feat: use service account for tiled insertion #1398

Open
ZohebShaikh wants to merge 11 commits into main from service-account

Conversation


@ZohebShaikh ZohebShaikh commented Feb 17, 2026

AuthZ Changes here


codecov bot commented Feb 17, 2026

Codecov Report

❌ Patch coverage is 96.87500% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 95.16%. Comparing base (7881b4f) to head (a7095e1).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
src/blueapi/service/interface.py 80.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1398      +/-   ##
==========================================
+ Coverage   95.04%   95.16%   +0.12%     
==========================================
  Files          43       43              
  Lines        2786     3042     +256     
==========================================
+ Hits         2648     2895     +247     
- Misses        138      147       +9     


@ZohebShaikh ZohebShaikh marked this pull request as ready for review February 18, 2026 12:07
@ZohebShaikh ZohebShaikh requested a review from a team as a code owner February 18, 2026 12:07
@tpoliaw tpoliaw left a comment

Running plans seems to work ok but I'm getting a 500 Internal Server Error when trying to access tiled through its docs UI.

Not sure if it's a bug on our side or theirs but from the tiled logs it's coming from the dls.py module

[...]
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/router.py", line 329, in search
tiled-1  |     entry = await get_entry(
tiled-1  |             ^^^^^^^^^^^^^^^^
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/dependencies.py", line 49, in get_entry
tiled-1  |     entry = await filter_for_access(
tiled-1  |             ^^^^^^^^^^^^^^^^^^^^^^^^
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/utils.py", line 104, in filter_for_access
tiled-1  |     await access_policy.allowed_scopes(
tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/access_control/access_policies.py", line 562, in allowed_scopes
tiled-1  |     self.build_input(
tiled-1  |   File "/deploy/config/dls.py", line 101, in build_input
tiled-1  |     principal.type is PrincipalType.external
tiled-1  |     ^^^^^^^^^^^^^^
tiled-1  | AttributeError: 'NoneType' object has no attribute 'type'

diamond-policies:
service: ghcr
resource: ghcr.io/diamondlightsource/authz-policy:0.0.18
resource: ghcr.io/zohebshaikh/authz-policy:0.2.2
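Review bot: the policy bundle reference in this hunk moves from the organisation namespace (ghcr.io/diamondlightsource/authz-policy:0.0.18) to a personal namespace (ghcr.io/zohebshaikh/authz-policy:0.2.2). Pulling the authorisation policy from an individual's registry namespace means whoever controls that account controls the access rules every deployment enforces; point the compose file back at the diamondlightsource image once the authz update is published, and consider pinning the image by digest rather than by mutable tag so the policy cannot be replaced without a visible change here.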

This should wait for the authz update before it's merged


tpoliaw commented Feb 19, 2026

When running a plan with an unexpected instrument session, eg cm12345-2 I'm getting an error from blueapi that appears to come from tiled. Is the local compose environment using a service account or still relying on user authorisation?

Error: server error with this message: 403: Access policy rejects the provided access blob.
Permission denied not able to add the node http://localhost:8407/api/v1/metadata/

@ZohebShaikh

> Running plans seems to work ok but I'm getting a 500 Internal Server Error when trying to access tiled through its docs UI.
>
> Not sure if it's a bug on our side or theirs but from the tiled logs it's coming from the dls.py module
>
> [...]
> tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/router.py", line 329, in search
> tiled-1  |     entry = await get_entry(
> tiled-1  |             ^^^^^^^^^^^^^^^^
> tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/dependencies.py", line 49, in get_entry
> tiled-1  |     entry = await filter_for_access(
> tiled-1  |             ^^^^^^^^^^^^^^^^^^^^^^^^
> tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/server/utils.py", line 104, in filter_for_access
> tiled-1  |     await access_policy.allowed_scopes(
> tiled-1  |   File "/app/lib/python3.12/site-packages/tiled/access_control/access_policies.py", line 562, in allowed_scopes
> tiled-1  |     self.build_input(
> tiled-1  |   File "/deploy/config/dls.py", line 101, in build_input
> tiled-1  |     principal.type is PrincipalType.external
> tiled-1  |     ^^^^^^^^^^^^^^
> tiled-1  | AttributeError: 'NoneType' object has no attribute 'type'

Try going to localhost:4181 for tiled authenticated access

@ZohebShaikh

> When running a plan with an unexpected instrument session, eg cm12345-2 I'm getting an error from blueapi that appears to come from tiled. Is the local compose environment using a service account or still relying on user authorisation?
>
> Error: server error with this message: 403: Access policy rejects the provided access blob.
> Permission denied not able to add the node http://localhost:8407/api/v1/metadata/

The service account only has permission for proposal 1 so this looks correct to me


tpoliaw commented Feb 19, 2026

> Try going to localhost:4181 for tiled authenticated access

Sure but I'd expect a 401/403 rather than a 500

> The service account only has permission for proposal 1 so this looks correct to me

I think I've misunderstood the premise here. I thought the service account could write anything.


ZohebShaikh commented Feb 19, 2026

The service account can write data only for a particular beamline or particular proposal, and the permissions can be set here. If we give a beamline permission to write to anything, they can potentially delete stuff from any beamline as well.

The 500 error I can fix, as it's coming from dls.py.
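An added example, not code from blueapi, tiled or the dls.py policy discussed in this thread, showing the two behaviours the reviewers expect from the access policy: a request with no principal is denied cleanly instead of being dereferenced (the 500), and a service account can only write inside the instrument sessions it has been granted (the 403 for cm12345-2). The Principal and Node classes, the grant table and the scope names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PrincipalType(Enum):
    USER = "user"
    SERVICE = "service"


@dataclass(frozen=True)
class Principal:
    type: PrincipalType
    identity: str


@dataclass(frozen=True)
class Node:
    """A catalogue entry tagged with the instrument session it belongs to."""
    instrument_session: Optional[str]


# Constructed grant table (assumption): which instrument sessions each
# service account may write into. Scoping writes per proposal keeps one
# beamline's account from overwriting or deleting another beamline's data.
SERVICE_ACCOUNT_GRANTS = {"blueapi-service": frozenset({"cm12345-1"})}
WRITE_SCOPES = frozenset({"read:metadata", "write:metadata", "write:data", "create"})
READ_SCOPES = frozenset({"read:metadata"})


def allowed_scopes(principal: Optional[Principal], node: Node) -> frozenset:
    """Scopes `principal` holds on `node`; always returns a set, never raises."""
    # No principal means an unauthenticated request. Returning no scopes lets
    # the server reply 401/403 instead of crashing on `principal.type`, which
    # is the AttributeError behind the 500 in the traceback above.
    if principal is None:
        return frozenset()
    if principal.type is PrincipalType.SERVICE:
        granted = SERVICE_ACCOUNT_GRANTS.get(principal.identity, frozenset())
        # A session outside the grant (e.g. cm12345-2) is a clean deny.
        return WRITE_SCOPES if node.instrument_session in granted else frozenset()
    return READ_SCOPES  # ordinary users are read-only in this example


def decide(principal: Optional[Principal], node: Node, scope: str) -> int:
    """Map the policy outcome to the HTTP status the server should send."""
    if principal is None:
        return 401  # authenticate first
    return 200 if scope in allowed_scopes(principal, node) else 403
```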
