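def add_acs_resource(resource):
    """Create given ACS `{resource}`. For more information consult the DC/OS documentation:
       https://docs.mesosphere.com/1.9/administration/id-and-access-mgt/permissions/user-service-perms/

    Issues ``PUT acs/api/v1/acls/{resource}`` with the resource id reused as
    the ACL description.  A 409 (resource already exists) is logged and
    swallowed; any other HTTP error is logged and re-raised.

    :param resource: ACS resource id.  It is interpolated into the URL path
        verbatim -- nothing here escapes it -- so it must already be in the
        exact form the ACS API expects.
    :type resource: str
    :raises AssertionError: if the PUT returns a status other than 201.
    :raises DCOSHTTPException: for any HTTP error other than 409.
    """
    import json
    try:
        logger.info('Adding ACS resource: {}'.format(resource))
        url = dcos_url_path('acs/api/v1/acls/{}'.format(resource))
        extra_args = {'headers': {'Content-Type': 'application/json'}}
        req = http.put(url,
                       data=json.dumps({'description': resource}),
                       **extra_args)
        # Explicit raise rather than ``assert``: asserts are stripped under
        # ``python -O``, which would let a wrong status pass silently.
        # AssertionError is kept so callers that already catch it still work.
        if req.status_code != 201:
            raise AssertionError('Failed create ACS resource: {}, {}'.format(
                req, req.text))
    except DCOSHTTPException as e:
        if e.response.status_code == 409:
            logger.info('ACS resource {} already exists'.format(resource))
        else:
            logger.error("Unexpected HTTP error: {}, {}".format(
                e.response, e.response.text))
            raise
    except Exception:
        # Also covers the AssertionError above: log with traceback, then
        # propagate unchanged.
        logger.exception(
            "Unexpected error while adding ACS resource {}".format(resource))
        raise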
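def set_service_account_permissions(service_account,
                                    resource='dcos:superuser',
                                    action='full'):
    """Set permissions for given `{service_account}` for passed `{resource}` with
       `{action}`. For more information consult the DC/OS documentation:
       https://docs.mesosphere.com/1.9/administration/id-and-access-mgt/permissions/user-service-perms/

    Issues ``PUT acs/api/v1/acls/{resource}/users/{service_account}/{action}``.
    A 409 (permission already set) is logged and swallowed; any other HTTP
    error is logged and re-raised.

    :param service_account: id of the service account to grant to.
    :type service_account: str
    :param resource: ACS resource id.  The default is ``dcos:superuser``;
        pass the narrowest resource the account actually needs.
    :type resource: str
    :param action: permission to grant.  The default is ``full``.
    :type action: str
    :raises AssertionError: if the PUT returns a status other than 204.
    :raises DCOSHTTPException: for any HTTP error other than 409.
    """
    try:
        logger.info('Granting {} permissions to {}/users/{}'.format(
            action, resource, service_account))
        # All three values go into the path unescaped; callers must supply
        # them already in the form the ACS API expects.
        url = dcos_url_path('acs/api/v1/acls/{}/users/{}/{}'.format(
            resource, service_account, action))
        req = http.put(url)
        msg = 'Failed to grant permissions to the service account: {}, {}'.format(
            req, req.text)
        # Explicit raise rather than ``assert`` so the status check is not
        # stripped under ``python -O``; AssertionError kept for compatibility.
        if req.status_code != 204:
            raise AssertionError(msg)
    except DCOSHTTPException as e:
        if e.response.status_code == 409:
            logger.info(
                'Service account {} already has {} permissions set'.format(
                    service_account, resource))
        else:
            logger.error("Unexpected HTTP error: {}".format(e.response))
            raise
    except Exception:
        logger.exception(
            "Unexpected error when setting service account permissions")
        raise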
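def set_service_account_permissions(service_account, ressource='dcos:superuser', action='full'):
    """ Set permissions for given `{service_account}` for passed `{ressource}` with
        `{action}`. For more information consult the DC/OS documentation:
        https://docs.mesosphere.com/1.9/administration/id-and-access-mgt/permissions/user-service-perms/

        Issues ``PUT acs/api/v1/acls/{ressource}/users/{service_account}/{action}``.
        Unlike the logging variant of this helper, a 409 (already granted) is
        NOT tolerated here: every HTTP error propagates from ``http.put``.

        :param service_account: id of the service account to grant to.
        :type service_account: str
        :param ressource: ACS resource id (parameter name kept as-is for
            callers).  The default is ``dcos:superuser``; pass the narrowest
            resource the account actually needs.
        :type ressource: str
        :param action: permission to grant.  The default is ``full``.
        :type action: str
        :raises AssertionError: if the PUT returns a status other than 204.
    """
    print('Granting {} permissions to {}/users/{}'.format(action, ressource, service_account))
    url = urljoin(dcos_url(), 'acs/api/v1/acls/{}/users/{}/{}'.format(ressource, service_account, action))
    req = http.put(url)
    # Explicit raise rather than ``assert`` so the status check survives
    # ``python -O``; AssertionError is kept so existing callers are unaffected.
    if req.status_code != 204:
        raise AssertionError('Failed to grant permissions to the service account: {}, {}'.format(req, req.text))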
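def ensure_resource(rid, description='jope'):
    """ Creates or confirms that a resource is added into the DCOS Enterprise System.
        Example:  dcos:service:marathon:marathon:services:/example-secure

        Issues ``PUT {acl_url}/acls/{rid}``.  A 409 (already exists) is
        swallowed, which is what makes the call idempotent; any other HTTP
        error propagates.

        :param rid: resource ID, interpolated into the URL path verbatim
            (no escaping is applied here)
        :type rid: str
        :param description: ACL description sent with the PUT.  The default
            is the placeholder the original code hard-coded.
        :type description: str
        :raises AssertionError: if the PUT returns a status other than 201.
    """
    try:
        acl_url = urljoin(_acl_url(), 'acls/{}'.format(rid))
        r = http.put(acl_url, json={'description': description})
        # Explicit raise rather than ``assert`` so the check is not stripped
        # under ``python -O``; AssertionError kept for existing callers.
        if r.status_code != 201:
            raise AssertionError(
                'Failed to create resource {}: {}, {}'.format(rid, r, r.text))
    except DCOSHTTPException as e:
        # 409 means the resource already exists -- that is the "confirm" case.
        if e.response.status_code != 409:
            raise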
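def add_user_to_group(uid, gid, exist_ok=True):
    """ Adds a user to a group within DCOS Enterprise.  The group and
        user must exist.

        Issues ``PUT {acl_url}/groups/{gid}/users/{uid}``.  Both ids are
        interpolated into the path verbatim.

        :param uid: user id
        :type uid: str
        :param gid: group id
        :type gid: str
        :param exist_ok: True if it is ok for the relationship to pre-exist.
        :type exist_ok: bool
        :raises AssertionError: if the PUT returns a status other than 204.
        :raises DCOSHTTPException: for any HTTP error, or for a 409 when
            ``exist_ok`` is False.
    """
    acl_url = urljoin(_acl_url(), 'groups/{}/users/{}'.format(gid, uid))
    try:
        r = http.put(acl_url)
        # Explicit raise rather than ``assert`` so the check survives
        # ``python -O``; AssertionError kept for existing callers.
        if r.status_code != 204:
            raise AssertionError(
                'Failed to add user {} to group {}: {}, {}'.format(
                    uid, gid, r, r.text))
    except DCOSHTTPException as e:
        # A 409 (membership already present) is tolerated only when the
        # caller opted in via exist_ok; everything else propagates.
        if not (e.response.status_code == 409 and exist_ok):
            raise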
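def add_group(id, description=None):
    """ Adds group to the DCOS Enterprise.  If no description
        is provided the id will be used for the description.

        Issues ``PUT {acl_url}/groups/{id}``.  A 409 (group already exists)
        is swallowed; any other HTTP error propagates.

        :param id: group id, interpolated into the URL path verbatim
            (parameter name kept as-is for callers even though it shadows
            the builtin)
        :type id: str
        :param description: description of the group; an empty or missing
            value falls back to ``id``
        :type description: str
        :raises AssertionError: if the PUT returns a status other than 201.
    """

    # ``not description`` (rather than ``is None``) so an empty string also
    # falls back to the id, matching the documented behaviour.
    if not description:
        description = id
    data = {'description': description}
    acl_url = urljoin(_acl_url(), 'groups/{}'.format(id))
    try:
        r = http.put(acl_url, json=data)
        # Explicit raise rather than ``assert`` so the check survives
        # ``python -O``; AssertionError kept for existing callers.
        if r.status_code != 201:
            raise AssertionError(
                'Failed to add group {}: {}, {}'.format(id, r, r.text))
    except DCOSHTTPException as e:
        # 409: group already exists.
        if e.response.status_code != 409:
            raise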
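def add_user(uid, password, desc=None):
    """ Adds user to the DCOS Enterprise.  If no description
        is provided the uid will be used for the description.

        Issues ``PUT {acl_url}/users/{uid}`` with the description and
        password as the JSON body.  A 409 (user already exists) is swallowed;
        any other HTTP error propagates.  The password is only ever placed in
        the request body -- it is deliberately not included in the failure
        message below, so keep it out of any logging added around this call.

        :param uid: user id, interpolated into the URL path verbatim
        :type uid: str
        :param password: password
        :type password: str
        :param desc: description of user; ``None`` falls back to ``uid``
        :type desc: str
        :raises AssertionError: if the PUT returns a status other than 201.
    """
    try:
        desc = uid if desc is None else desc
        user_object = {"description": desc, "password": password}
        acl_url = urljoin(_acl_url(), 'users/{}'.format(uid))
        r = http.put(acl_url, json=user_object)
        # Explicit raise rather than ``assert`` so the check survives
        # ``python -O``; AssertionError kept for existing callers.
        if r.status_code != 201:
            raise AssertionError(
                'Failed to add user {}: {}, {}'.format(uid, r, r.text))
    except DCOSHTTPException as e:
        # already exists
        if e.response.status_code != 409:
            raise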
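def set_user_permission(rid, uid, action='full'):
    """ Sets users permission on a given resource.  The resource will be created
        if it doesn't exist.  Actions are: read, write, update, delete, full.

        Issues ``PUT {acl_url}/acls/{rid}/users/{uid}/{action}`` after
        ``ensure_resource``.  A 409 (permission already set) is swallowed;
        any other HTTP error propagates.

        :param uid: user id, interpolated into the URL path verbatim
        :type uid: str
        :param rid: resource ID; any ``/`` in it is rewritten to ``%252F``
            (a double-encoded slash) before use -- no other escaping is applied
        :type rid: str
        :param action: read, write, update, delete or full
        :type action: str
        :raises AssertionError: if the PUT returns a status other than 204.
    """
    # ``%252F`` decodes once to ``%2F``, i.e. the slash stays escaped after a
    # single decode.  NOTE(review): presumably the ACS API (or a proxy in
    # front of it) decodes the path once before matching -- confirm.
    rid = rid.replace('/', '%252F')
    # Create ACL if it does not yet exist.
    ensure_resource(rid)

    # Set the permission triplet.
    try:
        acl_url = urljoin(_acl_url(),
                          'acls/{}/users/{}/{}'.format(rid, uid, action))
        r = http.put(acl_url)
        # Explicit raise rather than ``assert`` so the check survives
        # ``python -O``; AssertionError kept for existing callers.
        if r.status_code != 204:
            raise AssertionError(
                'Failed to set {} permission for user {} on {}: {}, {}'.format(
                    action, uid, rid, r, r.text))
    except DCOSHTTPException as e:
        # 409: the permission triplet is already present.
        if e.response.status_code != 409:
            raise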