
Example 46 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

The class AwsCredentialVerifierTest, method verifyCredentialAndThrowFailExceptionTest.

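@Test
public void verifyCredentialAndThrowFailExceptionTest() throws IOException {
    // Scenario: every simulated action is denied, so validateAws must throw and the message must name
    // each denied action (and none of the accepted ones).
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
    // Explicit charset: the no-arg getBytes() uses the platform default, which would make the encoded
    // policy depend on the machine running the test.
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(Charsets.UTF_8));
    // Dummy key material; nothing reaches AWS because every client is mocked below.
    Map<String, Object> awsParameters = new HashMap<>();
    awsParameters.put("accessKey", "a");
    awsParameters.put("secretKey", "b");
    CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);
    AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
    when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);
    // STS answers the caller-identity lookup with a fixed ARN; it must be the policy source of every simulate request.
    AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
    GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
    getCallerIdentityResult.setArn("arn");
    when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
    when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);
    ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
    // Counts simulate calls; the counter is appended to the action names so each call's results are distinguishable.
    AtomicInteger callCounter = new AtomicInteger();
    when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenAnswer(invocation -> {
        // Three denied actions on a concrete resource plus one accepted wildcard action per call.
        List<EvaluationResult> evaluationResults = new ArrayList<>();
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action1_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action2_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action3_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("accept")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("accepted_action_" + callCounter)
                .withEvalResourceName("*"));
        SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
        simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
        callCounter.getAndIncrement();
        return simulatePrincipalPolicyResult;
    });
    try {
        awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
        fail("It should throw verification exception");
    } catch (AwsPermissionMissingException e) {
        // Every denied action must be reported; the accepted one must not leak into the message.
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action1"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action2"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action3"));
        assertThat(e.getMessage(), not(CoreMatchers.containsString("accepted_action")));
    }
    // The verifier is expected to split the policy into a fixed number of simulate requests, each against the caller ARN.
    List<SimulatePrincipalPolicyRequest> allSimulatePrincipalPolicyRequest = requestArgumentCaptor.getAllValues();
    int simulateRequestNumber = 5;
    assertEquals("expect if " + simulateRequestNumber + " simulate request has been sent", simulateRequestNumber, allSimulatePrincipalPolicyRequest.size());
    allSimulatePrincipalPolicyRequest.forEach(simulatePrincipalPolicyRequest -> assertEquals("arn", simulatePrincipalPolicyRequest.getPolicySourceArn()));
}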

Example 47 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

The class AwsCredentialVerifierTest, method verifyCredentialAndOrganizatioDecisionDetailIsNullTest.

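@Test
public void verifyCredentialAndOrganizatioDecisionDetailIsNullTest() throws IOException {
    // Scenario: same denied/accepted mix as the fail-exception test, but AWS returns no
    // OrganizationsDecisionDetail at all; the verifier must cope with the null and still report the denials.
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
    // Explicit charset: the no-arg getBytes() uses the platform default, which would make the encoded
    // policy depend on the machine running the test.
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(Charsets.UTF_8));
    // Dummy key material; nothing reaches AWS because every client is mocked below.
    Map<String, Object> awsParameters = new HashMap<>();
    awsParameters.put("accessKey", "a");
    awsParameters.put("secretKey", "b");
    CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);
    AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
    when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);
    // STS answers the caller-identity lookup with a fixed ARN; it must be the policy source of every simulate request.
    AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
    GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
    getCallerIdentityResult.setArn("arn");
    when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
    when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);
    ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
    // Counts simulate calls; the counter is appended to the action names so each call's results are distinguishable.
    AtomicInteger callCounter = new AtomicInteger();
    when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenAnswer(invocation -> {
        // Three denied actions on a concrete resource plus one accepted wildcard action, all without organisation detail.
        List<EvaluationResult> evaluationResults = new ArrayList<>();
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action1_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action2_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("deny")
                .withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action3_" + callCounter)
                .withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult()
                .withEvalDecision("accept")
                .withOrganizationsDecisionDetail(null)
                .withEvalActionName("accepted_action_" + callCounter)
                .withEvalResourceName("*"));
        SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
        simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
        callCounter.getAndIncrement();
        return simulatePrincipalPolicyResult;
    });
    try {
        awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
        fail("It should throw verification exception");
    } catch (AwsPermissionMissingException e) {
        // The first call's denials ("_0" suffix) must be reported together with their resource; the accepted action must not.
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action1_0 : aws:ec2,"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action2_0 : aws:ec2,"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action3_0 : aws:ec2,"));
        assertThat(e.getMessage(), not(CoreMatchers.containsString("accepted_action")));
    }
    // The verifier is expected to split the policy into a fixed number of simulate requests, each against the caller ARN.
    List<SimulatePrincipalPolicyRequest> allSimulatePrincipalPolicyRequest = requestArgumentCaptor.getAllValues();
    int simulateRequestNumber = 5;
    assertEquals("expect if " + simulateRequestNumber + " simulate request has been sent", simulateRequestNumber, allSimulatePrincipalPolicyRequest.size());
    allSimulatePrincipalPolicyRequest.forEach(simulatePrincipalPolicyRequest -> assertEquals("arn", simulatePrincipalPolicyRequest.getPolicySourceArn()));
}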

Example 48 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

The class AwsNativeResourceConnector, method launchLoadBalancers.

@Override
public List<CloudResourceStatus> launchLoadBalancers(AuthenticatedContext authenticatedContext, CloudStack stack, PersistenceNotifier persistenceNotifier) throws Exception {
    LOGGER.info("Launching elastic load balancers");
    // Build a region-scoped ELB client from the credential carried by the authenticated context.
    AwsCredentialView credentialView = new AwsCredentialView(authenticatedContext.getCloudCredential());
    String regionName = authenticatedContext.getCloudContext().getLocation().getRegion().value();
    AmazonElasticLoadBalancingClient elbClient = commonAwsClient.createElasticLoadBalancingClient(credentialView, regionName);
    // The trailing boolean is passed through unchanged; its meaning is defined by loadBalancerLaunchService.
    return loadBalancerLaunchService.launchLoadBalancerResources(authenticatedContext, stack, persistenceNotifier, elbClient, true);
}

Example 49 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

The class AwsCloudFormationSetup, method scalingPrerequisites.

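@Override
public void scalingPrerequisites(AuthenticatedContext ac, CloudStack stack, boolean upscale) {
    // Only upscale is pre-checked here; nothing is verified for downscale.
    if (!upscale) {
        return;
    }
    String regionName = ac.getCloudContext().getLocation().getRegion().value();
    AwsCredentialView awsCredential = new AwsCredentialView(ac.getCloudCredential());
    AmazonCloudFormationClient cloudFormationClient = awsClient.createCloudFormationClient(awsCredential, regionName);
    AmazonAutoScalingClient amazonASClient = awsClient.createAutoScalingClient(awsCredential, regionName);
    // A group is being upscaled when at least one of its instances is still waiting to be created.
    List<Group> groups = stack.getGroups().stream()
            .filter(g -> g.getInstances().stream().anyMatch(inst -> InstanceStatus.CREATE_REQUESTED == inst.getTemplate().getStatus()))
            .collect(Collectors.toList());
    if (groups.isEmpty()) {
        // Nothing to check. Returning early also avoids a DescribeAutoScalingGroups call with an empty name list,
        // which AWS treats as "describe every group in the region" and which the lookup below could not match.
        LOGGER.debug("No group has instances in CREATE_REQUESTED state, skipping upscale prerequisites");
        return;
    }
    // ASG name -> cloudbreak group, so the describe result can be matched back to the stack's groups.
    Map<String, Group> groupMap = groups.stream()
            .collect(Collectors.toMap(g -> cfStackUtil.getAutoscalingGroupName(ac, cloudFormationClient, g.getName()), g -> g));
    DescribeAutoScalingGroupsResult result = amazonASClient.describeAutoScalingGroups(
            new DescribeAutoScalingGroupsRequest().withAutoScalingGroupNames(groupMap.keySet()));
    for (AutoScalingGroup asg : result.getAutoScalingGroups()) {
        Group group = groupMap.get(asg.getAutoScalingGroupName());
        if (group == null) {
            // Defensive: the request named specific groups, so an unknown one should not come back; skip it rather than NPE.
            LOGGER.warn("Autoscaling group {} was returned but is not among the upscaled groups, skipping", asg.getAutoScalingGroupName());
            continue;
        }
        // Instances cloudbreak already considers created; they must be healthy and in sync with AWS before more are added.
        List<CloudInstance> groupInstances = group.getInstances().stream()
                .filter(inst -> InstanceStatus.CREATED.equals(inst.getTemplate().getStatus()))
                .collect(Collectors.toList());
        List<CloudVmInstanceStatus> instanceStatuses = instanceConnector.check(ac, groupInstances);
        if (checkInstanceStatuses(instanceStatuses, ac.getCloudCredential().getAccountId())) {
            throw upscaleNotPossible("Not all the existing instances are in allowed state, upscale is not possible!");
        }
        verifyAsgInstancesInSync(asg, groupInstances);
        verifyAsgDesiredCapacity(asg, groupInstances);
    }
}

/**
 * Fails when the ASG membership and cloudbreak's CREATED instances differ in either direction.
 *
 * @param asg            the autoscaling group as described by AWS
 * @param groupInstances the instances cloudbreak considers created in that group
 * @throws CloudConnectorException listing the instance ids known only to one side
 */
private void verifyAsgInstancesInSync(AutoScalingGroup asg, List<CloudInstance> groupInstances) {
    Set<String> cbInstanceIds = groupInstances.stream().map(CloudInstance::getInstanceId).collect(Collectors.toSet());
    Set<String> asgInstanceIds = asg.getInstances().stream().map(Instance::getInstanceId).collect(Collectors.toSet());
    // Iterate the original lists (not the sets) so the reported ids keep their source order.
    List<String> asgOnlyIds = asg.getInstances().stream()
            .map(Instance::getInstanceId)
            .filter(id -> !cbInstanceIds.contains(id))
            .collect(Collectors.toList());
    List<String> cbOnlyIds = groupInstances.stream()
            .map(CloudInstance::getInstanceId)
            .filter(id -> !asgInstanceIds.contains(id))
            .collect(Collectors.toList());
    if (!asgOnlyIds.isEmpty() || !cbOnlyIds.isEmpty()) {
        throw upscaleNotPossible("The instances in the autoscaling group are not in sync with the instances in cloudbreak! Cloudbreak only instances: ["
                + String.join(",", cbOnlyIds) + "], AWS only instances: [" + String.join(",", asgOnlyIds) + "]. Upscale is not possible!");
    }
}

/**
 * Fails when the ASG's desired capacity does not equal the number of instances cloudbreak considers created.
 *
 * @param asg            the autoscaling group as described by AWS
 * @param groupInstances the instances cloudbreak considers created in that group
 * @throws CloudConnectorException when the two counts differ (a missing desired capacity counts as a mismatch)
 */
private void verifyAsgDesiredCapacity(AutoScalingGroup asg, List<CloudInstance> groupInstances) {
    Integer desiredCapacity = asg.getDesiredCapacity();
    // Explicit null check instead of auto-unboxing, so a missing capacity is reported rather than thrown as an NPE.
    if (desiredCapacity == null || desiredCapacity.intValue() != groupInstances.size()) {
        throw upscaleNotPossible(String.format("The autoscale group's desired instance count is not match with the instance count in the cloudbreak."
                + " Desired count: %d <> cb instance count: %d. Upscale is not possible!", desiredCapacity, groupInstances.size()));
    }
}

/**
 * Logs the reason and builds the exception that aborts the upscale; callers {@code throw} the returned value.
 *
 * @param errorMessage the human-readable reason, logged as-is and used as the exception message
 * @return the exception to throw
 */
private CloudConnectorException upscaleNotPossible(String errorMessage) {
    LOGGER.info(errorMessage);
    return new CloudConnectorException(errorMessage);
}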

Example 50 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

The class AwsObjectStorageConnector, method validateObjectStorage.

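@Override
public ObjectStorageValidateResponse validateObjectStorage(ObjectStorageValidateRequest request) {
    String accountId = Crn.safeFromString(request.getCredential().getId()).getAccountId();
    if (!entitlementService.awsCloudStorageValidationEnabled(accountId)) {
        // The request carries the credential itself, so serializing the whole request could write credential
        // material into the log; only non-secret context (account and storage locations) is logged here.
        LOGGER.info("Aws Cloud storage validation entitlement is missing for account {}, not validating cloud storage request (logs location: {}, backup location: {})",
                accountId, request.getLogsLocationBase(), request.getBackupLocationBase());
        return ObjectStorageValidateResponse.builder().withStatus(ResponseStatus.OK).build();
    }
    AwsCredentialView awsCredentialView = new AwsCredentialView(request.getCredential());
    AmazonIdentityManagementClient iam = awsClient.createAmazonIdentityManagement(awsCredentialView);
    SpiFileSystem spiFileSystem = request.getSpiFileSystem();
    ValidationResultBuilder resultBuilder = new ValidationResultBuilder();
    resultBuilder.prefix("Cloud Storage validation failed");
    ValidationResult validationResult = awsIDBrokerObjectStorageValidator.validateObjectStorage(iam, spiFileSystem,
            request.getLogsLocationBase(), request.getBackupLocationBase(), resultBuilder);
    // Errors make the response ERROR; otherwise the status is OK and any warnings are surfaced through the same error field.
    if (validationResult.hasError()) {
        return ObjectStorageValidateResponse.builder()
                .withStatus(ResponseStatus.ERROR)
                .withError(validationResult.getFormattedErrors())
                .build();
    }
    return ObjectStorageValidateResponse.builder()
            .withStatus(ResponseStatus.OK)
            .withError(validationResult.getFormattedWarnings())
            .build();
}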
