||
| create_with_parent = { | |||
There was a problem hiding this comment.
What is this action for? I think you probably want set_parent. https://github.com/broadinstitute/sam/blob/develop/README.md#resource-and-policy-management
There was a problem hiding this comment.
I got it from https://github.com/broadinstitute/sam/blob/develop/src/main/scala/org/broadinstitute/dsde/workbench/sam/model/SamModel.scala#L34
which is used by requireCreateWithOptionalParent:
// parents are allowed for a resource type if the owner role contains the SamResourceActions.setParent or SamResourceActions.createWithParent action
val parentAllowed = resourceType.roles
.find(_.roleName == resourceType.ownerRoleName)
.exists(role => role.actions.contains(SamResourceActions.setParent) || role.actions.contains(SamResourceActions.createWithParent))
There was a problem hiding this comment.
It looks like when this was added in #1441, the README wasn't updated. I can switch to using set_parent if that's preferred. Relevant slack thread: https://broadinstitute.slack.com/archives/C03GMG4DUSE/p1715026844061349
There was a problem hiding this comment.
Interesting. I guess you can keep your create_with_parent. If I had been paying attention, I might have suggested that they use set_parent but not grant remove_child on the parent.
There was a problem hiding this comment.
I might have suggested that they use set_parent but not grant remove_child on the parent.
Well, TDR is the only user of create_with_parent so we could stop doing it if you want us to. I don't have a strong opinion one way or the other.
# Conflicts: # src/main/resources/reference.conf
| } | ||
| ownerRoleName = "steward" | ||
| roles = { | ||
| steward = { | ||
| roleActions = ["share_policy::steward", "share_policy::custodian", "update_passport_identifier", "view_journal"] | ||
| roleActions = ["share_policy::steward", "share_policy::custodian", "update_passport_identifier", "view_journal", "create_with_parent"] |
There was a problem hiding this comment.
You don't actually need to grant create_with_parent to anyone. The action's existence on the resource type is used only as a flag to allow resources to be created with a parent
There was a problem hiding this comment.
When I tested this change in a bee, I found that it didn't work until I added create_with_parent as an action on the steward (owner) role.
I also tried adding create_with_parent as an action on custodian, which is included by steward, but that didn't work.
Looking at the Scala code, in SecurityDirectives.requireCreateWithOptionalParent():
// parents are allowed for a resource type if the owner role contains the SamResourceActions.setParent or SamResourceActions.createWithParent action
val parentAllowed = resourceType.roles
.find(_.roleName == resourceType.ownerRoleName)
.exists(role => role.actions.contains(SamResourceActions.setParent) || role.actions.contains(SamResourceActions.createWithParent))
It appears that this is what the code is requiring -- the action must directly be on the owner role.
There was a problem hiding this comment.
I'm wondering if the failure of this to work with included roles is a bug. Looking at the code path for the set_parent operation (ResourceRoutes.setResourceParent()), the code uses SecurityDirectives.requireAction() which looks like it does support included roles.
… the parent/child state of resources can be interrogated by steward and custodian
| includedRoles = ["custodian"] | ||
| descendantRoles = { | ||
| snapshot-builder-request = ["approver"] | ||
| } | ||
| } | ||
| custodian = { | ||
| roleActions = ["delete", "edit_datasnapshot", "update_snapshot", "share_policy::reader", "share_policy::aggregate_data_reader", "share_policy::discoverer", "read_policies", "set_public", "update_auth_domain", "lock_resource", "unlock_resource"] | ||
| roleActions = ["delete", "edit_datasnapshot", "update_snapshot", "share_policy::reader", "share_policy::aggregate_data_reader", "share_policy::discoverer", "read_policies", "set_public", "update_auth_domain", "lock_resource", "unlock_resource", "get_parent"] |
There was a problem hiding this comment.
Why do we need "get_parent"?
There was a problem hiding this comment.
I think we'll need it in the UI, to find out of a snapshot has a parent dataset which is providing steward users to the snapshot. The UI can use this to fetch and show the dataset custodian users as "inherited" stewards in the Roles & Memberships tab.
|
Jira ticket: https://broadworkbench.atlassian.net/browse/DT-1202
What:
To support inheriting dataset custodian role as steward on a snapshot, we need to allow
datasnapshotwith a parent resource (create_with_parent)dataset(add_child)Also, we need to specify that
datasetcustodianorstewardarestewardondatasnapshot, if the parent resource is set.Why:
This is support the goal of avoiding adding dataset custodians to every snapshot, to prevent hitting GCP quota limits.
How:
With this change
snapshot_creatoror greater role ondatasetcanadd_childtodatasetcustodianor greater role ondatasetcanlist_childrenstewardrole cancreate_with_parenttodatasnapshot, andget_parentdatasetcustodianor greater role arestewardon childdatasnapshots.PR checklist