示例#1
0
 def _get_iam_ec2_role(self):
     iam_role_name, policies = super(ToilJenkinsSlave,
                                     self)._get_iam_ec2_role()
     iam_role_name += '--' + abreviated_snake_case_class_name(
         ToilJenkinsSlave)
     policies.update(dict(s3_full=s3_full_policy, sdb_full=sdb_full_policy))
     return iam_role_name, policies
示例#2
0
 def _get_iam_ec2_role(self):
     iam_role_name, policies = super(JenkinsMaster,
                                     self)._get_iam_ec2_role()
     iam_role_name += '--' + abreviated_snake_case_class_name(JenkinsMaster)
     policies.update(
         dict(
             ec2_full=dict(
                 Version="2012-10-17",
                 Statement=[
                     # FIXME: Be more specific
                     dict(Effect="Allow", Resource="*", Action="ec2:*")
                 ]),
             jenkins_master_iam_pass_role=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource=self._role_arn(),
                          Action="iam:PassRole")
                 ]),
             jenkins_master_s3=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource="arn:aws:s3:::*",
                          Action="s3:ListAllMyBuckets"),
                     dict(
                         Effect="Allow",
                         Action="s3:*",
                         Resource=[
                             "arn:aws:s3:::public-artifacts.cghub.ucsc.edu",
                             "arn:aws:s3:::public-artifacts.cghub.ucsc.edu/*"
                         ])
                 ])))
     return iam_role_name, policies
示例#3
0
 def _get_iam_ec2_role(self):
     iam_role_name, policies = super(ToilBoxSupport,
                                     self)._get_iam_ec2_role()
     iam_role_name += '--' + abreviated_snake_case_class_name(
         ToilBoxSupport)
     policies.update(
         dict(toil_iam_pass_role=dict(Version="2012-10-17",
                                      Statement=[
                                          dict(Effect="Allow",
                                               Resource=self._role_arn(),
                                               Action="iam:PassRole")
                                      ]),
              ec2_full=ec2_full_policy,
              s3_full=s3_full_policy,
              sbd_full=sdb_full_policy,
              ec2_toil_box=dict(Version="2012-10-17",
                                Statement=[
                                    dict(Effect="Allow",
                                         Resource="*",
                                         Action="ec2:CreateTags"),
                                    dict(Effect="Allow",
                                         Resource="*",
                                         Action="ec2:CreateVolume"),
                                    dict(Effect="Allow",
                                         Resource="*",
                                         Action="ec2:AttachVolume")
                                ])))
     return iam_role_name, policies
示例#4
0
 def _get_iam_ec2_role( self ):
     role_name, policies = super( AgentBox, self )._get_iam_ec2_role( )
     if self.enable_agent:
         role_name += '--' + abreviated_snake_case_class_name( AgentBox )
         policies.update( dict(
             ec2_read_only=ec2_read_only_policy,
             s3_read_only=s3_read_only_policy,
             iam_read_only=iam_read_only_policy,
             sqs_agent=dict( Version="2012-10-17", Statement=[
                 dict( Effect="Allow", Resource="*", Action=[
                     "sqs:Get*",
                     "sqs:List*",
                     "sqs:CreateQueue",
                     "sqs:SetQueueAttributes",
                     "sqs:ReceiveMessage",
                     "sqs:DeleteMessage" ] ) ] ),
             sns_agent=dict( Version="2012-10-17", Statement=[
                 dict( Effect="Allow", Resource="*", Action=[
                     "sns:Get*",
                     "sns:List*",
                     "sns:CreateTopic",
                     "sns:Subscribe" ] ) ] ),
             cloud_watch=dict( Version='2012-10-17', Statement=[
                 dict( Effect='Allow', Resource='*', Action=[
                     'cloudwatch:Get*',
                     'cloudwatch:List*',
                     'cloudwatch:PutMetricData' ] ) ] ) ) )
     return role_name, policies
示例#5
0
 def _get_iam_ec2_role(self):
     iam_role_name, policies = super(CgcloudJenkinsSlave,
                                     self)._get_iam_ec2_role()
     iam_role_name += '--' + abreviated_snake_case_class_name(
         CgcloudJenkinsSlave)
     cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name
     policies.update(
         dict(
             ec2_full=ec2_full_policy,  # FIXME: Be more specific
             iam_cgcloud_jenkins_slave_pass_role=dict(
                 Version="2012-10-17",
                 Statement=[
                     # This assumes that if instance lives in /, then tests running on the instance
                     # will run in /test-5571439d. If the instance lives in /foo, then tests running
                     # on the instance will run in /foo/test-5571439d.
                     dict(Effect="Allow",
                          Resource=self._pass_role_arn(),
                          Action="iam:PassRole")
                 ]),
             register_keypair=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource="arn:aws:s3:::*",
                          Action="s3:ListAllMyBuckets"),
                     dict(Effect="Allow",
                          Action="s3:*",
                          Resource=[
                              cgcloud_bucket_arn, cgcloud_bucket_arn + "/*"
                          ]),
                     dict(Effect="Allow",
                          Action=["sns:Publish", "sns:CreateTopic"],
                          Resource=
                          'arn:aws:sns:*:%s:cgcloud-agent-notifications' %
                          self.ctx.account)
                 ]),
             iam_cgcloud_jenkins_slave=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource="*",
                          Action=[
                              "iam:ListRoles", "iam:CreateRole",
                              "iam:DeleteRole", "iam:ListRolePolicies",
                              "iam:DeleteRolePolicy", "iam:GetRolePolicy",
                              "iam:PutRolePolicy",
                              "iam:ListInstanceProfiles",
                              "iam:GetInstanceProfile",
                              "iam:CreateInstanceProfile",
                              "iam:DeleteInstanceProfile",
                              "iam:RemoveRoleFromInstanceProfile",
                              "iam:AddRoleToInstanceProfile",
                              "iam:DeleteInstanceProfile"
                          ])
                 ])))
     return iam_role_name, policies
示例#6
0
 def _get_iam_ec2_role( self ):
     iam_role_name, policies = super( MesosBoxSupport, self )._get_iam_ec2_role( )
     iam_role_name += '--' + abreviated_snake_case_class_name( MesosBoxSupport )
     policies.update( dict(
         ec2_read_only=ec2_read_only_policy,
         ec2_mesos_box=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="*", Action="ec2:CreateTags" ),
             dict( Effect="Allow", Resource="*", Action="ec2:CreateVolume" ),
             dict( Effect="Allow", Resource="*", Action="ec2:AttachVolume" ) ] ) ) )
     return iam_role_name, policies
示例#7
0
 def _get_iam_ec2_role( self ):
     role_name, policies = super( SparkBox, self )._get_iam_ec2_role( )
     role_name += '--' + abreviated_snake_case_class_name( SparkBox )
     policies.update( dict(
         ec2_read_only=ec2_read_only_policy,
         ec2_spark_box=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="*", Action="ec2:CreateTags" ),
             dict( Effect="Allow", Resource="*", Action="ec2:CreateVolume" ),
             dict( Effect="Allow", Resource="*", Action="ec2:AttachVolume" ) ] ) ) )
     return role_name, policies
示例#8
0
 def _get_iam_ec2_role( self ):
     iam_role_name, policies = super( ToilBoxSupport, self )._get_iam_ec2_role( )
     iam_role_name += '--' + abreviated_snake_case_class_name( ToilBoxSupport )
     policies.update( dict(
         toil_iam_pass_role=dict(
             Version="2012-10-17",
             Statement=[
                 dict( Effect="Allow", Resource=self._role_arn( ), Action="iam:PassRole" ) ] ),
         ec2_full=ec2_full_policy,
         s3_full=s3_full_policy,
         sbd_full=sdb_full_policy,
         ec2_toil_box=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="*", Action="ec2:CreateTags" ),
             dict( Effect="Allow", Resource="*", Action="ec2:CreateVolume" ),
             dict( Effect="Allow", Resource="*", Action="ec2:AttachVolume" ) ] ) ) )
     return iam_role_name, policies
示例#9
0
 def _get_iam_ec2_role( self ):
     role_name, policies = super( CgcloudJenkinsSlave, self )._get_iam_ec2_role( )
     role_name += '--' + abreviated_snake_case_class_name( CgcloudJenkinsSlave )
     cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name
     # This is a bit convoluted, but it is still better than optionally allowing wildcards in
     # the name validation in Context.absolute_name(). The ? wildcard is not very well
     # documented but I found evidence for it here:
     # http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html#policy-vars-specialchars
     test_namespace_suffix_pattern = "?" * test_namespace_suffix_length
     pass_role_arn = self._role_arn( role_prefix='test/testnamespacesuffixpattern/' )
     pass_role_arn = pass_role_arn.replace( 'testnamespacesuffixpattern',
                                            test_namespace_suffix_pattern )
     policies.update( dict(
         ec2_full=ec2_full_policy,  # FIXME: Be more specific
         iam_cgcloud_jenkins_slave_pass_role=dict( Version="2012-10-17", Statement=[
             # This assumes that if instance lives in /, then tests running on the instance
             # will run in /test-5571439d. If the instance lives in /foo, then tests running
             # on the instance will run in /foo/test-5571439d.
             dict( Effect="Allow",
                   Resource=pass_role_arn,
                   Action="iam:PassRole" ) ] ),
         register_keypair=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets" ),
             dict( Effect="Allow", Action="s3:*", Resource=[
                 cgcloud_bucket_arn,
                 cgcloud_bucket_arn + "/*" ] ),
             dict( Effect="Allow",
                   Resource='arn:aws:sns:*:%s:cgcloud-agent-notifications' % self.ctx.account,
                   Action=[ "sns:Publish", "sns:CreateTopic" ] ) ] ),
         iam_cgcloud_jenkins_slave=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="*", Action=[
                 "iam:ListRoles",
                 "iam:CreateRole",
                 "iam:DeleteRole",
                 "iam:ListRolePolicies",
                 "iam:DeleteRolePolicy",
                 "iam:GetRolePolicy",
                 "iam:PutRolePolicy",
                 "iam:ListInstanceProfiles",
                 "iam:GetInstanceProfile",
                 "iam:CreateInstanceProfile",
                 "iam:DeleteInstanceProfile",
                 "iam:RemoveRoleFromInstanceProfile",
                 "iam:AddRoleToInstanceProfile",
                 "iam:DeleteInstanceProfile" ] ) ] ) ) )
     return role_name, policies
示例#10
0
 def _get_iam_ec2_role(self):
     role_name, policies = super(AgentBox, self)._get_iam_ec2_role()
     if self.enable_agent:
         role_name += '--' + abreviated_snake_case_class_name(AgentBox)
         policies.update(
             dict(ec2_read_only=ec2_read_only_policy,
                  s3_read_only=s3_read_only_policy,
                  iam_read_only=iam_read_only_policy,
                  sqs_agent=dict(Version="2012-10-17",
                                 Statement=[
                                     dict(Effect="Allow",
                                          Resource="*",
                                          Action=[
                                              "sqs:Get*", "sqs:List*",
                                              "sqs:CreateQueue",
                                              "sqs:SetQueueAttributes",
                                              "sqs:ReceiveMessage",
                                              "sqs:DeleteMessage"
                                          ])
                                 ]),
                  sns_agent=dict(Version="2012-10-17",
                                 Statement=[
                                     dict(Effect="Allow",
                                          Resource="*",
                                          Action=[
                                              "sns:Get*", "sns:List*",
                                              "sns:CreateTopic",
                                              "sns:Subscribe"
                                          ])
                                 ]),
                  cloud_watch=dict(Version='2012-10-17',
                                   Statement=[
                                       dict(Effect='Allow',
                                            Resource='*',
                                            Action=[
                                                'cloudwatch:Get*',
                                                'cloudwatch:List*',
                                                'cloudwatch:PutMetricData'
                                            ])
                                   ])))
     return role_name, policies
示例#11
0
 def _get_iam_ec2_role( self ):
     role_name, policies = super( JenkinsMaster, self )._get_iam_ec2_role( )
     role_name += '--' + abreviated_snake_case_class_name( JenkinsMaster )
     policies.update( dict(
         ec2_full=dict(
             Version="2012-10-17",
             Statement=[
                 # FIXME: Be more specific
                 dict( Effect="Allow", Resource="*", Action="ec2:*" ) ] ),
         jenkins_master_iam_pass_role=dict(
             Version="2012-10-17",
             Statement=[
                 dict( Effect="Allow", Resource=self._role_arn( ), Action="iam:PassRole" ) ] ),
         jenkins_master_s3=dict(
             Version="2012-10-17",
             Statement=[
                 dict( Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets" ),
                 dict( Effect="Allow", Action="s3:*", Resource=[
                     "arn:aws:s3:::public-artifacts.cghub.ucsc.edu",
                     "arn:aws:s3:::public-artifacts.cghub.ucsc.edu/*" ] ) ] ) ) )
     return role_name, policies
 def _get_iam_ec2_role( self ):
     iam_role_name, policies = super( CgcloudJenkinsSlave, self )._get_iam_ec2_role( )
     iam_role_name += '--' + abreviated_snake_case_class_name( CgcloudJenkinsSlave )
     cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name
     policies.update( dict(
         ec2_full=ec2_full_policy,  # FIXME: Be more specific
         iam_cgcloud_jenkins_slave_pass_role=dict( Version="2012-10-17", Statement=[
             # This assumes that if instance lives in /, then tests running on the instance
             # will run in /test-5571439d. If the instance lives in /foo, then tests running
             # on the instance will run in /foo/test-5571439d.
             dict( Effect="Allow", Resource=self._pass_role_arn(),
                   Action="iam:PassRole" ) ] ),
         register_keypair=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow", Resource="arn:aws:s3:::*", Action="s3:ListAllMyBuckets" ),
             dict( Effect="Allow",
                   Action="s3:*",
                   Resource=[ cgcloud_bucket_arn, cgcloud_bucket_arn + "/*" ] ),
             dict( Effect="Allow",
                   Action=[ "sns:Publish", "sns:CreateTopic" ],
                   Resource='arn:aws:sns:*:%s:cgcloud-agent-notifications' % self.ctx.account ) ] ),
         iam_cgcloud_jenkins_slave=dict( Version="2012-10-17", Statement=[
             dict( Effect="Allow",
                   Resource="*",
                   Action=[ "iam:ListRoles",
                            "iam:CreateRole",
                            "iam:DeleteRole",
                            "iam:ListRolePolicies",
                            "iam:DeleteRolePolicy",
                            "iam:GetRolePolicy",
                            "iam:PutRolePolicy",
                            "iam:ListInstanceProfiles",
                            "iam:GetInstanceProfile",
                            "iam:CreateInstanceProfile",
                            "iam:DeleteInstanceProfile",
                            "iam:RemoveRoleFromInstanceProfile",
                            "iam:AddRoleToInstanceProfile",
                            "iam:DeleteInstanceProfile" ] ) ] ) ) )
     return iam_role_name, policies
示例#13
0
 def name( cls ):
     return abreviated_snake_case_class_name( cls, Cluster )
示例#14
0
 def _get_iam_ec2_role( self ):
     role_name, policies = super( S3amJenkinsSlave, self )._get_iam_ec2_role( )
     role_name += '--' + abreviated_snake_case_class_name( S3amJenkinsSlave )
     policies.update( dict( s3_full=s3_full_policy ) )
     return role_name, policies
示例#15
0
 def operation( self ):
     return abreviated_snake_case_class_name( self.__class__, ClusterCommand )
示例#16
0
 def _get_iam_ec2_role(self):
     role_name, policies = super(CgcloudJenkinsSlave,
                                 self)._get_iam_ec2_role()
     role_name += '--' + abreviated_snake_case_class_name(
         CgcloudJenkinsSlave)
     cgcloud_bucket_arn = "arn:aws:s3:::%s" % self.ctx.s3_bucket_name
     # This is a bit convoluted, but it is still better than optionally allowing wildcards in
     # the name validation in Context.absolute_name(). The ? wildcard is not very well
     # documented but I found evidence for it here:
     # http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html#policy-vars-specialchars
     test_namespace_suffix_pattern = "?" * test_namespace_suffix_length
     pass_role_arn = self._role_arn(
         role_prefix='test/testnamespacesuffixpattern/')
     pass_role_arn = pass_role_arn.replace('testnamespacesuffixpattern',
                                           test_namespace_suffix_pattern)
     policies.update(
         dict(
             ec2_full=ec2_full_policy,  # FIXME: Be more specific
             iam_cgcloud_jenkins_slave_pass_role=dict(
                 Version="2012-10-17",
                 Statement=[
                     # This assumes that if instance lives in /, then tests running on the instance
                     # will run in /test-5571439d. If the instance lives in /foo, then tests running
                     # on the instance will run in /foo/test-5571439d.
                     dict(Effect="Allow",
                          Resource=pass_role_arn,
                          Action="iam:PassRole")
                 ]),
             register_keypair=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource="arn:aws:s3:::*",
                          Action="s3:ListAllMyBuckets"),
                     dict(Effect="Allow",
                          Action="s3:*",
                          Resource=[
                              cgcloud_bucket_arn, cgcloud_bucket_arn + "/*"
                          ]),
                     dict(Effect="Allow",
                          Resource=
                          'arn:aws:sns:*:%s:cgcloud-agent-notifications' %
                          self.ctx.account,
                          Action=["sns:Publish", "sns:CreateTopic"])
                 ]),
             iam_cgcloud_jenkins_slave=dict(
                 Version="2012-10-17",
                 Statement=[
                     dict(Effect="Allow",
                          Resource="*",
                          Action=[
                              "iam:ListRoles", "iam:CreateRole",
                              "iam:DeleteRole", "iam:ListRolePolicies",
                              "iam:DeleteRolePolicy", "iam:GetRolePolicy",
                              "iam:PutRolePolicy",
                              "iam:ListInstanceProfiles",
                              "iam:GetInstanceProfile",
                              "iam:CreateInstanceProfile",
                              "iam:DeleteInstanceProfile",
                              "iam:RemoveRoleFromInstanceProfile",
                              "iam:AddRoleToInstanceProfile",
                              "iam:DeleteInstanceProfile"
                          ])
                 ])))
     return role_name, policies
示例#17
0
 def operation(self):
     return abreviated_snake_case_class_name(self.__class__, ClusterCommand)
示例#18
0
 def name( cls ):
     return abreviated_snake_case_class_name( cls, Cluster )