[DC-1206] Add endpoints to list, add, and delete members from Sam group associated with Snapshots byRequestId #1810
Conversation
cinyecai
requested review from
rushtong and
fboulnois
and removed request for
a team
| deleteSnapshotAccessRequestGroupMember(UUID id, String memberEmail) { | ||
| AuthenticatedUserRequest userRequest = getAuthenticatedInfo(); | ||
| iamService.verifyAuthorization( | ||
| userRequest, IamResourceType.SNAPSHOT_BUILDER_REQUEST, id.toString(), IamAction.APPROVE); |
There was a problem hiding this comment.
These look good! I wonder if we need to make a new IAmAction for these actions or if its okay to extend the use of APPROVE for now.
There was a problem hiding this comment.
I agree, maybe create another ticket to add this action? Something like manage_collaborators to handle both add and delete?
| List<String> removeGroupPolicyEmail( | ||
| String accessToken, String groupName, String policyName, String memberEmail) | ||
| throws InterruptedException; | ||
|
|
There was a problem hiding this comment.
I think some documentation on these would be great. I like that the add and remove email return the new list of emails in the group, I think that mirrors the other policy member methods, but some documentation explaining what is returned would be helpful.
| public List<String> removeEmailFromGroup(String groupName, String policyName, String email) { | ||
| String tdrSaAccessToken = googleCredentialsService.getApplicationDefaultAccessToken(SCOPES); | ||
| return callProvider( | ||
| () -> iamProvider.removeGroupPolicyEmail(tdrSaAccessToken, groupName, policyName, email)); |
There was a problem hiding this comment.
maybe some javadoc for these as well
| groupName, | ||
| policyName, | ||
| memberEmail, | ||
| new Object()); // Not sure what should be here for object |
There was a problem hiding this comment.
It looks like addPolicyMemberInner passes in a null instead of a new Object maybe we could just follow that pattern
| public SnapshotAccessRequestMembersResponse deleteGroupMember(UUID id, String memberEmail) { | ||
| SnapshotAccessRequestModel model = snapshotRequestDao.getById(id); | ||
| return new SnapshotAccessRequestMembersResponse() | ||
| .members(iamService.removeEmailFromGroup(model.samGroupName(), "member", memberEmail)); |
There was a problem hiding this comment.
For all of these, do we only want people with the member role? Is there a way to get people of any role?
There was a problem hiding this comment.
We should only ever add users as members to the sam group. Only the TDR service account will be an admin.
| description: Get the members in the DAC group | ||
| operationId: getSnapshotAccessRequestGroupMembers | ||
| parameters: | ||
| - $ref: '#/components/parameters/Id' |
There was a problem hiding this comment.
I think the reuse of an existing object is a good idea, but Id specifies that the format of the string is a UUID and this will not match that format because it will be an email. So if that type doesn't exist yet maybe adding a new email type would be good
There was a problem hiding this comment.
I think this is the snapshot request ID, so isn't that a UUID?
There was a problem hiding this comment.
Yes, I think for the GET, it's passing in the UUID of the snapshot access request whose group members you want to get
| schema: | ||
| $ref: '#/components/schemas/ErrorModel' | ||
| 404: | ||
| description: No dataset found that meets the request parameters. |
There was a problem hiding this comment.
for all error code descriptions, the language needs to be updated slightly so it matches the use case
| deleteSnapshotAccessRequestGroupMember(UUID id, String memberEmail) { | ||
| AuthenticatedUserRequest userRequest = getAuthenticatedInfo(); | ||
| iamService.verifyAuthorization( | ||
| userRequest, IamResourceType.SNAPSHOT_BUILDER_REQUEST, id.toString(), IamAction.APPROVE); |
There was a problem hiding this comment.
I agree, maybe create another ticket to add this action? Something like manage_collaborators to handle both add and delete?
| public SnapshotAccessRequestMembersResponse getGroupMembers(UUID id) { | ||
| SnapshotAccessRequestModel model = snapshotRequestDao.getById(id); | ||
| return new SnapshotAccessRequestMembersResponse() | ||
| .members(iamService.getGroupPolicyEmails(model.samGroupName(), "member")); |
There was a problem hiding this comment.
Instead of "member" this should use a constant. I see we have IamRole.MEMBER, could that work here?
| description: Get the members in the DAC group | ||
| operationId: getSnapshotAccessRequestGroupMembers | ||
| parameters: | ||
| - $ref: '#/components/parameters/Id' |
There was a problem hiding this comment.
I think this is the snapshot request ID, so isn't that a UUID?
| - name: memberEmail | ||
| in: query | ||
| description: The email of the user to add | ||
| required: true | ||
| schema: | ||
| type: string |
There was a problem hiding this comment.
It's confusing to me that this API takes both memberEmail and PolicyMemberRequest, I would expect the API to only accept one or the other. Is there a need for both in this API? If you only need one, I would use requestBody, as that is more typical for POST than query.
| operationId: deleteSnapshotAccessRequestGroupMember | ||
| parameters: | ||
| - $ref: '#/components/parameters/Id' | ||
| - name: memberEmail |
There was a problem hiding this comment.
Since we don't have an openapi type for email (e.g. we could define a type with a regex to match only emails) I think we need to validate the request. One way to do that is to use ValidationUtils.isValidEmail().
|
Jira ticket: https://broadworkbench.atlassian.net/browse/DC-1206
Summary of changes
[ROUGH DRAFT]
Added get, post, and delete endpoints for group members on snapshot access requests
I used examples I found around TDR to help me write all the code, so I don't have the greatest understanding of everything and I'm not sure if there are things that need adjusting to this specific ticket. I'm looking forward to everyone's feedback!
Testing Strategy
I'm not sure the appropriate way to test these changes. Guidance on that would be appreciated!