project-lux / lux-marklogic

Code, issues, and resources related to LUX MarkLogic

Update unit security roles #280

Open brent-hartwig opened 1 month ago

brent-hartwig commented 1 month ago

[!NOTE] Nothing for UAT. Developer needs to verify.

[!NOTE] Revised description and scope based on need and requirements known on 3 Sep 24.

We already have reader and endpoint consumer roles for YCBA, YPM, and YUAG (defined here).

As of 3 Sep 24, the admin.sources array could also have values for ILS, IPCH, and PMC (lowercased), thereby necessitating at least reader roles for them. Note: "ILS" was selected over "YUL".

Only YPM requires an endpoint consumer role, which also means only YPM needs unit-specific configurations (#277).

ML Gradle configuration file changes:

(Of the units, only IPCH and YPM are to have endpoint consumer roles at this time.)

Please also see this comment for manual changes that may be required in each environment and tenant.

cc: @azaroth42, @roamye, and @clarkepeterf

clarkepeterf commented 1 month ago

@brent-hartwig not sure if we want to lump this together, but I've also been meaning to make this change to only use allowed values in admin.sources, as set via a gradle property

https://github.com/project-lux/lux-marklogic/compare/a8c8016..ignore-create-update-document-transforms?expand=1

with some additional changes as you suggested:

  1. Changing the property name to allowedSourceNames or allowedSources, to be closer to the property name.
  2. Lowercasing and removing all spaces from the property value before splitting. The latter makes the property value more readable: allowedSources=ypm, ycba, etc. This would mean the code wouldn't support names with spaces in them.
  3. Lowercasing name before the includes check.
brent-hartwig commented 4 weeks ago

Looks good, @clarkepeterf. For #277, I am introducing the endpointAccessUnitNames property and believe it serves a unique purpose. Below is the inline documentation. There's more in the Unit Portal documentation (link is to #277's branch). I changed my mind a bit since providing feedback to you: I'm purposely not lowercasing the values and am supporting anything between lux- and -endpoint-consumer in the role name; please see getCurrentUserUnitName (another #277 branch link). I plan to PR this today so perhaps we can lock in identical treatment of these two properties beforehand.

# List the units that intend to consume the backend endpoints *and* expect their data and configuration
# to be restricted to their data and shared data.  This will likely be a subset of values found in the 
# /admin/sources array.
#
# Unit names are to be separated by commas and match "[unitName]" in its "lux-[unitName]-endpoint-consumer"
# role name (case-sensitive).  Spaces may be included for readability; e.g.:
#
# endpointAccessUnitNames=pmc, ypm
#
endpointAccessUnitNames=ypm
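The two property treatments discussed above, the allowedSources allow-list for admin.sources (lowercase, strip spaces, split on commas) and endpointAccessUnitNames (case preserved, matched against "lux-[unitName]-endpoint-consumer"), as an added JavaScript example. This is not code from the lux-marklogic project; the function names, the restriction helper and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not lux-marklogic project code. Shows the allowedSources
// allow-list treatment for admin.sources and the endpointAccessUnitNames /
// role-name treatment discussed in the thread. Function names are assumptions.

const ENDPOINT_CONSUMER_ROLE = /^lux-(.+)-endpoint-consumer$/;

// allowedSources=ypm, ycba  ->  ['ypm', 'ycba']
// Lowercased and all whitespace removed before splitting, so names containing
// spaces are unsupported by design.
function parseAllowedSources(propertyValue) {
  if (!propertyValue) return [];
  return propertyValue
    .toLowerCase()
    .replace(/\s+/g, '')
    .split(',')
    .filter((name) => name.length > 0);
}

// endpointAccessUnitNames=pmc, ypm  ->  ['pmc', 'ypm']
// Case is kept because the value must match "[unitName]" in the role name.
function parseEndpointAccessUnitNames(propertyValue) {
  if (!propertyValue) return [];
  return propertyValue
    .split(',')
    .map((name) => name.trim())
    .filter((name) => name.length > 0);
}

// Split an admin.sources array into allowed and rejected values, lowercasing
// each name before the includes check so "YPM" and "ypm" are treated alike.
function filterAdminSources(adminSources, allowedSources) {
  const kept = [];
  const rejected = [];
  for (const name of adminSources) {
    if (allowedSources.includes(String(name).toLowerCase())) kept.push(name);
    else rejected.push(name);
  }
  return { kept, rejected };
}

// The unit name is whatever sits between "lux-" and "-endpoint-consumer";
// null for any other role, including the base "lux-endpoint-consumer" role.
function unitNameFromRole(roleName) {
  const match = ENDPOINT_CONSUMER_ROLE.exec(roleName);
  return match ? match[1] : null;
}

// First unit-specific endpoint consumer role among the user's roles, or null
// (assumed shape of the getCurrentUserUnitName helper mentioned above).
function getCurrentUserUnitName(roleNames) {
  for (const roleName of roleNames) {
    const unit = unitNameFromRole(roleName);
    if (unit !== null) return unit;
  }
  return null;
}

// True when the user's unit is listed in endpointAccessUnitNames, i.e. its
// data and configuration are to be restricted to the unit's own and shared data.
function isRestrictedUnit(unitName, endpointAccessUnitNames) {
  return unitName !== null && endpointAccessUnitNames.includes(unitName);
}

// Constructed sample input, not taken from any real environment.
const SAMPLE_ALLOWED = parseAllowedSources('ypm, ycba, yuag, ils, ipch, pmc');
const SAMPLE_ENDPOINT_UNITS = parseEndpointAccessUnitNames('pmc, ypm');
const SAMPLE_ADMIN_SOURCES = ['YPM', 'pmc', 'Unknown Unit'];
const SAMPLE_USER_ROLES = ['lux-ypm-reader', 'lux-ypm-endpoint-consumer'];

console.log(filterAdminSources(SAMPLE_ADMIN_SOURCES, SAMPLE_ALLOWED));
const sampleUnit = getCurrentUserUnitName(SAMPLE_USER_ROLES);
console.log(sampleUnit, isRestrictedUnit(sampleUnit, SAMPLE_ENDPOINT_UNITS));
```

The deliberate asymmetry mirrors the thread: allowedSources is normalized aggressively because it is compared against free-form admin.sources values, while endpointAccessUnitNames is left untouched because it has to equal the case-sensitive segment of an existing role name.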
brent-hartwig commented 1 week ago

@roamye, @jffcamp, and @prowns, I needed to create these roles for tonight's load into SBX, and thus bypassed prioritization review.

jffcamp commented 1 week ago

[like] Campbell, Jeffrey reacted to your message:

From: Brent Hartwig @.> Sent: Tuesday, September 3, 2024 9:19:23 PM To: project-lux/lux-marklogic @.> Cc: Campbell, Jeffrey @.>; Mention @.> Subject: Re: [project-lux/lux-marklogic] Provide roles for the PMC, IPCH, and YUL (Issue #280)

brent-hartwig commented 1 week ago

Each tenant should have:

  1. Reader roles for the main tenant, ILS, IPCH, PMC, YCBA, YPM, and YUAG.
  2. Endpoint consumer roles for the main tenant, IPCH, and YPM.
  3. The main tenant is to have additional roles neither impacted by this ticket nor enumerated herein.
  4. At least until the document permission-setting transform better deals with values in the admin.sources array that do not have a corresponding reader role, each tenant should also have:
    • %%mlAppName%%-create-reader
    • %%mlAppName%%-update-reader

Tenants should no longer have:

  1. Base nobody, reader, and endpoint consumer roles (#227).
  2. %%mlAppName%%-admin roles.
  3. %%mlAppName%%-ml-admin roles.
  4. %%mlAppName%%-nobody roles.
  5. The generic create-reader and update-reader roles.
  6. Roles with names that start with "ycba", "ypm", or "yuag" are to no longer exist.
  7. All remaining reader roles are to have no privileges or roles; they are for document permissions and to be inherited by other roles.

As a sanity check, each tenant should have 15 roles and, when there is a dash in the tenant's name, the tenant name should appear 34 times on the roles page. When the tenant name is just "lux", expect 34 times outside of DEV and (34 * no. of tenants) + 2 in DEV.

Environment / tenant status as of 6 Sep 24:

| Env | Tenant | Status |
| --- | --- | --- |
| SBX | n/a | Complete |
| DEV | Original | Complete |
| DEV | By Unit | Complete |
| DEV | Data | Complete |
| Green | n/a | Complete |
| Blue | n/a | Waiting for next blue/green switch, when it returns to TST. |

Misc:

  1. Also deleted the lux_consumer_sbx and lux_deployer_sbx roles from SBX.
  2. Also deleted the lux_consumer_dev and lux_deployer_dev roles from DEV.
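The per-tenant role checklist above, turned into an audit that can be run against an exported role list, as an added JavaScript example that is not part of the lux-marklogic project. It assumes unit roles are named `<tenant>-<unit>-reader` and `<tenant>-<unit>-endpoint-consumer` (extrapolated from "lux-[unitName]-endpoint-consumer"), does not check the main tenant's additional roles, and uses a constructed sample inventory.

```javascript
// Added example, not lux-marklogic project code. Audits a tenant's role
// inventory against the checklist in the comment above. Unit role naming
// (<tenant>-<unit>-reader, <tenant>-<unit>-endpoint-consumer) is an assumption.

const READER_UNITS = ['ils', 'ipch', 'pmc', 'ycba', 'ypm', 'yuag'];
const ENDPOINT_CONSUMER_UNITS = ['ipch', 'ypm'];
// Tenant-prefixed roles that should no longer exist.
const RETIRED_SUFFIXES = ['-admin', '-ml-admin', '-nobody'];
// Old unit roles were named after the unit itself; none may remain.
const RETIRED_UNIT_PREFIXES = ['ycba', 'ypm', 'yuag'];
// Generic (un-prefixed) roles that should no longer exist.
const RETIRED_GENERIC = ['create-reader', 'update-reader'];

// Roles every tenant is expected to have (main tenant's extra roles excluded).
function expectedTenantRoles(tenant) {
  const roles = [
    `${tenant}-reader`,
    `${tenant}-endpoint-consumer`,
    `${tenant}-create-reader`,
    `${tenant}-update-reader`,
  ];
  for (const unit of READER_UNITS) roles.push(`${tenant}-${unit}-reader`);
  for (const unit of ENDPOINT_CONSUMER_UNITS) roles.push(`${tenant}-${unit}-endpoint-consumer`);
  return roles;
}

// Returns { missing, retired }: expected roles that are absent, and roles
// present that the checklist says should have been removed.
function auditTenantRoles(tenant, presentRoleNames) {
  const present = new Set(presentRoleNames);
  const missing = expectedTenantRoles(tenant).filter((name) => !present.has(name));
  const retired = presentRoleNames.filter(
    (name) =>
      RETIRED_SUFFIXES.some((suffix) => name === `${tenant}${suffix}`) ||
      RETIRED_GENERIC.includes(name) ||
      RETIRED_UNIT_PREFIXES.some((prefix) => name.startsWith(prefix)),
  );
  return { missing, retired };
}

// Reader roles exist only for document permissions and must carry no
// privileges and inherit no roles; return the names of any that do.
// Each role is { name, privileges: [...], roles: [...] } (constructed shape).
function readerRolesWithGrants(tenant, roles) {
  return roles
    .filter((role) => role.name.startsWith(`${tenant}-`) && role.name.endsWith('-reader'))
    .filter((role) => role.privileges.length > 0 || role.roles.length > 0)
    .map((role) => role.name);
}

// Constructed sample inventory for a tenant named "lux"; not from any real environment.
// It is deliberately incomplete: lux-pmc-reader is missing, two retired roles linger,
// and lux-ycba-reader wrongly inherits a role.
const SAMPLE_ROLES = [
  { name: 'lux-reader', privileges: [], roles: [] },
  { name: 'lux-endpoint-consumer', privileges: [], roles: ['lux-reader'] },
  { name: 'lux-create-reader', privileges: [], roles: [] },
  { name: 'lux-update-reader', privileges: [], roles: [] },
  { name: 'lux-ils-reader', privileges: [], roles: [] },
  { name: 'lux-ipch-reader', privileges: [], roles: [] },
  { name: 'lux-ycba-reader', privileges: [], roles: ['lux-reader'] },
  { name: 'lux-ypm-reader', privileges: [], roles: [] },
  { name: 'lux-yuag-reader', privileges: [], roles: [] },
  { name: 'lux-ipch-endpoint-consumer', privileges: [], roles: ['lux-ipch-reader'] },
  { name: 'lux-ypm-endpoint-consumer', privileges: [], roles: ['lux-ypm-reader'] },
  { name: 'lux-nobody', privileges: [], roles: [] },
  { name: 'ypm-reader', privileges: [], roles: [] },
];

console.log(auditTenantRoles('lux', SAMPLE_ROLES.map((role) => role.name)));
console.log(readerRolesWithGrants('lux', SAMPLE_ROLES));
```

Running the audit before and after a blue/green switch gives a repeatable record of which tenants still carry retired roles, which is harder to get from eyeballing the roles page count alone.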
brent-hartwig commented 1 week ago

Implemented in PRs #307, #308, and #310.