-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'releases/v17' into add-beacon-network-config
- Loading branch information
Showing
30 changed files
with
795 additions
and
114 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
# Migrating to Bento v17 | ||
|
||
Key points: | ||
|
||
* Bento now has observability tools to help monitor the services (Grafana). Some setup is required for this feature to | ||
work. | ||
* Katsu discovery endpoints now have an authorization layer. | ||
* Data that used to be completely public by default (i.e., | ||
censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and | ||
thus a grant in the authorization service. | ||
* Beacon now requires a client ID/secret and an authorization service grant to access uncensored data. | ||
* Katsu discovery is now more granular, and can be configured to the project or dataset level, in addition to the | ||
instance level. See the [Public data discovery configuration](./public_discovery.md) document for more information. | ||
* ... | ||
|
||
|
||
## 1. Stop Bento | ||
|
||
```bash | ||
./bentoctl.bash stop | ||
``` | ||
|
||
|
||
## 2. Update images | ||
|
||
```bash | ||
./bentoctl.bash pull | ||
``` | ||
|
||
|
||
## 3. Set up credentials for aggregation/Beacon and, optionally, set up Grafana | ||
|
||
If you wish to enable Grafana, you first must enable the monitoring feature in your `local.env` file: | ||
|
||
```bash | ||
BENTO_MONITORING_ENABLED='true' | ||
``` | ||
|
||
To create the client secrets for aggregation/Beacon and Grafana (if the latter is enabled), run the following commands: | ||
|
||
```bash | ||
./bentoctl.bash start auth | ||
./bentoctl.bash init-auth | ||
``` | ||
|
||
**Reminder:** Make sure to put the client secret(s) generated by `init-auth` into your `local.env` file! | ||
|
||
Aggregation/Beacon data access authorization will not work until an authorization service grant is configured; | ||
see step 4 below. | ||
|
||
|
||
## 4. Set up aggregation/Beacon permissions and public data access grants | ||
|
||
Now that Beacon uses a client ID/secret to get authorized, uncensored data access for discovery, a grant must be | ||
configured to give the aggregation/Beacon client data access. | ||
|
||
Another change to permissions: starting from Bento v17, anonymous visitors do not have access to see censored counts | ||
data by default, even if a discovery configuration has been set up. For anonymous visitors to access data, a level | ||
(`bool`, `counts`, `full`) must be chosen and passed to the `bento_authz` CLI command below. | ||
|
||
```bash | ||
./bentoctl.bash shell authz | ||
|
||
# Configure aggregation/Beacon permissions | ||
# ---------------------------------------- | ||
# This assumes the aggregation/Beacon client ID is "aggregation". | ||
# <ISSUER_HERE> MUST be replaced with your actual issuer value. | ||
# - The query:data permission gives access to Katsu endpoints which are properly authz-enabled. | ||
# - The view:private_portal permission gives access to Katsu and Gohan endpoints where the proxy still manages access. | ||
# This permission will be removed in an uncoming version. | ||
bento_authz create grant \ | ||
'{"iss": "<ISSUER_HERE>", "client": "aggregation"}' \ | ||
'{"everything": true}' \ | ||
'query:data' 'view:private_portal' | ||
|
||
# Configure public data access | ||
# ---------------------------- | ||
# The level below ("counts") preserves previous functionality. Other possible options are: | ||
# - none - will do nothing. | ||
# - bool - for censored true/false discovery, but in effect right now forbids access. | ||
# - counts - for censored count discovery. | ||
# - full - allows full data access (record-level, including sensitive data such as IDs), uncensored counts, etc. | ||
bento_authz public-data-access counts | ||
``` | ||
|
||
|
||
## 5. Start Bento | ||
|
||
```bash | ||
./bentoctl.bash start | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
# Public data discovery configuration | ||
|
||
New in Bento v17. | ||
|
||
Previously, the public data configuration given to Katsu (`lib/katsu/config.json`) was applied on all the metadata | ||
contained in the service. This configuration declares which fields can be queried publicly for discovery purposes, | ||
which charts to display and which censorship rules to apply on the results. | ||
|
||
Katsu can hold multiple projects/datasets that may use different fields, require specific charts or custom | ||
`extra_properties` schemas at the project level. | ||
Therefore, there is a need to tailor the discovery configuration at different levels to properly represent the | ||
particularities in the information of a project or dataset. | ||
|
||
Bento v17 gives the ability to specify a scoped Discovery configuration at the following levels: | ||
- Dataset | ||
- Optional at dataset creation | ||
- For scoped queries on public endpoints targeting a project and dataset: | ||
- Katsu will use the dataset's discovery configuration, if one exists. | ||
- If no configuration is found, falls back to the parent project's discovery. | ||
- Project | ||
- Optional at project creation | ||
- For scoped queries on public endpoints targeting a project only: | ||
- Katsu will use the project's discovery configuration, if one exists. | ||
- If no configuration is found, falls back to the node's config. | ||
- Node | ||
- Optional during Katsu deployment | ||
- Uses the legacy `lib/katsu/config.json` file mount | ||
- For non-scoped queries on public endpoints: | ||
- Katsu will use the node's discovery, if one exists. | ||
- If no node configuration is found, Katsu will respond with a 404 status. | ||
- For scoped queries on public endpoints: | ||
- Katsu will fallback on the node's discovery if the project and/or dataset in the scope don't have one | ||
- If no node configuration is found, Katsu will respond with a 404 status. | ||
|
||
|
||
## Creating a discovery configuration file. | ||
|
||
Follow these steps in order to add public discovery for a given scope. | ||
|
||
1. Decide at which level the discovery configuration will be applied. | ||
2. Create a copy of `etc/katsu.config.example.json`, use it as a base template | ||
3. Modify the `fields` section so that it includes the fields of interest. | ||
4. Modify the `search` section, include the fields from the previous section to make them searchable | ||
5. Modify the `overview` section in order to specify which fields should be rendered as charts and how. | ||
6. Set the desired censorship rules in the `rules` section. | ||
|
||
The resulting JSON file needs to respect the JSON-schema defined in Katsu [here](https://github.com/bento-platform/katsu/blob/develop/chord_metadata_service/discovery/schemas.py). | ||
|
||
## Using a discovery configuration file. | ||
|
||
With the valid discovery configuration file in hand, you can now add it to Katsu. | ||
|
||
### Apply the discovery configuration at the node level: | ||
|
||
This operation must be done by a Bento node administrator. | ||
```bash | ||
# Move the file to Katsu's config volume | ||
cp <discovery config JSON file> ./lib/katsu/config.json | ||
|
||
# restart Katsu to load the config. | ||
./bentoctl.bash restart katsu | ||
``` | ||
|
||
### Apply the discovery configuration at the project or dataset level | ||
|
||
These operations must be performed in `bento_web` by an authenticated user | ||
with the `edit:dataset`, `create:dataset`, `edit:project`, `create:project` permissions. | ||
|
||
Before creating/editing a project/dataset to specify a discovery configuration, | ||
make sure that the JSON file is in Bento's dropbox. | ||
|
||
At project/dataset creation, leaving the discovery field empty is permitted. | ||
Specify a discovery config by selecting the desired file from the drop-down options. | ||
|
||
![Specifying a discovery at project creation.](./img/discovery_proj_creation.png) | ||
|
||
During project/dataset editing, three radio buttons are shown, allowing the user to pick the existing value, | ||
a new value from file, or none. The 'none' option is equivalent to leaving the field empty at creation. | ||
|
||
![Modifying the discovery when editing a project](./img/discovery_proj_edit.png) |
Oops, something went wrong.