
As a user, I want to have read-only access to all registry indexes #350

jordanpadams opened this issue Nov 25, 2024 · 11 comments
@jordanpadams
Member

jordanpadams commented Nov 25, 2024

Checked for duplicates

Yes - I've already checked

🧑‍🔬 User Persona(s)

Node Operator

💪 Motivation

...so that I can run tools against the read-only registry indexes, e.g. run validate-refs against all data in the database.

📖 Additional Details

No response

Acceptance Criteria

Given one lidvid that exists in the geo-registry index and one lidvid that exists in the naif-registry index
When I perform a query for each of those lidvids against those registries
Then I expect to be able to retrieve results

⚙️ Engineering Details

Blocking #351

🎉 I&T

No response

@al-niessner

@jordanpadams @tloubrieu-jpl

There are two ways to do this with harvest, mgr tools, and validate-refs (they all use registry-common):

  1. make an index in AOSS that maps to all the other indices (may not be possible)
  2. make the index in the configuration a list separated by '.', ';' or ':' (or any mix of these) instead of a single index. The Java SDK v2 supports assigning multiple indices instead of one. When there are multiple, make sure the operation is read only.
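The second option above, worked through as an added example (this is not code from the PDS registry project or from the comment author): the tool reads its target from a configuration string that may hold one index or a list, and any request that resolves to more than one index, or to a wildcard pattern such as *-registry, is allowed only if it is a read. Assumptions not stated in the thread: the separators are ',', ';' and ':' in any mix ('.' is left out here because index names may themselves contain dots), and the request is expressed as an HTTP method plus an endpoint relative to the target, using OpenSearch's comma-joined multi-target URL form (/geo-registry,naif-registry/_search).

```python
"""Added example, not code from the PDS registry project or its contributors.

Resolves a configured index string (one index or a separator-joined list)
into a request target and refuses any write whose target spans more than one
index or a wildcard pattern. Separators ',', ';' and ':' are an assumption.
"""
import re

SEPARATORS = re.compile(r"[,;:]")

# Endpoints that only read when called with POST (OpenSearch accepts POST for
# search-style bodies). Anything else sent with POST/PUT/DELETE is a write.
POST_READ_ENDPOINTS = frozenset({"_search", "_count", "_mget", "_msearch"})


def resolve_target(config: str) -> list[str]:
    """Split a configured index string into an ordered, de-duplicated list."""
    names: list[str] = []
    for name in SEPARATORS.split(config):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    if not names:
        raise ValueError("no index configured")
    return names


def is_multi_index(names: list[str]) -> bool:
    """A wildcard such as *-registry spans several indices even as one entry."""
    return len(names) > 1 or any("*" in n for n in names)


def classify(method: str, endpoint: str) -> str:
    """Return 'read' or 'write' for a request against an index target."""
    method = method.upper()
    if method in ("GET", "HEAD"):
        return "read"
    first = endpoint.strip("/").split("/")[0]
    if method == "POST" and first in POST_READ_ENDPOINTS:
        return "read"
    return "write"


def build_request(config: str, method: str, endpoint: str) -> tuple[str, str]:
    """Return (method, path) for the request, or raise PermissionError if it
    would write to a multi-index target."""
    names = resolve_target(config)
    if classify(method, endpoint) == "write" and is_multi_index(names):
        raise PermissionError(
            f"refusing {method.upper()} {endpoint!r}: target {names} spans "
            "multiple indices, only read operations are permitted"
        )
    return method.upper(), "/" + ",".join(names) + "/" + endpoint.strip("/")


if __name__ == "__main__":
    print(build_request("geo-registry;naif-registry", "POST", "_search"))
    print(build_request("geo-registry", "PUT", "_create/testttt"))
    try:
        build_request("*-registry", "PUT", "_create/testttt")
    except PermissionError as err:
        print("blocked:", err)
```

The check is deliberately made on the client side: it stops a harvest or validate-refs run from accidentally indexing into a foreign node's index when the configuration widens the target, but it does not replace the server-side role that denies such writes for the node user.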

@jordanpadams
Member Author

jordanpadams commented Dec 10, 2024

@al-niessner does the Java SDK support wildcards like *-registry? This is something we can do in Kibana to search across indexes.

@al-niessner

al-niessner commented Dec 10, 2024 via email

@sjoshi-jpl
Contributor

@jordanpadams @viviant100 @tloubrieu-jpl we will need someone from one of the nodes to confirm their read access to all indexes. The reason we cannot test with users in the EN group is that these users already have read access to all indexes. Who can I reach out to for testing?

@tloubrieu-jpl
Member

Hi @sjoshi-jpl, I can volunteer tomorrow to be removed from the EN node and associated with a discipline node.

@sjoshi-jpl
Contributor

@tloubrieu-jpl I created a test user, we can test with it tomorrow.

@jordanpadams
Member Author

@sjoshi-jpl per this discussion thread on validate, instead of having a read-only role for all indices, could we just create a read-only alias index that maps to all the indices?

@jordanpadams
Member Author

jordanpadams commented Jan 14, 2025

e.g.

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "en-registry",
        "alias": "readall-registry"
      }
    },
    {
      "add": {
        "index": "atm-registry",
        "alias": "readall-registry"
      }
    }
    ...
  ]
}

@tloubrieu-jpl
Member

Sorry I missed the comment before, but as a first test result, with test user testuser1 belonging to group GEO, created by @sjoshi-jpl:

  • we can read all the indexes
  • we can write in the geo index:
        pds-registry-client '/geo-registry/_create/testttt' --data @/Users/loubrieu/tmp/test_doc.json --pretty
        Response returned HTTP201 Created: b'{"_index":"geo-registry","_id":"testttt","_version":1,"result":"created","_shards":{"total":0,"successful":0,"failed":0},"_seq_no":0,"_primary_term":0}'
  • we cannot write in the en index:
        % pds-registry-client '/en-registry/_create/testttt' --data @/Users/loubrieu/tmp/test_doc.json --pretty
        Response returned HTTP403 Forbidden: b'{"error":{"root_cause":[{"type":"security_exception","reason":"Authorization failure for the following indices: [index/pds-mcp-registry-prod/en-registry]"}],"type":"security_exception","reason":"Authorization failure for the following indices: [index/pds-mcp-registry-prod/en-registry]"},"status":403}'
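The manual test above, turned into a repeatable check as an added example (not the project's tooling and not the commands the comment author ran): every registry index is probed with a read and a write as the node user, and each outcome is compared against the expected policy, read everywhere and write only on the user's own node index, so an over-broad role grant shows up as a listed violation instead of going unnoticed. Assumptions not in the thread: the transport is an injected callable taking (operation, index) and returning an HTTP status, success is any 2xx and denial is 403 (matching the responses shown above), and the index names other than geo-registry and en-registry are invented. The fake transport is constructed so the check runs offline; a real one would wrap pds-registry-client or an HTTP client authenticated as the test user.

```python
"""Added example, not the PDS registry project's tooling.

Verifies a per-node OpenSearch authorization matrix: a node user must be able
to read every registry index but write only to its own node's index.
The transport is injected (assumption) so the check can run offline against
a constructed fake; status codes follow the responses seen in the thread.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

Transport = Callable[[str, str], int]  # (operation, index) -> HTTP status

# Constructed list; only geo-registry and en-registry appear in the thread.
INDICES = ["en-registry", "geo-registry", "naif-registry", "atm-registry"]


@dataclass(frozen=True)
class Violation:
    index: str
    operation: str
    status: int
    expected: str  # "allow" or "deny"


def expected_access(user_node: str, index: str) -> dict[str, bool]:
    """Policy under test: read everywhere, write only on <user_node>-registry."""
    return {"read": True, "write": index == f"{user_node}-registry"}


def verify_matrix(user_node: str, transport: Transport,
                  indices: Iterable[str] = INDICES) -> list[Violation]:
    """Probe every index with a read and a write; return every mismatch
    between what the cluster allowed and what the policy says."""
    violations: list[Violation] = []
    for index in indices:
        policy = expected_access(user_node, index)
        for operation in ("read", "write"):
            status = transport(operation, index)
            allowed = 200 <= status < 300
            if allowed != policy[operation]:
                violations.append(Violation(
                    index, operation, status,
                    "allow" if policy[operation] else "deny"))
    return violations


def fake_transport_for(user_node: str,
                       extra_write: Iterable[str] = ()) -> Transport:
    """Constructed stand-in for the cluster. It behaves like the test above
    (reads succeed, writes succeed only on the user's node index), except that
    indices in extra_write also accept writes, simulating a mis-granted role."""
    extra = set(extra_write)

    def transport(operation: str, index: str) -> int:
        if operation == "read":
            return 200
        if index == f"{user_node}-registry" or index in extra:
            return 201
        return 403
    return transport


if __name__ == "__main__":
    print("correct roles:", verify_matrix("geo", fake_transport_for("geo")))
    print("over-broad role:",
          verify_matrix("geo", fake_transport_for("geo", extra_write=["en-registry"])))
```

A real transport's write probe is itself a mutation: use a throwaway document id (as the test above did with testttt) and delete it afterwards where the write was allowed; a denied write leaves nothing behind. Running the check once per node user after each role or terraform change gives the documented authorization behaviour a concrete, re-runnable test.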

@tloubrieu-jpl
Member

@sjoshi-jpl the initial scope of the ticket is validated. Can you look at the new request from Jordan, regarding having a virtual index aggregating the others?

We would also need to document how the authorization is managed, in the wiki or in terraform.

@jordanpadams
Member Author

@sjoshi-jpl @tloubrieu-jpl I am OK with not pursuing this alias index. It seems like a more concise approach for handling the authorization, but if it is not, then we can continue with the route @tloubrieu-jpl just tested.

Status: ToDo

No branches or pull requests

4 participants