Use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
The class AzureIDBrokerObjectStorageValidator, method validateStorageAccount.
/**
 * Checks that each given identity holds a role assignment covering the storage account that
 * {@code location} refers to.
 *
 * <p>The account is looked up across the subscriptions visible to {@code client}. When it
 * cannot be resolved, one error is recorded and no role check is performed. Otherwise the
 * role assignments on the account are narrowed to the account's own subscription, and every
 * identity is validated against the account name, its resource group and its subscription
 * as candidate scopes.
 *
 * @param client            Azure client used for the lookups
 * @param identities        identities whose role assignments are validated
 * @param location          storage location the account name is derived from
 * @param cloudIdentityType identity type used to phrase the advice part of error messages
 * @param resultBuilder     collector that errors are appended to
 */
private void validateStorageAccount(AzureClient client, Set<Identity> identities, String location,
        CloudIdentityType cloudIdentityType, ValidationResultBuilder resultBuilder) {
    String accountName = adlsGen2ConfigGenerator.generateStorageConfig(location).getAccount();
    Optional<String> accountId = azureStorage.findStorageAccountIdInVisibleSubscriptions(client, accountName);
    if (accountId.isEmpty()) {
        // The lookup cannot tell a missing account from missing list permissions; only the debug
        // log mentions both causes, the user-facing error reports the account as not found.
        LOGGER.debug("Storage account {} not found or insufficient permission to list subscriptions and / or storage accounts.", accountName);
        addError(resultBuilder, String.format("Storage account with name %s not found in the given Azure subscription. %s",
                accountName, getAdviceMessage(STORAGE_LOCATION, cloudIdentityType)));
        return;
    }
    String resolvedAccountId = accountId.get();
    List<RoleAssignmentInner> assignmentsOnAccount = client.listRoleAssignmentsByScopeInner(resolvedAccountId);
    ResourceId accountResourceId = ResourceId.fromString(resolvedAccountId);
    String accountSubscriptionId = accountResourceId.subscriptionId();
    // The account may live in a subscription other than the one the client is currently bound to.
    boolean crossSubscription = !client.getCurrentSubscription().subscriptionId().equals(accountSubscriptionId);
    List<RoleAssignmentInner> assignmentsInSubscription =
            getRoleAssignmentsOfSubscription(assignmentsOnAccount, accountSubscriptionId, client, crossSubscription);
    identities.forEach(identity -> validateRoleAssigmentAndScope(assignmentsInSubscription, resultBuilder, identity,
            List.of(accountName, accountResourceId.resourceGroupName(), accountSubscriptionId),
            crossSubscription, cloudIdentityType));
}
Use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
The class AzureIDBrokerObjectStorageValidatorTest, method testValidateObjectStorageNoMappedRoles.
/**
 * Both mapped identities exist, but the only role assignments in the subscription belong to
 * unrelated principals. Validation must fail and report that neither identity has a usable
 * role assignment, at subscription level and on the checked scopes.
 */
@Test
public void testValidateObjectStorageNoMappedRoles() {
    SpiFileSystem fileSystem = setupSpiFileSystem(true);

    when(assumer.id()).thenReturn(USER_IDENTITY_1);
    when(logger.id()).thenReturn(GROUP_IDENTITY_1);
    PagedList<Identity> identities = Mockito.spy(PagedList.class);
    identities.add(assumer);
    identities.add(logger);
    when(client.listIdentities()).thenReturn(identities);

    // Principal ids that match neither mapped identity, so no assignment applies to them.
    String unrelatedAssumerPrincipalId = "489e3729-aed1-4d54-a95b-b231b70d383f";
    String unrelatedLoggerPrincipalId = "61a70b9b-7331-4fa3-8717-2652fc70434e";
    new RoleASsignmentBuilder(client)
            .withAssignment(unrelatedAssumerPrincipalId, SUBSCRIPTION_FULL_ID)
            .withAssignment(unrelatedLoggerPrincipalId, STORAGE_RESOURCE_GROUP_NAME);

    ValidationResultBuilder resultBuilder = new ValidationResultBuilder();
    underTest.validateObjectStorage(client, fileSystem, STORAGE_LOCATION_RANGER, null, null, resultBuilder);
    ValidationResult result = resultBuilder.build();

    assertTrue(result.hasError());
    List<String> errors = result.getErrors();
    assertEquals(5, errors.size());
    assertTrue(anyErrorContains(errors, String.format("Identity with id %s has no role assignment.", USER_IDENTITY_1)));
    assertTrue(anyErrorContains(errors, String.format("Identity with id %s has no role assignment on scope", GROUP_IDENTITY_1)));
    assertTrue(anyErrorContains(errors, String.format("Identity with id %s has no role assignment on scope", USER_IDENTITY_1)));
}

/** Returns whether at least one of the collected error messages contains {@code fragment}. */
private static boolean anyErrorContains(List<String> errors, String fragment) {
    return errors.stream().anyMatch(error -> error.contains(fragment));
}
Use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
The class AzureClient, method checkIdentityRoleAssignement.
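/**
 * Tells whether the identity with the given id has a role assignment on the given scope.
 *
 * <p>Principal ids are compared case-insensitively. An identity that cannot be resolved, or
 * that carries no principal id, cannot hold a role assignment, so the check fails closed and
 * returns {@code false} instead of dereferencing a {@code null} identity inside the match.
 *
 * @param identityId resource id of the managed identity
 * @param scopeId    resource id of the scope whose role assignments are inspected
 * @return {@code true} if at least one role assignment on the scope is bound to the identity's principal
 */
public boolean checkIdentityRoleAssignement(String identityId, String scopeId) {
    Identity identity = getIdentityById(identityId);
    if (identity == null || identity.principalId() == null) {
        return false;
    }
    // Resolve the principal once instead of on every assignment in the list.
    String principalId = identity.principalId();
    PagedList<RoleAssignment> roleAssignments = listRoleAssignmentsByScope(scopeId);
    // equalsIgnoreCase(null) is false, which covers assignments without a principal id.
    return roleAssignments.stream()
            .anyMatch(assignment -> principalId.equalsIgnoreCase(assignment.principalId()));
}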
Use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
The class AzureIDBrokerObjectStorageValidator, method validateObjectStorage.
/**
 * Validates the Azure identities referenced by the given file system configuration.
 *
 * <p>{@code validateHierarchicalNamespace} runs first on the configured locations. Then each
 * cloud file system view is resolved to its managed identity: a missing identity is reported
 * as an error; an {@code ID_BROKER} identity is checked against the role assignments of the
 * single resource group when one is named, otherwise against the client's unscoped role
 * assignment list; a {@code LOG} identity is checked against the logs location. Views with
 * any other identity type are not checked.
 *
 * @param client                  Azure client used for the lookups
 * @param spiFileSystem           file system configuration holding the cloud file system views
 * @param logsLocationBase        base location of the logs
 * @param backupLocationBase      base location of the backups
 * @param singleResourceGroupName name of the single resource group, or {@code null} when none is configured
 * @param resultBuilder           collector that the recorded errors are appended to
 * @return the validation result built from {@code resultBuilder}
 */
public ValidationResult validateObjectStorage(AzureClient client, SpiFileSystem spiFileSystem, String logsLocationBase,
        String backupLocationBase, String singleResourceGroupName, ValidationResultBuilder resultBuilder) {
    LOGGER.info("Validating Azure identities...");
    List<CloudFileSystemView> fileSystemViews = spiFileSystem.getCloudFileSystems();
    validateHierarchicalNamespace(client, spiFileSystem, logsLocationBase, backupLocationBase, resultBuilder);
    if (fileSystemViews != null && !fileSystemViews.isEmpty()) {
        for (CloudFileSystemView view : fileSystemViews) {
            // Every view is expected to be an ADLS Gen2 view; other types would fail the cast here.
            CloudAdlsGen2View adlsView = (CloudAdlsGen2View) view;
            String managedIdentityId = adlsView.getManagedIdentity();
            Identity identity = client.getIdentityById(managedIdentityId);
            CloudIdentityType identityType = adlsView.getCloudIdentityType();
            if (identity == null) {
                addError(resultBuilder, String.format("%s Identity with id %s does not exist in the given Azure subscription. %s",
                        getIdentityType(identityType), managedIdentityId, getAdviceMessage(IDENTITY, identityType)));
            } else if (ID_BROKER.equals(identityType)) {
                validateIdBrokerIdentity(client, identity, adlsView, singleResourceGroupName, resultBuilder);
            } else if (LOG.equals(identityType)) {
                validateLog(client, identity, logsLocationBase, resultBuilder);
            }
        }
    }
    return resultBuilder.build();
}

/**
 * Chooses the role assignments an {@code ID_BROKER} identity is validated against and delegates
 * to {@code validateIDBroker}: with a resource group name the assignments are those of that group,
 * otherwise the client's unscoped role assignment list is used.
 */
private void validateIdBrokerIdentity(AzureClient client, Identity identity, CloudAdlsGen2View adlsView,
        String singleResourceGroupName, ValidationResultBuilder resultBuilder) {
    List<RoleAssignmentInner> roleAssignments;
    Optional<ResourceGroup> singleResourceGroup;
    if (singleResourceGroupName == null) {
        roleAssignments = client.listRoleAssignments();
        singleResourceGroup = Optional.empty();
    } else {
        ResourceGroup resourceGroup = client.getResourceGroup(singleResourceGroupName);
        roleAssignments = client.listRoleAssignmentsByScopeInner(resourceGroup.id());
        singleResourceGroup = Optional.of(resourceGroup);
    }
    validateIDBroker(client, roleAssignments, identity, adlsView, singleResourceGroup, resultBuilder);
}
Use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
The class AzureIDBrokerObjectStorageValidator, method validateAllMappedIdentities.
/**
 * Resolves the identities referenced by the account mapping of the given file system view and
 * records an error for every mapped identity that is not among the identities the client lists.
 *
 * <p>Before comparison, the {@code /resourceGroups/} segment of each mapped id is lower-cased
 * (presumably to match the casing of the ids returned by {@code client.listIdentities()} — confirm);
 * apart from that the comparison is an exact string match.
 *
 * @param client              Azure client used to list the existing identities
 * @param cloudFileSystemView view whose account mapping is inspected
 * @param resultBuilder       collector that errors are appended to
 * @return the existing identities referenced by the user and group mappings; empty when the view has no account mapping
 */
private Set<Identity> validateAllMappedIdentities(AzureClient client, CloudFileSystemView cloudFileSystemView,
        ValidationResultBuilder resultBuilder) {
    AccountMappingBase accountMappings = cloudFileSystemView.getAccountMapping();
    if (accountMappings == null) {
        return Collections.emptySet();
    }
    Set<String> rawMappedIds = new HashSet<>(accountMappings.getUserMappings().values());
    rawMappedIds.addAll(accountMappings.getGroupMappings().values());
    Set<String> mappedIdentityIds = rawMappedIds.stream()
            .map(id -> id.replaceFirst("(?i)/resourceGroups/", "/resourcegroups/"))
            .collect(Collectors.toSet());
    PagedList<Identity> existingIdentities = client.listIdentities();
    Set<String> existingIdentityIds = existingIdentities.stream().map(Identity::id).collect(Collectors.toSet());
    MutableSet<String> missingIds = Sets.difference(mappedIdentityIds, existingIdentityIds);
    missingIds.stream().forEach(identityId -> addError(resultBuilder, String.format(
            "Identity with id %s does not exist in the given Azure subscription. %s", identityId, getAdviceMessage(IDENTITY, ID_BROKER))));
    Set<String> presentIds = Sets.difference(mappedIdentityIds, missingIds);
    return existingIdentities.stream()
            .filter(identity -> presentIds.contains(identity.id()))
            .collect(Collectors.toSet());
}