Use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
Class AwsCredentialConnector, method verifyCredentialsPermission.
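/**
 * Verifies that the credential holds the minimal IAM permissions the environment needs,
 * but only when the credential asks for permission verification.
 *
 * @param cloudCredential credential being verified; its {@code isVerifyPermissions} flag gates
 *        the check and its government-cloud flag selects which minimal policy set is simulated
 * @param awsCredential AWS view of the credential handed to the permission simulation
 * @param credentialStatus status computed so far; returned unchanged when the check is skipped
 *        or passes
 * @return {@code credentialStatus}, or a new {@code PERMISSIONS_MISSING} status carrying the
 *         simulation's message when required permissions are missing
 */
private CloudCredentialStatus verifyCredentialsPermission(CloudCredential cloudCredential, AwsCredentialView awsCredential,
        CloudCredentialStatus credentialStatus) {
    if (!cloudCredential.isVerifyPermissions()) {
        return credentialStatus;
    }
    try {
        // The government-cloud flag decides which minimal policy document is simulated.
        boolean governmentCloud = new AwsCredentialView(cloudCredential).isGovernmentCloudEnabled();
        String environmentMinimalPoliciesJson = awsPlatformParameters.getEnvironmentMinimalPoliciesJson()
                .get(getPolicyType(governmentCloud));
        verifyCredentialsPermission(awsCredential, environmentMinimalPoliciesJson);
    } catch (AwsPermissionMissingException e) {
        // Keep the original exception as the cause so the diagnostic chain survives instead of
        // only its message.
        credentialStatus = new CloudCredentialStatus(cloudCredential, PERMISSIONS_MISSING,
                new Exception(e.getMessage(), e), e.getMessage());
    }
    return credentialStatus;
}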
Use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
Class AwsCredentialVerifier, method validateAws.
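/**
 * Simulates the IAM actions required by {@code policyJson} against the credential's principal and
 * fails when any required action is denied.
 * <p>
 * A successful run is cached per {@code (awsCredential, policyJson)} pair in
 * {@link AwsCredentialCachingConfig#TEMPORARY_AWS_CREDENTIAL_VERIFIER_CACHE}; a thrown
 * {@link AwsPermissionMissingException} is not cached by Spring's {@code @Cacheable}, so a failed
 * credential is verified again on the next call.
 *
 * @param awsCredential credential whose principal is simulated; its role ARN is the policy source
 *        when set, otherwise the ARN returned by STS {@code GetCallerIdentity} is used
 * @param policyJson Base64-encoded JSON listing the required actions per resource
 * @throws AwsPermissionMissingException when at least one required action is denied, listing every
 *         denied {@code action : resource} pair
 * @throws IllegalStateException when the decoded policy JSON cannot be parsed
 */
@Cacheable(value = AwsCredentialCachingConfig.TEMPORARY_AWS_CREDENTIAL_VERIFIER_CACHE, unless = "#awsCredential == null")
public void validateAws(AwsCredentialView awsCredential, String policyJson) throws AwsPermissionMissingException {
    // Decode with an explicit charset; the platform default is not guaranteed to be UTF-8 before Java 18.
    String policies = new String(Base64.getDecoder().decode(policyJson), java.nio.charset.StandardCharsets.UTF_8);
    try {
        List<RequiredAction> resourcesWithActions = getRequiredActions(policies);
        AmazonIdentityManagementClient amazonIdentityManagement = awsClient.createAmazonIdentityManagement(awsCredential);
        AmazonSecurityTokenServiceClient awsSecurityTokenService = awsClient.createSecurityTokenService(awsCredential);
        String arn;
        if (awsCredential.getRoleArn() != null) {
            arn = awsCredential.getRoleArn();
        } else {
            // No role configured: simulate against whatever principal the credential authenticates as.
            GetCallerIdentityResult callerIdentity = awsSecurityTokenService.getCallerIdentity(new GetCallerIdentityRequest());
            arn = callerIdentity.getArn();
        }
        List<String> failedActionList = new ArrayList<>();
        for (RequiredAction resourceAndAction : resourcesWithActions) {
            String marker = null;
            do {
                SimulatePrincipalPolicyRequest simulatePrincipalPolicyRequest = new SimulatePrincipalPolicyRequest();
                simulatePrincipalPolicyRequest.setMaxItems(MAX_ELEMENT_SIZE);
                simulatePrincipalPolicyRequest.setPolicySourceArn(arn);
                simulatePrincipalPolicyRequest.setActionNames(resourceAndAction.getActionNames());
                simulatePrincipalPolicyRequest.setResourceArns(Collections.singleton(resourceAndAction.getResourceArn()));
                simulatePrincipalPolicyRequest.setContextEntries(resourceAndAction.getConditions());
                simulatePrincipalPolicyRequest.setMarker(marker);
                LOGGER.debug("Simulate policy request: {}", simulatePrincipalPolicyRequest);
                SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = amazonIdentityManagement.simulatePrincipalPolicy(simulatePrincipalPolicyRequest);
                LOGGER.debug("Simulate policy result: {}", simulatePrincipalPolicyResult);
                // Any decision containing "deny" (implicit or explicit) is a failure; Locale.ROOT keeps
                // the match independent of the JVM default locale.
                simulatePrincipalPolicyResult.getEvaluationResults().stream()
                        .filter(evaluationResult -> evaluationResult.getEvalDecision().toLowerCase(java.util.Locale.ROOT).contains("deny"))
                        .map(evaluationResult -> {
                            if (evaluationResult.getOrganizationsDecisionDetail() != null
                                    && !evaluationResult.getOrganizationsDecisionDetail().getAllowedByOrganizations()) {
                                return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName() + " -> Denied by Organization Rule";
                            } else {
                                return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName();
                            }
                        })
                        .forEach(failedActionList::add);
                // Follow the pagination marker: MaxItems caps one response, and a truncated page must not
                // hide a denied action behind a passing verification.
                marker = Boolean.TRUE.equals(simulatePrincipalPolicyResult.getIsTruncated()) ? simulatePrincipalPolicyResult.getMarker() : null;
            } while (marker != null);
        }
        if (!failedActionList.isEmpty()) {
            throw new AwsPermissionMissingException(String.format("CDP Credential '%s' doesn't have permission for these actions which are required: %s",
                    awsCredential.getName(), failedActionList.stream().collect(joining(", ", "[ ", " ]"))));
        }
    } catch (IOException e) {
        throw new IllegalStateException("Can not parse aws policy json", e);
    }
}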
Use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
Class AwsDefaultRegionSelector, method determineDefaultRegion.
/**
 * Picks the EC2 region the credential should use as its default.
 * <p>
 * The globally configured default region is tried first. When regions cannot be described through
 * it, every enabled region is tried in turn and the first one that works wins. {@code null} means
 * "keep the current default": either it works, or the first working region is the default itself.
 *
 * @param cloudCredential credential whose default region is being selected
 * @return the region name to switch to, or {@code null} when the configured default needs no change
 * @throws AwsDefaultRegionSelectionFailed when no region, the configured default included, can
 *         describe EC2 regions
 */
public String determineDefaultRegion(CloudCredential cloudCredential) {
    AwsCredentialView credentialView = new AwsCredentialView(cloudCredential);
    String configuredDefault = defaultZoneProvider.getDefaultZone(cloudCredential);
    Set<Region> candidates = platformResources.getEnabledRegions();
    LOGGER.debug("Try to describe regions by using the global default region '{}' in EC2.", configuredDefault);
    if (describeRegionsViaEc2Region(credentialView, configuredDefault)) {
        return null;
    }
    if (candidates == null || candidates.isEmpty()) {
        // Nothing else to try: the configured default is the only region we know about.
        String msg = String.format("Failed to describe available EC2 regions in region '%s'", configuredDefault);
        LOGGER.warn(msg);
        throw new AwsDefaultRegionSelectionFailed(msg);
    }
    LOGGER.info("Regions could not be described by using the global default region '{}' in EC2. Starting to describe regions with other regions", configuredDefault);
    String selected = candidates.stream()
            .filter(candidate -> describeRegionsViaEc2Region(credentialView, candidate.getRegionName()))
            .map(Region::getRegionName)
            .findFirst()
            .orElseThrow(() -> regionSelectionFailure(candidates, configuredDefault));
    if (configuredDefault.equals(selected)) {
        return null;
    }
    LOGGER.info("The default region for credential needs to be changed from '{}' to '{}'", configuredDefault, selected);
    return selected;
}

/**
 * Builds (and logs) the failure raised when none of the enabled regions nor the configured default
 * could describe EC2 regions.
 *
 * @param candidates enabled regions that were tried
 * @param configuredDefault the configured default region, listed last in the message
 * @return the exception for the caller to throw
 */
private AwsDefaultRegionSelectionFailed regionSelectionFailure(Set<Region> candidates, String configuredDefault) {
    List<String> triedRegions = candidates.stream().map(Region::getRegionName).collect(Collectors.toList());
    triedRegions.add(configuredDefault);
    String msg = String.format("Failed to describe available EC2 regions by configuring SDK to use the following regions: '%s'",
            String.join(",", triedRegions));
    LOGGER.warn(msg);
    return new AwsDefaultRegionSelectionFailed(msg);
}
Use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
Class AwsCloudFormationErrorMessageProvider, method getStackResourceStatusReasons.
/**
 * Collects a message for every resource of the stack whose status is one of
 * {@code resourceErrorStatuses}, joined with {@code ", "}.
 *
 * @param credentialView credential passed through to {@code getStackResourceMessage}
 * @param region region passed through to {@code getStackResourceMessage}
 * @param stackName CloudFormation stack whose resources are described
 * @param resourceErrorStatuses resource statuses that count as failures
 * @param cfClient CloudFormation client used for the describe call
 * @return the joined messages, or an empty string when no resource is in a failure status
 */
private String getStackResourceStatusReasons(AwsCredentialView credentialView, String region, String stackName,
        Set<String> resourceErrorStatuses, AmazonCloudFormationClient cfClient) {
    DescribeStackResourcesRequest request = new DescribeStackResourcesRequest().withStackName(stackName);
    DescribeStackResourcesResult described = cfClient.describeStackResources(request);
    return described.getStackResources().stream()
            .filter(resource -> resourceErrorStatuses.contains(resource.getResourceStatus()))
            .map(resource -> getStackResourceMessage(credentialView, region, resource))
            .collect(Collectors.joining(", "));
}
Use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
Class AwsMigrationUtil, method allInstancesDeletedFromCloudFormation.
/**
 * Tells whether no auto-scaling group of the CloudFormation stack behind {@code cloudResource}
 * still has an instance.
 * <p>
 * Groups are checked one by one and the check stops at the first group that still reports an
 * instance, so not every group is necessarily queried.
 *
 * @param ac authenticated context supplying the credential and the region
 * @param cloudResource resource whose name is the CloudFormation stack name
 * @return {@code true} when the stack has no auto-scaling group, or none of its groups has an
 *         instance left; {@code false} as soon as one group still has instances
 */
public boolean allInstancesDeletedFromCloudFormation(AuthenticatedContext ac, CloudResource cloudResource) {
    String regionName = ac.getCloudContext().getLocation().getRegion().value();
    AwsCredentialView awsCredential = new AwsCredentialView(ac.getCloudCredential());
    DescribeStackResourcesRequest request = new DescribeStackResourcesRequest().withStackName(cloudResource.getName());
    DescribeStackResourcesResult described = awsClient.createCloudFormationClient(awsCredential, regionName).describeStackResources(request);
    List<StackResource> autoScalingGroups = described.getStackResources().stream()
            .filter(resource -> "AWS::AutoScaling::AutoScalingGroup".equals(resource.getResourceType()))
            .collect(Collectors.toList());
    LOGGER.debug("AutoScalingGroup fetched: {}", autoScalingGroups);
    for (StackResource autoScalingGroup : autoScalingGroups) {
        String groupId = autoScalingGroup.getPhysicalResourceId();
        // An auto-scaling client is created for each group that gets inspected.
        List<String> instanceIds = cfStackUtil.getInstanceIds(awsClient.createAutoScalingClient(awsCredential, regionName), groupId);
        LOGGER.debug("{} autoScalingGroup has {} instance(s): {}", groupId, instanceIds.size(), instanceIds);
        if (!instanceIds.isEmpty()) {
            return false;
        }
    }
    return true;
}