def update_from_db(self, session):
    # type: (Session) -> None
    """Rebuild the in-memory graph state when the database checkpoint has moved.

    Every new object is built first while only ``_update_lock`` is held, and
    the finished objects are then assigned to the instance as one batch under
    ``self.lock``.  If the checkpoint read from the database equals
    ``self.checkpoint`` the method returns without changing anything.
    """
    # Serialize rebuilds: at most one thread constructs a fresh graph at a time.
    with self._update_lock:
        new_checkpoint, new_checkpoint_time = self._get_checkpoint(session)
        if new_checkpoint == self.checkpoint:
            self._logger.debug("Checkpoint hasn't changed. Not Updating.")
            return
        self._logger.debug("Checkpoint changed; updating!")

        started_at = datetime.utcnow()

        user_metadata = self._get_user_metadata(session)
        groups, disabled_groups = self._get_groups(session, user_metadata)
        permissions = self._get_permissions(session)
        group_grants = self._get_group_grants(session)
        group_service_accounts = self._get_group_service_accounts(session)
        service_account_grants = all_service_account_permissions(session)

        nodes = self._get_nodes(groups, user_metadata)
        edges = self._get_edges(session)

        # Edges whose role maps to "np-owner" are left out of the graph used to
        # resolve permissions, so that role contributes no path when grants are
        # mapped to users.
        permission_edges = []
        for source, target, attrs in edges:
            if GROUP_EDGE_ROLES[attrs["role"]] != "np-owner":
                permission_edges.append((source, target))

        # Full membership graph (np-owner edges included) and its reverse.
        full_graph = DiGraph()
        full_graph.add_nodes_from(nodes)
        full_graph.add_edges_from(edges)
        reversed_graph = full_graph.reverse()

        # Same nodes, but only the edges that may carry a permission grant.
        permission_graph = DiGraph()
        permission_graph.add_nodes_from(nodes)
        permission_graph.add_edges_from(permission_edges)

        grants_by_permission = self._get_grants_by_permission(
            permission_graph, group_grants, service_account_grants, user_metadata
        )

        # Publish the new state in one critical section; only plain attribute
        # assignments happen while self.lock is held.
        with self.lock:
            self._graph = full_graph
            self._rgraph = reversed_graph
            self.checkpoint = new_checkpoint
            self.checkpoint_time = new_checkpoint_time
            self.user_metadata = user_metadata
            self._groups = groups
            self._disabled_groups = disabled_groups
            self._permissions = permissions
            self._group_grants = group_grants
            self._group_service_accounts = group_service_accounts
            self._service_account_grants = service_account_grants
            self._grants_by_permission = grants_by_permission

        elapsed = datetime.utcnow() - started_at
        stats.log_rate("graph_update_ms", int(elapsed.total_seconds() * 1000))
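def update_from_db(self, session):
    """Reload the graph and its metadata from the database if the checkpoint moved.

    Returns without changing anything when the checkpoint read from the
    database equals ``self.checkpoint``.  Otherwise every new object is built
    while only ``update_lock`` is held, and the results are assigned to the
    instance together under ``self.lock``.
    """
    # Only allow one thread at a time to construct a fresh graph.
    with self.update_lock:
        checkpoint, checkpoint_time = self._get_checkpoint(session)
        if checkpoint == self.checkpoint:
            self.logger.debug("Checkpoint hasn't changed. Not Updating.")
            return

        self.logger.debug("Checkpoint changed; updating!")

        new_graph = DiGraph()
        new_graph.add_nodes_from(self._get_nodes_from_db(session))
        new_graph.add_edges_from(self._get_edges_from_db(session))
        rgraph = new_graph.reverse()

        # Nodes are (type, name) pairs; collect the user and group names.
        users = set()
        groups = set()
        for (node_type, node_name) in new_graph.nodes():
            if node_type == "User":
                users.add(node_name)
            elif node_type == "Group":
                groups.add(node_name)

        user_metadata = self._get_user_metadata(session)
        permission_metadata = self._get_permission_metadata(session)
        service_account_permissions = all_service_account_permissions(session)
        group_metadata = self._get_group_metadata(session, permission_metadata)
        group_service_accounts = self._get_group_service_accounts(session)
        permission_tuples = self._get_permission_tuples(session)
        group_tuples = self._get_group_tuples(session)
        disabled_group_tuples = self._get_group_tuples(session, enabled=False)

        # Build the permission-name set BEFORE taking self.lock.  Computed
        # inside the lock, an exception here (for example an entry without a
        # ``permission`` attribute) would leave the new graph and the new
        # checkpoint installed next to the old permission data, and later
        # calls would skip the rebuild because the checkpoint already matches.
        permissions = {
            perm.permission
            for perm_list in itervalues(permission_metadata)
            for perm in perm_list
        }

        # Only plain attribute assignments happen while self.lock is held, so
        # the swap cannot stop part-way through.
        with self.lock:
            self._graph = new_graph
            self._rgraph = rgraph
            self.checkpoint = checkpoint
            self.checkpoint_time = checkpoint_time
            self.users = users
            self.groups = groups
            self.permissions = permissions
            self.user_metadata = user_metadata
            self.group_metadata = group_metadata
            self.group_service_accounts = group_service_accounts
            self.permission_metadata = permission_metadata
            self.service_account_permissions = service_account_permissions
            self.permission_tuples = permission_tuples
            self.group_tuples = group_tuples
            self.disabled_group_tuples = disabled_group_tuples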
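def update_from_db(self, session):
    """Reload the graph and its metadata from the database if the checkpoint moved.

    Returns without changing anything when the checkpoint read from the
    database equals ``self.checkpoint``.  Otherwise every new object is built
    while only ``update_lock`` is held, and the results are assigned to the
    instance together under ``self.lock``.
    """
    # Only allow one thread at a time to construct a fresh graph.
    with self.update_lock:
        checkpoint, checkpoint_time = self._get_checkpoint(session)
        if checkpoint == self.checkpoint:
            self.logger.debug("Checkpoint hasn't changed. Not Updating.")
            return

        self.logger.debug("Checkpoint changed; updating!")

        new_graph = DiGraph()
        new_graph.add_nodes_from(self._get_nodes_from_db(session))
        new_graph.add_edges_from(self._get_edges_from_db(session))
        rgraph = new_graph.reverse()

        # Nodes are (type, name) pairs; collect the user and group names.
        users = set()
        groups = set()
        for (node_type, node_name) in new_graph.nodes():
            if node_type == "User":
                users.add(node_name)
            elif node_type == "Group":
                groups.add(node_name)

        user_metadata = self._get_user_metadata(session)
        permission_metadata = self._get_permission_metadata(session)
        service_account_permissions = all_service_account_permissions(session)
        group_metadata = self._get_group_metadata(session, permission_metadata)
        group_service_accounts = self._get_group_service_accounts(session)
        permission_tuples = self._get_permission_tuples(session)
        group_tuples = self._get_group_tuples(session)
        disabled_group_tuples = self._get_group_tuples(session, enabled=False)

        # Build the permission-name set BEFORE taking self.lock.  Computed
        # inside the lock, an exception here (for example an entry without a
        # ``permission`` attribute) would leave the new graph and the new
        # checkpoint installed next to the old permission data, and later
        # calls would skip the rebuild because the checkpoint already matches.
        permissions = {
            perm.permission
            for perm_list in permission_metadata.values()
            for perm in perm_list
        }

        # Only plain attribute assignments happen while self.lock is held, so
        # the swap cannot stop part-way through.
        with self.lock:
            self._graph = new_graph
            self._rgraph = rgraph
            self.checkpoint = checkpoint
            self.checkpoint_time = checkpoint_time
            self.users = users
            self.groups = groups
            self.permissions = permissions
            self.user_metadata = user_metadata
            self.group_metadata = group_metadata
            self.group_service_accounts = group_service_accounts
            self.permission_metadata = permission_metadata
            self.service_account_permissions = service_account_permissions
            self.permission_tuples = permission_tuples
            self.group_tuples = group_tuples
            self.disabled_group_tuples = disabled_group_tuples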
def update_from_db(self, session):
    # type: (Session) -> None
    """Rebuild the in-memory graph state when the database checkpoint has moved.

    Every new object is built first while only ``_update_lock`` is held, and
    the finished objects are then assigned to the instance as one batch under
    ``self.lock``.  If the checkpoint read from the database equals
    ``self.checkpoint`` the method returns without changing anything.
    """
    # Serialize rebuilds: at most one thread constructs a fresh graph at a time.
    with self._update_lock:
        new_checkpoint, new_checkpoint_time = self._get_checkpoint(session)
        if new_checkpoint == self.checkpoint:
            self._logger.debug("Checkpoint hasn't changed. Not Updating.")
            return
        self._logger.debug("Checkpoint changed; updating!")

        started_at = datetime.utcnow()

        user_metadata = self._get_user_metadata(session)
        groups, disabled_groups = self._get_groups(session, user_metadata)
        permissions = self._get_permissions(session)
        group_grants = self._get_group_grants(session)
        group_service_accounts = self._get_group_service_accounts(session)
        service_account_grants = all_service_account_permissions(session)

        # One graph serves both membership lookups and grant resolution here.
        nodes = self._get_nodes(groups, user_metadata)
        edges = self._get_edges(session)
        full_graph = DiGraph()
        full_graph.add_nodes_from(nodes)
        full_graph.add_edges_from(edges)
        reversed_graph = full_graph.reverse()

        grants_by_permission = self._get_grants_by_permission(
            full_graph, group_grants, service_account_grants
        )

        # Publish the new state in one critical section; only plain attribute
        # assignments happen while self.lock is held.
        with self.lock:
            self._graph = full_graph
            self._rgraph = reversed_graph
            self.checkpoint = new_checkpoint
            self.checkpoint_time = new_checkpoint_time
            self.user_metadata = user_metadata
            self._groups = groups
            self._disabled_groups = disabled_groups
            self._permissions = permissions
            self._group_grants = group_grants
            self._group_service_accounts = group_service_accounts
            self._service_account_grants = service_account_grants
            self._grants_by_permission = grants_by_permission

        elapsed = datetime.utcnow() - started_at
        stats.log_rate("graph_update_ms", int(elapsed.total_seconds() * 1000))