ID-1300 Admin Get Users by ID #1498
Conversation
| @@ -53,6 +54,13 @@ trait ServiceAdminRoutes extends SecurityDirectives with SamRequestContextDirect | |||
| .map(users => (if (users.nonEmpty) OK else NotFound) -> users) | |||
| } | |||
| } | |||
| } ~ | |||
| postWithTelemetry(samRequestContext) { | |||
There was a problem hiding this comment.
shouldnt this be get?
There was a problem hiding this comment.
I'm thinking POST, since the number of IDs could get pretty unwieldy in a url.
| complete { | ||
| userService.getUsersByIds(samUserIds, samRequestContext) | ||
| } | ||
| } |
There was a problem hiding this comment.
Should we have a limit on how many you can get at one time?
| // Assert | ||
| assert(response.isEmpty, "Getting a nonexistent user should not find a user") | ||
| } | ||
| } |
There was a problem hiding this comment.
should we have any test cases that assert the admin only functionality or is that properly covered by other tests?
There was a problem hiding this comment.
I believe this is covered by other tests, but I'll check.
There was a problem hiding this comment.
Found the test, but it was just named slightly wrong. It tests that only authorized service accounts can call the API
| $ref: '#/components/schemas/User' | ||
| 403: | ||
| description: You do not have service admin privileges | ||
| content: { } |
There was a problem hiding this comment.
Why isn't this #/components/schemas/ErrorReport like the 500 error?
| type: array | ||
| items: | ||
| $ref: '#/components/schemas/User' | ||
| 403: |
There was a problem hiding this comment.
I think you also need a block for a 400 response here (if someone requests > 1000 users)
|
Ticket: https://broadworkbench.atlassian.net/browse/ID-1300
In order for Orchestration to modify group membership using Sam User ID from ECM, it needs to be able to add users from the response to Sam Groups. Since Sam Group Endpoints only deal in email addresses, we need a way to get emails from Sam User IDs.
This is an admin-only functionality, as Sam User IDs should not be discoverable by other users. IE: A user can know their own Sam User ID, but should not be able to find out the Sam User IDs of others. Because of this, only authorized Terra Services will be able to call this API endpoint. In this case, its Thurloe and Orch.
Another idea is to make a V2 Sam Group API, which deals only in Sam User IDs, but that’s a much larger change and not necessary to accomplish the goal of deprecating Shibboleth and Thurloe.
PR checklist