feat: link data connectors to projects (#410)

Adds the possibility to link a data connector to a project.

Details:
* Add API to link a data connector to a project
* Add API to list projects connected to a data connector
* Add API to list data connectors connected to a project

Note that `read` permissions are cascaded to direct members of the connected project.

* Creating a link from a private data connector to a project requires the `editor` role on both sides of the link.
* Creating a link from a public data connector to a project requires the `editor` role on the project.
* Removing a link requires either the `editor` role on the project or the `owner` role on the data connector.

Author: leafty

bases/renku_data_services/data_api/app.py

@@ -139,6 +139,7 @@ def register_all_handlers(app: Sanic, config: Config) -> Sanic:
         name="data_connectors",
         url_prefix=url_prefix,
         data_connector_repo=config.data_connector_repo,
+        data_connector_to_project_link_repo=config.data_connector_to_project_link_repo,
         authenticator=config.authenticator,
     )
     app.blueprint(

components/renku_data_services/app_config/config.py

@@ -44,7 +44,7 @@
     ServerOptionsDefaults,
     generate_default_resource_pool,
 )
-from renku_data_services.data_connectors.db import DataConnectorRepository
+from renku_data_services.data_connectors.db import DataConnectorProjectLinkRepository, DataConnectorRepository
 from renku_data_services.db_config import DBConfig
 from renku_data_services.git.gitlab import DummyGitlabAPI, GitlabAPI
 from renku_data_services.k8s.clients import DummyCoreClient, DummySchedulingClient, K8sCoreClient, K8sSchedulingClient
@@ -177,6 +177,9 @@ class Config:
     _git_repositories_repo: GitRepositoriesRepository | None = field(default=None, repr=False, init=False)
     _platform_repo: PlatformRepository | None = field(default=None, repr=False, init=False)
     _data_connector_repo: DataConnectorRepository | None = field(default=None, repr=False, init=False)
+    _data_connector_to_project_link_repo: DataConnectorProjectLinkRepository | None = field(
+        default=None, repr=False, init=False
+    )
 
     def __post_init__(self) -> None:
         spec_file = Path(renku_data_services.crc.__file__).resolve().parent / "api.spec.yaml"
@@ -415,6 +418,15 @@ def data_connector_repo(self) -> DataConnectorRepository:
             )
         return self._data_connector_repo
 
+    @property
+    def data_connector_to_project_link_repo(self) -> DataConnectorProjectLinkRepository:
+        """The DB adapter for data connector to project links."""
+        if not self._data_connector_to_project_link_repo:
+            self._data_connector_to_project_link_repo = DataConnectorProjectLinkRepository(
+                session_maker=self.db.async_session_maker, authz=self.authz
+            )
+        return self._data_connector_to_project_link_repo
+
     @classmethod
     def from_env(cls, prefix: str = "") -> "Config":
         """Create a config from environment variables."""

components/renku_data_services/authz/authz.py

@@ -32,7 +32,7 @@
 from renku_data_services.authz.config import AuthzConfig
 from renku_data_services.authz.models import Change, Member, MembershipChange, Role, Scope, Visibility
 from renku_data_services.base_models.core import InternalServiceAdmin
-from renku_data_services.data_connectors.models import DataConnector, DataConnectorUpdate
+from renku_data_services.data_connectors.models import DataConnector, DataConnectorToProjectLink, DataConnectorUpdate
 from renku_data_services.errors import errors
 from renku_data_services.namespace.models import Group, GroupUpdate, Namespace, NamespaceKind, NamespaceUpdate
 from renku_data_services.project.models import Project, ProjectUpdate
@@ -59,6 +59,7 @@ def authz(self) -> "Authz":
     | list[UserInfo]
     | DataConnector
     | DataConnectorUpdate
+    | DataConnectorToProjectLink
     | None,
 )
 _T = TypeVar("_T")
@@ -97,6 +98,7 @@ class _Relation(StrEnum):
     project_namespace: str = "project_namespace"
     data_connector_platform: str = "data_connector_platform"
     data_connector_namespace: str = "data_connector_namespace"
+    linked_to: str = "linked_to"
 
     @classmethod
     def from_role(cls, role: Role) -> "_Relation":
@@ -140,6 +142,8 @@ class AuthzOperation(StrEnum):
     update: str = "update"
     update_or_insert: str = "update_or_insert"
     insert_many: str = "insert_many"
+    create_link: str = "create_link"
+    delete_link: str = "delete_link"
 
 
 class _AuthzConverter:
@@ -539,6 +543,19 @@ async def _get_authz_change(
                     if result.old.namespace.id != result.new.namespace.id:
                         user = _extract_user_from_args(*func_args, **func_kwargs)
                         authz_change.extend(await db_repo.authz._update_data_connector_namespace(user, result.new))
+                case AuthzOperation.create_link, ResourceType.data_connector if isinstance(
+                    result, DataConnectorToProjectLink
+                ):
+                    user = _extract_user_from_args(*func_args, **func_kwargs)
+                    authz_change = await db_repo.authz._add_data_connector_to_project_link(user, result)
+                case AuthzOperation.delete_link, ResourceType.data_connector if result is None:
+                    # NOTE: This means that the link does not exist in the first place so nothing was deleted
+                    pass
+                case AuthzOperation.delete_link, ResourceType.data_connector if isinstance(
+                    result, DataConnectorToProjectLink
+                ):
+                    user = _extract_user_from_args(*func_args, **func_kwargs)
+                    authz_change = await db_repo.authz._remove_data_connector_to_project_link(user, result)
                 case _:
                     resource_id: str | ULID | None = "unknown"
                     if isinstance(result, (Project, Namespace, Group, DataConnector)):
@@ -664,6 +681,17 @@ async def _remove_project(
             ReadRelationshipsRequest(consistency=consistency, relationship_filter=rel_filter)
         )
         rels: list[Relationship] = []
+        async for response in responses:
+            rels.append(response.relationship)
+        # Project is also a subject for "linked_to" relations
+        rel_filter = RelationshipFilter(
+            optional_subject_filter=SubjectFilter(
+                subject_type=ResourceType.project.value, optional_subject_id=str(project.id)
+            )
+        )
+        responses: AsyncIterable[ReadRelationshipsResponse] = self.client.ReadRelationships(
+            ReadRelationshipsRequest(consistency=consistency, relationship_filter=rel_filter)
+        )
         async for response in responses:
             rels.append(response.relationship)
         apply = WriteRelationshipsRequest(
@@ -1617,3 +1645,82 @@ async def _update_data_connector_namespace(
             ]
         )
         return _AuthzChange(apply=apply_change, undo=undo_change)
+
+    async def _add_data_connector_to_project_link(
+        self, user: base_models.APIUser, link: DataConnectorToProjectLink
+    ) -> _AuthzChange:
+        """Links a data connector to a project."""
+        # NOTE: we manually check for permissions here since it is not trivially expressed through decorators
+        allowed_from = await self.has_permission(
+            user, ResourceType.data_connector, link.data_connector_id, Scope.ADD_LINK
+        )
+        if not allowed_from:
+            raise errors.MissingResourceError(
+                message=f"The user with ID {user.id} cannot perform operation {Scope.ADD_LINK} "
+                f"on {ResourceType.data_connector.value} "
+                f"with ID {link.data_connector_id} or the resource does not exist."
+            )
+        allowed_to = await self.has_permission(user, ResourceType.project, link.project_id, Scope.WRITE)
+        if not allowed_to:
+            raise errors.MissingResourceError(
+                message=f"The user with ID {user.id} cannot perform operation {Scope.WRITE} "
+                f"on {ResourceType.project.value} "
+                f"with ID {link.project_id} or the resource does not exist."
+            )
+
+        data_connector_res = _AuthzConverter.data_connector(link.data_connector_id)
+        project_subject = SubjectReference(object=_AuthzConverter.project(link.project_id))
+        relationship = Relationship(
+            resource=data_connector_res,
+            relation=_Relation.linked_to.value,
+            subject=project_subject,
+        )
+        apply = WriteRelationshipsRequest(
+            updates=[RelationshipUpdate(operation=RelationshipUpdate.OPERATION_TOUCH, relationship=relationship)]
+        )
+        undo = WriteRelationshipsRequest(
+            updates=[RelationshipUpdate(operation=RelationshipUpdate.OPERATION_DELETE, relationship=relationship)]
+        )
+        change = _AuthzChange(
+            apply=apply,
+            undo=undo,
+        )
+        return change
+
+    async def _remove_data_connector_to_project_link(
+        self, user: base_models.APIUser, link: DataConnectorToProjectLink
+    ) -> _AuthzChange:
+        """Remove the relationships associated with the link from a data connector to a project."""
+        # NOTE: we manually check for permissions here since it is not trivially expressed through decorators
+        allowed_from = await self.has_permission(
+            user, ResourceType.data_connector, link.data_connector_id, Scope.DELETE
+        )
+        allowed_to, zed_token = await self._has_permission(user, ResourceType.project, link.project_id, Scope.WRITE)
+        allowed = allowed_from or allowed_to
+        if not allowed:
+            raise errors.MissingResourceError(
+                message=f"The user with ID {user.id} cannot perform operation {AuthzOperation.delete_link}"
+                f"on the data connector to project link with ID {link.id} or the resource does not exist."
+            )
+        consistency = Consistency(at_least_as_fresh=zed_token) if zed_token else Consistency(fully_consistent=True)
+        rel_filter = RelationshipFilter(
+            resource_type=ResourceType.data_connector.value,
+            optional_resource_id=str(link.data_connector_id),
+            optional_relation=_Relation.linked_to.value,
+            optional_subject_filter=SubjectFilter(
+                subject_type=ResourceType.project.value, optional_subject_id=str(link.project_id)
+            ),
+        )
+        responses: AsyncIterable[ReadRelationshipsResponse] = self.client.ReadRelationships(
+            ReadRelationshipsRequest(consistency=consistency, relationship_filter=rel_filter)
+        )
+        rels: list[Relationship] = []
+        async for response in responses:
+            rels.append(response.relationship)
+        apply = WriteRelationshipsRequest(
+            updates=[RelationshipUpdate(operation=RelationshipUpdate.OPERATION_DELETE, relationship=i) for i in rels]
+        )
+        undo = WriteRelationshipsRequest(
+            updates=[RelationshipUpdate(operation=RelationshipUpdate.OPERATION_TOUCH, relationship=i) for i in rels]
+        )
+        return _AuthzChange(apply=apply, undo=undo)

components/renku_data_services/authz/models.py

@@ -50,6 +50,7 @@ class Scope(Enum):
     DELETE: str = "delete"
     CHANGE_MEMBERSHIP: str = "change_membership"
     READ_CHILDREN: str = "read_children"
+    ADD_LINK: str = "add_link"
 
 
 @dataclass

components/renku_data_services/data_connectors/api.spec.yaml

@@ -51,7 +51,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
     post:
       summary: Create a new data connector
       requestBody:
@@ -70,7 +70,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
   /data_connectors/{data_connector_id}:
     parameters:
       - in: path
@@ -97,7 +97,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
     patch:
       summary: Update specific fields of an existing data connector
       parameters:
@@ -124,7 +124,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
     delete:
       summary: Remove a data connector
       responses:
@@ -133,7 +133,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
   /namespaces/{namespace}/data_connectors/{slug}:
     parameters:
       - in: path
@@ -164,8 +164,70 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
-
+        - data_connectors
+  /data_connectors/{data_connector_id}/project_links:
+    parameters:
+      - in: path
+        name: data_connector_id
+        required: true
+        schema:
+          $ref: "#/components/schemas/Ulid"
+        description: the ID of the data connector
+    get:
+      summary: Get all links from a given data connector to projects
+      responses:
+        "200":
+          description: List of data connector to project links
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/DataConnectorToProjectLinksList"
+        default:
+          $ref: "#/components/responses/Error"
+      tags:
+        - data_connectors
+    post:
+      summary: Create a new link from a data connector to a project
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/DataConnectorToProjectLinkPost"
+      responses:
+        "201":
+          description: The data connector was connected to a project
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/DataConnectorToProjectLink"
+        default:
+          $ref: "#/components/responses/Error"
+      tags:
+        - data_connectors
+  /data_connectors/{data_connector_id}/project_links/{link_id}:
+    parameters:
+      - in: path
+        name: data_connector_id
+        required: true
+        schema:
+          $ref: "#/components/schemas/Ulid"
+        description: the ID of the data connector
+      - in: path
+        name: link_id
+        required: true
+        schema:
+          $ref: "#/components/schemas/Ulid"
+        description: the ID of the link between a data connector and a project
+    delete:
+      summary: Remove a link from a data connector to a project
+      responses:
+        "204":
+          description: The data connector was removed or did not exist in the first place
+        default:
+          $ref: "#/components/responses/Error"
+      tags:
+        - data_connectors
   /data_connectors/{data_connector_id}/secrets:
     parameters:
       - in: path
@@ -192,7 +254,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
     post:
       summary: Save secrets for a data connector
       requestBody:
@@ -211,7 +273,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
     delete:
       summary: Remove all saved secrets for a data connector
       responses:
@@ -220,7 +282,7 @@ paths:
         default:
           $ref: "#/components/responses/Error"
       tags:
-        - data connectors
+        - data_connectors
 components:
   schemas:
     DataConnectorsList:
@@ -401,6 +463,41 @@ components:
         - target_path
       example:
         storage_url: s3://giab
+    DataConnectorToProjectLinksList:
+      description: A list of links from a data connector to a project
+      type: array
+      items:
+        $ref: "#/components/schemas/DataConnectorToProjectLink"
+    DataConnectorToProjectLink:
+      description: A link from a data connector to a project in Renku 2.0
+      type: object
+      additionalProperties: false
+      properties:
+        id:
+          $ref: "#/components/schemas/Ulid"
+        data_connector_id:
+          $ref: "#/components/schemas/Ulid"
+        project_id:
+          $ref: "#/components/schemas/Ulid"
+        creation_date:
+          $ref: "#/components/schemas/CreationDate"
+        created_by:
+          $ref: "#/components/schemas/UserId"
+      required:
+        - id
+        - data_connector_id
+        - project_id
+        - creation_date
+        - created_by
+    DataConnectorToProjectLinkPost:
+      description: A link to be created from a data connector to a project in Renku 2.0
+      type: object
+      additionalProperties: false
+      properties:
+        project_id:
+          $ref: "#/components/schemas/Ulid"
+      required:
+        - project_id
     CloudStorageSecretPost:
       type: object
       description: Data for storing secret for a storage field