Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: limit dataset role permissions #497

Merged
merged 13 commits into from
Jun 9, 2023
Merged

feat: limit dataset role permissions #497

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
e9c64d7
fix: Fix typo that destroys storage locations (#481)
dlpzx May 26, 2023
9fc84bf
Update CDK Version to v2.77.0 to fix issue with CDK Pipeline role (#484)
gmuslia May 30, 2023
7844c1f
Clean-up dataset IAM role permissions - missing Glue crawling ones
dlpzx Jun 1, 2023
8ece706
Clean-up dataset IAM role permissions - removed Glue crawling ones
dlpzx Jun 1, 2023
fa45abd
fix: safe removal of consumption roles with open share requests (#485)
dlpzx Jun 1, 2023
02f6cde
Merge branch 'main-upstream' into v1m6m0
dlpzx Jun 6, 2023
7330e20
Merge remote-tracking branch 'origin/feature/limit-dataset-role-permi…
dlpzx Jun 6, 2023
2d61bea
Allowing glue crawler and restricting bucket permissions
dlpzx Jun 6, 2023
36e8e33
Finish restriction for users in dataset roles + enforced crawler + ch…
dlpzx Jun 7, 2023
4117f94
Additional permissions for Glue crawler in dataset role
dlpzx Jun 7, 2023
d8b067f
Issue with database name in Glue permissions
dlpzx Jun 7, 2023
2c5d361
Linting
dlpzx Jun 7, 2023
bbd0fcc
Added createlog permissions to dataset role
dlpzx Jun 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions backend/dataall/aws/handlers/glue.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -473,7 +473,7 @@ def start_glue_crawler(data):
glue = session.client('glue', region_name=data.get('region', 'eu-west-1'))
if data.get('location'):
Glue._update_existing_crawler(
glue, accountid, crawler_name, targets, database
glue, crawler_name, targets, database
)
crawler = Glue._get_crawler(glue, crawler_name)
glue.start_crawler(Name=crawler_name)
Expand All @@ -496,7 +496,7 @@ def _get_crawler(glue, crawler_name):
return crawler.get('Crawler') if crawler else None

@staticmethod
def _update_existing_crawler(glue, accountid, crawler_name, targets, database):
def _update_existing_crawler(glue, crawler_name, targets, database):
try:
glue.stop_crawler(Name=crawler_name)
except ClientError as e:
Expand All @@ -508,7 +508,6 @@ def _update_existing_crawler(glue, accountid, crawler_name, targets, database):
try:
glue.update_crawler(
Name=crawler_name,
Role=SessionHelper.get_delegation_role_arn(accountid=accountid),
DatabaseName=database,
Targets=targets,
)
Expand Down
2 changes: 1 addition & 1 deletion backend/dataall/aws/handlers/lakeformation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
from .sts import SessionHelper

log = logging.getLogger('aws:lakeformation')
PIVOT_ROLE_NAME_PREFIX = "datallPivotRole"
PIVOT_ROLE_NAME_PREFIX = "dataallPivotRole"


class LakeFormation:
Expand Down
2 changes: 1 addition & 1 deletion backend/dataall/cdkproxy/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
aws-cdk-lib==2.61.1
aws-cdk-lib==2.77.0
aws_cdk.aws_redshift_alpha==2.14.0a0
boto3==1.24.85
boto3-stubs==1.24.85
Expand Down
137 changes: 81 additions & 56 deletions backend/dataall/cdkproxy/stacks/dataset.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,91 +194,125 @@ def __init__(self, scope, id, target_uri: str = None, **kwargs):
policy_name=dataset.S3BucketName,
statements=[
iam.PolicyStatement(
actions=['s3:List*'], resources=['*'], effect=iam.Effect.ALLOW
),
iam.PolicyStatement(
actions=['logs:*'], resources=['*'], effect=iam.Effect.ALLOW
),
iam.PolicyStatement(
actions=['tag:*'], resources=['*'], effect=iam.Effect.ALLOW
sid="ListAll",
actions=[
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
],
resources=["*"],
effect=iam.Effect.ALLOW
),
iam.PolicyStatement(
actions=['s3:List*', 's3:Get*'],
sid="ListDatasetBucket",
actions=[
"s3:ListBucket",
"s3:GetBucketLocation"
],
resources=[dataset_bucket.bucket_arn],
effect=iam.Effect.ALLOW,
),
iam.PolicyStatement(
actions=['s3:*'],
sid="ReadWriteDatasetBucket",
actions=[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:DeleteObject"
],
effect=iam.Effect.ALLOW,
resources=[dataset_bucket.bucket_arn + '/*'],
),
iam.PolicyStatement(
sid="KMSAccess",
actions=[
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
effect=iam.Effect.ALLOW,
resources=[dataset_key.key_arn],
),
iam.PolicyStatement(
sid="ReadAccessPointsDatasetBucket",
actions=[
's3:GetAccessPoint',
's3:GetAccessPointPolicy',
's3:ListAccessPoints',
's3:CreateAccessPoint',
's3:DeleteAccessPoint',
's3:GetAccessPointPolicyStatus',
's3:DeleteAccessPointPolicy',
's3:PutAccessPointPolicy',
],
effect=iam.Effect.ALLOW,
resources=[
f'arn:aws:s3:{dataset.region}:{dataset.AwsAccountId}:accesspoint/*',
f'arn:aws:s3:{dataset.region}:{dataset.AwsAccountId}:accesspoint/{dataset.datasetUri}*',
],
),
iam.PolicyStatement(
actions=['s3:List*', 's3:Get*'],
resources=[f'arn:aws:s3:::{env.EnvironmentDefaultBucketName}'],
effect=iam.Effect.ALLOW,
),
iam.PolicyStatement(
actions=['s3:*'],
effect=iam.Effect.ALLOW,
resources=[f'arn:aws:s3:::{env.EnvironmentDefaultBucketName}/*'],
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=['arn:aws:s3:::aws-glue-*'],
actions=['s3:CreateBucket'],
),
iam.PolicyStatement(
actions=['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
sid="GlueAccessCrawler",
actions=[
"glue:GetDatabase",
"glue:GetTableVersion",
"glue:CreateTable",
"glue:GetTables",
"glue:GetTableVersions",
"glue:UpdateTable",
"glue:DeleteTableVersion",
"glue:DeleteTable",
"glue:GetTable"
],
effect=iam.Effect.ALLOW,
resources=[
'arn:aws:s3:::aws-glue-*/*',
'arn:aws:s3:::*/*aws-glue-*/*',
],
f"arn:aws:glue:*:{dataset.AwsAccountId}:catalog",
f"arn:aws:glue:{dataset.region}:{dataset.AwsAccountId}:database/{dataset.GlueDatabaseName}",
f"arn:aws:glue:{dataset.region}:{dataset.AwsAccountId}:table/{dataset.GlueDatabaseName}/*"
]
),
iam.PolicyStatement(
actions=['s3:GetObject'],
sid="CreateLoggingGlueCrawler",
actions=[
'logs:CreateLogGroup',
'logs:CreateLogStream',
],
effect=iam.Effect.ALLOW,
resources=[
'arn:aws:s3:::crawler-public*',
'arn:aws:s3:::aws-glue-*',
f'arn:aws:logs:{dataset.region}:{dataset.AwsAccountId}:log-group:/aws-glue/crawlers*',
],
),
iam.PolicyStatement(
sid="LoggingGlueCrawler",
actions=[
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents',
],
dlpzx marked this conversation as resolved.
Show resolved Hide resolved
effect=iam.Effect.ALLOW,
resources=['arn:aws:logs:*:*:/aws-glue/*'],
resources=[
f'arn:aws:logs:{dataset.region}:{dataset.AwsAccountId}:log-group:/aws-glue/crawlers:log-stream:{dataset.GlueCrawlerName}',
],
),
iam.PolicyStatement(
actions=['kms:*'], effect=iam.Effect.ALLOW, resources=['*']
actions=['s3:ListEnvironmentBucket'],
resources=[f'arn:aws:s3:::{env.EnvironmentDefaultBucketName}'],
effect=iam.Effect.ALLOW,
),
iam.PolicyStatement(
actions=['glue:*', 'athena:*', 'lakeformation:*'],
resources=['*'],
sid="ReadEnvironmentBucketProfiling",
actions=[
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion"
],
effect=iam.Effect.ALLOW,
resources=[f'arn:aws:s3:::{env.EnvironmentDefaultBucketName}/profiling*'],
),
iam.PolicyStatement(
actions=['cloudformation:*'],
resources=['*'],
sid="ReadWriteEnvironmentBucketProfiling",
actions=[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:DeleteObject"
],
resources=[f'arn:aws:s3:::{env.EnvironmentDefaultBucketName}/profiling/results/{dataset.datasetUri}/*'],
effect=iam.Effect.ALLOW,
),
],
Expand All @@ -290,17 +324,10 @@ def __init__(self, scope, id, target_uri: str = None, **kwargs):
'DatasetAdminRole',
role_name=dataset.IAMDatasetAdminRoleArn.split('/')[-1],
assumed_by=iam.CompositePrincipal(
iam.ServicePrincipal('glue.amazonaws.com'),
iam.ServicePrincipal('lakeformation.amazonaws.com'),
iam.ServicePrincipal('athena.amazonaws.com'),
iam.ServicePrincipal('sagemaker.amazonaws.com'),
iam.ServicePrincipal('lambda.amazonaws.com'),
iam.ServicePrincipal('ec2.amazonaws.com'),
iam.AccountPrincipal(str(os.environ.get('CURRENT_AWS_ACCOUNT'))),
iam.AccountPrincipal(dataset.AwsAccountId),
iam.ArnPrincipal(
f'arn:aws:iam::{dataset.AwsAccountId}:role/{self.pivot_role_name}'
),
iam.ServicePrincipal('glue.amazonaws.com'),
),
)
dataset_admin_policy.attach_to_role(dataset_admin_role)
Expand Down Expand Up @@ -441,9 +468,7 @@ def __init__(self, scope, id, target_uri: str = None, **kwargs):
self,
'DatasetGlueProfilingJob',
name=dataset.GlueProfilingJobName,
role=iam.ArnPrincipal(
f'arn:aws:iam::{env.AwsAccountId}:role/{self.pivot_role_name}'
).arn,
role=dataset_admin_role.role_arn,
allocated_capacity=10,
execution_property=glue.CfnJob.ExecutionPropertyProperty(
max_concurrent_runs=100
Expand Down
34 changes: 34 additions & 0 deletions backend/dataall/db/api/environment.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -392,6 +392,23 @@ def remove_group(session, username, groups, uri, data=None, check_perm=None):
message=f'Team: {group} has created {group_env_objects_count} resources on this environment.',
)

shares_count = (
session.query(models.ShareObject)
.filter(
and_(
models.ShareObject.principalId == group,
models.ShareObject.principalType == PrincipalType.Group.value
)
)
.count()
)

if shares_count > 0:
raise exceptions.EnvironmentResourcesFound(
action='Remove Team',
message=f'Team: {group} has created {shares_count} share requests on this environment.',
)

group_membership = Environment.find_environment_group(
session, group, environment.environmentUri
)
Expand Down Expand Up @@ -529,6 +546,23 @@ def remove_consumption_role(session, username, groups, uri, data=None, check_per

consumption_role = Environment.get_environment_consumption_role(session, uri, data.get('environmentUri'))

shares_count = (
session.query(models.ShareObject)
.filter(
and_(
models.ShareObject.principalId == uri,
models.ShareObject.principalType == PrincipalType.ConsumptionRole.value
)
)
.count()
)

if shares_count > 0:
raise exceptions.EnvironmentResourcesFound(
action='Remove Consumption Role',
message=f'Consumption role: {consumption_role.consumptionRoleName} has created {shares_count} share requests on this environment.',
)

if consumption_role:
session.delete(consumption_role)
session.commit()
Expand Down
2 changes: 1 addition & 1 deletion deploy/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
aws-cdk-lib==2.61.1
aws-cdk-lib==2.77.0
boto3-stubs==1.20.20
boto3==1.24.85
botocore==1.27.85
Expand Down