Partner network | BPDM service is not accessible #132

Closed
mounirol opened this issue Jun 4, 2024 · 20 comments

@mounirol

mounirol commented Jun 4, 2024

Current Behavior

We are not able to access the BPDM service. We tried with all the possible roles and permissions but none has worked for us. We always get 403.

Expected Behavior

We should be able to access the BPDM service with an appropriate role.

Steps To Reproduce

Check the Partner Network in the portal or try to access the BPDM service APIs.

@mounirol mounirol added the bug Something isn't working label Jun 4, 2024
@evegufy
Contributor

evegufy commented Jun 4, 2024

Hi @mounirol, thanks for opening the issue. As discussed in the EF Chat: I checked this, and AFAI can say right now, there might be a mismatch between the rights and roles concept and the bpdm implementation: the implementation expects the read_partner role https://github.com/eclipse-tractusx/bpdm/blob/v6.0.0/bpdm-pool/src/main/kotlin/org/eclipse/tractusx/bpdm/pool/config/PermissionConfigProperties.kt#L28 but according to the rights and role concept this role should not be assigned https://github.com/eclipse-tractusx/portal-iam/blob/v3.0.0/docs/technical%20documentation/06.%20Roles%20%26%20Rights%20Concept.md#255-bpdm-pool. I can't say if the bpdm implementation or the R&R concept is correct, and we'll need to discuss this with @jjeroch once she's back from vacation.

@evegufy evegufy added this to Portal Jun 4, 2024
@github-project-automation github-project-automation bot moved this to NEW USER REQUEST in Portal Jun 4, 2024
@evegufy evegufy moved this from NEW USER REQUEST to BACKLOG in Portal Jun 4, 2024
@evegufy evegufy changed the title Partner network/ BPDN service is not accessible Partner network | BPDM service is not accessible Jun 4, 2024
@jjeroch
Contributor

jjeroch commented Jun 17, 2024

Looking into this by today

@jjeroch
Contributor

jjeroch commented Jun 17, 2024

It was expected (and we thought successfully tested) that the following assignment is enough:

image

However this is not enough; additionally the following permission needs to get assigned:
image
(note: this is a HF only; not a long-term solution) - BPDM is currently validating other solutions to access the data.

@evegufy can you take this up?

@evegufy
Contributor

evegufy commented Jun 24, 2024

read_partner from Cl7-CX-BPDM added to BPDM Pool Consumer on int, dev and rc.dev
TODO: update of template instances and documentation

@evegufy evegufy self-assigned this Jun 24, 2024
@evegufy evegufy moved this from BACKLOG to IN PROGRESS in Portal Jun 24, 2024
@mounirol
Author

mounirol commented Jun 25, 2024

@evegufy The Partner network is accessible from the portal, but it is not possible to access the BPDM APIs using the Technical user. Will this also be fixed?

@evegufy
Contributor

evegufy commented Jun 27, 2024

@mounirol could you please provide an example?

@evegufy
Contributor

evegufy commented Jun 27, 2024

@mounirol the examples which you showed me are technical users with roles for the BPDM Gate assigned. I assume you need to create a technical user with a role that provides access to the BPDM API, like BPDM Pool Consumer

cc: @jjeroch

@jjeroch
Contributor

jjeroch commented Jul 7, 2024

@Sebastian-Wurm seems like the new BPDM solution is not well known to the teams. We need user documentation for this. Please take this up.

To be answered:

  • Explanation of when a customer should use technical user role "xxx" and when "xxx"
  • Is it really planned to create this tech user from the consumer side or is BPDM operator providing the user?

Note my expectation is the following:

  1. App Provider (such as mounirol) needs to update their app offering inside the portal marketplace and configure inside the technical user profile the permission
    • BPDM Sharing Output Consumer
  2. The app provider must successfully negotiate the BPDM Access data offering in the name of the customer
  3. As part of the successful negotiation, the app provider will receive the API endpoint to retrieve BPDM data
  4. With the technical user of #1 the app provider can now access the BPDM endpoint and retrieve member data

...please confirm.

@evegufy in the current state of the ticket, I suggest to move the ticket to BPDM - I don't see a technical change needed on our side.

@Sebastian-Wurm

Sebastian-Wurm commented Jul 24, 2024

@mounirol, @jjeroch:

@Sebastian-Wurm

@evegufy, @jjeroch:

  • read_partner permission is not required to get business partners from the BPDM Pool for the Portal Partner Network
  • read_partner_member of permission group "Cx Member" (which corresponds to CX User Portal role) must be sufficient, as only Catena-X members should be displayed by the Portal Partner Network (not the whole BPDM Pool).
  • Either there is a bug in the implementation of read_partner_member / isCatenaXMemberData or there are no business partners flagged with isCatenaXMemberData, if the Partner Network in the Portal shows no business partners
  • @nicoprow: Can you please confirm.

@nicoprow
Contributor

nicoprow commented Jul 24, 2024

As far as I can see the problem is that the Portal invokes the endpoint "pool/v6/legal-entities" and receives (rightfully) a 403 since this is the endpoint to query all legal entities. Since version 6 of the API we introduced the members endpoint which returns only the Catena-X business partner member data: pool/v6/members/legal-entities/search

So from the BPDM side this behaviour is expected, but the Portal would need to integrate the members endpoint instead.

Users of the Portal should have the permission to view Catena-X member data but not all data.
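
An added example, not part of the original thread and not BPDM or Portal code: a token-side diagnostic for the 403 described above. It reads the client roles from a Keycloak-style access token and predicts the result for the two pool endpoints. The endpoint-to-permission mapping is an assumption inferred from the comments in this issue, and the sample tokens are constructed and unsigned.

```python
import base64
import json

BPDM_CLIENT = "Cl7-CX-BPDM"  # client id as named in this thread

# Assumed mapping, inferred from the comments above (not read from BPDM code).
REQUIRED_PERMISSION = {
    "pool/v6/legal-entities": "read_partner",
    "pool/v6/members/legal-entities/search": "read_partner_member",
}


def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_token(roles):
    """Build a constructed, unsigned sample token with Keycloak-style client roles."""
    claims = {"resource_access": {BPDM_CLIENT: {"roles": roles}}}
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "sig"])


def client_roles(jwt, client=BPDM_CLIENT):
    """Read client roles from the token payload. Signature is NOT verified: diagnosis only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))


def expected_status(jwt, path):
    """Predict 200 or 403 for a pool endpoint from the roles in the token."""
    needed = REQUIRED_PERMISSION[path.strip("/")]
    return 200 if needed in client_roles(jwt) else 403


def grants_whole_pool(jwt):
    """True when the token can read all legal entities, not only Catena-X members."""
    return "read_partner" in client_roles(jwt)


# Constructed samples: a portal user in group "Cx Member", and the same user
# after the hotfix discussed in this issue added read_partner.
MEMBER = make_token(["read_partner_member"])
HOTFIX = make_token(["read_partner_member", "read_partner"])
```

Running `grants_whole_pool` over tokens issued for portal roles is a quick way to confirm that a role template does not carry the pool-wide permission.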

@Sebastian-Wurm

@evegufy, @jjeroch: also R&R needs to be adapted to include read_partner_member for all roles that refer to BPDM permission group "Cx Member".

@evegufy
Contributor

evegufy commented Jul 26, 2024

@Sebastian-Wurm @nicoprow If you see a need for adjustments, I suggest you open an issue in the sig-release repo with a title like "BPDM | Consolidate Rights and Roles" and mark it with the bdpm portal and prep24.12 labels, so we can refine it for the next release, the following should be made transparent on sig-release level as well #154 (comment)
Changes aren't possible anymore for 24.08 as Testing is ending.
We already did the E2E Tests for 24.08 with read_partner from Cl7-CX-BPDM added to BPDM Pool Consumer.
As I didn't close the 3.0.1 of portal-iam yet, I could remove the role again, so that there appears a 403 error again, should I do that?

@Sebastian-Wurm

@evegufy: Best would be to use the other endpoint, as @nicoprow described above. Either we do that in the reference implementation of the Portal or the Operating Company has to do that in their implementation of the Portal, if they want to provide the correct Partner Network functionality for Jupiter release. The fix with read_partner is definitely wrong, so it makes sense to remove it. Wouldn't this change in portal-iam also make a general retest necessary as IAM is a cross-cutting aspect?

@maximilianong, @jjeroch any recommendations from your side?

@MaximilianHauer
Contributor

MaximilianHauer commented Jul 26, 2024

@mounirol, @jjeroch:

The provided urls do not seem to work for me, could you please verify @Sebastian-Wurm

@nicoprow
Contributor

nicoprow commented Jul 26, 2024

@MaximilianHauer the arc42 just moved folders to be compatible to the TRGs. I corrected the URLs above

Permission groups are explained in the Arc42 document: https://github.com/eclipse-tractusx/bpdm/blob/main/docs/architecture/08_Crosscutting_Concepts.md#bpdm-permission-groups
To access BPDM services, an EDC connection is required as described in the Arc42 document: https://github.com/eclipse-tractusx/bpdm/blob/main/docs/architecture/08_Crosscutting_Concepts.md#edc-communication

@MaximilianHauer
Contributor

Hi all,

we aligned to remove the bugfix from this release.
We will now align on how to proceed and if we can fix it before 24.12.

@jjeroch
Contributor

jjeroch commented Jul 28, 2024

@mounirol, @jjeroch:

Important note:
The documentation does not fit to the tested version of 24.05. and 24.08. release. This should have been documented inside the BPDM changeLog @nicoprow as we spoke in the last release, the Orchestrator hasn't been part of the release we should not document a setup in future which does not exist. In this case either the documentation must get removed or should well mention that this is just a proposal while it's not yet tested or implemented.

@nicoprow & @evegufy please add this in the 24.08. release documentation of BPDM.

Any further steps to be managed with the release 24.12. as mentioned by @MaximilianHauer

@evegufy
Contributor

evegufy commented Aug 7, 2024

> @evegufy: Best would be to use the other endpoint, as @nicoprow described above. Either we do that in the reference implementation of the Portal or the Operating Company has to do that in their implementation of the Portal, if they want to provide the correct Partner Network functionality for Jupiter release. The fix with read_partner is definitely wrong, so it makes sense to remove it. Wouldn't this change in portal-iam also make a general retest necessary as IAM is a cross-cutting aspect?
>
> @maximilianong, @jjeroch any recommendations from your side?

The wrong workaround/fix with adding read_partner from Cl7-CX-BPDM to BPDM Pool Consumer did not make it into release 24.08.

This issue eclipse-tractusx/portal-frontend#980 was created for the api change in the portal frontend.

I suggest to do the change mentioned here #132 (comment) as part of #154.

With this all points of this issue should be addressed and I suggest to close this issue.

@evegufy
Contributor

evegufy commented Aug 7, 2024

> @mounirol, @jjeroch:
>
> Important note: The documentation does not fit to the tested version of 24.05. and 24.08. release. This should have been documented inside the BPDM changeLog @nicoprow as we spoke in the last release, the Orchestrator hasn't been part of the release we should not document a setup in future which does not exist. In this case either the documentation must get removed or should well mention that this is just a proposal while it's not yet tested or implemented.
>
> @nicoprow & @evegufy please add this in the 24.08. release documentation of BPDM.
>
> Any further steps to be managed with the release 24.12. as mentioned by @MaximilianHauer

was added to known knowns for R24.08

@evegufy evegufy closed this as completed Aug 13, 2024
@github-project-automation github-project-automation bot moved this from IN PROGRESS to USER READY in Portal Aug 13, 2024