forked from EirikHaughom/self-managed-osdu
-
Notifications
You must be signed in to change notification settings - Fork 0
/
manage-user.http
341 lines (275 loc) · 9.2 KB
/
manage-user.http
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
# -------HTTP REST CLIENT -------
# https://marketplace.visualstudio.com/items?itemName=humao.rest-client
## This script provides a few samples for calling entitlements v2.
# https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/blob/master/docs/bootstrap/bootstrap-groups-structure.md
# -----------------------
# OAUTH (Variables)
# -----------------------
###
@login_base = login.microsoftonline.com/{{TENANT_ID}}
@oauth_token_host = {{login_base}}/oauth2/v2.0/token
@scopes = {{CLIENT_ID}}/.default openid profile offline_access
# -----------------------
# OAUTH client_credentials
# -----------------------
###
# @name login
@login_base = login.microsoftonline.com/{{TENANT_ID}}
@oauth_token_host = {{login_base}}/oauth2/token
POST https://{{oauth_token_host}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id={{PRINCIPAL_ID}}
&client_secret={{PRINCIPAL_SECRET}}
&resource={{CLIENT_ID}}
# -----------------------
# API (Variables)
# -----------------------
###
@access_token = {{login.response.body.access_token}}
@ENDPOINT = https://{{OSDU_HOST}}
@ENTITLEMENTS_HOST = {{ENDPOINT}}/api/entitlements/v2
@data_partition_id = opendes
@domain = contoso.com
@user_group = users@{{data_partition_id}}.{{domain}}
# ---------------------------------
# Group Name
# ---------------------------------
# This is the identifier for the group you are adding.
@group_name = app.trusted
# ---------------------------------
# Group Type can be Editor/Admin/Ops/Viewer
# ---------------------------------
@editors_group_type=users.datalake.editors
@admins_group_type=users.datalake.admins
@ops_group_type=users.datalake.ops
@viewers_group_type=users.datalake.viewers
# ---------------------------------
# Group Type Email
# ---------------------------------
@group_type_email = {{admins_group_type}}@{{data_partition_id}}.{{domain}}
# ---------------------------------
# USER EMAIL ADDRESS
# ---------------------------------
# This is the identifier for the user you are adding.
# When using AAD, this is the email for the user if adding an AAD user.
# When using ADD and a Service principal this is the OID of the Service Principal.
@member_email = [email protected]
# -----------------------
# Create Users
# -----------------------
###
# Purpose: Create a new User.
# @name createUser
POST {{ENTITLEMENTS_HOST}}/groups/{{user_group}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": "{{member_email}}",
"role": "MEMBER"
}
# -----------------------
# Manage Roles
# -----------------------
###
# Purpose: Validate that the User has groups.
# @name getUserGroups
GET {{ENTITLEMENTS_HOST}}/members/{{member_email}}/groups?type=none
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: Assign the user to the datalake.viewers Group
# @name assignMemberToViewersGroup
@viewer_group = users.datalake.viewers@{{data_partition_id}}.{{domain}}
POST {{ENTITLEMENTS_HOST}}/groups/{{viewer_group}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": "{{member_email}}",
"role": "MEMBER"
}
###
# Purpose: Assign the user to the datalake.editors Group
# @name assignMemberToEditorsGroup
@editor_group = users.datalake.editors@{{data_partition_id}}.{{domain}}
POST {{ENTITLEMENTS_HOST}}/groups/{{editor_group}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": "{{member_email}}",
"role": "MEMBER"
}
###
# Purpose: Assign the user to the datalake.admins Group
# NOTE: This role can not delete for Legal, Schema or Storage
# @name assignMemberToAdminGroup
@admin_group = users.datalake.admins@{{data_partition_id}}.{{domain}}
POST {{ENTITLEMENTS_HOST}}/groups/{{admin_group}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": "{{member_email}}",
"role": "MEMBER"
}
###
# Purpose: Assign the user to the datalake.ops Group
# NOTE: This role can delete data
# @name assignMemberToOpsGroup
@ops_group = users.datalake.ops@{{data_partition_id}}.{{domain}}
POST {{ENTITLEMENTS_HOST}}/groups/{{ops_group}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": "{{member_email}}",
"role": "MEMBER"
}
###
# Purpose: List the Users with the Role of Reader
# @name listMembersInViewersGroup
GET {{ENTITLEMENTS_HOST}}/groups/{{viewer_group}}/members/
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: List the Users with the Role of Contributor
# @name listMembersInEditorsGroup
GET {{ENTITLEMENTS_HOST}}/groups/{{editor_group}}/members/
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: List the Users with the Role of Admin
# @name listMembersInAdminGroup
GET {{ENTITLEMENTS_HOST}}/groups/{{admin_group}}/members/
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: List the Users with the Role of Owner
# @name listMembersInOpsGropu
GET {{ENTITLEMENTS_HOST}}/groups/{{ops_group}}/members/
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: Remove the Owner Role from a User
# @name removeMemberFromOpsGroup
DELETE {{ENTITLEMENTS_HOST}}/groups/{{ops_group}}/members/{{member_email}}
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: Remove the Admin Role from a User
# @name removeMemberFromAdminsGroup
DELETE {{ENTITLEMENTS_HOST}}/groups/{{admin_group}}/members/{{member_email}}
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: Remove the Contributor Role from a User
# @name removeMemberFromEditorsGroup
DELETE {{ENTITLEMENTS_HOST}}/groups/{{editor_group}}/members/{{member_email}}
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
###
# Purpose: Remove the Reader Role from a User
# @name removeMemberFromViewersGroup
DELETE {{ENTITLEMENTS_HOST}}/groups/{{viewer_group}}/members/{{member_email}}
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
# -----------------------
# Delete Users
# -----------------------
###
# Purpose: Delete User
# @name deleteUser
DELETE {{ENTITLEMENTS_HOST}}/members/{{member_email}}
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
# -----------------------------------------------------------------------------------------------------------------
# These actions are part of deployment processes.
# -----------------------------------------------------------------------------------------------------------------
# ---------------------------------
# Inititalize Users for a Partition
# ---------------------------------
###
# Purpose: Initialize a Partition.
# NOTE: This API can ONLY be called by the application service principal.
# @name tenantInit
POST {{ENTITLEMENTS_HOST}}/tenant-provisioning
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
###
# Purpose: Validate the Owner of the Partition.
# NOTE: The Owner of the partition by default is the service principal.
# @name rootGroups
GET {{ENTITLEMENTS_HOST}}/groups
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
# -----------------------
# Create Group
# -----------------------
###
# Purpose: Create a new Group.
# @name createGroup
POST {{ENTITLEMENTS_HOST}}/groups
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"name": "{{group_name}}",
"description": "My Group"
}
# -----------------------
# Add admin user to group
# -----------------------
###
# Purpose: Allow group type to access the group.
# @name addAccessToGroupType
POST {{ENTITLEMENTS_HOST}}/groups/{{group_name}}@{{data_partition_id}}.{{domain}}/members
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json
{
"email": {{group_type_email}},
"role": "MEMBER"
}
# -----------------------
# Get All groups
# -----------------------
###
# Purpose: Get all Groups.
# @name getAllGroups
GET {{ENTITLEMENTS_HOST}}/groups
Authorization: Bearer {{access_token}}
Accept: application/json
data-partition-id: {{data_partition_id}}
Content-Type: application/json