initHandler.go
package app
import (
"github.com/go-kit/kit/endpoint"
log "github.com/sirupsen/logrus"
"golang.org/x/net/context"
"golang.org/x/oauth2"
"google.golang.org/api/cloudresourcemanager/v1"
)
// IAM_ADMIN_ROLE is the project-level IAM role that BindRole adds to a
// project's policy. It allows its holder to administer the project's IAM
// policy, so it should only ever be bound to the one identity that needs it.
const (
	IAM_ADMIN_ROLE = "roles/resourcemanager.projectIamAdmin"
)

// InitProjectRequest carries the parameters of an init-project call.
type InitProjectRequest struct {
	// Project is handed to BindRole as the project whose IAM policy is edited.
	Project string

	// ProjectNumber becomes the local part of the
	// "<number>@cloudservices.gserviceaccount.com" service account name.
	ProjectNumber string

	// Token is used as the OAuth2 access token for the Cloud Resource Manager
	// calls. It is a credential: keep it out of logs and error strings.
	Token string
}
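// TODO: migrate service enabling logic to initHandler

// makeInitProjectEndpoint returns the go-kit endpoint that serves
// InitProjectRequest. It derives the project's cloudservices service account
// name from the request's project number and asks svc to bind IAM_ADMIN_ROLE
// to it, using the token supplied in the request.
//
// Failures are reported in the Err field of the returned *basicServerResponse;
// the endpoint's own error result is always nil.
func makeInitProjectEndpoint(svc KsService) endpoint.Endpoint {
	return func(ctx context.Context, request interface{}) (interface{}, error) {
		r := &basicServerResponse{}

		// A bare type assertion panics on an unexpected request type; report
		// the problem through the response instead.
		req, ok := request.(InitProjectRequest)
		if !ok {
			r.Err = "invalid init project request"
			return r, nil
		}

		// ProjectNumber is caller-supplied and becomes part of the principal
		// that receives IAM_ADMIN_ROLE. Accept only a non-empty run of ASCII
		// digits so nothing else can influence which identity is bound.
		validNumber := req.ProjectNumber != ""
		for _, c := range req.ProjectNumber {
			if c < '0' || c > '9' {
				validNumber = false
				break
			}
		}
		if !validNumber {
			r.Err = "invalid project number"
			return r, nil
		}

		dmServiceAccount := req.ProjectNumber + "@cloudservices.gserviceaccount.com"
		// Only err.Error() is surfaced to the caller; the token itself is
		// never placed in the response.
		if err := svc.BindRole(ctx, req.Project, req.Token, dmServiceAccount); err != nil {
			r.Err = err.Error()
		}
		return r, nil
	}
}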
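// BindRole adds serviceAccount to project's IAM policy with IAM_ADMIN_ROLE.
//
// token is used as the OAuth2 access token for the Cloud Resource Manager
// calls, so the policy change is made with whatever permissions that token
// carries. The token is not logged here. ctx is attached to both API calls so
// that cancellation or a deadline on ctx ends them instead of leaving the
// per-project lock held by a stalled request.
//
// It returns the error from client construction, GetIamPolicy or
// SetIamPolicy, and nil on success.
func (s *ksServer) BindRole(ctx context.Context, project string, token string, serviceAccount string) error {
	ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token})
	crm, err := cloudresourcemanager.New(oauth2.NewClient(ctx, ts))
	if err != nil {
		log.Errorf("Cannot create resourc manger client: %v", err)
		return err
	}

	// Serialize the read-modify-write below per project. Even with the lock
	// there is still a very small chance that updating the project IAM policy
	// fails if other users are editing the policy directly at the same time.
	// NOTE(review): presumably the etag carried in the fetched policy makes
	// such a concurrent edit fail rather than be overwritten; confirm.
	projLock := s.GetProjectLock(project)
	projLock.Lock()
	defer projLock.Unlock()

	saPolicy, err := crm.Projects.GetIamPolicy(
		project,
		&cloudresourcemanager.GetIamPolicyRequest{}).Context(ctx).Do()
	if err != nil {
		log.Errorf("Cannot get current ploicy: %v", err)
		return err
	}

	// The fetched policy is sent back unchanged apart from this one added
	// binding, which grants the IAM admin role at project scope.
	// NOTE(review): a binding is appended on every call, even when the member
	// already holds the role; consider checking existing bindings first.
	saPolicy.Bindings = append(saPolicy.Bindings, &cloudresourcemanager.Binding{
		Members: []string{"serviceAccount:" + serviceAccount},
		Role:    IAM_ADMIN_ROLE,
	})

	_, err = crm.Projects.SetIamPolicy(
		project,
		&cloudresourcemanager.SetIamPolicyRequest{Policy: saPolicy}).Context(ctx).Do()
	if err != nil {
		log.Errorf("Cannot set new ploicy: %v", err)
		return err
	}
	return nil
}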