
Example 1 with Identity

use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.

Class AzureIDBrokerObjectStorageValidator, method validateStorageAccount: resolves the storage account behind a location and checks each identity's role assignments on it.

/**
 * Checks that every identity in {@code identities} has a role assignment on the storage account
 * referenced by {@code location}.
 * <p>
 * The account is looked up by name across the subscriptions visible to {@code client}; if it is not
 * found (or the client lacks permission to enumerate subscriptions/accounts, which is indistinguishable
 * here) a single error is recorded and no identity is checked. Otherwise the role assignments on the
 * account scope are narrowed to the account's subscription and each identity is validated against the
 * account, its resource group and its subscription as acceptable scopes.
 *
 * @param client            Azure client used for lookups
 * @param identities        managed identities that must hold a role on the account
 * @param location          storage location (abfs path) whose account is validated
 * @param cloudIdentityType identity type, used only to pick the advice text in error messages
 * @param resultBuilder     collector for validation errors
 */
private void validateStorageAccount(AzureClient client, Set<Identity> identities, String location, CloudIdentityType cloudIdentityType, ValidationResultBuilder resultBuilder) {
    AdlsGen2Config config = adlsGen2ConfigGenerator.generateStorageConfig(location);
    String accountName = config.getAccount();
    Optional<String> lookedUpAccountId = azureStorage.findStorageAccountIdInVisibleSubscriptions(client, accountName);
    if (lookedUpAccountId.isEmpty()) {
        // A missing account and a missing permission look the same from here; the user-facing text only says "not found".
        LOGGER.debug("Storage account {} not found or insufficient permission to list subscriptions and / or storage accounts.", accountName);
        addError(resultBuilder, String.format("Storage account with name %s not found in the given Azure subscription. %s", accountName, getAdviceMessage(STORAGE_LOCATION, cloudIdentityType)));
        return;
    }
    String accountId = lookedUpAccountId.get();
    List<RoleAssignmentInner> assignmentsOnAccount = client.listRoleAssignmentsByScopeInner(accountId);
    ResourceId parsedAccountId = ResourceId.fromString(accountId);
    String accountSubscriptionId = parsedAccountId.subscriptionId();
    // The account may live outside the client's current subscription; downstream checks need to know that.
    boolean crossSubscription = !client.getCurrentSubscription().subscriptionId().equals(accountSubscriptionId);
    List<RoleAssignmentInner> assignmentsInAccountSubscription =
            getRoleAssignmentsOfSubscription(assignmentsOnAccount, accountSubscriptionId, client, crossSubscription);
    for (Identity candidate : identities) {
        List<String> acceptedScopes = List.of(accountName, parsedAccountId.resourceGroupName(), accountSubscriptionId);
        validateRoleAssigmentAndScope(assignmentsInAccountSubscription, resultBuilder, candidate, acceptedScopes, crossSubscription, cloudIdentityType);
    }
}

Example 2 with Identity

use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.

Class AzureIDBrokerObjectStorageValidatorTest, method testValidateObjectStorageNoMappedRoles: verifies that identities whose role assignments are granted to other principals are reported as having no assignment.

@Test
public void testValidateObjectStorageNoMappedRoles() {
    // Both mapped identities exist, but the only role assignments on the relevant scopes belong to
    // two unrelated principal ids, so the validator must flag the mapped identities as unassigned.
    final String unrelatedAssumerPrincipal = "489e3729-aed1-4d54-a95b-b231b70d383f";
    final String unrelatedLoggerPrincipal = "61a70b9b-7331-4fa3-8717-2652fc70434e";

    SpiFileSystem fileSystem = setupSpiFileSystem(true);
    when(assumer.id()).thenReturn(USER_IDENTITY_1);
    when(logger.id()).thenReturn(GROUP_IDENTITY_1);

    PagedList<Identity> knownIdentities = Mockito.spy(PagedList.class);
    knownIdentities.add(assumer);
    knownIdentities.add(logger);
    when(client.listIdentities()).thenReturn(knownIdentities);

    new RoleASsignmentBuilder(client)
            .withAssignment(unrelatedAssumerPrincipal, SUBSCRIPTION_FULL_ID)
            .withAssignment(unrelatedLoggerPrincipal, STORAGE_RESOURCE_GROUP_NAME);

    ValidationResultBuilder resultBuilder = new ValidationResultBuilder();
    underTest.validateObjectStorage(client, fileSystem, STORAGE_LOCATION_RANGER, null, null, resultBuilder);
    ValidationResult result = resultBuilder.build();

    assertTrue(result.hasError());
    List<String> errors = result.getErrors();
    assertEquals(5, errors.size());
    String assumerNoRole = String.format("Identity with id %s has no role assignment.", USER_IDENTITY_1);
    String loggerNoScope = String.format("Identity with id %s has no role assignment on scope", GROUP_IDENTITY_1);
    String assumerNoScope = String.format("Identity with id %s has no role assignment on scope", USER_IDENTITY_1);
    assertTrue(errors.stream().anyMatch(message -> message.contains(assumerNoRole)));
    assertTrue(errors.stream().anyMatch(message -> message.contains(loggerNoScope)));
    assertTrue(errors.stream().anyMatch(message -> message.contains(assumerNoScope)));
}

Example 3 with Identity

use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.

Class AzureClient, method checkIdentityRoleAssignement: reports whether a managed identity's principal appears in any role assignment at the given scope.

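/**
 * Returns whether the managed identity {@code identityId} is the principal of at least one role
 * assignment at {@code scopeId}.
 * <p>
 * Only the principal is matched: any role definition counts, so a positive result says the identity
 * has <em>some</em> role at the scope, not that it holds a specific one. Callers that need a particular
 * role must inspect the assignments themselves.
 *
 * @param identityId resource id of the managed identity
 * @param scopeId    scope (subscription, resource group or resource id) whose assignments are listed
 * @return {@code true} if a matching assignment exists; {@code false} if none does or the identity
 *         cannot be resolved
 */
public boolean checkIdentityRoleAssignement(String identityId, String scopeId) {
    Identity identity = getIdentityById(identityId);
    if (identity == null) {
        // getIdentityById yields null for an unknown identity (validateObjectStorage relies on the same
        // behaviour); previously this dereferenced null while matching principals.
        return false;
    }
    String principalId = identity.principalId();
    if (principalId == null) {
        // Nothing to match against; no assignment can ever reference a null principal.
        return false;
    }
    PagedList<RoleAssignment> roleAssignments = listRoleAssignmentsByScope(scopeId);
    // equalsIgnoreCase(null) is false, which covers assignments that carry no principal id.
    return roleAssignments.stream()
            .anyMatch(assignment -> principalId.equalsIgnoreCase(assignment.principalId()));
}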

Example 4 with Identity

use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.

Class AzureIDBrokerObjectStorageValidator, method validateObjectStorage: entry point that resolves each file system's managed identity and dispatches to the ID Broker or log-identity validation.

/**
 * Validates the managed identities attached to the file systems of {@code spiFileSystem}.
 * <p>
 * After the hierarchical-namespace check, every file system view is treated as an ADLS Gen2 view
 * (the cast is unconditional, so a view of another type fails here). Its managed identity is looked
 * up; an identity that cannot be resolved is reported as an error. ID Broker identities are checked
 * against the role assignments of {@code singleResourceGroupName} when one is given, otherwise
 * against the assignments the client lists without a scope restriction; log identities are checked
 * against {@code logsLocationBase}. Views with any other identity type are not validated.
 *
 * @param client                  Azure client used for lookups
 * @param spiFileSystem           file system definition carrying the views to validate
 * @param logsLocationBase        base location for logs, used by the hierarchical-namespace and log checks
 * @param backupLocationBase      base location for backups, used by the hierarchical-namespace check
 * @param singleResourceGroupName resource group to scope ID Broker role-assignment lookups to, or {@code null}
 * @param resultBuilder           collector for validation errors
 * @return the built validation result
 */
public ValidationResult validateObjectStorage(AzureClient client, SpiFileSystem spiFileSystem, String logsLocationBase, String backupLocationBase, String singleResourceGroupName, ValidationResultBuilder resultBuilder) {
    LOGGER.info("Validating Azure identities...");
    List<CloudFileSystemView> views = spiFileSystem.getCloudFileSystems();
    validateHierarchicalNamespace(client, spiFileSystem, logsLocationBase, backupLocationBase, resultBuilder);
    if (views == null || views.isEmpty()) {
        return resultBuilder.build();
    }
    for (CloudFileSystemView view : views) {
        // Only ADLS Gen2 views are expected here; anything else would throw a ClassCastException.
        CloudAdlsGen2View adlsView = (CloudAdlsGen2View) view;
        String identityId = adlsView.getManagedIdentity();
        Identity identity = client.getIdentityById(identityId);
        CloudIdentityType identityType = adlsView.getCloudIdentityType();
        if (identity == null) {
            addError(resultBuilder, String.format("%s Identity with id %s does not exist in the given Azure subscription. %s", getIdentityType(identityType), identityId, getAdviceMessage(IDENTITY, identityType)));
            continue;
        }
        if (ID_BROKER.equals(identityType)) {
            List<RoleAssignmentInner> assignments;
            Optional<ResourceGroup> scopeGroup;
            if (singleResourceGroupName == null) {
                // No resource group given: fall back to the client's unscoped listing.
                assignments = client.listRoleAssignments();
                scopeGroup = Optional.empty();
            } else {
                ResourceGroup group = client.getResourceGroup(singleResourceGroupName);
                assignments = client.listRoleAssignmentsByScopeInner(group.id());
                scopeGroup = Optional.of(group);
            }
            validateIDBroker(client, assignments, identity, adlsView, scopeGroup, resultBuilder);
        } else if (LOG.equals(identityType)) {
            validateLog(client, identity, logsLocationBase, resultBuilder);
        }
        // Any other identity type is skipped without an error.
    }
    return resultBuilder.build();
}

Example 5 with Identity

use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.

Class AzureIDBrokerObjectStorageValidator, method validateAllMappedIdentities: checks that every identity referenced by the user and group mappings exists and returns the ones that do.

/**
 * Resolves the identities referenced by the file system's user and group mappings.
 * <p>
 * Each mapped identity id has its {@code /resourceGroups/} segment folded to lower case before it is
 * compared with the ids returned by {@code client.listIdentities()}; the rest of the id is compared
 * verbatim, so any other casing difference between the mapping and what Azure returns is reported
 * as a missing identity. One error is recorded per id that is not found.
 *
 * @param client              Azure client used to list existing identities
 * @param cloudFileSystemView view whose account mapping is inspected; a {@code null} mapping yields an empty set
 * @param resultBuilder       collector for validation errors
 * @return the existing identities that the mappings reference (never {@code null})
 */
private Set<Identity> validateAllMappedIdentities(AzureClient client, CloudFileSystemView cloudFileSystemView, ValidationResultBuilder resultBuilder) {
    AccountMappingBase mappings = cloudFileSystemView.getAccountMapping();
    if (mappings == null) {
        return Collections.emptySet();
    }
    Set<String> requestedIds = new HashSet<>();
    requestedIds.addAll(mappings.getUserMappings().values());
    requestedIds.addAll(mappings.getGroupMappings().values());
    // Normalise only the resource-group segment; the remaining path is matched as-is.
    Set<String> normalisedIds = requestedIds.stream()
            .map(id -> id.replaceFirst("(?i)/resourceGroups/", "/resourcegroups/"))
            .collect(Collectors.toSet());
    PagedList<Identity> knownIdentities = client.listIdentities();
    Set<String> knownIds = knownIdentities.stream().map(Identity::id).collect(Collectors.toSet());
    MutableSet<String> missingIds = Sets.difference(normalisedIds, knownIds);
    for (String missingId : missingIds) {
        addError(resultBuilder, String.format("Identity with id %s does not exist in the given Azure subscription. %s", missingId, getAdviceMessage(IDENTITY, ID_BROKER)));
    }
    Set<String> presentIds = Sets.difference(normalisedIds, missingIds);
    return knownIdentities.stream()
            .filter(identity -> presentIds.contains(identity.id()))
            .collect(Collectors.toSet());
}
