
Example 41 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

Method verifyCredentialsPermission of class AwsCredentialConnector.

private CloudCredentialStatus verifyCredentialsPermission(CloudCredential cloudCredential, AwsCredentialView awsCredential, CloudCredentialStatus credentialStatus) {
    if (cloudCredential.isVerifyPermissions()) {
        try {
            String environmentMinimalPoliciesJson = awsPlatformParameters.getEnvironmentMinimalPoliciesJson().get(getPolicyType(new AwsCredentialView(cloudCredential).isGovernmentCloudEnabled()));
            verifyCredentialsPermission(awsCredential, environmentMinimalPoliciesJson);
        } catch (AwsPermissionMissingException e) {
            credentialStatus = new CloudCredentialStatus(cloudCredential, PERMISSIONS_MISSING, new Exception(e.getMessage()), e.getMessage());
        }
    }
    return credentialStatus;
}
Also used : AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) AmazonClientException(com.amazonaws.AmazonClientException) CloudCredentialStatus(com.sequenceiq.cloudbreak.cloud.model.CloudCredentialStatus)

Example 42 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

Method validateAws of class AwsCredentialVerifier.

@Cacheable(value = AwsCredentialCachingConfig.TEMPORARY_AWS_CREDENTIAL_VERIFIER_CACHE, unless = "#awsCredential == null")
public void validateAws(AwsCredentialView awsCredential, String policyJson) throws AwsPermissionMissingException {
    String policies = new String(Base64.getDecoder().decode(policyJson));
    try {
        List<RequiredAction> resourcesWithActions = getRequiredActions(policies);
        AmazonIdentityManagementClient amazonIdentityManagement = awsClient.createAmazonIdentityManagement(awsCredential);
        AmazonSecurityTokenServiceClient awsSecurityTokenService = awsClient.createSecurityTokenService(awsCredential);
        String arn;
        if (awsCredential.getRoleArn() != null) {
            arn = awsCredential.getRoleArn();
        } else {
            GetCallerIdentityResult callerIdentity = awsSecurityTokenService.getCallerIdentity(new GetCallerIdentityRequest());
            arn = callerIdentity.getArn();
        }
        List<String> failedActionList = new ArrayList<>();
        for (RequiredAction resourceAndAction : resourcesWithActions) {
            SimulatePrincipalPolicyRequest simulatePrincipalPolicyRequest = new SimulatePrincipalPolicyRequest();
            simulatePrincipalPolicyRequest.setMaxItems(MAX_ELEMENT_SIZE);
            simulatePrincipalPolicyRequest.setPolicySourceArn(arn);
            simulatePrincipalPolicyRequest.setActionNames(resourceAndAction.getActionNames());
            simulatePrincipalPolicyRequest.setResourceArns(Collections.singleton(resourceAndAction.getResourceArn()));
            simulatePrincipalPolicyRequest.setContextEntries(resourceAndAction.getConditions());
            LOGGER.debug("Simulate policy request: {}", simulatePrincipalPolicyRequest);
            SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = amazonIdentityManagement.simulatePrincipalPolicy(simulatePrincipalPolicyRequest);
            LOGGER.debug("Simulate policy result: {}", simulatePrincipalPolicyResult);
            simulatePrincipalPolicyResult.getEvaluationResults().stream().filter(evaluationResult -> evaluationResult.getEvalDecision().toLowerCase().contains("deny")).map(evaluationResult -> {
                if (evaluationResult.getOrganizationsDecisionDetail() != null && !evaluationResult.getOrganizationsDecisionDetail().getAllowedByOrganizations()) {
                    return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName() + " -> Denied by Organization Rule";
                } else {
                    return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName();
                }
            }).forEach(failedActionList::add);
        }
        if (!failedActionList.isEmpty()) {
            throw new AwsPermissionMissingException(String.format("CDP Credential '%s' doesn't have permission for these actions which are required: %s", awsCredential.getName(), failedActionList.stream().collect(joining(", ", "[ ", " ]"))));
        }
    } catch (IOException e) {
        throw new IllegalStateException("Can not parse aws policy json", e);
    }
}
Also used : Policy(com.amazonaws.auth.policy.Policy) AwsCredentialCachingConfig(com.sequenceiq.cloudbreak.cloud.aws.common.cache.AwsCredentialCachingConfig) Action(com.amazonaws.auth.policy.Action) Cacheable(org.springframework.cache.annotation.Cacheable) LoggerFactory(org.slf4j.LoggerFactory) SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest) ContextEntry(com.amazonaws.services.identitymanagement.model.ContextEntry) ArrayList(java.util.ArrayList) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) Inject(javax.inject.Inject) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) Service(org.springframework.stereotype.Service) ContextKeyTypeEnum(com.amazonaws.services.identitymanagement.model.ContextKeyTypeEnum) AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient) Statement(com.amazonaws.auth.policy.Statement) GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult) Logger(org.slf4j.Logger) JsonPolicyReader(com.amazonaws.auth.policy.internal.JsonPolicyReader) IOException(java.io.IOException) Collectors(java.util.stream.Collectors) Collectors.joining(java.util.stream.Collectors.joining) GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest) SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult) Base64(java.util.Base64) List(java.util.List) AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient) Optional(java.util.Optional) Collections(java.util.Collections) Condition(com.amazonaws.auth.policy.Condition) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) 
AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient) ArrayList(java.util.ArrayList) IOException(java.io.IOException) SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest) GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest) AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient) SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult) GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult) Cacheable(org.springframework.cache.annotation.Cacheable)

Example 43 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

Method determineDefaultRegion of class AwsDefaultRegionSelector.

public String determineDefaultRegion(CloudCredential cloudCredential) {
    String result = null;
    AwsCredentialView awsCredential = new AwsCredentialView(cloudCredential);
    String originalDefaultRegion = defaultZoneProvider.getDefaultZone(cloudCredential);
    Set<Region> enabledRegions = platformResources.getEnabledRegions();
    LOGGER.debug("Try to describe regions by using the global default region '{}' in EC2.", originalDefaultRegion);
    boolean globalDefaultRegionViable = describeRegionsViaEc2Region(awsCredential, originalDefaultRegion);
    if (!globalDefaultRegionViable && CollectionUtils.isNotEmpty(enabledRegions)) {
        LOGGER.info("Regions could not be described by using the global default region '{}' in EC2. Starting to describe regions with other regions", originalDefaultRegion);
        String regionSelected = enabledRegions.stream().filter(r -> describeRegionsViaEc2Region(awsCredential, r.getRegionName())).findFirst().orElseThrow(() -> {
            List<String> usedRegions = enabledRegions.stream().map(Region::getRegionName).collect(Collectors.toList());
            usedRegions.add(originalDefaultRegion);
            String regions = String.join(",", usedRegions);
            String msg = String.format("Failed to describe available EC2 regions by configuring SDK to use the following regions: '%s'", regions);
            LOGGER.warn(msg);
            return new AwsDefaultRegionSelectionFailed(msg);
        }).getRegionName();
        if (!originalDefaultRegion.equals(regionSelected)) {
            LOGGER.info("The default region for credential needs to be changed from '{}' to '{}'", originalDefaultRegion, regionSelected);
            result = regionSelected;
        }
    } else if (!globalDefaultRegionViable) {
        String msg = String.format("Failed to describe available EC2 regions in region '%s'", originalDefaultRegion);
        LOGGER.warn(msg);
        throw new AwsDefaultRegionSelectionFailed(msg);
    }
    return result;
}
Also used : AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) Logger(org.slf4j.Logger) DescribeRegionsRequest(com.amazonaws.services.ec2.model.DescribeRegionsRequest) Region(com.sequenceiq.cloudbreak.cloud.model.Region) LoggerFactory(org.slf4j.LoggerFactory) Set(java.util.Set) CloudCredential(com.sequenceiq.cloudbreak.cloud.model.CloudCredential) Collectors(java.util.stream.Collectors) CollectionUtils(org.apache.commons.collections4.CollectionUtils) Inject(javax.inject.Inject) List(java.util.List) AmazonEc2Client(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonEc2Client) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) Service(org.springframework.stereotype.Service) AmazonEC2Exception(com.amazonaws.services.ec2.model.AmazonEC2Exception) AwsDefaultRegionSelectionFailed(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsDefaultRegionSelectionFailed) AwsDefaultRegionSelectionFailed(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsDefaultRegionSelectionFailed) Region(com.sequenceiq.cloudbreak.cloud.model.Region) List(java.util.List)

Example 44 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

Method getStackResourceStatusReasons of class AwsCloudFormationErrorMessageProvider.

private String getStackResourceStatusReasons(AwsCredentialView credentialView, String region, String stackName, Set<String> resourceErrorStatuses, AmazonCloudFormationClient cfClient) {
    DescribeStackResourcesRequest describeStackResourcesRequest = new DescribeStackResourcesRequest().withStackName(stackName);
    DescribeStackResourcesResult describeStackResourcesResult = cfClient.describeStackResources(describeStackResourcesRequest);
    String stackResourceStatusReasons = describeStackResourcesResult.getStackResources().stream().filter(stackResource -> resourceErrorStatuses.contains(stackResource.getResourceStatus())).map(stackResource -> getStackResourceMessage(credentialView, region, stackResource)).collect(Collectors.joining(", "));
    return stackResourceStatusReasons;
}
Also used : Arrays(java.util.Arrays) DescribeStacksRequest(com.amazonaws.services.cloudformation.model.DescribeStacksRequest) LoggerFactory(org.slf4j.LoggerFactory) StackResource(com.amazonaws.services.cloudformation.model.StackResource) DescribeStacksResult(com.amazonaws.services.cloudformation.model.DescribeStacksResult) Inject(javax.inject.Inject) StackEvent(com.amazonaws.services.cloudformation.model.StackEvent) AmazonCloudFormationClient(com.sequenceiq.cloudbreak.cloud.aws.client.AmazonCloudFormationClient) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) AuthenticatedContext(com.sequenceiq.cloudbreak.cloud.context.AuthenticatedContext) DescribeStackEventsResult(com.amazonaws.services.cloudformation.model.DescribeStackEventsResult) AwsEncodedAuthorizationFailureMessageDecoder(com.sequenceiq.cloudbreak.cloud.aws.common.util.AwsEncodedAuthorizationFailureMessageDecoder) Logger(org.slf4j.Logger) DescribeStackResourcesResult(com.amazonaws.services.cloudformation.model.DescribeStackResourcesResult) AwsCloudFormationClient(com.sequenceiq.cloudbreak.cloud.aws.AwsCloudFormationClient) Set(java.util.Set) ResourceStatus(com.amazonaws.services.cloudformation.model.ResourceStatus) Collectors(java.util.stream.Collectors) Objects(java.util.Objects) List(java.util.List) Component(org.springframework.stereotype.Component) Stream(java.util.stream.Stream) CollectionUtils(org.springframework.util.CollectionUtils) DescribeStackEventsRequest(com.amazonaws.services.cloudformation.model.DescribeStackEventsRequest) DescribeStackResourcesRequest(com.amazonaws.services.cloudformation.model.DescribeStackResourcesRequest) StringUtils(org.springframework.util.StringUtils) DescribeStackResourcesResult(com.amazonaws.services.cloudformation.model.DescribeStackResourcesResult) DescribeStackResourcesRequest(com.amazonaws.services.cloudformation.model.DescribeStackResourcesRequest)

Example 45 with AwsCredentialView

use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.

Method allInstancesDeletedFromCloudFormation of class AwsMigrationUtil.

public boolean allInstancesDeletedFromCloudFormation(AuthenticatedContext ac, CloudResource cloudResource) {
    String regionName = ac.getCloudContext().getLocation().getRegion().value();
    AwsCredentialView awsCredential = new AwsCredentialView(ac.getCloudCredential());
    DescribeStackResourcesResult describeStackResourcesResult = awsClient.createCloudFormationClient(awsCredential, regionName).describeStackResources(new DescribeStackResourcesRequest().withStackName(cloudResource.getName()));
    List<StackResource> asGroups = describeStackResourcesResult.getStackResources().stream().filter(it -> "AWS::AutoScaling::AutoScalingGroup".equals(it.getResourceType())).collect(Collectors.toList());
    LOGGER.debug("AutoScalingGroup fetched: {}", asGroups);
    boolean empty = true;
    int i = 0;
    while (empty && i < asGroups.size()) {
        StackResource asGroup = asGroups.get(i);
        List<String> result = cfStackUtil.getInstanceIds(awsClient.createAutoScalingClient(awsCredential, regionName), asGroup.getPhysicalResourceId());
        LOGGER.debug("{} autoScalingGroup has {} instance(s): {}", asGroup.getPhysicalResourceId(), result.size(), result);
        empty = result.isEmpty();
        i++;
    }
    return empty;
}
Also used : AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) Logger(org.slf4j.Logger) DescribeStackResourcesResult(com.amazonaws.services.cloudformation.model.DescribeStackResourcesResult) AwsCloudFormationClient(com.sequenceiq.cloudbreak.cloud.aws.AwsCloudFormationClient) CloudResource(com.sequenceiq.cloudbreak.cloud.model.CloudResource) CloudFormationStackUtil(com.sequenceiq.cloudbreak.cloud.aws.CloudFormationStackUtil) Collectors(java.util.stream.Collectors) StackResource(com.amazonaws.services.cloudformation.model.StackResource) Inject(javax.inject.Inject) List(java.util.List) Component(org.springframework.stereotype.Component) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) AuthenticatedContext(com.sequenceiq.cloudbreak.cloud.context.AuthenticatedContext) LoggerFactory.getLogger(org.slf4j.LoggerFactory.getLogger) DescribeStackResourcesRequest(com.amazonaws.services.cloudformation.model.DescribeStackResourcesRequest) DescribeStackResourcesResult(com.amazonaws.services.cloudformation.model.DescribeStackResourcesResult) DescribeStackResourcesRequest(com.amazonaws.services.cloudformation.model.DescribeStackResourcesRequest) StackResource(com.amazonaws.services.cloudformation.model.StackResource)

Aggregations

AwsCredentialView (com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)94 AmazonEc2Client (com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonEc2Client)32 CloudConnectorException (com.sequenceiq.cloudbreak.cloud.exception.CloudConnectorException)32 List (java.util.List)25 AmazonServiceException (com.amazonaws.AmazonServiceException)22 AmazonCloudFormationClient (com.sequenceiq.cloudbreak.cloud.aws.client.AmazonCloudFormationClient)21 Logger (org.slf4j.Logger)21 Inject (javax.inject.Inject)20 ArrayList (java.util.ArrayList)19 Collectors (java.util.stream.Collectors)19 CloudInstance (com.sequenceiq.cloudbreak.cloud.model.CloudInstance)18 Group (com.sequenceiq.cloudbreak.cloud.model.Group)18 Set (java.util.Set)18 CloudResource (com.sequenceiq.cloudbreak.cloud.model.CloudResource)17 CloudStack (com.sequenceiq.cloudbreak.cloud.model.CloudStack)17 Map (java.util.Map)16 LoggerFactory (org.slf4j.LoggerFactory)16 AuthenticatedContext (com.sequenceiq.cloudbreak.cloud.context.AuthenticatedContext)15 Service (org.springframework.stereotype.Service)15 AmazonAutoScalingClient (com.sequenceiq.cloudbreak.cloud.aws.client.AmazonAutoScalingClient)14