Changed the service account setup

AMRC-FactoryPlus · Sep 9, 2024 · 2345368 · 2345368
1 parent 2b6bd17
commit 2345368
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 19 deletions.
diff --git a/acs-service-setup/dumps/uns.yaml b/acs-service-setup/dumps/uns.yaml
@@ -10,9 +10,6 @@ objects:
   !u ACS.Class.Permission:
     - !u ACS.Perm.MQTT.WriteToEntireUNS
     - !u ACS.Perm.MQTT.ReadEntireUNS
-  !u ACS.Class.ServiceAccount:
-    - !u ACS.ServiceAccount.SparkplugIngester
-    - !u ACS.ServiceAccount.HistorianUNS
 configs:
   !u UUIDs.App.Info:
     !u ACS.Perm.MQTT.WriteToEntireUNS: { name: "MQTT: Write to entire UNS" }
@@ -25,24 +22,13 @@ configs:
 ---
 service: !u UUIDs.Service.Authentication
 version: 1
-principals:
-  - uuid: !u ACS.ServiceAccount.SparkplugIngester
-    kerberos: sv1sparkplugingester@{{realm}}
-  - uuid: !u ACS.ServiceAccount.HistorianUNS
-    kerberos: sv1historianuns@{{realm}}
 aces:
-  - principal: !u ACS.ServiceAccount.SparkplugIngester
-    permission: !u ACS.Perm.MQTT.WriteToEntireUNS
-    target: !u UUIDs.Special.Null
-  - principal: !u ACS.ServiceAccount.SparkplugIngester
-    permission: !u ACS.Perm.MQTT.ReadWholeNamespace
-    target: !u UUIDs.Special.Null
-  - principal: !u ACS.ServiceAccount.SparkplugIngester
-    permission: !u UUIDs.Permission.CmdEsc.Rebirth
-    target: !u UUIDs.Special.Null
-  - principal: !u ACS.ServiceAccount.HistorianUNS
+  - principal: !u ACS.Group.HistorianUNS
     permission: !u ACS.Perm.MQTT.ReadEntireUNS
     target: !u UUIDs.Special.Null
+  - principal: !u ACS.Group.SparkplugIngesters
+    permission: !u ACS.Perm.MQTT.WriteToEntireUNS
+    target: !u UUIDs.Special.Self
 groups:
   !u ACS.Group.GlobalDebuggers:
-    - !u ACS.Perm.MQTT.ReadEntireUNS
+    - !u ACS.Group.SparkplugIngesters
diff --git a/acs-service-setup/lib/uuids.js b/acs-service-setup/lib/uuids.js
@@ -23,6 +23,8 @@ export const ACS = {
         EdgeGroups:         "9ba0de4b-056f-4b5e-b966-2d5d85d07767",
         EdgePermissions:    "7594cd71-e5b9-4467-88c0-b11a66d47fec",
         CentralMonitor:     "1bc3dbca-68fe-48d2-9590-3a528c111827",
+        SparkplugIngesters: "e414d355-b991-429b-8f5d-97e823ff71f5",
+        HistorianUNS:       "03f5f08a-f61e-4134-8f66-b2951e3bbb69",
     },
     Perm: {
         MQTT: {

diff --git a/deploy/templates/auth/principals/service-clients.yaml b/deploy/templates/auth/principals/service-clients.yaml
@@ -133,6 +133,15 @@ spec:
   type: Random
   principal: sv1sparkplugingester@{{ .Values.identity.realm | required "values.identity.realm is required!" }}
   secret: uns-ingester-sparkplug-keytabs/client
+  account:
+    class: e463b4ae-a322-46cc-8976-4ba76838e908
+    name: Sparkplug Ingester
+    groups:
+      - e414d355-b991-429b-8f5d-97e823ff71f5
+    sparkplug:
+      group: {{ .Values.acs.organisation }}-Service-Core
+      node: SparkplugIngester
+
 {{- end }}
 ---
 # In the future if we have any more ingesters then this should be
@@ -147,4 +156,13 @@ spec:
   type: Random
   principal: sv1historianuns@{{ .Values.identity.realm | required "values.identity.realm is required!" }}
   secret: historian-uns-keytabs/client
+  account:
+    class: e463b4ae-a322-46cc-8976-4ba76838e908
+    name: Historian UNS
+    groups:
+      - 03f5f08a-f61e-4134-8f66-b2951e3bbb69
+    sparkplug:
+      group: {{ .Values.acs.organisation }}-Service-Core
+      node: HistorianUNS
+
 {{- end }}