Posted to commits@datalab.apache.org by lf...@apache.org on 2021/08/26 09:10:06 UTC
[incubator-datalab] 01/01: [DATALAB-2538]: added permission
boundary for roles creation
This is an automated email from the ASF dual-hosted git repository.
lfrolov pushed a commit to branch DATALAB-2538
in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
commit 8b06a9705118c62e65bfea2e8d0026b7767f2bbe
Author: leonidfrolov <fr...@gmail.com>
AuthorDate: Thu Aug 26 12:09:46 2021 +0300
[DATALAB-2538]: added permission boundary for roles creation
---
infrastructure-provisioning/scripts/deploy_datalab.py | 1 +
infrastructure-provisioning/src/general/conf/datalab.ini | 2 ++
infrastructure-provisioning/src/general/lib/aws/actions_lib.py | 7 ++++++-
.../src/general/scripts/aws/common_create_role_policy.py | 3 ++-
.../src/general/scripts/aws/dataengine-service_create.py | 6 ++++--
.../src/general/scripts/aws/dataengine-service_prepare.py | 2 ++
.../src/general/scripts/aws/project_prepare.py | 4 ++++
infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py | 2 ++
8 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/infrastructure-provisioning/scripts/deploy_datalab.py b/infrastructure-provisioning/scripts/deploy_datalab.py
index 9eba556..01d359c 100644
--- a/infrastructure-provisioning/scripts/deploy_datalab.py
+++ b/infrastructure-provisioning/scripts/deploy_datalab.py
@@ -95,6 +95,7 @@ parser.add_argument('--aws_job_enabled', type=str, default='false', help='Billin
'true (aws), false(epam)')
parser.add_argument('--aws_report_path', type=str, default='', help='The path to billing reports directory in S3 '
'bucket')
+parser.add_argument('--aws_permissions_boundary_arn', type=str, default='', help='Permission boundary to be attached to new roles')
parser.add_argument('--azure_resource_group_name', type=str, default='', help='Name of Resource group in Azure')
parser.add_argument('--azure_auth_path', type=str, default='', help='Full path to Azure credentials JSON file')
parser.add_argument('--azure_datalake_enable', type=str, default='', help='Provision DataLake storage account')
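Review bot: The new `--aws_permissions_boundary_arn` option is accepted as a free-form string and never checked, so a mistyped value only surfaces much later as a failed `create_role` inside a provisioning script rather than at deploy time. A cheap shape check after `parser.parse_args()` catches the common typo early in both the `aws` and `aws-cn` partitions: `if args.aws_permissions_boundary_arn and not args.aws_permissions_boundary_arn.startswith('arn:'): parser.error('--aws_permissions_boundary_arn must be a policy ARN')`. The help text could also say "Policy ARN of the permissions boundary attached to every IAM role DataLab creates", since that is what the value is used for in actions_lib.py. The argument block continues outside the hunk.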
diff --git a/infrastructure-provisioning/src/general/conf/datalab.ini b/infrastructure-provisioning/src/general/conf/datalab.ini
index 9b049e6..58e4e7b 100644
--- a/infrastructure-provisioning/src/general/conf/datalab.ini
+++ b/infrastructure-provisioning/src/general/conf/datalab.ini
@@ -144,6 +144,8 @@ redhat_image_name = RHEL-7.4_HVM-20180103-x86_64-2-Hourly2-GP2
# report_path =
### Predefined policies for users instances
# user_predefined_s3_policies =
+### permissions_boundary_arn
+# permissions_boundary_arn =
#--- [azure] section contains all common parameters related to Azure ---#
diff --git a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
index b3810c2..34916cd 100644
--- a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
+++ b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py
@@ -554,7 +554,7 @@ def tag_emr_volume(cluster_id, node_name, billing_tag):
traceback.print_exc(file=sys.stdout)
-def create_iam_role(role_name, role_profile, region, service='ec2', tag=None, user_tag=None):
+def create_iam_role(role_name, role_profile, region, permissions_boundary='', service='ec2', tag=None, user_tag=None):
conn = boto3.client('iam')
try:
if region == 'cn-north-1':
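Review bot: The new `permissions_boundary` parameter is inserted between `region` and `service` on the `+def` line, so any caller that passes `service` positionally now silently hands the service name to the boundary and gets the default `ec2` as the trust principal. This commit itself already calls the function two different ways (positional in dataengine-service_create.py, out of order in common_create_role_policy.py), which is exactly the risk a mid-signature positional insert creates. Appending it after the existing parameters or making it keyword-only, `def create_iam_role(role_name, role_profile, region, service='ec2', tag=None, user_tag=None, *, permissions_boundary=''):`, and passing it by keyword at every call site removes that class of mistake. The body of `create_iam_role` continues past this hunk.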
@@ -563,6 +563,11 @@ def create_iam_role(role_name, role_profile, region, service='ec2', tag=None, us
AssumeRolePolicyDocument=
'{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["' + service +
'.amazonaws.com.cn"]},"Action":["sts:AssumeRole"]}]}')
+ elif permissions_boundary != '':
+ conn.create_role(
+ RoleName=role_name, PermissionsBoundary=permissions_boundary, AssumeRolePolicyDocument=
+ '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["' + service +
+ '.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}')
else:
conn.create_role(
RoleName=role_name, AssumeRolePolicyDocument=
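Review bot: The `elif permissions_boundary != ''` branch is only reached when `region != 'cn-north-1'`, so in the China region a configured permissions boundary is silently dropped and the role is created unbounded. For a control whose purpose is to cap what every DataLab-created role can do, a silent bypass is worse than a hard failure, and the three near-identical `create_role` calls make it easy to miss. Building the call once from the partition suffix and adding `PermissionsBoundary` only when set applies the boundary in every region and collapses the branches. The rest of `create_iam_role` (instance-profile handling, tagging) lies outside the hunk.
```python
        # Only the trust-policy principal differs by partition; the boundary
        # must be applied regardless of region, so it goes into the same call.
        suffix = '.amazonaws.com.cn' if region == 'cn-north-1' else '.amazonaws.com'
        role_kwargs = {
            'RoleName': role_name,
            'AssumeRolePolicyDocument':
                '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["' + service +
                suffix + '"]},"Action":["sts:AssumeRole"]}]}',
        }
        if permissions_boundary:
            role_kwargs['PermissionsBoundary'] = permissions_boundary
        conn.create_role(**role_kwargs)
        # … unchanged: remainder of create_iam_role …
```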
diff --git a/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py b/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py
index 2794e9c..7b80cf7 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py
@@ -29,6 +29,7 @@ from datalab.meta_lib import *
parser = argparse.ArgumentParser()
parser.add_argument('--role_name', type=str, default='')
parser.add_argument('--role_profile_name', type=str, default='')
+parser.add_argument('--permissions_boundary_arn', type=str, default='')
parser.add_argument('--policy_name', type=str, default='')
parser.add_argument('--policy_arn', type=str, default='')
parser.add_argument('--policy_file_name', type=str, default='')
@@ -47,7 +48,7 @@ if __name__ == "__main__":
tag = {"Key": args.infra_tag_name, "Value": args.infra_tag_value}
user_tag = {"Key": "user:tag", "Value": args.user_tag_value}
print("Creating role {0}, profile name {1}".format(args.role_name, args.role_profile_name))
- create_iam_role(args.role_name, args.role_profile_name, args.region, tag=tag, user_tag=user_tag)
+ create_iam_role(args.role_name, args.role_profile_name, args.permissions_boundary_arn, args.region, tag=tag, user_tag=user_tag)
else:
print("ROLE AND ROLE PROFILE ARE ALREADY CREATED")
print("ROLE {} created. IAM group {} created".format(args.role_name, args.role_profile_name))
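Review bot: The new call on the `+` line passes `args.permissions_boundary_arn` third and `args.region` fourth, but the signature this commit adds in actions_lib.py is `create_iam_role(role_name, role_profile, region, permissions_boundary='', ...)`, so `region` receives the ARN and `permissions_boundary` receives the region name. With a boundary configured the `region == 'cn-north-1'` check can never match, and in every case boto3 is asked to set `PermissionsBoundary` to a region name such as `us-west-2`, which is not a policy ARN, so role creation fails even when no boundary was requested. Passing the argument by keyword fixes the order and survives future signature changes: `create_iam_role(args.role_name, args.role_profile_name, args.region, permissions_boundary=args.permissions_boundary_arn, tag=tag, user_tag=user_tag)`. The enclosing `if`/`else` under `__main__` begins before this hunk.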
diff --git a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py
index 093cbfd..e304105 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py
@@ -54,6 +54,8 @@ parser.add_argument('--service_role', type=str, default='',
help='Role name EMR cluster (Default: "EMR_DefaultRole")')
parser.add_argument('--ec2_role', type=str, default='',
help='Role name for EC2 instances in cluster (Default: "EMR_EC2_DefaultRole")')
+parser.add_argument('--permissions_boundary_arn', type=str, default='',
+ help='permissions boundary to be attached to new roles')
parser.add_argument('--ssh_key', type=str, default='')
parser.add_argument('--availability_zone', type=str, default='')
parser.add_argument('--subnet', type=str, default='', help='Subnet CIDR')
@@ -421,7 +423,7 @@ if __name__ == "__main__":
print("There is no default EMR service role. Creating...")
create_iam_role(args.service_role,
args.service_role,
- args.region,
+ args.region, args.permissions_boundary_arn,
service='elasticmapreduce')
attach_policy(args.service_role,
policy_arn='arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole')
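Review bot: The boundary is passed only on the "There is no default EMR service role" path, so an `EMR_DefaultRole` that already exists in the account is used as-is, with whatever boundary it has or none; the same holds for the EMR EC2 role branch that follows. That may be intentional (these are AWS-managed default role names, and rewriting a shared role is a bigger decision), but a reader enforcing the boundary account-wide will assume every DataLab-used role carries it. Either state the limitation above the call, `# Boundary applies only to roles created here; a pre-existing default role is used unchanged`, or, if the intent is stronger, attach it to the existing role via `put_role_permissions_boundary` in the else path. The `if __name__` block around this hunk starts before it.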
@@ -429,7 +431,7 @@ if __name__ == "__main__":
print("There is no default EMR EC2 role. Creating...")
create_iam_role(args.ec2_role,
args.ec2_role,
- args.region)
+ args.region, args.permissions_boundary_arn)
attach_policy(args.ec2_role,
policy_arn='arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role')
upload_jars_parser(args)
diff --git a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py
index bf9da3b..bee05a4 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py
@@ -307,6 +307,8 @@ if __name__ == "__main__":
emr_conf['service_base_name'],
emr_conf['additional_emr_sg_name'],
emr_conf['configurations'])
+ if 'aws_permissions_boundary_arn' in os.environ:
+ params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
try:
subprocess.run("~/scripts/{}.py {}".format('dataengine-service_create', params), shell=True, check=True)
except:
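Review bot: The added `if 'aws_permissions_boundary_arn' in os.environ` tests for presence, not for a value; if the deploy script exports every option (its default for `--aws_permissions_boundary_arn` is `''`), the command ends in `--permissions_boundary_arn ` with nothing after it, argparse in dataengine-service_create.py rejects it, and the failure lands in the bare `except:` whose body is outside the hunk. The value is also interpolated unquoted into a `shell=True` command line; that is the file's existing pattern, but a new parameter is the place to stop extending it. `if os.environ.get('aws_permissions_boundary_arn'):` followed by `params = '{} --permissions_boundary_arn {}'.format(params, shlex.quote(os.environ['aws_permissions_boundary_arn']))` (with `import shlex` at the top) handles both. The `__main__` block continues on both sides of the hunk.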
diff --git a/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py
index 48497b2..8fa8836 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py
@@ -223,6 +223,8 @@ if __name__ == "__main__":
.format(project_conf['edge_role_name'], project_conf['edge_role_profile_name'],
project_conf['edge_policy_name'], os.environ['aws_region'], project_conf['tag_name'],
project_conf['service_base_name'], user_tag)
+ if 'aws_permissions_boundary_arn' in os.environ:
+ params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
try:
subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True)
except:
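Review bot: The presence check on the first `+` line appends `--permissions_boundary_arn` even when the variable is set to an empty string, which, if the deploy script exports its `''` default, leaves the flag without a value and makes common_create_role_policy.py exit with an argparse error inside the edge-role step. Using `os.environ.get('aws_permissions_boundary_arn')` as the condition skips the flag when there is nothing to pass, and wrapping the value in `shlex.quote(...)` keeps the `shell=True` command line below well-formed for any ARN. The surrounding `params` build begins before the hunk and the `except:` body is after it.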
@@ -243,6 +245,8 @@ if __name__ == "__main__":
project_conf['notebook_dataengine_role_profile_name'],
project_conf['notebook_dataengine_policy_name'], os.environ['aws_region'],
project_conf['tag_name'], project_conf['service_base_name'], user_tag)
+ if 'aws_permissions_boundary_arn' in os.environ:
+ params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
try:
subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True)
except:
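Review bot: This is the second copy of the same two-line snippet in this file, with the same presence-instead-of-value check; an empty exported `aws_permissions_boundary_arn` would break the notebook/dataengine role step here exactly as it would the edge-role step above. Computing the addition once near the top of `__main__`, `boundary_param = ' --permissions_boundary_arn {}'.format(shlex.quote(os.environ['aws_permissions_boundary_arn'])) if os.environ.get('aws_permissions_boundary_arn') else ''`, and appending `boundary_param` to each `params` string keeps the two role creations consistent and gives a single place to fix the check. The enclosing `__main__` block extends beyond the hunk in both directions.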
diff --git a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py
index bee2e3f..1482297 100644
--- a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py
+++ b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py
@@ -307,6 +307,8 @@ if __name__ == "__main__":
format(ssn_conf['role_name'], ssn_conf['role_profile_name'], ssn_conf['policy_name'],
ssn_conf['policy_path'], os.environ['aws_region'], ssn_conf['tag_name'],
ssn_conf['service_base_name'], ssn_conf['user_tag'])
+ if 'aws_permissions_boundary_arn' in os.environ:
+ params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn'])
try:
subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True)
except:
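Review bot: The new lines add `--permissions_boundary_arn` whenever the variable is present, so an empty value (the deploy script's default if it is exported verbatim) produces a flag with no argument and common_create_role_policy.py fails before the SSN role is created, which is the first role the deployment needs. Testing the value rather than the key, `if os.environ.get('aws_permissions_boundary_arn'):`, and quoting it with `shlex.quote` before splicing it into the `shell=True` command avoids both the empty-flag failure and an unquoted interpolation. The `params` assignment this appends to starts before the hunk.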