Skip to content

feature(GH-1613)- New policy management types #1762

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

feature(GH-1613)- New policy management types #1762

wants to merge 13 commits into from

Conversation

TejasRGitHub
Copy link
Collaborator

@TejasRGitHub TejasRGitHub commented Feb 12, 2025
edited
Loading

Feature or Bugfix

  • Feature

Detail

Relates

Testing

  1. Adding consumption role with Fully, Partially and Externally Managed management types ✅
  2. Created a share with each type ✅
  3. For partially managed, removed share policy and ran share verifier and got unhealthy message complaining policy not attached. Ran reapplier and check that the policy was not attached ( as should be the case for partially managed role ) ✅
  4. For fully managed, did exactly as test 3 and checked that the policy is attached ✅
  5. For Externally managed, the policy was not attached when the share was created :check and after running share verifier the verifier didn't mark the share as unhealhy ✅
  6. On the Environment Consumption Roles page, updated the Policy Management of the consumption roles ✅ . When changing consumption role from externally / partially managed to fully managed, checked that the share policy is attached. ✅

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes
    fetching data from storage outside the application (e.g. a database, an S3 bucket)? Yes
    • Is the input sanitized? Yes
    • What precautions are you taking before deserializing the data you consume? Using gql wrapper defined in data.all
    • Is injection prevented by parametrizing queries? yes
    • Have you ensured no eval or similar functions are used? Yes
  • Does this PR introduce any functionality or component that requires authorization? N/A
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
    • Are you logging failed auth attempts?
  • Are you using or adding any cryptographic features? N/A
    • Do you use a standard proven implementations?
    • Are the used keys controlled by the customer? Where are they stored?
  • Are you introducing any new policies/roles/users? No
    • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@TejasRGitHub TejasRGitHub marked this pull request as ready for review February 12, 2025 20:45
TejasRGitHub
TejasRGitHub commented Feb 12, 2025
View reviewed changes
backend/dataall/core/environment/db/environment_repositories.py
@@ -160,7 +160,6 @@ def query_user_environment_consumption_roles(session, groups, uri, filter) -> Qu
)
)
if filter and filter.get('groupUri'):
print('filter group')
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removing print statement

TejasRGitHub
TejasRGitHub commented Feb 12, 2025
View reviewed changes
backend/dataall/core/environment/services/environment_service.py
# If environment role is created in environment stack, then data.all should attach the policies in the env stack
# If environment role is imported, then data.all should attach the policies at import time ( Fully Managed )
# If environment role is created in environment stack, then data.all should attach the policies in the env stack ( Partially Managed - Here policy will be created but won't be attached )
policy_management: str = (
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Earlier, when the dataallManaged = True, then share policies were getting attached via the API calls. But when dataallManaged = False, then the share policies were not attached via API calls instead are attached via CF templates.

Mapping this logic to the new policy management types and keeping the functionality same

TejasRGitHub
TejasRGitHub commented Feb 12, 2025
View reviewed changes
backend/dataall/core/environment/services/environment_service.py
consumption_role: ConsumptionRole = EnvironmentService.get_consumption_role(session, uri=principal_id)
return consumption_role.dataallManaged

return PolicyManagementOptions.FULLY_MANAGED.value
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the role is not a consumption role, then all other roles( i.e. env groups ,etc ) are treated as Fully Managed

TejasRGitHub
TejasRGitHub commented Feb 12, 2025
View reviewed changes
backend/dataall/core/environment/services/environment_service.py

@staticmethod
@ResourcePolicyService.has_resource_permission(environment_permissions.GET_ENVIRONMENT)
def get_consumption_role_by_name(uri, IAMRoleName):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

get_consumption_role_by_name , remving this static method as it was not used any where

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@TejasRGitHub