Add required roles and permissions required for group role enforcement.

mpereira · mpereira · commit 510676ed48f7 · 2019-10-07T20:58:54.000+02:00
diff --git a/testing/sdk_security.py b/testing/sdk_security.py
@@ -79,7 +79,7 @@ def _revoke(user: str, acl: str, description: str, action: str = "create") -> No
     log.info("Want to delete {user}+{acl}".format(user=user, acl=acl))
 
 
-def get_permissions(service_account_name: str, role: str, linux_user: str) -> typing.List[dict]:
+def get_role_permissions(service_account_name: str, role: str) -> typing.List[dict]:
     return [
         # registration permissions
         {
@@ -89,6 +89,27 @@ def get_permissions(service_account_name: str, role: str, linux_user: str) -> ty
                 service_account_name, role
             ),
         },
+        # resource permissions
+        {
+            "user": service_account_name,
+            "acl": "dcos:mesos:master:reservation:role:{}".format(role),
+            "description": "Service {} may reserve Mesos resources with role={}".format(
+                service_account_name, role
+            ),
+        },
+        # volume permissions
+        {
+            "user": service_account_name,
+            "acl": "dcos:mesos:master:volume:role:{}".format(role),
+            "description": "Service {} may create Mesos volumes with role={}".format(
+                service_account_name, role
+            ),
+        },
+    ]
+
+
+def get_permissions(service_account_name: str, linux_user: str) -> typing.List[dict]:
+    return [
         # task execution permissions
         {
             "user": service_account_name,
@@ -108,13 +129,6 @@ def get_permissions(service_account_name: str, role: str, linux_user: str) -> ty
             ),
         },
         # resource permissions
-        {
-            "user": service_account_name,
-            "acl": "dcos:mesos:master:reservation:role:{}".format(role),
-            "description": "Service {} may reserve Mesos resources with role={}".format(
-                service_account_name, role
-            ),
-        },
         {
             "user": service_account_name,
             "acl": "dcos:mesos:master:reservation:principal:{}".format(service_account_name),
@@ -124,13 +138,6 @@ def get_permissions(service_account_name: str, role: str, linux_user: str) -> ty
             "action": "delete",
         },
         # volume permissions
-        {
-            "user": service_account_name,
-            "acl": "dcos:mesos:master:volume:role:{}".format(role),
-            "description": "Service {} may create Mesos volumes with role={}".format(
-                service_account_name, role
-            ),
-        },
         {
             "user": service_account_name,
             "acl": "dcos:mesos:master:volume:principal:{}".format(service_account_name),
@@ -142,19 +149,42 @@ def get_permissions(service_account_name: str, role: str, linux_user: str) -> ty
     ]
 
 
-def grant_permissions(linux_user: str, role_name: str, service_account_name: str) -> None:
+def grant_permissions(
+    linux_user: str,
+    role_name: str = "",
+    service_account_name: str = "",
+    role_list: typing.List[str] = [],
+) -> None:
     log.info("Granting permissions to {account}".format(account=service_account_name))
-    permissions = get_permissions(service_account_name, role_name, linux_user)
+
+    permissions = get_permissions(service_account_name, linux_user)
+
+    if not role_list:
+        role_list = [role_name]
+
+    for role in role_list:
+        permissions += get_role_permissions(service_account_name, role)
+
     for permission in permissions:
         _grant(**permission)
+
     log.info("Permission setup completed for {account}".format(account=service_account_name))
 
 
 def revoke_permissions(linux_user: str, role_name: str, service_account_name: str) -> None:
     log.info("Revoking permissions to {account}".format(account=service_account_name))
-    permissions = get_permissions(service_account_name, role_name, linux_user)
+
+    permissions = get_permissions(service_account_name, linux_user)
+
+    if not role_list:
+        role_list = [role_name]
+
+    for role in role_list:
+        permissions += get_role_permissions(service_account_name, role)
+
     for permission in permissions:
         _revoke(**permission)
+
     log.info("Permission cleanup completed for {account}".format(account=service_account_name))
 
 
@@ -228,13 +258,24 @@ def delete_secret(secret: str) -> None:
 
 
 def _get_role_list(service_name: str) -> typing.List[str]:
-    # TODO: spark_utils uses:
-    # app_id_encoded = urllib.parse.quote(
-    #     urllib.parse.quote(app_id, safe=''),
-    #     safe=''
-    # )
     role_basename = service_name.replace("/", "__")
-    return ["{}-role".format(role_basename), "slave_public%252F{}-role".format(role_basename)]
+
+    roles = []
+
+    # Grant roles on each group components.
+    path_components = service_name.split("/")
+    role_path = ""
+    for component in path_components[:-1]:
+        if role_path != "":
+            role_path += "__"
+        role_path += component
+
+        roles.append(role_path)
+
+    return roles + [
+        "{}-role".format(role_basename),
+        "slave_public%252F{}-role".format(role_basename),
+    ]
 
 
 def setup_security(
@@ -263,10 +304,11 @@ def setup_security(
 
     service_account_info["roles"] = _get_role_list(service_name)
 
-    for role_name in service_account_info["roles"]:
-        grant_permissions(
-            linux_user=linux_user, role_name=role_name, service_account_name=service_account
-        )
+    grant_permissions(
+        linux_user=linux_user,
+        role_list=service_account_info["roles"],
+        service_account_name=service_account,
+    )
 
     log.info("Finished setting up strict-mode security")
 
@@ -284,10 +326,9 @@ def cleanup_security(service_name: str, service_account_info: typing.Dict) -> No
         roles = service_account_info.get("roles", _get_role_list(service_name))
         linux_user = service_account_info.get("linux_user", "nobody")
 
-        for role_name in roles:
-            revoke_permissions(
-                linux_user=linux_user, role_name=role_name, service_account_name=service_account
-            )
+        revoke_permissions(
+            linux_user=linux_user, role_list=roles, service_account_name=service_account
+        )
 
     delete_service_account(service_account, service_account_secret)
 
