コード例 #1
0
ファイル: custom.py プロジェクト: andymoe/azure-cli
def create_role_definition(role_definition):
    role_id = uuid.uuid4()
    if os.path.exists(role_definition):
        role_definition = get_file_json(role_definition)
    else:
        role_definition = json.loads(role_definition)

    #to workaround service defects, ensure property names are camel case
    names = [p for p in role_definition if p[:1].isupper()]
    for n in names:
        new_name = n[:1].lower() + n[1:]
        role_definition[new_name] = role_definition.pop(n)

    if not 'name' in role_definition:
        raise CLIError("please provide 'name'")
    if not 'assignableScopes' in role_definition:
        raise CLIError("please provide 'assignableScopes'")

    permission = Permission(actions=role_definition.get('actions', None),
                            not_actions=role_definition.get('notActions', None))
    properties = RoleDefinitionProperties(role_name=role_definition['name'],
                                          description=role_definition.get('description', None),
                                          type=_CUSTOM_RULE,
                                          assignable_scopes=role_definition['assignableScopes'],
                                          permissions=[permission])

    definition = RoleDefinition(name=role_id, properties=properties)

    definitions_client = _auth_client_factory().role_definitions
    return definitions_client.create_or_update(role_definition_id=role_id,
                                               scope=properties.assignable_scopes[0],
                                               role_definition=definition)
コード例 #2
0
def _create_update_role_definition(cli_ctx, role_definition, for_update):
    definitions_client = _auth_client_factory(cli_ctx).role_definitions
    if os.path.exists(role_definition):
        role_definition = get_file_json(role_definition)
    else:
        role_definition = shell_safe_json_parse(role_definition)

    # to workaround service defects, ensure property names are camel case
    names = [p for p in role_definition if p[:1].isupper()]
    for n in names:
        new_name = n[:1].lower() + n[1:]
        role_definition[new_name] = role_definition.pop(n)

    role_name = role_definition.get('name', None)
    if not role_name:
        raise CLIError("please provide role name")
    if for_update:  # for update, we need to use guid style unique name
        scopes_in_definition = role_definition.get('assignableScopes', None)
        scope = (scopes_in_definition[0] if scopes_in_definition else
                 '/subscriptions/' + definitions_client.config.subscription_id)
        matched = _search_role_definitions(definitions_client, role_name,
                                           scope)
        if len(matched) != 1:
            raise CLIError(
                'Please provide the unique logic name of an existing role')
        role_definition['name'] = matched[0].name
        # ensure correct logical name and guid name. For update we accept both
        role_name = matched[0].properties.role_name
        role_id = matched[0].name
    else:
        role_id = _gen_guid()

    if not for_update and 'assignableScopes' not in role_definition:
        raise CLIError("please provide 'assignableScopes'")

    permission = Permission(actions=role_definition.get('actions', None),
                            not_actions=role_definition.get(
                                'notActions', None))
    properties = RoleDefinitionProperties(
        role_name=role_name,
        description=role_definition.get('description', None),
        type=_CUSTOM_RULE,
        assignable_scopes=role_definition['assignableScopes'],
        permissions=[permission])

    definition = RoleDefinition(name=role_id, properties=properties)

    return definitions_client.create_or_update(
        role_definition_id=role_id,
        scope=properties.assignable_scopes[0],
        role_definition=definition)
コード例 #3
0
    def create_policy_definition(self, role_name, rules):
        # Get "Contributor" built-in role as a RoleDefinition object
        roles = self.get_azure_policy(role_name)

        if len(roles):
            print(f"Role {role_name} already exists")
            return

        role_id = uuid.uuid4()
        permission = Permission(actions=rules['Actions'],
                                not_actions=rules['NotActions'],
                                data_actions=rules['DataActions'])

        properties = RoleDefinitionProperties(
            role_name=role_name,
            description=rules['Description'],
            type='CustomRole',
            assignable_scopes=rules['AssignableScopes'],
            permissions=[permission])

        definition = CustomRoleDefinition(
            id=role_id,
            name=rules['Name'],
            role_name=role_name,
            description=rules['Description'],
            role_type='CustomRole',
            permissions=[permission],
            assignable_scopes=rules['AssignableScopes'])

        result = self.authorization_client.role_definitions.create_or_update(
            role_definition_id=role_id,
            scope=properties.assignable_scopes[0],
            role_definition=definition)

        if result is not None:
            print(f"Successfully created role {role_name}")
        else:
            print(f"Failed to create role {role_name}")