Example 1 with Identity
use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
the class AzureIDBrokerObjectStorageValidator method validateStorageAccount.
private void validateStorageAccount(AzureClient client, Set<Identity> identities, String location, CloudIdentityType cloudIdentityType, ValidationResultBuilder resultBuilder) {
AdlsGen2Config adlsGen2Config = adlsGen2ConfigGenerator.generateStorageConfig(location);
String storageAccountName = adlsGen2Config.getAccount();
Optional<String> storageAccountIdOptional = azureStorage.findStorageAccountIdInVisibleSubscriptions(client, storageAccountName);
if (storageAccountIdOptional.isEmpty()) {
LOGGER.debug("Storage account {} not found or insufficient permission to list subscriptions and / or storage accounts.", storageAccountName);
addError(resultBuilder, String.format("Storage account with name %s not found in the given Azure subscription. %s", storageAccountName, getAdviceMessage(STORAGE_LOCATION, cloudIdentityType)));
return;
}
List<RoleAssignmentInner> roleAssignments = client.listRoleAssignmentsByScopeInner(storageAccountIdOptional.get());
ResourceId storageAccountResourceId = ResourceId.fromString(storageAccountIdOptional.get());
boolean differentSubscriptions = !client.getCurrentSubscription().subscriptionId().equals(storageAccountResourceId.subscriptionId());
List<RoleAssignmentInner> roleAssignmentsForSubscription = getRoleAssignmentsOfSubscription(roleAssignments, storageAccountResourceId.subscriptionId(), client, differentSubscriptions);
for (Identity identity : identities) {
validateRoleAssigmentAndScope(roleAssignmentsForSubscription, resultBuilder, identity, List.of(storageAccountName, storageAccountResourceId.resourceGroupName(), storageAccountResourceId.subscriptionId()), differentSubscriptions, cloudIdentityType);
}
}
Also used :
ResourceId(com.microsoft.azure.management.resources.fluentcore.arm.ResourceId)
AdlsGen2Config(com.sequenceiq.cloudbreak.telemetry.fluent.cloud.AdlsGen2Config)
RoleAssignmentInner(com.microsoft.azure.management.graphrbac.implementation.RoleAssignmentInner)
Identity(com.microsoft.azure.management.msi.Identity)
Example 2 with Identity
use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
the class AzureIDBrokerObjectStorageValidatorTest method testValidateObjectStorageNoMappedRoles.
@Test
public void testValidateObjectStorageNoMappedRoles() {
SpiFileSystem fileSystem = setupSpiFileSystem(true);
PagedList<Identity> identityPagedList = Mockito.spy(PagedList.class);
when(assumer.id()).thenReturn(USER_IDENTITY_1);
when(logger.id()).thenReturn(GROUP_IDENTITY_1);
identityPagedList.add(assumer);
identityPagedList.add(logger);
when(client.listIdentities()).thenReturn(identityPagedList);
final String wrongAssumerIdentityPrincipalid = "489e3729-aed1-4d54-a95b-b231b70d383f";
final String wrongLoggerIdentityPrincipalid = "61a70b9b-7331-4fa3-8717-2652fc70434e";
new RoleASsignmentBuilder(client).withAssignment(wrongAssumerIdentityPrincipalid, SUBSCRIPTION_FULL_ID).withAssignment(wrongLoggerIdentityPrincipalid, STORAGE_RESOURCE_GROUP_NAME);
ValidationResultBuilder resultBuilder = new ValidationResultBuilder();
underTest.validateObjectStorage(client, fileSystem, STORAGE_LOCATION_RANGER, null, null, resultBuilder);
ValidationResult validationResult = resultBuilder.build();
assertTrue(validationResult.hasError());
assertEquals(5, validationResult.getErrors().size());
List<String> actual = validationResult.getErrors();
assertTrue(actual.stream().anyMatch(item -> item.contains(String.format("Identity with id %s has no role assignment.", USER_IDENTITY_1))));
assertTrue(actual.stream().anyMatch(item -> item.contains(String.format("Identity with id %s has no role assignment on scope", GROUP_IDENTITY_1))));
assertTrue(actual.stream().anyMatch(item -> item.contains(String.format("Identity with id %s has no role assignment on scope", USER_IDENTITY_1))));
}
Also used :
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
AzureClient(com.sequenceiq.cloudbreak.cloud.azure.client.AzureClient)
AdlsGen2Config(com.sequenceiq.cloudbreak.telemetry.fluent.cloud.AdlsGen2Config)
StorageAccount(com.microsoft.azure.management.storage.StorageAccount)
Mock(org.mockito.Mock)
RunWith(org.junit.runner.RunWith)
Identity(com.microsoft.azure.management.msi.Identity)
SpiFileSystem(com.sequenceiq.cloudbreak.cloud.model.SpiFileSystem)
AccountMappingBase(com.sequenceiq.common.api.cloudstorage.AccountMappingBase)
PagedList(com.microsoft.azure.PagedList)
ValidationResult(com.sequenceiq.cloudbreak.validation.ValidationResult)
ValidationResultBuilder(com.sequenceiq.cloudbreak.validation.ValidationResult.ValidationResultBuilder)
Map(java.util.Map)
Spy(org.mockito.Spy)
ResourceGroup(com.microsoft.azure.management.resources.ResourceGroup)
Before(org.junit.Before)
InjectMocks(org.mockito.InjectMocks)
Subscription(com.microsoft.azure.management.resources.Subscription)
AzureStorage(com.sequenceiq.cloudbreak.cloud.azure.AzureStorage)
AdlsGen2ConfigGenerator(com.sequenceiq.cloudbreak.telemetry.fluent.cloud.AdlsGen2ConfigGenerator)
CloudStorageCdpService(com.sequenceiq.common.model.CloudStorageCdpService)
StorageLocationBase(com.sequenceiq.common.api.cloudstorage.StorageLocationBase)
Assert.assertTrue(org.junit.Assert.assertTrue)
Mockito.times(org.mockito.Mockito.times)
Test(org.junit.Test)
Mockito.when(org.mockito.Mockito.when)
CloudFileSystemView(com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudFileSystemView)
Mockito.verify(org.mockito.Mockito.verify)
CloudAdlsGen2View(com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudAdlsGen2View)
Mockito(org.mockito.Mockito)
List(java.util.List)
Assert.assertFalse(org.junit.Assert.assertFalse)
FileSystemType(com.sequenceiq.common.model.FileSystemType)
Optional(java.util.Optional)
CloudIdentityType(com.sequenceiq.common.model.CloudIdentityType)
MockitoJUnitRunner(org.mockito.junit.MockitoJUnitRunner)
RoleAssignmentInner(com.microsoft.azure.management.graphrbac.implementation.RoleAssignmentInner)
Assert.assertEquals(org.junit.Assert.assertEquals)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Mockito.mock(org.mockito.Mockito.mock)
ValidationResultBuilder(com.sequenceiq.cloudbreak.validation.ValidationResult.ValidationResultBuilder)
SpiFileSystem(com.sequenceiq.cloudbreak.cloud.model.SpiFileSystem)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Identity(com.microsoft.azure.management.msi.Identity)
ValidationResult(com.sequenceiq.cloudbreak.validation.ValidationResult)
Test(org.junit.Test)
Example 3 with Identity
use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
the class AzureClient method checkIdentityRoleAssignement.
public boolean checkIdentityRoleAssignement(String identityId, String scopeId) {
Identity identity = getIdentityById(identityId);
PagedList<RoleAssignment> roleAssignments = listRoleAssignmentsByScope(scopeId);
return roleAssignments.stream().anyMatch(roleAssignment -> roleAssignment.principalId() != null && roleAssignment.principalId().equalsIgnoreCase(identity.principalId()));
}
Also used :
RoleAssignment(com.microsoft.azure.management.graphrbac.RoleAssignment)
EncryptionSetIdentity(com.microsoft.azure.management.compute.EncryptionSetIdentity)
Identity(com.microsoft.azure.management.msi.Identity)
Example 4 with Identity
use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
the class AzureIDBrokerObjectStorageValidator method validateObjectStorage.
public ValidationResult validateObjectStorage(AzureClient client, SpiFileSystem spiFileSystem, String logsLocationBase, String backupLocationBase, String singleResourceGroupName, ValidationResultBuilder resultBuilder) {
LOGGER.info("Validating Azure identities...");
List<CloudFileSystemView> cloudFileSystems = spiFileSystem.getCloudFileSystems();
validateHierarchicalNamespace(client, spiFileSystem, logsLocationBase, backupLocationBase, resultBuilder);
if (Objects.nonNull(cloudFileSystems) && cloudFileSystems.size() > 0) {
for (CloudFileSystemView cloudFileSystemView : cloudFileSystems) {
CloudAdlsGen2View cloudFileSystem = (CloudAdlsGen2View) cloudFileSystemView;
String managedIdentityId = cloudFileSystem.getManagedIdentity();
Identity identity = client.getIdentityById(managedIdentityId);
CloudIdentityType cloudIdentityType = cloudFileSystem.getCloudIdentityType();
if (identity != null) {
if (ID_BROKER.equals(cloudIdentityType)) {
List<RoleAssignmentInner> roleAssignments;
Optional<ResourceGroup> singleResourceGroup;
if (singleResourceGroupName != null) {
ResourceGroup resourceGroup = client.getResourceGroup(singleResourceGroupName);
roleAssignments = client.listRoleAssignmentsByScopeInner(resourceGroup.id());
singleResourceGroup = Optional.of(resourceGroup);
} else {
roleAssignments = client.listRoleAssignments();
singleResourceGroup = Optional.empty();
}
validateIDBroker(client, roleAssignments, identity, cloudFileSystem, singleResourceGroup, resultBuilder);
} else if (LOG.equals(cloudIdentityType)) {
validateLog(client, identity, logsLocationBase, resultBuilder);
}
} else {
addError(resultBuilder, String.format("%s Identity with id %s does not exist in the given Azure subscription. %s", getIdentityType(cloudIdentityType), managedIdentityId, getAdviceMessage(IDENTITY, cloudIdentityType)));
}
}
}
return resultBuilder.build();
}
Also used :
CloudFileSystemView(com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudFileSystemView)
CloudAdlsGen2View(com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudAdlsGen2View)
CloudIdentityType(com.sequenceiq.common.model.CloudIdentityType)
Identity(com.microsoft.azure.management.msi.Identity)
RoleAssignmentInner(com.microsoft.azure.management.graphrbac.implementation.RoleAssignmentInner)
ResourceGroup(com.microsoft.azure.management.resources.ResourceGroup)
Example 5 with Identity
use of com.microsoft.azure.management.msi.Identity in project cloudbreak by hortonworks.
the class AzureIDBrokerObjectStorageValidator method validateAllMappedIdentities.
private Set<Identity> validateAllMappedIdentities(AzureClient client, CloudFileSystemView cloudFileSystemView, ValidationResultBuilder resultBuilder) {
Set<Identity> validMappedIdentities = Collections.emptySet();
AccountMappingBase accountMappings = cloudFileSystemView.getAccountMapping();
if (accountMappings != null) {
Set<String> mappedIdentityIds = new HashSet<>();
mappedIdentityIds.addAll(accountMappings.getUserMappings().values());
mappedIdentityIds.addAll(accountMappings.getGroupMappings().values());
mappedIdentityIds = mappedIdentityIds.stream().map(id -> id.replaceFirst("(?i)/resourceGroups/", "/resourcegroups/")).collect(Collectors.toSet());
PagedList<Identity> existingIdentities = client.listIdentities();
Set<String> existingIdentityIds = existingIdentities.stream().map(Identity::id).collect(Collectors.toSet());
MutableSet<String> nonExistingIdentityIds = Sets.difference(mappedIdentityIds, existingIdentityIds);
nonExistingIdentityIds.stream().forEach(identityId -> addError(resultBuilder, String.format("Identity with id %s does not exist in the given Azure subscription. %s", identityId, getAdviceMessage(IDENTITY, ID_BROKER))));
Set<String> validMappedIdentityIds = Sets.difference(mappedIdentityIds, nonExistingIdentityIds);
validMappedIdentities = existingIdentities.stream().filter(identity -> validMappedIdentityIds.contains(identity.id())).collect(Collectors.toSet());
}
return validMappedIdentities;
}
Also used :
AccountMappingBase(com.sequenceiq.common.api.cloudstorage.AccountMappingBase)
Identity(com.microsoft.azure.management.msi.Identity)
HashSet(java.util.HashSet)
Aggregations
Identity (com.microsoft.azure.management.msi.Identity)8
RoleAssignmentInner (com.microsoft.azure.management.graphrbac.implementation.RoleAssignmentInner)4
ResourceGroup (com.microsoft.azure.management.resources.ResourceGroup)4
PagedList (com.microsoft.azure.PagedList)3
AzureClient (com.sequenceiq.cloudbreak.cloud.azure.client.AzureClient)3
SpiFileSystem (com.sequenceiq.cloudbreak.cloud.model.SpiFileSystem)3
CloudAdlsGen2View (com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudAdlsGen2View)3
CloudFileSystemView (com.sequenceiq.cloudbreak.cloud.model.filesystem.CloudFileSystemView)3
ValidationResult (com.sequenceiq.cloudbreak.validation.ValidationResult)3
ValidationResultBuilder (com.sequenceiq.cloudbreak.validation.ValidationResult.ValidationResultBuilder)3
AccountMappingBase (com.sequenceiq.common.api.cloudstorage.AccountMappingBase)3
CloudIdentityType (com.sequenceiq.common.model.CloudIdentityType)3
List (java.util.List)3
Map (java.util.Map)3
Test (org.junit.Test)3
Subscription (com.microsoft.azure.management.resources.Subscription)2
StorageAccount (com.microsoft.azure.management.storage.StorageAccount)2
AzureStorage (com.sequenceiq.cloudbreak.cloud.azure.AzureStorage)2
AdlsGen2Config (com.sequenceiq.cloudbreak.telemetry.fluent.cloud.AdlsGen2Config)2
HashSet (java.util.HashSet)2
