def list_users(args, l, rc):
    """Print a table of every 'user' account held in the library.

    Columns are Id, User, Type and Secret. The Secret column shows each
    account's secret in the clear (or the exception text when the secret
    cannot be read), so the printed output is itself sensitive. Nothing is
    printed when there are no user accounts.
    """
    from ambry.util import drop_empty
    from tabulate import tabulate

    headers = ['Id', 'User', 'Type', 'Secret']

    def row_for(acct):
        # A secret that cannot be read (e.g. undecryptable) must not stop
        # the listing of the other users; show the error text in its place.
        try:
            secret = acct.secret
        except Exception as e:
            secret = str(e)  # "<corrupt secret>"
        return [acct.account_id, acct.user_id, acct.minor_type, secret]

    # Each account is resolved exactly once, then filtered to users only.
    accounts = (l.account(key) for key in l.accounts.keys())
    rows = [row_for(acct) for acct in accounts if acct.major_type == 'user']

    if not rows:
        return

    table = drop_empty([headers] + rows)

    prt(tabulate(table[1:], table[0]))
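def new_user(args, l, rc):
    """Create the IAM user ``args.user_name`` and record it in the library.

    If the user already exists nothing is changed. Otherwise the user is
    created under AMBRY_PATH, one access key pair is generated for it, and
    an 'iam' account keyed on the user's ARN is stored in ``l`` with the key
    id and secret. The secret is also printed, because AWS only returns it
    at key creation; the terminal output is therefore sensitive.
    """
    from botocore.exceptions import ClientError

    client = get_client(args, 'iam')

    try:
        client.get_user(UserName=args.user_name)
    except ClientError as e:
        # Only "the user does not exist" means we should create it. Any
        # other failure (e.g. AccessDenied, throttling) must not be mistaken
        # for a missing user, so it is re-raised instead of triggering a
        # create_user call under a wrong assumption.
        if e.response.get('Error', {}).get('Code') != 'NoSuchEntity':
            raise
    else:
        prt("User already exists")
        return

    r = client.create_user(Path=AMBRY_PATH, UserName=args.user_name)

    iam = get_resource(args, 'iam')

    user = iam.User(r['User']['UserName'])

    key_pair = user.create_access_key_pair()

    # The library record is keyed on the ARN and holds the key material.
    account = l.find_or_new_account(user.arn)
    account.name = user.user_name
    account.major_type = 'iam'
    account.access_key = key_pair.id
    account.secret = key_pair.secret
    l.commit()

    prt("Created user : {}", user.user_name)
    prt("arn          : {}", user.arn)
    prt("Access Key   : {}", key_pair.id)
    prt("Secret Key   : {}", key_pair.secret)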
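def new_user(args, l, rc):
    """Create the IAM user ``args.user_name`` and store its credentials.

    An existing user is left untouched. A new user is created under
    AMBRY_PATH, given one access key pair, and recorded in ``l`` as an
    'iam' account keyed on the user's ARN (name, access key id and secret).
    The secret is printed once because AWS does not return it again, so the
    terminal output must be handled as sensitive.
    """
    from botocore.exceptions import ClientError

    client = get_client(args, 'iam')

    try:
        client.get_user(UserName=args.user_name)
    except ClientError as e:
        # A generic ClientError is not proof that the user is missing:
        # AccessDenied or throttling would previously fall through into
        # create_user. Only NoSuchEntity continues to the create path.
        if e.response.get('Error', {}).get('Code') != 'NoSuchEntity':
            raise
    else:
        prt("User already exists")
        return

    r = client.create_user(Path=AMBRY_PATH, UserName=args.user_name)

    iam = get_resource(args, 'iam')

    user = iam.User(r['User']['UserName'])

    key_pair = user.create_access_key_pair()

    account = l.find_or_new_account(user.arn)
    account.name = user.user_name
    account.major_type = 'iam'
    account.access_key = key_pair.id
    account.secret = key_pair.secret
    l.commit()

    prt("Created user : {}", user.user_name)
    prt("arn          : {}", user.arn)
    prt("Access Key   : {}", key_pair.id)
    prt("Secret Key   : {}", key_pair.secret)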
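def add_user(args, l, rc):
    """Add or update a user account in the library.

    The account named ``args.user_name`` is found or created, marked as a
    'user', given the user name as its access key and, with ``args.admin``,
    the minor type 'admin'. A fresh secret is generated when the account
    has no encrypted secret yet or ``args.secret`` is set, and printed (the
    terminal output is then sensitive). The password is taken from
    ``args.password``, otherwise prompted for when none is stored yet; an
    already stored password is kept. Changes are committed to ``l``.
    """
    from ambry.util import random_string
    from getpass import getpass

    account = l.find_or_new_account(args.user_name)

    account.major_type = 'user'

    account.access_key = args.user_name

    if args.admin:
        account.minor_type = 'admin'

    if not account.encrypted_secret or args.secret:
        # NOTE(review): random_string produces a credential here; confirm in
        # ambry.util that it is backed by a CSPRNG (secrets / os.urandom).
        account.secret = random_string(20)
        prt("Secret: {}".format(account.secret))

    if args.password:
        # A password passed on the command line is visible in shell history
        # and process listings; the interactive prompt below is preferable.
        password = args.password
    elif not account.encrypted_password:
        password = getpass().strip()
    else:
        password = None  # keep the stored password

    if password:
        account.encrypt_password(password)
        # Verify the round trip explicitly: an `assert` is stripped under
        # `python -O`, which would let an unverifiable password be committed.
        if not account.test(password):
            raise RuntimeError(
                "Password for {} did not verify after encryption".format(args.user_name))
    # An empty answer at the prompt leaves the account without a password.

    account.url = None

    l.commit()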
def run_args(args, l, rc):
    """Print a shell ``export`` line with the UI's environment settings.

    Initialises the database first, then emits AMBRY_UI_SECRET,
    AMBRY_UI_CSRF_SECRET and AMBRY_UI_TITLE from ``l.ui_config`` on one
    line. Both secrets are written in the clear, so the output is meant to
    be consumed by a shell, not captured in a log.
    """
    ui_config = l.ui_config

    db_init(args, l, rc)

    template = 'export AMBRY_UI_SECRET={} AMBRY_UI_CSRF_SECRET={} AMBRY_UI_TITLE="{}" '
    prt(template.format(ui_config['secret'],
                        ui_config['csrf_secret'],
                        ui_config['website_title']))
def ui_info(args, l, rc):
    """Print a two-column table with the UI version, title and virtual host."""
    from tabulate import tabulate
    from __meta__ import __version__

    rows = [
        ['version', __version__],
        ['title', l.ui_config['website_title']],
        ['vhost', l.ui_config['virtual_host']],
    ]

    prt(tabulate(rows))
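def test_user(args, l, rc):
    """Probe what an IAM user may do in a bucket and print one line per prefix.

    The library account for ``args.user_name`` supplies the user's access
    key and secret; a boto3 session built from them tries a read, a write
    and a delete under ``<prefix>/test/<user_name>`` for the given prefix
    (or every TOP_LEVEL_DIRS entry when the bucket spec carries none). The
    read target is first written with the tool's own credentials so there
    is something to read. Each line names the key and which of
    read/write/delete succeeded, or 'no access'.
    """
    from botocore.exceptions import ClientError
    import boto3

    account = get_iam_account(l, args, args.user_name)

    if not account.access_key:
        fatal(
            "Can't test user {}; library does not have record for account ( by arn ) "
            .format(args.user_name))

    # This session carries the *user's* credentials; root_s3 keeps the tool's own.
    session = boto3.Session(aws_access_key_id=account.access_key,
                            aws_secret_access_key=account.secret)

    root_s3 = get_resource(args, 's3')
    s3 = session.resource('s3')

    bn, prefix = split_bucket_name(args.bucket, default=None)

    root_bucket = root_s3.Bucket(bn)
    bucket = s3.Bucket(bn)

    prefixes = [prefix] if prefix else TOP_LEVEL_DIRS

    for prefix in prefixes:
        k = prefix + '/test/' + args.user_name
        rk = k + '-root'

        # Written as root so the user has an object to attempt reading.
        root_bucket.put_object(Key=rk, Body=args.user_name)

        try:
            bucket.Object(rk).get()
            read = True
        except ClientError:
            read = False

        try:
            bucket.put_object(Key=k, Body=args.user_name)
            write = True
        except ClientError:
            write = False

        # Always target the user's own key `k`. The original reused whatever
        # `o` was last bound to, so after a failed write it deleted the
        # root-written `rk` instead and reported the wrong key's delete
        # permission. DeleteObject on a key that was never written is still
        # subject to the same permission check.
        try:
            bucket.Object(k).delete()
            delete = True
        except ClientError:
            delete = False

        # The root-written probe object `rk` is left in place (its removal
        # was disabled in the original); delete it via root_bucket if the
        # leftovers are unwanted.

        prt("{:<35s} {:<5s} {:<5s} {:<6s} {}".format(
            k, 'read' if read else '', 'write' if write else '',
            'delete' if delete else '', 'no access' if not any(
                (read, write, delete)) else ''))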
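def test_user(args, l, rc):
    """Check an IAM user's read/write/delete access to a bucket, per prefix.

    A boto3 session is built from the access key and secret stored in the
    library account for ``args.user_name``. For the requested prefix (or
    all of TOP_LEVEL_DIRS when none is given) an object is written under
    ``<prefix>/test/<user_name>-root`` with the tool's own credentials, then
    the user tries to read it, to write ``<prefix>/test/<user_name>``, and
    to delete that key. One result line is printed per prefix.
    """
    from botocore.exceptions import ClientError
    import boto3

    account = get_iam_account(l, args, args.user_name)

    if not account.access_key:
        fatal("Can't test user {}; library does not have record for account ( by arn ) ".format(args.user_name))

    # User credentials for the probes; root_s3 below uses the tool's own.
    session = boto3.Session(aws_access_key_id=account.access_key,
                            aws_secret_access_key=account.secret)

    root_s3 = get_resource(args, 's3')
    s3 = session.resource('s3')

    bn, prefix = split_bucket_name(args.bucket, default=None)

    root_bucket = root_s3.Bucket(bn)
    bucket = s3.Bucket(bn)

    prefixes = [prefix] if prefix else TOP_LEVEL_DIRS

    for prefix in prefixes:
        k = prefix + '/test/' + args.user_name
        rk = k + '-root'

        # Root writes the object the user will attempt to read.
        root_bucket.put_object(Key=rk, Body=args.user_name)

        try:
            bucket.Object(rk).get()
            read = True
        except ClientError:
            read = False

        try:
            bucket.put_object(Key=k, Body=args.user_name)
            write = True
        except ClientError:
            write = False

        # Delete the user's own key explicitly. Reusing the last-bound `o`
        # meant that after a failed write the root-written `rk` was deleted
        # instead, so the reported delete permission was for the wrong key.
        # A DeleteObject on a never-written key still hits the same check.
        try:
            bucket.Object(k).delete()
            delete = True
        except ClientError:
            delete = False

        # `rk` (written as root) is intentionally not cleaned up here, as in
        # the original; remove it via root_bucket if that is unwanted.

        prt("{:<35s} {:<5s} {:<5s} {:<6s} {}".format(k, 'read' if read else '',
                                                  'write' if write else '',
                                                  'delete' if delete else '',
                                                  'no access' if not any((read, write, delete)) else ''))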
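def perm(args, l, rc):
    """Grant, or revoke, an IAM user's access to prefixes of a bucket.

    The bucket policy is read into a ``{(user_name, prefix): 'R'|'W'}`` map
    via bucket_policy_to_dict. For each prefix (the given one, or all of
    TOP_LEVEL_DIRS) the user's entry is set to 'W' when ``args.write`` is
    given, to 'R' otherwise, or removed when ``args.delete`` is given. The
    map is written back with bucket_dict_to_policy; when it ends up empty
    the bucket policy is deleted instead.
    """
    from botocore.exceptions import ClientError

    iam = get_resource(args, 'iam')

    bn, prefix = split_bucket_name(args.bucket, default=False)

    prefixes = [prefix] if prefix else TOP_LEVEL_DIRS

    user = iam.User(args.user_name)

    b = get_resource(args, 's3').Bucket(bn)

    # Keep the BucketPolicy *resource*: the original stored the policy
    # document (a str) and later called .delete() on it, which cannot work.
    bucket_policy = b.Policy()

    try:
        perms = bucket_policy_to_dict(bucket_policy.policy)
    except ClientError:
        # No policy on the bucket (or it could not be read): start empty.
        perms = {}
        bucket_policy = None

    for prefix in prefixes:
        # Entries are keyed on the user *name*; the original tested
        # membership on (user.arn, prefix), so revocation never matched.
        key = (user.name, prefix)
        if args.delete:
            if key in perms:
                del perms[key]
                prt("Removed {}/{} from {}".format(bn, prefix, user.name))
        elif args.write:
            perms[key] = 'W'
            prt("Added write {}/{} to {}".format(bn, prefix, user.name))
        else:
            perms[key] = 'R'
            prt("Added read {}/{} to {}".format(bn, prefix, user.name))

    if perms:
        policy = bucket_dict_to_policy(args, bn, perms)
        b.Policy().put(Policy=policy)
    elif bucket_policy is not None:
        # NOTE(review): this drops the whole bucket policy, including any
        # statements bucket_policy_to_dict does not represent — confirm that
        # is intended before relying on it.
        bucket_policy.delete()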
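def perm(args, l, rc):
    """Add or remove an IAM user's read/write entries in a bucket's policy.

    bucket_policy_to_dict turns the current bucket policy into a
    ``{(user_name, prefix): 'R'|'W'}`` map (empty when the bucket has no
    readable policy). For the given prefix, or every TOP_LEVEL_DIRS entry,
    the user's entry is removed (``args.delete``), set to 'W'
    (``args.write``) or set to 'R'. The result is written back through
    bucket_dict_to_policy; an empty map deletes the bucket policy.
    """
    from botocore.exceptions import ClientError

    iam = get_resource(args, 'iam')

    bn, prefix = split_bucket_name(args.bucket, default=False)

    prefixes = [prefix] if prefix else TOP_LEVEL_DIRS

    user = iam.User(args.user_name)

    b = get_resource(args, 's3').Bucket(bn)

    # The BucketPolicy resource is what has .delete(); the original kept
    # only the policy document string and the final delete could not work.
    bucket_policy = b.Policy()

    try:
        perms = bucket_policy_to_dict(bucket_policy.policy)
    except ClientError:
        perms = {}
        bucket_policy = None  # nothing to delete later

    for prefix in prefixes:
        # Fix: the lookup used (user.arn, prefix) while entries are stored
        # under (user.name, prefix), so --delete never removed anything.
        key = (user.name, prefix)
        if args.delete:
            if key in perms:
                del perms[key]
                prt("Removed {}/{} from {}".format(bn, prefix, user.name))
        elif args.write:
            perms[key] = 'W'
            prt("Added write {}/{} to {}".format(bn, prefix, user.name))
        else:
            perms[key] = 'R'
            prt("Added read {}/{} to {}".format(bn, prefix, user.name))

    if perms:
        policy = bucket_dict_to_policy(args, bn, perms)
        b.Policy().put(Policy=policy)
    elif bucket_policy is not None:
        # NOTE(review): removes the entire bucket policy, not only the
        # entries this tool manages — confirm that is the intended effect.
        bucket_policy.delete()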
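def delete_user(args, l, rc):
    """Delete the IAM user ``args.user_name`` with its access keys and inline policies.

    Access keys are deleted first, then the user's inline policies, then
    the user. Any AWS error aborts through fatal(); steps already done
    (e.g. revoked keys) are not rolled back. IAM also requires other
    attachments (group memberships, attached managed policies, MFA
    devices, a login profile) to be removed before DeleteUser; those are
    not handled here and surface as that error. The library account that
    new_user stored for this user (keyed on the ARN) is not removed.
    """
    from botocore.exceptions import ClientError

    client = get_client(args, 'iam')

    try:
        user = get_resource(args, 'iam').User(args.user_name)

        # Revoking the keys first means the credentials stop working even
        # when a later step fails.
        for key in user.access_keys.all():
            prt("Deleting user key: {}", key)
            key.delete()

        for policy in user.policies.all():
            prt("Deleting user policy: {}", policy.name)
            policy.delete()

        client.delete_user(UserName=args.user_name)
        prt("Deleted user: {}".format(args.user_name))

    except ClientError as e:
        fatal("Could not delete user: {}".format(e))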
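def delete_user(args, l, rc):
    """Remove the IAM user ``args.user_name``, its access keys and inline policies.

    Order matters: keys are revoked first so the credentials die even if a
    later call fails, then inline policies are deleted, then the user. A
    ClientError at any point ends the command via fatal() without rolling
    back earlier steps. Other things IAM wants gone before DeleteUser
    (groups, attached managed policies, MFA devices, login profile) are
    not dealt with here and show up as that error. The library account
    created by new_user (keyed on the user's ARN) is left in place.
    """
    from botocore.exceptions import ClientError

    client = get_client(args, 'iam')

    try:
        resource = get_resource(args, 'iam')
        user = resource.User(args.user_name)

        for key in user.access_keys.all():
            prt("Deleting user key: {}", key)
            key.delete()

        for policy in user.policies.all():
            prt("Deleting user policy: {}", policy.name)
            policy.delete()

        # The response carries no data the command uses; it was bound to an
        # unused local before.
        client.delete_user(UserName=args.user_name)
        prt("Deleted user: {}".format(args.user_name))

    except ClientError as e:
        fatal("Could not delete user: {}".format(e))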