

Fix/google bucket creation (#273)
* fix(bucket-creation): limit fence-service creds to not have access to change bucket IAM, require storage creds

* feat(bucket-creation): allow passing a different project_id for group creation

allows the project holding the buckets and the cloud-identity-linked project to be
different Google Projects

* fix(bucket-creation): remove arg, parse storage project from creds file
Avantol13 authored Jun 22, 2018
1 parent 5fdf8e9 commit 9205572
Showing 1 changed file with 28 additions and 10 deletions.
38 changes: 28 additions & 10 deletions fence/scripting/fence_create.py
Expand Up @@ -3,6 +3,7 @@
import time
import uuid
import yaml
import json

from authlib.common.encoding import to_unicode
from cirrus import GoogleCloudManager
Expand Down Expand Up @@ -704,6 +705,17 @@ def create_google_bucket(

google_project_id = google_project_id or cirrus_config.GOOGLE_PROJECT_ID

# determine project where buckets are located
# default to same project, try to get storage creds project from key file
storage_creds_project_id = google_project_id
storage_creds_file = cirrus_config.configs['GOOGLE_STORAGE_CREDS']
if os.path.exists(storage_creds_file):
with open(storage_creds_file) as file:
storage_creds_project_id = (
json.load(file)
.get('project_id', google_project_id)
)

# default to read access
allowed_privileges = allowed_privileges or ['read', 'write']

Expand All @@ -717,7 +729,7 @@ def create_google_bucket(
name=name,
storage_class=storage_class,
requester_pays=requester_pays,
google_project_id=google_project_id,
storage_creds_project_id=storage_creds_project_id,
public=public,
project_auth_id=project_auth_id,
access_logs_bucket=access_logs_bucket)
Expand All @@ -730,17 +742,19 @@ def create_google_bucket(
google_bucket_name=name,
bucket_db_id=bucket_db_entry.id,
google_project_id=google_project_id,
storage_creds_project_id=storage_creds_project_id,
privileges=[privilege])


def _create_google_bucket_and_update_db(
db_session, name, storage_class, public, requester_pays,
google_project_id, project_auth_id, access_logs_bucket):
storage_creds_project_id, project_auth_id, access_logs_bucket):
"""
Handles creates the Google bucket and adding necessary db entry
"""
manager = GoogleCloudManager(
google_project_id, creds=cirrus_config.configs['GOOGLE_STORAGE_CREDS'])
storage_creds_project_id,
creds=cirrus_config.configs['GOOGLE_STORAGE_CREDS'])
with manager as g_mgr:
g_mgr.create_or_update_bucket(
name,
Expand Down Expand Up @@ -820,9 +834,8 @@ def _create_google_bucket_and_update_db(

def _create_google_bucket_access_group(
db_session, google_bucket_name, bucket_db_id, google_project_id,
privileges):
storage_creds_project_id, privileges):
access_group = None

# use default creds for creating group and iam policies
with GoogleCloudManager(google_project_id) as g_mgr:
# create bucket access group
Expand All @@ -839,13 +852,18 @@ def _create_google_bucket_access_group(
db_session.add(access_group)
db_session.commit()

# use storage creds to update bucket iam
storage_manager = GoogleCloudManager(
storage_creds_project_id,
creds=cirrus_config.configs['GOOGLE_STORAGE_CREDS'])
with storage_manager as g_mgr:
g_mgr.give_group_access_to_bucket(
group_email, google_bucket_name, access=privileges)

print(
'Successfully created Google Bucket Access Group {} '
'for Google Bucket {}.'
.format(group_email, google_bucket_name)
)
print(
'Successfully created Google Bucket Access Group {} '
'for Google Bucket {}.'
.format(group_email, google_bucket_name)
)

return access_group
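Review bot: In the block added at `storage_creds_project_id = (...)` in create_google_bucket, a storage creds file that exists but carries no `project_id` silently falls back to `google_project_id`, and a missing file takes the same fallback even though that same path is then passed as `creds=` to `GoogleCloudManager` in `_create_google_bucket_and_update_db` and `_create_google_bucket_access_group`, so the failure surfaces later with a less obvious cause and the two projects are conflated, which is the situation this commit sets out to separate. Since the commit message says storage creds are now required, failing fast seems more in keeping: `if not os.path.exists(storage_creds_file): raise ValueError('GOOGLE_STORAGE_CREDS file not found: {}'.format(storage_creds_file))`, and indexing `['project_id']` instead of `.get('project_id', google_project_id)` so a missing key names the problem; if the fallback is intentional, the comment should state that both projects are then assumed to be the same. `os` is not among the imports visible in the first hunk, presumably it is imported above it. The `file` loop variable shadows a builtin; `creds_fh` or similar would avoid that. create_google_bucket begins above this hunk, so its parameter list is not visible here.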
