Gen3 Monthly Release 2022.11 brh.data-commons.org 1669060956

[PlanXCyborg]

Applying version 2022.11 to brh.data-commons.org

[PlanXCyborg]

brh.data-commons.org/manifest.json

Deployment changes

• arborist
  • Replace Travis with a GitHub workflow for CI (Fix lint CI + replace travis with GH workflow arborist#150)
• fence
  • Configure the ALLOWED_DATA_UPLOAD_BUCKETS setting to allow users to upload to buckets other than DATA_UPLOAD_BUCKET (PXP-10361 Allow specifying the upload bucket fence#1051)
  • B/c the default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP, you MUST ensure that an instance that should comply with FedRAMP does NOT override this fence configuration (e.g. it should be 15 minutes) SESSION_TIMEOUT: 900 (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • Requires a Fence DB migration (Client.redirect_uri is now optional) (PXP-10113 Client credentials grant fence#1033)
  • Requires database migration for a new table to Fence, google Access expiration to add new expires column, and to create iss_sub_pair_to_user table Update manifest.json #968 updated BRAIN production data model to 1.0.0 #963 feat(stage-tiered-access): Updated portal versions to fix tiered acce… #973 (Feat/passport fence#964)
  • Requires Arborist >= 2022.04 OR >=3.4.0 (PXP-9480): Support merge param for PUT /resource endpoint arborist#143 (Feat/passport fence#964)
  • To enable Passports -> DRS in an environment you must update Fence Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true (only do this after coordinating with the environment owner as this has several requirements before it can be enabled, including the need to use Indexd's authz field in ALL records rather than acl) (Feat/passport fence#964)

Breaking changes

• arborist
  • The GET /auth/mapping endpoint does not accept username as a query parameter anymore. It only supports parsing the username from the provided JWT. To specify a username, use the POST /auth/mapping endpoint. (PXP-10229 Client auth mapping arborist#153)
• fence
  • Default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • URL Signing when no_force_sign query param is provided: Previously Fence would make a decision based off if the data was public and no_force_sign provided. Fence will now NEVER sign if no_force_sign is provided (since the concept of "public" data has been abstracted out of Fence. Data access - public or not - is the sole responsibility of the policy engine). In other words, if no_force_sign is provided at the API level, Fence will respect that regardless of whether the resulting URL will actually work. The default Fence behavior should remain the same. chore(jupyter-nde1.1.0) #988 (Feat/passport fence#964)
• indexd
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (fix(migrate): improve acl->authz migration, remove deprecated endpoints indexd#336)

[PlanXCyborg]

brh.data-commons.org/manifest.json

Deployment changes

• arborist
  • Replace Travis with a GitHub workflow for CI (Fix lint CI + replace travis with GH workflow arborist#150)
• fence
  • Configure the ALLOWED_DATA_UPLOAD_BUCKETS setting to allow users to upload to buckets other than DATA_UPLOAD_BUCKET (PXP-10361 Allow specifying the upload bucket fence#1051)
  • B/c the default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP, you MUST ensure that an instance that should comply with FedRAMP does NOT override this fence configuration (e.g. it should be 15 minutes) SESSION_TIMEOUT: 900 (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • Requires a Fence DB migration (Client.redirect_uri is now optional) (PXP-10113 Client credentials grant fence#1033)
  • Requires database migration for a new table to Fence, google Access expiration to add new expires column, and to create iss_sub_pair_to_user table Update manifest.json #968 updated BRAIN production data model to 1.0.0 #963 feat(stage-tiered-access): Updated portal versions to fix tiered acce… #973 (Feat/passport fence#964)
  • Requires Arborist >= 2022.04 OR >=3.4.0 (PXP-9480): Support merge param for PUT /resource endpoint arborist#143 (Feat/passport fence#964)
  • To enable Passports -> DRS in an environment you must update Fence Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true (only do this after coordinating with the environment owner as this has several requirements before it can be enabled, including the need to use Indexd's authz field in ALL records rather than acl) (Feat/passport fence#964)

Breaking changes

• arborist
  • The GET /auth/mapping endpoint does not accept username as a query parameter anymore. It only supports parsing the username from the provided JWT. To specify a username, use the POST /auth/mapping endpoint. (PXP-10229 Client auth mapping arborist#153)
• fence
  • Default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • URL Signing when no_force_sign query param is provided: Previously Fence would make a decision based off if the data was public and no_force_sign provided. Fence will now NEVER sign if no_force_sign is provided (since the concept of "public" data has been abstracted out of Fence. Data access - public or not - is the sole responsibility of the policy engine). In other words, if no_force_sign is provided at the API level, Fence will respect that regardless of whether the resulting URL will actually work. The default Fence behavior should remain the same. chore(jupyter-nde1.1.0) #988 (Feat/passport fence#964)
• indexd
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (fix(migrate): improve acl->authz migration, remove deprecated endpoints indexd#336)

[PlanXCyborg]

brh.data-commons.org/manifest.json

Deployment changes

• arborist
  • Replace Travis with a GitHub workflow for CI (Fix lint CI + replace travis with GH workflow arborist#150)
• fence
  • Configure the ALLOWED_DATA_UPLOAD_BUCKETS setting to allow users to upload to buckets other than DATA_UPLOAD_BUCKET (PXP-10361 Allow specifying the upload bucket fence#1051)
  • B/c the default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP, you MUST ensure that an instance that should comply with FedRAMP does NOT override this fence configuration (e.g. it should be 15 minutes) SESSION_TIMEOUT: 900 (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • Requires a Fence DB migration (Client.redirect_uri is now optional) (PXP-10113 Client credentials grant fence#1033)
  • Requires database migration for a new table to Fence, google Access expiration to add new expires column, and to create iss_sub_pair_to_user table Update manifest.json #968 updated BRAIN production data model to 1.0.0 #963 feat(stage-tiered-access): Updated portal versions to fix tiered acce… #973 (Feat/passport fence#964)
  • Requires Arborist >= 2022.04 OR >=3.4.0 (PXP-9480): Support merge param for PUT /resource endpoint arborist#143 (Feat/passport fence#964)
  • To enable Passports -> DRS in an environment you must update Fence Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true (only do this after coordinating with the environment owner as this has several requirements before it can be enabled, including the need to use Indexd's authz field in ALL records rather than acl) (Feat/passport fence#964)
• portal
  • this change assumes WTS is already a core/central service. The dependency is hereby moved to the homepage (instead of the ./workspace page) (Centralize WTS refresh token initialization data-portal#1095)

Breaking changes

• arborist
  • The GET /auth/mapping endpoint does not accept username as a query parameter anymore. It only supports parsing the username from the provided JWT. To specify a username, use the POST /auth/mapping endpoint. (PXP-10229 Client auth mapping arborist#153)
• fence
  • Default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • URL Signing when no_force_sign query param is provided: Previously Fence would make a decision based off if the data was public and no_force_sign provided. Fence will now NEVER sign if no_force_sign is provided (since the concept of "public" data has been abstracted out of Fence. Data access - public or not - is the sole responsibility of the policy engine). In other words, if no_force_sign is provided at the API level, Fence will respect that regardless of whether the resulting URL will actually work. The default Fence behavior should remain the same. chore(jupyter-nde1.1.0) #988 (Feat/passport fence#964)
• indexd
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (Revert "Revert "fix(migrate): improve acl->authz migration, remove de… indexd#338)
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (fix(migrate): improve acl->authz migration, remove deprecated endpoints indexd#336)

[PlanXCyborg]

brh.data-commons.org/manifest.json

Deployment changes

• arborist
  • Replace Travis with a GitHub workflow for CI (Fix lint CI + replace travis with GH workflow arborist#150)
• fence
  • Configure the ALLOWED_DATA_UPLOAD_BUCKETS setting to allow users to upload to buckets other than DATA_UPLOAD_BUCKET (PXP-10361 Allow specifying the upload bucket fence#1051)
  • B/c the default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP, you MUST ensure that an instance that should comply with FedRAMP does NOT override this fence configuration (e.g. it should be 15 minutes) SESSION_TIMEOUT: 900 (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • Requires a Fence DB migration (Client.redirect_uri is now optional) (PXP-10113 Client credentials grant fence#1033)
  • Requires database migration for a new table to Fence, google Access expiration to add new expires column, and to create iss_sub_pair_to_user table Update manifest.json #968 updated BRAIN production data model to 1.0.0 #963 feat(stage-tiered-access): Updated portal versions to fix tiered acce… #973 (Feat/passport fence#964)
  • Requires Arborist >= 2022.04 OR >=3.4.0 (PXP-9480): Support merge param for PUT /resource endpoint arborist#143 (Feat/passport fence#964)
  • To enable Passports -> DRS in an environment you must update Fence Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true (only do this after coordinating with the environment owner as this has several requirements before it can be enabled, including the need to use Indexd's authz field in ALL records rather than acl) (Feat/passport fence#964)
• portal
  • this change assumes WTS is already a core/central service. The dependency is hereby moved to the homepage (instead of the ./workspace page) (Centralize WTS refresh token initialization data-portal#1095)

Breaking changes

• arborist
  • The GET /auth/mapping endpoint does not accept username as a query parameter anymore. It only supports parsing the username from the provided JWT. To specify a username, use the POST /auth/mapping endpoint. (PXP-10229 Client auth mapping arborist#153)
• fence
  • Default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • URL Signing when no_force_sign query param is provided: Previously Fence would make a decision based off if the data was public and no_force_sign provided. Fence will now NEVER sign if no_force_sign is provided (since the concept of "public" data has been abstracted out of Fence. Data access - public or not - is the sole responsibility of the policy engine). In other words, if no_force_sign is provided at the API level, Fence will respect that regardless of whether the resulting URL will actually work. The default Fence behavior should remain the same. chore(jupyter-nde1.1.0) #988 (Feat/passport fence#964)
• indexd
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (Revert "Revert "fix(migrate): improve acl->authz migration, remove de… indexd#338)
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (fix(migrate): improve acl->authz migration, remove deprecated endpoints indexd#336)

[PlanXCyborg]

brh.data-commons.org/manifest.json

Deployment changes

• arborist
  • Replace Travis with a GitHub workflow for CI (Fix lint CI + replace travis with GH workflow arborist#150)
• fence
  • Configure the ALLOWED_DATA_UPLOAD_BUCKETS setting to allow users to upload to buckets other than DATA_UPLOAD_BUCKET (PXP-10361 Allow specifying the upload bucket fence#1051)
  • B/c the default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP, you MUST ensure that an instance that should comply with FedRAMP does NOT override this fence configuration (e.g. it should be 15 minutes) SESSION_TIMEOUT: 900 (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • Requires a Fence DB migration (Client.redirect_uri is now optional) (PXP-10113 Client credentials grant fence#1033)
  • Requires database migration for a new table to Fence, google Access expiration to add new expires column, and to create iss_sub_pair_to_user table Update manifest.json #968 updated BRAIN production data model to 1.0.0 #963 feat(stage-tiered-access): Updated portal versions to fix tiered acce… #973 (Feat/passport fence#964)
  • Requires Arborist >= 2022.04 OR >=3.4.0 (PXP-9480): Support merge param for PUT /resource endpoint arborist#143 (Feat/passport fence#964)
  • To enable Passports -> DRS in an environment you must update Fence Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true (only do this after coordinating with the environment owner as this has several requirements before it can be enabled, including the need to use Indexd's authz field in ALL records rather than acl) (Feat/passport fence#964)
• portal
  • this change assumes WTS is already a core/central service. The dependency is hereby moved to the homepage (instead of the ./workspace page) (Centralize WTS refresh token initialization data-portal#1095)

Breaking changes

• arborist
  • The GET /auth/mapping endpoint does not accept username as a query parameter anymore. It only supports parsing the username from the provided JWT. To specify a username, use the POST /auth/mapping endpoint. (PXP-10229 Client auth mapping arborist#153)
• fence
  • Default session expiration changed from 30 minutes to 15 minutes to comply with FedRAMP (feat(session): change default to 15 minutes [PPS-122] fence#1040)
  • URL Signing when no_force_sign query param is provided: Previously Fence would make a decision based off if the data was public and no_force_sign provided. Fence will now NEVER sign if no_force_sign is provided (since the concept of "public" data has been abstracted out of Fence. Data access - public or not - is the sole responsibility of the policy engine). In other words, if no_force_sign is provided at the API level, Fence will respect that regardless of whether the resulting URL will actually work. The default Fence behavior should remain the same. chore(jupyter-nde1.1.0) #988 (Feat/passport fence#964)
• indexd
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (Revert "Revert "fix(migrate): improve acl->authz migration, remove de… indexd#338)
  • Ensure you are using Fence>=2021.10. Remove deprecated GA4GH access endpoints. these have existed (and been used) from the Fence microservice since last year. See cloud automation change here (fix(migrate): improve acl->authz migration, remove deprecated endpoints indexd#336)