From 1a79dbe1f6cd34944ed46b58a14dab1d50b16941 Mon Sep 17 00:00:00 2001
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com>
Date: Fri, 8 Nov 2024 08:48:37 -0700
Subject: [PATCH] updating the default user.yaml so it passes validation
---
 .secrets.baseline | 4 +-
 helm/fence/Chart.yaml | 2 +-
 helm/fence/README.md | 4 +-
 helm/fence/values.yaml | 1023 +++++++---------------------------------
 helm/gen3/Chart.yaml | 4 +-
 helm/gen3/README.md | 4 +-
 6 files changed, 190 insertions(+), 851 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index e6651717..67c46195 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-11-05T18:59:51Z",
+ "generated_at": "2024-11-08T15:48:27Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -321,7 +321,7 @@
 "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
 "is_secret": false,
 "is_verified": false,
- "line_number": 1956,
+ "line_number": 1295,
 "type": "Secret Keyword"
 }
 ],
diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml
index b591966e..f69ccd11 100644
--- a/helm/fence/Chart.yaml
+++ b/helm/fence/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.23
+version: 0.1.24
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/fence/README.md b/helm/fence/README.md
index 3a5f4b18..521aed4a 100644
--- a/helm/fence/README.md
+++ b/helm/fence/README.md
@@ -1,6 +1,6 @@ # fence -![Version: 0.1.23](https://img.shields.io/badge/Version-0.1.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Fence 
@@ -70,7 +70,7 @@ A Helm chart for gen3 Fence | FENCE_CONFIG.USER_ALLOWED_SCOPES | list | `["fence","openid","user","data","admin","google_credentials","google_service_account","google_link","ga4gh_passport_v1"]` | these are the scopes that CAN be included in a user's own access_token | | FENCE_CONFIG.WTF_CSRF_SECRET_KEY | str | `"{{ENCRYPTION_KEY}}"` | signing key for WTForms to sign CSRF tokens with | | FENCE_CONFIG_PUBLIC | map | `{}` | Public configuration settings for Fence app | -| USER_YAML | string | `"cloud_providers: {}\ngroups: {}\nauthz:\n # policies automatically given to anyone, even if they haven't authenticated\n anonymous_policies: ['open_data_reader', 'full_open_access']\n\n # policies automatically given to authenticated users (in addition to their other\n # policies)\n all_users_policies: ['open_data_reader', 'authn_open_access']\n\n user_project_to_resource:\n QA: /programs/QA\n DEV: /programs/DEV\n test: /programs/QA/projects/test\n jenkins: /programs/jnkns/projects/jenkins\n jenkins2: /programs/jnkns/projects/jenkins2\n jnkns: /programs/jnkns\n\n policies:\n # General Access\n - id: 'workspace'\n description: 'be able to use workspace'\n resource_paths: ['/workspace']\n role_ids: ['workspace_user']\n - id: 'dashboard'\n description: 'be able to use the commons dashboard'\n resource_paths: ['/dashboard']\n role_ids: ['dashboard_user']\n - id: 'prometheus'\n description: 'be able to use prometheus'\n resource_paths: ['/prometheus']\n role_ids: ['prometheus_user']\n - id: 'ttyadmin'\n description: 'be able to use the admin tty'\n resource_paths: ['/ttyadmin']\n role_ids: ['ttyadmin_user']\n - id: 'mds_admin'\n description: 'be able to use metadata service'\n resource_paths: ['/mds_gateway']\n role_ids: ['mds_user']\n - id: 'data_upload'\n description: 'upload raw data files to S3'\n role_ids: ['file_uploader']\n resource_paths: ['/data_file']\n - description: be able to use sower job\n id: sower\n resource_paths: [/sower]\n role_ids: 
[sower_user]\n - id: 'mariner_admin'\n description: 'full access to mariner API'\n resource_paths: ['/mariner']\n role_ids: ['mariner_admin']\n - id: audit_reader\n role_ids:\n - audit_reader\n resource_paths:\n - /services/audit\n - id: audit_login_reader\n role_ids:\n - audit_reader\n resource_paths:\n - /services/audit/login\n - id: audit_presigned_url_reader\n role_ids:\n - audit_reader\n resource_paths:\n - /services/audit/presigned_url\n - id: requestor_admin\n role_ids:\n - requestor_admin\n resource_paths:\n - /programs\n - id: requestor_reader\n role_ids:\n - requestor_reader\n resource_paths:\n - /programs\n - id: requestor_creator\n role_ids:\n - requestor_creator\n resource_paths:\n - /programs\n - id: requestor_updater\n role_ids:\n - requestor_updater\n resource_paths:\n - /programs\n - id: requestor_deleter\n role_ids:\n - requestor_deleter\n resource_paths:\n - /programs\n # Data Access\n\n # All programs policy\n - id: 'all_programs_reader'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths: ['/programs']\n\n # # example if need access to write to storage\n # - id: 'programs.jnkns-storage_writer'\n # description: ''\n # role_ids:\n # - 'storage_writer'\n # resource_paths: ['/programs/jnkns']\n\n - id: 'programs.jnkns-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/programs/jnkns'\n - '/gen3/programs/jnkns'\n\n - id: 'programs.jnkns-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/programs/jnkns'\n - '/gen3/programs/jnkns'\n\n\n - id: 'programs.QA-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/programs/QA'\n - '/gen3/programs/QA'\n\n - id: 'programs.QA-admin-no-storage'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n resource_paths:\n - '/programs/QA'\n - 
'/gen3/programs/QA'\n\n - id: 'programs.QA-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/programs/QA'\n - '/gen3/programs/QA'\n\n - id: 'programs.DEV-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n - 'storage_writer'\n resource_paths:\n - '/programs/DEV'\n - '/gen3/programs/DEV'\n\n - id: 'programs.DEV-storage_writer'\n description: ''\n role_ids:\n - 'storage_writer'\n resource_paths: ['/programs/DEV']\n\n - id: 'programs.DEV-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/programs/DEV'\n - '/gen3/programs/DEV'\n\n - id: 'programs.test-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/programs/test'\n - '/gen3/programs/test'\n\n - id: 'programs.test-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/programs/test'\n - '/gen3/programs/test'\n\n - id: 'abc-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/abc'\n\n - id: 'gen3-admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/gen3'\n\n - id: 'gen3-hmb-researcher'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_reader'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n - '/consents/HMB'\n - '/gen3'\n\n - id: 'abc.programs.test_program.projects.test_project1-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/abc/programs/test_program/projects/test_project1'\n\n - id: 'abc.programs.test_program.projects.test_project2-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - 
'/abc/programs/test_program/projects/test_project2'\n\n - id: 'abc.programs.test_program2.projects.test_project3-viewer'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths:\n - '/abc/programs/test_program2/projects/test_project3'\n\n # Open data policies\n - id: 'authn_open_access'\n resource_paths: ['/programs/open/projects/authnRequired']\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n - id: 'full_open_access'\n resource_paths: ['/programs/open/projects/1000G']\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n - id: 'open_data_reader'\n description: ''\n role_ids:\n - 'reader'\n - 'storage_reader'\n resource_paths: ['/open']\n - id: 'open_data_admin'\n description: ''\n role_ids:\n - 'creator'\n - 'reader'\n - 'updater'\n - 'deleter'\n - 'storage_writer'\n - 'storage_reader'\n resource_paths: ['/open']\n\n # Consent Code Policies\n - id: 'not-for-profit-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NPU'\n\n - id: 'publication-required-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/PUB'\n\n - id: 'gru-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n\n - id: 'gru-cc-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n\n - id: 'hmb-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n - '/consents/HMB'\n\n - id: 'poa-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n - '/consents/POA'\n\n - id: 'ds-lung-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n - '/consents/HMB'\n - '/consents/DS_LungDisease'\n\n - id: 
'ds-chronic-obstructive-pulmonary-disease-researcher'\n description: ''\n role_ids:\n - 'admin'\n resource_paths:\n - '/consents/NRES'\n - '/consents/GRU'\n - '/consents/GRU_CC'\n - '/consents/HMB'\n - '/consents/DS_ChronicObstructivePulmonaryDisease'\n\n - id: 'services.sheepdog-admin'\n description: 'CRUD access to programs and projects'\n role_ids:\n - 'sheepdog_admin'\n resource_paths:\n - '/services/sheepdog/submission/program'\n - '/services/sheepdog/submission/project'\n\n # indexd\n - id: 'indexd_admin'\n description: 'full access to indexd API'\n role_ids:\n - 'indexd_admin'\n resource_paths:\n - '/programs'\n - '/services/indexd/admin'\n # # TODO resource path '/' is not valid right now in arborist, trying to decide\n # # how to handle all resources\n # - id: 'indexd_admin'\n # description: ''\n # role_ids:\n # - 'indexd_record_creator'\n # - 'indexd_record_reader'\n # - 'indexd_record_updater'\n # - 'indexd_delete_record'\n # - 'indexd_storage_reader'\n # - 'indexd_storage_writer'\n # resource_paths: ['/']\n # - id: 'indexd_record_reader'\n # description: ''\n # role_ids:\n # - 'indexd_record_reader'\n # resource_paths: ['/']\n # - id: 'indexd_record_editor'\n # description: ''\n # role_ids:\n # - 'indexd_record_creator'\n # - 'indexd_record_reader'\n # - 'indexd_record_updater'\n # - 'indexd_delete_record'\n # resource_paths: ['/']\n # - id: 'indexd_storage_reader'\n # description: ''\n # role_ids:\n # - 'indexd_storage_reader'\n # resource_paths: ['/']\n # - id: 'indexd_storage_editor'\n # description: ''\n # role_ids:\n # - 'indexd_storage_reader'\n # - 'indexd_storage_writer'\n # resource_paths: ['/']\n\n # argo\n - id: argo\n description: be able to use argo\n resource_paths: [/argo]\n role_ids: [argo_user]\n\n resources:\n # General Access\n - name: 'data_file'\n description: 'data files, stored in S3'\n - name: 'dashboard'\n description: 'commons /dashboard'\n - name: 'mds_gateway'\n description: 'commons /mds-admin'\n - name: 'prometheus'\n 
description: 'commons /prometheus and /grafana'\n - name: 'ttyadmin'\n description: 'commons /ttyadmin'\n - name: 'workspace'\n - name: \"sower\"\n - name: 'mariner'\n description: 'workflow execution service'\n - name: argo\n\n # OLD Data\n - name: 'programs'\n subresources:\n - name: 'open'\n subresources:\n - name: 'projects'\n subresources:\n - name: '1000G'\n - name: 'authnRequired'\n - name: 'QA'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n - name: 'DEV'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n - name: 'jnkns'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'jenkins'\n - name: 'jenkins2'\n - name: 'test'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n\n # NEW Data WITH PREFIX\n - name: 'gen3'\n subresources:\n - name: 'programs'\n subresources:\n - name: 'QA'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n - name: 'DEV'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n - name: 'jnkns'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'jenkins'\n - name: 'jenkins2'\n - name: 'test'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test'\n\n # consents obtained from DUO and NIH\n # https://github.com/EBISPOT/DUO\n # https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4721915/\n - name: 'consents'\n subresources:\n - name: 'NRES'\n description: 'no restriction'\n - name: 'GRU'\n description: 'general research use'\n - name: 'GRU_CC'\n description: 'general research use and clinical care'\n - name: 'HMB'\n description: 'health/medical/biomedical research'\n - name: 'POA'\n description: 'population origins or ancestry research'\n - name: 'NMDS'\n description: 'no general methods research'\n - name: 'NPU'\n description: 'not-for-profit use only'\n - name: 'PUB'\n description: 'publication required'\n - name: 'DS_LungDisease'\n description: 'disease-specific research for lung disease'\n - name: 
'DS_ChronicObstructivePulmonaryDisease'\n description: 'disease-specific research for chronic obstructive pulmonary disease'\n\n - name: 'abc'\n subresources:\n - name: 'programs'\n subresources:\n - name: 'foo'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'bar'\n - name: 'test_program'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test_project1'\n - name: 'test_project2'\n - name: 'test_program2'\n subresources:\n - name: 'projects'\n subresources:\n - name: 'test_project3'\n\n\n # \"Sheepdog admin\" resources\n - name: 'services'\n subresources:\n - name: 'sheepdog'\n subresources:\n - name: 'submission'\n subresources:\n - name: 'program'\n - name: 'project'\n - name: 'indexd'\n subresources:\n - name: 'admin'\n - name: 'bundles'\n - name: audit\n subresources:\n - name: presigned_url\n - name: login\n\n\n - name: 'open'\n\n # action/methods:\n # create, read, update, delete, read-storage, write-storage,\n # file_upload, access\n roles:\n # General Access\n - id: 'file_uploader'\n description: 'can upload data files'\n permissions:\n - id: 'file_upload'\n action:\n service: '*'\n method: 'file_upload'\n - id: 'workspace_user'\n permissions:\n - id: 'workspace_access'\n action:\n service: 'jupyterhub'\n method: 'access'\n - id: 'dashboard_user'\n permissions:\n - id: 'dashboard_access'\n action:\n service: 'dashboard'\n method: 'access'\n - id: 'mds_user'\n permissions:\n - id: 'mds_access'\n action:\n service: 'mds_gateway'\n method: 'access'\n - id: 'prometheus_user'\n permissions:\n - id: 'prometheus_access'\n action:\n service: 'prometheus'\n method: 'access'\n - id: 'ttyadmin_user'\n permissions:\n - id: 'ttyadmin_access'\n action:\n service: 'ttyadmin'\n method: 'access'\n - id: 'sower_user'\n permissions:\n - id: 'sower_access'\n action:\n service: 'job'\n method: 'access'\n - id: 'mariner_admin'\n permissions:\n - id: 'mariner_access'\n action:\n service: 'mariner'\n method: 'access'\n - id: audit_reader\n 
permissions:\n - id: audit_reader_action\n action:\n service: audit\n method: read\n\n # All services\n - id: 'admin'\n description: ''\n permissions:\n - id: 'admin'\n action:\n service: '*'\n method: '*'\n - id: 'creator'\n description: ''\n permissions:\n - id: 'creator'\n action:\n service: '*'\n method: 'create'\n - id: 'reader'\n description: ''\n permissions:\n - id: 'reader'\n action:\n service: '*'\n method: 'read'\n - id: 'updater'\n description: ''\n permissions:\n - id: 'updater'\n action:\n service: '*'\n method: 'update'\n - id: 'deleter'\n description: ''\n permissions:\n - id: 'deleter'\n action:\n service: '*'\n method: 'delete'\n - id: 'storage_writer'\n description: ''\n permissions:\n - id: 'storage_writer'\n action:\n service: '*'\n method: 'write-storage'\n - id: 'storage_reader'\n description: ''\n permissions:\n - id: 'storage_reader'\n action:\n service: '*'\n method: 'read-storage'\n\n\n # Sheepdog admin role\n - id: 'sheepdog_admin'\n description: 'sheepdog admin role for program project crud'\n permissions:\n - id: 'sheepdog_admin_action'\n action:\n service: 'sheepdog'\n method: '*'\n\n\n # indexd\n - id: 'indexd_admin'\n # this only works if indexd.arborist is enabled in manifest!\n description: 'full access to indexd API'\n permissions:\n - id: 'indexd_admin'\n action:\n service: 'indexd'\n method: '*'\n - id: 'indexd_record_creator'\n description: ''\n permissions:\n - id: 'indexd_record_creator'\n action:\n service: 'indexd'\n method: 'create'\n - id: 'indexd_record_reader'\n description: ''\n permissions:\n - id: 'indexd_record_reader'\n action:\n service: 'indexd'\n method: 'read'\n - id: 'indexd_record_updater'\n description: ''\n permissions:\n - id: 'indexd_record_updater'\n action:\n service: 'indexd'\n method: 'update'\n - id: 'indexd_delete_record'\n description: ''\n permissions:\n - id: 'indexd_delete_record'\n action:\n service: 'indexd'\n method: 'delete'\n - id: 'indexd_storage_reader'\n description: ''\n permissions:\n 
- id: 'indexd_storage_reader'\n action:\n service: 'indexd'\n method: 'read-storage'\n - id: 'indexd_storage_writer'\n description: ''\n permissions:\n - id: 'indexd_storage_writer'\n action:\n service: 'indexd'\n method: 'write-storage'\n\n # arborist\n - id: 'arborist_creator'\n description: ''\n permissions:\n - id: 'arborist_creator'\n action:\n service: 'arborist'\n method: 'create'\n - id: 'arborist_reader'\n description: ''\n permissions:\n - id: 'arborist_reader'\n action:\n service: 'arborist'\n method: 'read'\n - id: 'arborist_updater'\n description: ''\n permissions:\n - id: 'arborist_updater'\n action:\n service: 'arborist'\n method: 'update'\n - id: 'arborist_deleter'\n description: ''\n permissions:\n - id: 'arborist_deleter'\n action:\n service: 'arborist'\n method: 'delete'\n\n # requestor\n - id: requestor_admin\n permissions:\n - id: requestor_admin_action\n action:\n service: requestor\n method: '*'\n - id: requestor_reader\n permissions:\n - id: requestor_reader_action\n action:\n service: requestor\n method: read\n - id: requestor_creator\n permissions:\n - id: requestor_creator_action\n action:\n service: requestor\n method: create\n - id: requestor_updater\n permissions:\n - id: requestor_updater_action\n action:\n service: requestor\n method: update\n - id: requestor_deleter\n permissions:\n - id: requestor_deleter_action\n action:\n service: requestor\n method: delete\n # argo\n - id: argo_user\n permissions:\n - id: argo_access\n action:\n service: argo\n method: access\n\nclients:\n basic-test-client:\n policies:\n - abc-admin\n - gen3-admin\n basic-test-abc-client:\n policies:\n - abc-admin\n wts:\n policies:\n - all_programs_reader\n - workspace\n\nusers:\n ### BEGIN INTERNS SECTION ###\n ### END INTERNS SECTION ###\n qureshi@uchicago.edu:\n admin: true\n policies:\n - data_upload\n - workspace\n - dashboard\n - mds_admin\n - prometheus\n - sower\n - services.sheepdog-admin\n - programs.QA-admin\n - programs.test-admin\n - 
programs.DEV-admin\n - programs.jnkns-admin\n - indexd_admin\n - ttyadmin\n projects:\n - auth_id: QA\n privilege: [create, read, update, delete, upload, read-storage]\n - auth_id: test\n privilege: [create, read, update, delete, upload, read-storage]\n - auth_id: DEV\n privilege: [create, read, update, delete, upload, read-storage]\n - auth_id: jenkins\n privilege: [create, read, update, delete, upload, read-storage]\n - auth_id: jenkins2\n privilege: [create, read, update, delete, upload, read-storage]\n - auth_id: jnkns\n privilege: [create, read, update, delete, upload, read-storage]\n"` | USER YAML. Passed in as a multiline string. | +| USER_YAML | string | `"cloud_providers: {}\nauthz:\n # policies automatically given to anyone, even if they are not authenticated\n anonymous_policies:\n - open_data_reader\n\n # policies automatically given to authenticated users (in addition to their other policies)\n all_users_policies: []\n\n groups:\n # can CRUD programs and projects and upload data files\n - name: data_submitters\n policies:\n - services.sheepdog-admin\n - data_upload\n - MyFirstProject_submitter\n users:\n - username1@gmail.com\n\n # can create/update/delete indexd records\n - name: indexd_admins\n policies:\n - indexd_admin\n users:\n - username1@gmail.com\n\n resources:\n - name: workspace\n - name: data_file\n - name: services\n subresources:\n - name: sheepdog\n subresources:\n - name: submission\n subresources:\n - name: program\n - name: project\n - name: 'indexd'\n subresources:\n - name: 'admin'\n - name: audit\n subresources:\n - name: presigned_url\n - name: login\n - name: open\n - name: programs\n subresources:\n - name: MyFirstProgram\n subresources:\n - name: projects\n subresources:\n - name: MyFirstProject\n\n policies:\n - id: workspace\n description: be able to use workspace\n resource_paths:\n - /workspace\n role_ids:\n - workspace_user\n - id: data_upload\n description: upload raw data files to S3\n role_ids:\n - file_uploader\n 
resource_paths:\n - /data_file\n - id: services.sheepdog-admin\n description: CRUD access to programs and projects\n role_ids:\n - sheepdog_admin\n resource_paths:\n - /services/sheepdog/submission/program\n - /services/sheepdog/submission/project\n - id: indexd_admin\n description: full access to indexd API\n role_ids:\n - indexd_admin\n resource_paths:\n - /programs\n - id: open_data_reader\n role_ids:\n - peregrine_reader\n - guppy_reader\n - fence_storage_reader\n resource_paths:\n - /open\n - id: all_programs_reader\n role_ids:\n - peregrine_reader\n - guppy_reader\n - fence_storage_reader\n resource_paths:\n - /programs\n - id: MyFirstProject_submitter\n role_ids:\n - reader\n - creator\n - updater\n - deleter\n - storage_reader\n - storage_writer\n resource_paths:\n - /programs/MyFirstProgram/projects/MyFirstProject\n\n roles:\n - id: file_uploader\n permissions:\n - id: file_upload\n action:\n service: fence\n method: file_upload\n - id: workspace_user\n permissions:\n - id: workspace_access\n action:\n service: jupyterhub\n method: access\n - id: sheepdog_admin\n description: CRUD access to programs and projects\n permissions:\n - id: sheepdog_admin_action\n action:\n service: sheepdog\n method: '*'\n - id: indexd_admin\n description: full access to indexd API\n permissions:\n - id: indexd_admin\n action:\n service: indexd\n method: '*'\n - id: admin\n permissions:\n - id: admin\n action:\n service: '*'\n method: '*'\n - id: creator\n permissions:\n - id: creator\n action:\n service: '*'\n method: create\n - id: reader\n permissions:\n - id: reader\n action:\n service: '*'\n method: read\n - id: updater\n permissions:\n - id: updater\n action:\n service: '*'\n method: update\n - id: deleter\n permissions:\n - id: deleter\n action:\n service: '*'\n method: delete\n - id: storage_writer\n permissions:\n - id: storage_creator\n action:\n service: '*'\n method: write-storage\n - id: storage_reader\n permissions:\n - id: storage_reader\n action:\n service: 
'*'\n method: read-storage\n - id: peregrine_reader\n permissions:\n - id: peregrine_reader\n action:\n method: read\n service: peregrine\n - id: guppy_reader\n permissions:\n - id: guppy_reader\n action:\n method: read\n service: guppy\n - id: fence_storage_reader\n permissions:\n - id: fence_storage_reader\n action:\n method: read-storage\n service: fence\n\nclients:\n wts:\n policies:\n - all_programs_reader\n - open_data_reader\n\nusers:\n username1@gmail.com: {}\n username2:\n tags:\n name: John Doe\n email: johndoe@gmail.com\n policies:\n - MyFirstProject_submitter\n\ncloud_providers: {}\ngroups: {}\n"` | USER YAML. Passed in as a multiline string. | | affinity | map | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity to use for the deployment. | | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution | map | `[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]` | Option for scheduling to be required or preferred. | | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0] | int | `{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["fence"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}` | Weight value for preferred scheduling. | diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index 026811a7..3919a20d 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml 
@@ -516,875 +516,214 @@ projects: # -- (string) USER YAML. Passed in as a multiline string. USER_YAML: | cloud_providers: {} - groups: {} authz: - # policies automatically given to anyone, even if they haven't authenticated - anonymous_policies: ['open_data_reader', 'full_open_access'] + # policies automatically given to anyone, even if they are not authenticated + anonymous_policies: + - open_data_reader - # policies automatically given to authenticated users (in addition to their other - # policies) - all_users_policies: ['open_data_reader', 'authn_open_access'] + # policies automatically given to authenticated users (in addition to their other policies) + all_users_policies: [] - user_project_to_resource: - QA: /programs/QA - DEV: /programs/DEV - test: /programs/QA/projects/test - jenkins: /programs/jnkns/projects/jenkins - jenkins2: /programs/jnkns/projects/jenkins2 - jnkns: /programs/jnkns + groups: + # can CRUD programs and projects and upload data files + - name: data_submitters + policies: + - services.sheepdog-admin + - data_upload + - MyFirstProject_submitter + users: + - username1@gmail.com - policies: - # General Access - - id: 'workspace' - description: 'be able to use workspace' - resource_paths: ['/workspace'] - role_ids: ['workspace_user'] - - id: 'dashboard' - description: 'be able to use the commons dashboard' - resource_paths: ['/dashboard'] - role_ids: ['dashboard_user'] - - id: 'prometheus' - description: 'be able to use prometheus' - resource_paths: ['/prometheus'] - role_ids: ['prometheus_user'] - - id: 'ttyadmin' - description: 'be able to use the admin tty' - resource_paths: ['/ttyadmin'] - role_ids: ['ttyadmin_user'] - - id: 'mds_admin' - description: 'be able to use metadata service' - resource_paths: ['/mds_gateway'] - role_ids: ['mds_user'] - - id: 'data_upload' - description: 'upload raw data files to S3' - role_ids: ['file_uploader'] - resource_paths: ['/data_file'] - - description: be able to use sower job - id: sower - 
resource_paths: [/sower] - role_ids: [sower_user] - - id: 'mariner_admin' - description: 'full access to mariner API' - resource_paths: ['/mariner'] - role_ids: ['mariner_admin'] - - id: audit_reader - role_ids: - - audit_reader - resource_paths: - - /services/audit - - id: audit_login_reader - role_ids: - - audit_reader - resource_paths: - - /services/audit/login - - id: audit_presigned_url_reader - role_ids: - - audit_reader - resource_paths: - - /services/audit/presigned_url - - id: requestor_admin - role_ids: - - requestor_admin - resource_paths: - - /programs - - id: requestor_reader - role_ids: - - requestor_reader - resource_paths: - - /programs - - id: requestor_creator - role_ids: - - requestor_creator - resource_paths: - - /programs - - id: requestor_updater - role_ids: - - requestor_updater - resource_paths: - - /programs - - id: requestor_deleter - role_ids: - - requestor_deleter - resource_paths: - - /programs - # Data Access - - # All programs policy - - id: 'all_programs_reader' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: ['/programs'] - - # # example if need access to write to storage - # - id: 'programs.jnkns-storage_writer' - # description: '' - # role_ids: - # - 'storage_writer' - # resource_paths: ['/programs/jnkns'] - - - id: 'programs.jnkns-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/programs/jnkns' - - '/gen3/programs/jnkns' - - - id: 'programs.jnkns-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/programs/jnkns' - - '/gen3/programs/jnkns' - - - - id: 'programs.QA-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/programs/QA' - - '/gen3/programs/QA' - - - id: 'programs.QA-admin-no-storage' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - 
resource_paths: - - '/programs/QA' - - '/gen3/programs/QA' - - - id: 'programs.QA-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/programs/QA' - - '/gen3/programs/QA' - - - id: 'programs.DEV-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - - 'storage_writer' - resource_paths: - - '/programs/DEV' - - '/gen3/programs/DEV' - - - id: 'programs.DEV-storage_writer' - description: '' - role_ids: - - 'storage_writer' - resource_paths: ['/programs/DEV'] - - - id: 'programs.DEV-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/programs/DEV' - - '/gen3/programs/DEV' - - - id: 'programs.test-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/programs/test' - - '/gen3/programs/test' - - - id: 'programs.test-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/programs/test' - - '/gen3/programs/test' - - - id: 'abc-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/abc' - - - id: 'gen3-admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/gen3' - - - id: 'gen3-hmb-researcher' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_reader' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - '/consents/HMB' - - '/gen3' - - - id: 'abc.programs.test_program.projects.test_project1-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/abc/programs/test_program/projects/test_project1' - - - id: 'abc.programs.test_program.projects.test_project2-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - 
resource_paths: - - '/abc/programs/test_program/projects/test_project2' - - - id: 'abc.programs.test_program2.projects.test_project3-viewer' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: - - '/abc/programs/test_program2/projects/test_project3' - - # Open data policies - - id: 'authn_open_access' - resource_paths: ['/programs/open/projects/authnRequired'] - description: '' - role_ids: - - 'reader' - - 'storage_reader' - - id: 'full_open_access' - resource_paths: ['/programs/open/projects/1000G'] - description: '' - role_ids: - - 'reader' - - 'storage_reader' - - id: 'open_data_reader' - description: '' - role_ids: - - 'reader' - - 'storage_reader' - resource_paths: ['/open'] - - id: 'open_data_admin' - description: '' - role_ids: - - 'creator' - - 'reader' - - 'updater' - - 'deleter' - - 'storage_writer' - - 'storage_reader' - resource_paths: ['/open'] - - # Consent Code Policies - - id: 'not-for-profit-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NPU' - - - id: 'publication-required-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/PUB' - - - id: 'gru-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - - id: 'gru-cc-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - - id: 'hmb-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - '/consents/HMB' - - - id: 'poa-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - '/consents/POA' - - - id: 'ds-lung-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - '/consents/HMB' - - '/consents/DS_LungDisease' - 
- - id: 'ds-chronic-obstructive-pulmonary-disease-researcher' - description: '' - role_ids: - - 'admin' - resource_paths: - - '/consents/NRES' - - '/consents/GRU' - - '/consents/GRU_CC' - - '/consents/HMB' - - '/consents/DS_ChronicObstructivePulmonaryDisease' - - - id: 'services.sheepdog-admin' - description: 'CRUD access to programs and projects' - role_ids: - - 'sheepdog_admin' - resource_paths: - - '/services/sheepdog/submission/program' - - '/services/sheepdog/submission/project' - - # indexd - - id: 'indexd_admin' - description: 'full access to indexd API' - role_ids: - - 'indexd_admin' - resource_paths: - - '/programs' - - '/services/indexd/admin' - # # TODO resource path '/' is not valid right now in arborist, trying to decide - # # how to handle all resources - # - id: 'indexd_admin' - # description: '' - # role_ids: - # - 'indexd_record_creator' - # - 'indexd_record_reader' - # - 'indexd_record_updater' - # - 'indexd_delete_record' - # - 'indexd_storage_reader' - # - 'indexd_storage_writer' - # resource_paths: ['/'] - # - id: 'indexd_record_reader' - # description: '' - # role_ids: - # - 'indexd_record_reader' - # resource_paths: ['/'] - # - id: 'indexd_record_editor' - # description: '' - # role_ids: - # - 'indexd_record_creator' - # - 'indexd_record_reader' - # - 'indexd_record_updater' - # - 'indexd_delete_record' - # resource_paths: ['/'] - # - id: 'indexd_storage_reader' - # description: '' - # role_ids: - # - 'indexd_storage_reader' - # resource_paths: ['/'] - # - id: 'indexd_storage_editor' - # description: '' - # role_ids: - # - 'indexd_storage_reader' - # - 'indexd_storage_writer' - # resource_paths: ['/'] - - # argo - - id: argo - description: be able to use argo - resource_paths: [/argo] - role_ids: [argo_user] + # can create/update/delete indexd records + - name: indexd_admins + policies: + - indexd_admin + users: + - username1@gmail.com resources: - # General Access - - name: 'data_file' - description: 'data files, stored in S3' - - name: 
'dashboard' - description: 'commons /dashboard' - - name: 'mds_gateway' - description: 'commons /mds-admin' - - name: 'prometheus' - description: 'commons /prometheus and /grafana' - - name: 'ttyadmin' - description: 'commons /ttyadmin' - - name: 'workspace' - - name: "sower" - - name: 'mariner' - description: 'workflow execution service' - - name: argo - - # OLD Data - - name: 'programs' + - name: workspace + - name: data_file + - name: services + subresources: + - name: sheepdog subresources: - - name: 'open' - subresources: - - name: 'projects' - subresources: - - name: '1000G' - - name: 'authnRequired' - - name: 'QA' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - name: 'DEV' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - name: 'jnkns' - subresources: - - name: 'projects' - subresources: - - name: 'jenkins' - - name: 'jenkins2' - - name: 'test' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - # NEW Data WITH PREFIX - - name: 'gen3' + - name: submission + subresources: + - name: program + - name: project + - name: 'indexd' subresources: - - name: 'programs' - subresources: - - name: 'QA' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - name: 'DEV' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - name: 'jnkns' - subresources: - - name: 'projects' - subresources: - - name: 'jenkins' - - name: 'jenkins2' - - name: 'test' - subresources: - - name: 'projects' - subresources: - - name: 'test' - - # consents obtained from DUO and NIH - # https://github.com/EBISPOT/DUO - # https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4721915/ - - name: 'consents' + - name: 'admin' + - name: audit subresources: - - name: 'NRES' - description: 'no restriction' - - name: 'GRU' - description: 'general research use' - - name: 'GRU_CC' - description: 'general research use and clinical care' - - name: 'HMB' - description: 'health/medical/biomedical research' - - name: 
'POA' - description: 'population origins or ancestry research' - - name: 'NMDS' - description: 'no general methods research' - - name: 'NPU' - description: 'not-for-profit use only' - - name: 'PUB' - description: 'publication required' - - name: 'DS_LungDisease' - description: 'disease-specific research for lung disease' - - name: 'DS_ChronicObstructivePulmonaryDisease' - description: 'disease-specific research for chronic obstructive pulmonary disease' - - - name: 'abc' + - name: presigned_url + - name: login + - name: open + - name: programs + subresources: + - name: MyFirstProgram subresources: - - name: 'programs' - subresources: - - name: 'foo' - subresources: - - name: 'projects' - subresources: - - name: 'bar' - - name: 'test_program' - subresources: - - name: 'projects' - subresources: - - name: 'test_project1' - - name: 'test_project2' - - name: 'test_program2' - subresources: - - name: 'projects' - subresources: - - name: 'test_project3' - - - # "Sheepdog admin" resources - - name: 'services' - subresources: - - name: 'sheepdog' - subresources: - - name: 'submission' - subresources: - - name: 'program' - - name: 'project' - - name: 'indexd' - subresources: - - name: 'admin' - - name: 'bundles' - - name: audit - subresources: - - name: presigned_url - - name: login - - - - name: 'open' - - # action/methods: - # create, read, update, delete, read-storage, write-storage, - # file_upload, access + - name: projects + subresources: + - name: MyFirstProject + + policies: + - id: workspace + description: be able to use workspace + resource_paths: + - /workspace + role_ids: + - workspace_user + - id: data_upload + description: upload raw data files to S3 + role_ids: + - file_uploader + resource_paths: + - /data_file + - id: services.sheepdog-admin + description: CRUD access to programs and projects + role_ids: + - sheepdog_admin + resource_paths: + - /services/sheepdog/submission/program + - /services/sheepdog/submission/project + - id: indexd_admin + description: 
full access to indexd API + role_ids: + - indexd_admin + resource_paths: + - /programs + - id: open_data_reader + role_ids: + - peregrine_reader + - guppy_reader + - fence_storage_reader + resource_paths: + - /open + - id: all_programs_reader + role_ids: + - peregrine_reader + - guppy_reader + - fence_storage_reader + resource_paths: + - /programs + - id: MyFirstProject_submitter + role_ids: + - reader + - creator + - updater + - deleter + - storage_reader + - storage_writer + resource_paths: + - /programs/MyFirstProgram/projects/MyFirstProject + roles: - # General Access - - id: 'file_uploader' - description: 'can upload data files' - permissions: - - id: 'file_upload' - action: - service: '*' - method: 'file_upload' - - id: 'workspace_user' - permissions: - - id: 'workspace_access' - action: - service: 'jupyterhub' - method: 'access' - - id: 'dashboard_user' - permissions: - - id: 'dashboard_access' - action: - service: 'dashboard' - method: 'access' - - id: 'mds_user' - permissions: - - id: 'mds_access' - action: - service: 'mds_gateway' - method: 'access' - - id: 'prometheus_user' - permissions: - - id: 'prometheus_access' - action: - service: 'prometheus' - method: 'access' - - id: 'ttyadmin_user' - permissions: - - id: 'ttyadmin_access' - action: - service: 'ttyadmin' - method: 'access' - - id: 'sower_user' - permissions: - - id: 'sower_access' - action: - service: 'job' - method: 'access' - - id: 'mariner_admin' - permissions: - - id: 'mariner_access' - action: - service: 'mariner' - method: 'access' - - id: audit_reader - permissions: - - id: audit_reader_action - action: - service: audit - method: read - - # All services - - id: 'admin' - description: '' - permissions: - - id: 'admin' - action: - service: '*' - method: '*' - - id: 'creator' - description: '' - permissions: - - id: 'creator' - action: - service: '*' - method: 'create' - - id: 'reader' - description: '' - permissions: - - id: 'reader' - action: - service: '*' - method: 'read' - - id: 
'updater' - description: '' - permissions: - - id: 'updater' - action: - service: '*' - method: 'update' - - id: 'deleter' - description: '' - permissions: - - id: 'deleter' - action: - service: '*' - method: 'delete' - - id: 'storage_writer' - description: '' - permissions: - - id: 'storage_writer' - action: - service: '*' - method: 'write-storage' - - id: 'storage_reader' - description: '' - permissions: - - id: 'storage_reader' - action: - service: '*' - method: 'read-storage' - - - # Sheepdog admin role - - id: 'sheepdog_admin' - description: 'sheepdog admin role for program project crud' - permissions: - - id: 'sheepdog_admin_action' - action: - service: 'sheepdog' - method: '*' - - - # indexd - - id: 'indexd_admin' - # this only works if indexd.arborist is enabled in manifest! - description: 'full access to indexd API' - permissions: - - id: 'indexd_admin' - action: - service: 'indexd' - method: '*' - - id: 'indexd_record_creator' - description: '' - permissions: - - id: 'indexd_record_creator' - action: - service: 'indexd' - method: 'create' - - id: 'indexd_record_reader' - description: '' - permissions: - - id: 'indexd_record_reader' - action: - service: 'indexd' - method: 'read' - - id: 'indexd_record_updater' - description: '' - permissions: - - id: 'indexd_record_updater' - action: - service: 'indexd' - method: 'update' - - id: 'indexd_delete_record' - description: '' - permissions: - - id: 'indexd_delete_record' - action: - service: 'indexd' - method: 'delete' - - id: 'indexd_storage_reader' - description: '' - permissions: - - id: 'indexd_storage_reader' - action: - service: 'indexd' - method: 'read-storage' - - id: 'indexd_storage_writer' - description: '' - permissions: - - id: 'indexd_storage_writer' - action: - service: 'indexd' - method: 'write-storage' - - # arborist - - id: 'arborist_creator' - description: '' - permissions: - - id: 'arborist_creator' - action: - service: 'arborist' - method: 'create' - - id: 'arborist_reader' - description: '' 
- permissions: - - id: 'arborist_reader' - action: - service: 'arborist' - method: 'read' - - id: 'arborist_updater' - description: '' - permissions: - - id: 'arborist_updater' - action: - service: 'arborist' - method: 'update' - - id: 'arborist_deleter' - description: '' - permissions: - - id: 'arborist_deleter' - action: - service: 'arborist' - method: 'delete' - - # requestor - - id: requestor_admin - permissions: - - id: requestor_admin_action + - id: file_uploader + permissions: + - id: file_upload + action: + service: fence + method: file_upload + - id: workspace_user + permissions: + - id: workspace_access + action: + service: jupyterhub + method: access + - id: sheepdog_admin + description: CRUD access to programs and projects + permissions: + - id: sheepdog_admin_action + action: + service: sheepdog + method: '*' + - id: indexd_admin + description: full access to indexd API + permissions: + - id: indexd_admin + action: + service: indexd + method: '*' + - id: admin + permissions: + - id: admin action: - service: requestor + service: '*' method: '*' - - id: requestor_reader - permissions: - - id: requestor_reader_action - action: - service: requestor - method: read - - id: requestor_creator - permissions: - - id: requestor_creator_action + - id: creator + permissions: + - id: creator action: - service: requestor + service: '*' method: create - - id: requestor_updater - permissions: - - id: requestor_updater_action + - id: reader + permissions: + - id: reader + action: + service: '*' + method: read + - id: updater + permissions: + - id: updater action: - service: requestor + service: '*' method: update - - id: requestor_deleter - permissions: - - id: requestor_deleter_action + - id: deleter + permissions: + - id: deleter action: - service: requestor + service: '*' method: delete - # argo - - id: argo_user - permissions: - - id: argo_access - action: - service: argo - method: access + - id: storage_writer + permissions: + - id: storage_creator + action: + 
service: '*' + method: write-storage + - id: storage_reader + permissions: + - id: storage_reader + action: + service: '*' + method: read-storage + - id: peregrine_reader + permissions: + - id: peregrine_reader + action: + method: read + service: peregrine + - id: guppy_reader + permissions: + - id: guppy_reader + action: + method: read + service: guppy + - id: fence_storage_reader + permissions: + - id: fence_storage_reader + action: + method: read-storage + service: fence clients: - basic-test-client: - policies: - - abc-admin - - gen3-admin - basic-test-abc-client: - policies: - - abc-admin wts: policies: - all_programs_reader - - workspace + - open_data_reader users: - ### BEGIN INTERNS SECTION ### - ### END INTERNS SECTION ### - qureshi@uchicago.edu: - admin: true + username1@gmail.com: {} + username2: + tags: + name: John Doe + email: johndoe@gmail.com policies: - - data_upload - - workspace - - dashboard - - mds_admin - - prometheus - - sower - - services.sheepdog-admin - - programs.QA-admin - - programs.test-admin - - programs.DEV-admin - - programs.jnkns-admin - - indexd_admin - - ttyadmin - projects: - - auth_id: QA - privilege: [create, read, update, delete, upload, read-storage] - - auth_id: test - privilege: [create, read, update, delete, upload, read-storage] - - auth_id: DEV - privilege: [create, read, update, delete, upload, read-storage] - - auth_id: jenkins - privilege: [create, read, update, delete, upload, read-storage] - - auth_id: jenkins2 - privilege: [create, read, update, delete, upload, read-storage] - - auth_id: jnkns - privilege: [create, read, update, delete, upload, read-storage] + - MyFirstProject_submitter + + cloud_providers: {} + groups: {} # -- (map) Public configuration settings for Fence app FENCE_CONFIG_PUBLIC: {} diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml index 54cdc771..278de71a 100644 --- a/helm/gen3/Chart.yaml +++ b/helm/gen3/Chart.yaml 
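Review bot: The rewritten USER_YAML scalar ends with the added `cloud_providers: {}` while the same top-level key is already the first line of the scalar (the context line `cloud_providers: {}` directly under `USER_YAML: |`), so the embedded document now has a duplicate key; YAML 1.2 rejects that and most loaders silently keep the last value, which is only harmless while both stay `{}`. Drop the trailing `cloud_providers: {}` and keep just `groups: {}` at the end, or remove the leading one. The new resource tree still declares `services/indexd/admin` and `services/audit/{presigned_url,login}`, yet no policy on the new side references them — the old `indexd_admin` policy listed `/services/indexd/admin` in its `resource_paths` and the new one keeps only `/programs`; if that drop is unintended, add `- /services/indexd/admin` back under that policy, otherwise prune the orphaned resources so the default does not declare admin paths that no policy grants. Two style nits: `- name: 'indexd'` and `- name: 'admin'` are the only quoted names in an otherwise plain-scalar resource tree, and the `storage_writer` role's permission is named `storage_creator` where every sibling role reuses its own id (e.g. `storage_reader`), which makes auditing a grant by grep harder than it needs to be.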
@@ -36,7 +36,7 @@ dependencies:
repository: "file://../frontend-framework"
condition: frontend-framework.enabled
- name: fence
- version: 0.1.23
+ version: 0.1.24
repository: "file://../fence"
condition: fence.enabled
- name: guppy
@@ -128,7 +128,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.45
+version: 0.1.46
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/README.md b/helm/gen3/README.md
index 7dc8787e..3038a36a 100644
--- a/helm/gen3/README.md
+++ b/helm/gen3/README.md
@@ -1,6 +1,6 @@
# gen3
-![Version: 0.1.45](https://img.shields.io/badge/Version-0.1.45-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.46](https://img.shields.io/badge/Version-0.1.46-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
Helm chart to deploy Gen3 Data Commons
@@ -25,7 +25,7 @@ Helm chart to deploy Gen3 Data Commons
| file://../aws-es-proxy | aws-es-proxy | 0.1.10 |
| file://../common | common | 0.1.14 |
| file://../etl | etl | 0.1.3 |
-| file://../fence | fence | 0.1.23 |
+| file://../fence | fence | 0.1.24 |
| file://../frontend-framework | frontend-framework | 0.1.3 |
| file://../guppy | guppy | 0.1.13 |
| file://../hatchery | hatchery | 0.1.10 |