def create_role_user(session, actor, name, description, canjoin):
# type (Session, User, str, str, str) -> None
"""DEPRECATED: Do not use in production code
Creates a service account with the given name, description, and canjoin status
Args:
session: the database session
actor: the user creating the service account
name: the name of the service account
description: description of the service account
canjoin: the canjoin status for management of the service account
Throws:
IntegrityError: if a user or group with the given name already exists
"""
user = User(username=name, role_user=True)
group = Group(groupname=name, description=description, canjoin=canjoin)
user.add(session)
group.add(session)
group.add_member(actor, actor, "Group Creator", "actioned", None, "np-owner")
group.add_member(actor, user, "Service Account", "actioned", None, "member")
session.commit()
AuditLog.log(
session,
actor.id,
"create_role_user",
"Created new service account.",
on_group_id=group.id,
on_user_id=user.id,
)
def create_service_account(session, actor, name, description, machine_set, owner):
# type: (Session, User, str, str, str, Group) -> ServiceAccount
"""Creates a service account and its underlying user.
Also adds the service account to the list of accounts managed by the owning group.
Throws:
BadMachineSet: if some plugin rejected the machine set
DuplicateServiceAccount: if a user with the given name already exists
"""
user = User(username=name, is_service_account=True)
service_account = ServiceAccount(user=user, description=description, machine_set=machine_set)
if machine_set is not None:
_check_machine_set(service_account, machine_set)
try:
user.add(session)
service_account.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise DuplicateServiceAccount("User {} already exists".format(name))
# Counter is updated here and the session is committed, so we don't need an additional update
# or commit for the account creation.
add_service_account(session, owner, service_account)
AuditLog.log(session, actor.id, "create_service_account", "Created new service account.",
on_group_id=owner.id, on_user_id=service_account.user_id)
return service_account
def create_user(self, name):
# type: (str) -> None
"""Create a user, does nothing if it already exists."""
if User.get(self.session, name=name):
return
user = User(username=name)
user.add(self.session)
def service_accounts(session, users, groups):
user = User(username="******", is_service_account=True)
service_account = ServiceAccount(user=user,
description="some service account",
machine_set="some machines")
user.add(session)
service_account.add(session)
session.flush()
add_service_account(session, groups["team-sre"], service_account)
return {"*****@*****.**": service_account}
def create_role_user(self,
role_user,
description="",
join_policy=GroupJoinPolicy.CAN_ASK):
# type: (str, str, GroupJoinPolicy) -> None
"""Create an old-style role user.
This concept is obsolete and all code related to it will be deleted once all remaining
legacy role users have been converted to service accounts. This method should be used only
for tests to maintain backward compatibility until that happens.
"""
user = User(username=role_user, role_user=True)
user.add(self.session)
self.create_group(role_user, description, join_policy)
self.add_user_to_group(role_user, role_user)
def create_service_account(self,
service_account,
owner,
description="",
machine_set=""):
# type: (str, str, str, str) -> None
self.create_group(owner)
group_obj = Group.get(self.session, name=owner)
assert group_obj
if User.get(self.session, name=service_account):
return
user = User(username=service_account)
user.add(self.session)
service_account_obj = ServiceAccount(user_id=user.id,
description=description,
machine_set=machine_set)
service_account_obj.add(self.session)
user.is_service_account = True
self.session.flush()
owner_map = GroupServiceAccount(
group_id=group_obj.id, service_account_id=service_account_obj.id)
owner_map.add(self.session)
