This is an automated email from the ASF dual-hosted git repository. lfrolov pushed a commit to branch DATALAB-2538 in repository https://gitbox.apache.org/repos/asf/incubator-datalab.git
commit 8b06a9705118c62e65bfea2e8d0026b7767f2bbe Author: leonidfrolov <[email protected]> AuthorDate: Thu Aug 26 12:09:46 2021 +0300 [DATALAB-2538]: added permission boundary for roles creation --- infrastructure-provisioning/scripts/deploy_datalab.py | 1 + infrastructure-provisioning/src/general/conf/datalab.ini | 2 ++ infrastructure-provisioning/src/general/lib/aws/actions_lib.py | 7 ++++++- .../src/general/scripts/aws/common_create_role_policy.py | 3 ++- .../src/general/scripts/aws/dataengine-service_create.py | 6 ++++-- .../src/general/scripts/aws/dataengine-service_prepare.py | 2 ++ .../src/general/scripts/aws/project_prepare.py | 4 ++++ infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py | 2 ++ 8 files changed, 23 insertions(+), 4 deletions(-) diff --git a/infrastructure-provisioning/scripts/deploy_datalab.py b/infrastructure-provisioning/scripts/deploy_datalab.py index 9eba556..01d359c 100644 --- a/infrastructure-provisioning/scripts/deploy_datalab.py +++ b/infrastructure-provisioning/scripts/deploy_datalab.py @@ -95,6 +95,7 @@ parser.add_argument('--aws_job_enabled', type=str, default='false', help='Billin 'true (aws), false(epam)') parser.add_argument('--aws_report_path', type=str, default='', help='The path to billing reports directory in S3 ' 'bucket') +parser.add_argument('--aws_permissions_boundary_arn', type=str, default='', help='Permission boundary to be attached to new roles') parser.add_argument('--azure_resource_group_name', type=str, default='', help='Name of Resource group in Azure') parser.add_argument('--azure_auth_path', type=str, default='', help='Full path to Azure credentials JSON file') parser.add_argument('--azure_datalake_enable', type=str, default='', help='Provision DataLake storage account') diff --git a/infrastructure-provisioning/src/general/conf/datalab.ini b/infrastructure-provisioning/src/general/conf/datalab.ini index 9b049e6..58e4e7b 100644 --- a/infrastructure-provisioning/src/general/conf/datalab.ini 
+++ b/infrastructure-provisioning/src/general/conf/datalab.ini @@ -144,6 +144,8 @@ redhat_image_name = RHEL-7.4_HVM-20180103-x86_64-2-Hourly2-GP2 # report_path = ### Predefined policies for users instances # user_predefined_s3_policies = +### permissions_boundary_arn +# permissions_boundary_arn = #--- [azure] section contains all common parameters related to Azure ---# diff --git a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py index b3810c2..34916cd 100644 --- a/infrastructure-provisioning/src/general/lib/aws/actions_lib.py +++ b/infrastructure-provisioning/src/general/lib/aws/actions_lib.py @@ -554,7 +554,7 @@ def tag_emr_volume(cluster_id, node_name, billing_tag): traceback.print_exc(file=sys.stdout) -def create_iam_role(role_name, role_profile, region, service='ec2', tag=None, user_tag=None): +def create_iam_role(role_name, role_profile, region, permissions_boundary='', service='ec2', tag=None, user_tag=None): conn = boto3.client('iam') try: if region == 'cn-north-1': @@ -563,6 +563,11 @@ def create_iam_role(role_name, role_profile, region, service='ec2', tag=None, us AssumeRolePolicyDocument= '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["' + service + '.amazonaws.com.cn"]},"Action":["sts:AssumeRole"]}]}') + elif permissions_boundary != '': + conn.create_role( + RoleName=role_name, PermissionsBoundary=permissions_boundary, AssumeRolePolicyDocument= + '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["' + service + + '.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}') else: conn.create_role( RoleName=role_name, AssumeRolePolicyDocument= diff --git a/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py b/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py index 2794e9c..7b80cf7 100644 
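Review bot: The new `elif permissions_boundary != ''` branch in create_iam_role is only reached when region is not 'cn-north-1', so a role created in the China partition silently gets no boundary even though the operator configured one — the boundary is the guardrail that caps what a provisioned role can grant itself, and whether it is applied should not depend on the region branch. Building the create_role keyword arguments once and adding PermissionsBoundary whenever the value is non-empty fixes that and removes the third copy of the trust-policy string. The parameter is also inserted ahead of `service`, so any caller that passes `service` positionally would now hand it over as the boundary; putting `permissions_boundary` after the existing keyword parameters, or passing it by keyword at the call sites, avoids that. create_iam_role's body continues past the hunk (the `else` branch and the instance-profile handling are not shown).
```python
def create_iam_role(role_name, role_profile, region, permissions_boundary='', service='ec2', tag=None, user_tag=None):
    conn = boto3.client('iam')
    try:
        # cn-north-1 uses the .cn service principal; the boundary applies in every partition
        domain = '.amazonaws.com.cn' if region == 'cn-north-1' else '.amazonaws.com'
        role_kwargs = {
            'RoleName': role_name,
            'AssumeRolePolicyDocument':
                '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["'
                + service + domain + '"]},"Action":["sts:AssumeRole"]}]}',
        }
        if permissions_boundary:
            role_kwargs['PermissionsBoundary'] = permissions_boundary
        conn.create_role(**role_kwargs)
        # … unchanged: instance profile creation and tagging that follow the hunk …
```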
--- a/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py +++ b/infrastructure-provisioning/src/general/scripts/aws/common_create_role_policy.py @@ -29,6 +29,7 @@ from datalab.meta_lib import * parser = argparse.ArgumentParser() parser.add_argument('--role_name', type=str, default='') parser.add_argument('--role_profile_name', type=str, default='') +parser.add_argument('--permissions_boundary_arn', type=str, default='') parser.add_argument('--policy_name', type=str, default='') parser.add_argument('--policy_arn', type=str, default='') parser.add_argument('--policy_file_name', type=str, default='') @@ -47,7 +48,7 @@ if __name__ == "__main__": tag = {"Key": args.infra_tag_name, "Value": args.infra_tag_value} user_tag = {"Key": "user:tag", "Value": args.user_tag_value} print("Creating role {0}, profile name {1}".format(args.role_name, args.role_profile_name)) - create_iam_role(args.role_name, args.role_profile_name, args.region, tag=tag, user_tag=user_tag) + create_iam_role(args.role_name, args.role_profile_name, args.permissions_boundary_arn, args.region, tag=tag, user_tag=user_tag) else: print("ROLE AND ROLE PROFILE ARE ALREADY CREATED") print("ROLE {} created. IAM group {} created".format(args.role_name, args.role_profile_name)) diff --git a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py index 093cbfd..e304105 100644 --- a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py +++ b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_create.py 
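Review bot: The updated call in common_create_role_policy.py passes `args.permissions_boundary_arn` in the `region` slot and `args.region` as the boundary, the opposite of the new signature `create_iam_role(role_name, role_profile, region, permissions_boundary='', ...)` and of both calls in dataengine-service_create.py. With that order the 'cn-north-1' check is made against the ARN and, presumably, create_role is invoked with `PermissionsBoundary` set to the region name and rejected as a malformed ARN — or, if region happens to be empty, the boundary is quietly never applied to the edge and notebook roles. Swap the two arguments, `create_iam_role(args.role_name, args.role_profile_name, args.region, args.permissions_boundary_arn, tag=tag, user_tag=user_tag)`, preferably as `permissions_boundary=args.permissions_boundary_arn` so the positional order cannot drift again.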
@@ -54,6 +54,8 @@ parser.add_argument('--service_role', type=str, default='', help='Role name EMR cluster (Default: "EMR_DefaultRole")') parser.add_argument('--ec2_role', type=str, default='', help='Role name for EC2 instances in cluster (Default: "EMR_EC2_DefaultRole")') +parser.add_argument('--permissions_boundary_arn', type=str, default='', + help='permissions boundary to be attached to new roles') parser.add_argument('--ssh_key', type=str, default='') parser.add_argument('--availability_zone', type=str, default='') parser.add_argument('--subnet', type=str, default='', help='Subnet CIDR') @@ -421,7 +423,7 @@ if __name__ == "__main__": print("There is no default EMR service role. Creating...") create_iam_role(args.service_role, args.service_role, - args.region, + args.region, args.permissions_boundary_arn, service='elasticmapreduce') attach_policy(args.service_role, policy_arn='arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole') @@ -429,7 +431,7 @@ if __name__ == "__main__": print("There is no default EMR EC2 role. Creating...") create_iam_role(args.ec2_role, args.ec2_role, - args.region) + args.region, args.permissions_boundary_arn) attach_policy(args.ec2_role, policy_arn='arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role') upload_jars_parser(args) diff --git a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py index bf9da3b..bee05a4 100644 --- a/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/aws/dataengine-service_prepare.py 
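Review bot: Both create_iam_role calls in dataengine-service_create.py pass `args.permissions_boundary_arn` positionally right after `args.region`, relying on a parameter order that a sibling call site in this same commit already gets wrong. Writing them as `args.region, permissions_boundary=args.permissions_boundary_arn,` makes the intent explicit and keeps the call correct if the parameter later moves behind `service`. The help string here ('permissions boundary to be attached to new roles') also differs in casing from the one added to deploy_datalab.py; aligning the two is a small consistency win.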
@@ -307,6 +307,8 @@ if __name__ == "__main__": emr_conf['service_base_name'], emr_conf['additional_emr_sg_name'], emr_conf['configurations']) + if 'aws_permissions_boundary_arn' in os.environ: + params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn']) try: subprocess.run("~/scripts/{}.py {}".format('dataengine-service_create', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py index 48497b2..8fa8836 100644 --- a/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/aws/project_prepare.py @@ -223,6 +223,8 @@ if __name__ == "__main__": .format(project_conf['edge_role_name'], project_conf['edge_role_profile_name'], project_conf['edge_policy_name'], os.environ['aws_region'], project_conf['tag_name'], project_conf['service_base_name'], user_tag) + if 'aws_permissions_boundary_arn' in os.environ: + params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True) except: @@ -243,6 +245,8 @@ if __name__ == "__main__": project_conf['notebook_dataengine_role_profile_name'], project_conf['notebook_dataengine_policy_name'], os.environ['aws_region'], project_conf['tag_name'], project_conf['service_base_name'], user_tag) + if 'aws_permissions_boundary_arn' in os.environ: + params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True) except: diff --git a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py index bee2e3f..1482297 100644 
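Review bot: `os.environ['aws_permissions_boundary_arn']` is spliced unquoted into a command line that is then run with `shell=True`, in this dataengine-service_prepare.py hunk and identically in both project_prepare.py hunks and the ssn_prepare.py hunk. The value is operator-supplied configuration, but a boundary ARN containing whitespace or shell metacharacters would alter the command, and an empty value (the guard tests only key presence, not content) yields a trailing `--permissions_boundary_arn` with no argument and an argparse error in the child script. Read it once with `boundary_arn = os.environ.get('aws_permissions_boundary_arn', '')`, guard on `if boundary_arn:`, and append `shlex.quote(boundary_arn)` to params (adding `import shlex` at the top of each script). Since the same lines recur four times, a small helper in the shared AWS lib would keep them consistent; the enclosing `__main__` block starts and ends outside each hunk.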
--- a/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py +++ b/infrastructure-provisioning/src/general/scripts/aws/ssn_prepare.py @@ -307,6 +307,8 @@ if __name__ == "__main__": format(ssn_conf['role_name'], ssn_conf['role_profile_name'], ssn_conf['policy_name'], ssn_conf['policy_path'], os.environ['aws_region'], ssn_conf['tag_name'], ssn_conf['service_base_name'], ssn_conf['user_tag']) + if 'aws_permissions_boundary_arn' in os.environ: + params = '{} --permissions_boundary_arn {}'.format(params, os.environ['aws_permissions_boundary_arn']) try: subprocess.run("~/scripts/{}.py {}".format('common_create_role_policy', params), shell=True, check=True) except: --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
