Adding ColumnWithTables permission grants.

EC2 Default User · EC2 Default User · commit 0e1b3bd7bc6d · 2020-05-12T14:07:16.000Z
diff --git a/bin/aws.ts b/bin/aws.ts
@@ -46,14 +46,44 @@ openTargetsStack.grantIamRead(analyticsStack.NotebookRole);
 
 
 
-const exampleUser = iam.User.fromUserName(coreDataLake, 'exampleGrantee', 'paul0' );
+const exampleUser = iam.User.fromUserName(coreDataLake, 'exampleGrantee', 'paul1' );
 
-var exampleGrant: DataLakeEnrollment.LakeFormationPermissionGrant = {
+var exampleGrant: DataLakeEnrollment.TablePermissionGrant = {
     tables: ["association_data", "evidence_data","target_list","disease_list"],
     DatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
     GrantableDatabasePermissions: [DataLakeEnrollment.DatabasePermission.Alter, DataLakeEnrollment.DatabasePermission.CreateTable, DataLakeEnrollment.DatabasePermission.Drop],
     TablePermissions: [DataLakeEnrollment.TablePermission.Select, DataLakeEnrollment.TablePermission.Insert, DataLakeEnrollment.TablePermission.Delete],
     GrantableTablePermissions: [DataLakeEnrollment.TablePermission.Select]
 };
 
-openTargetsStack.grantLakeFormationPermissions(exampleUser, exampleGrant);
+openTargetsStack.grantTablePermissions(exampleUser, exampleGrant);
+
+
+
+
+// In the example below, we are using the compound_structures table from ChEMBL. It has the following table definition:
+// ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key', 'canonical_smiles']
+// Lets say we want to give a principal ONLY select permissions to everything in the compound_structures table BUT the 'canonical_smiles' column.
+
+var exampleTableWithColumnsGrant: DataLakeEnrollment.TableWithColumnPermissionGrant = {
+    table: "chembl_25_public_compound_structures",
+    // Note that we are NOT including 'canonical_smiles'. That effectivley prevents this user from querying that column.
+    columns: ['molregno', 'molfile', 'standard_inchi', 'standard_inchi_key'],
+    DatabasePermissions: [],
+    GrantableDatabasePermissions: [],
+    TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
+    GrantableTableColumnPermissions: []
+};
+
+var exampleTableWithColumnsGrant_WithWildCard: DataLakeEnrollment.TableWithColumnPermissionGrant = {
+    table: "chembl_25_public_compound_structures",
+    wildCardFilter: DataLakeEnrollment.TableWithColumnFilter.Exclude,
+    columns: ['canonical_smiles'],
+    DatabasePermissions: [],
+    GrantableDatabasePermissions: [],
+    TableColumnPermissions: [DataLakeEnrollment.TablePermission.Select],
+    GrantableTableColumnPermissions: []
+};
+
+// Note that exampleTableWithColumnsGrant exampleTableWithColumnsGrant_WithWildCard grants the same effecitve permissions. One just uses a the wildcard.
+chemblStack.grantTableWithColumnPermissions(exampleUser, exampleTableWithColumnsGrant);
diff --git a/lib/constructs/data-lake-enrollment.ts b/lib/constructs/data-lake-enrollment.ts
@@ -17,12 +17,14 @@ export class DataLakeEnrollment extends cdk.Construct {
   public DataSetName: string;
   private CoarseAthenaAccessPolicy: iam.ManagedPolicy;
   private CoarseResourceAccessPolicy: iam.ManagedPolicy;
+  private CoarseIamPolciesApplied: boolean;
 
   constructor(scope: cdk.Construct, id: string, props: DataLakeEnrollment.DataLakeEnrollmentProps) {
         super(scope, id);
 
 
         this.DataSetName = props.DataSetName;
+        this.CoarseIamPolciesApplied = false;
 
     }
 
@@ -224,21 +226,59 @@ export class DataLakeEnrollment extends cdk.Construct {
     }
 
 
-    private createLakeFormationPermission(resourceId: string, dataLakePrincipal: lakeformation.CfnPermissions.DataLakePrincipalProperty,
-                                          resource: lakeformation.CfnPermissions.ResourceProperty, permissions: string[], grantablePremissions: string[] ){
-       
-        new lakeformation.CfnPermissions(this, resourceId, {
-            dataLakePrincipal: dataLakePrincipal,
-            resource: resource,
-            permissions: permissions,
-            permissionsWithGrantOption: grantablePremissions
-        });
+    public grantTableWithColumnPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TableWithColumnPermissionGrant){
+
+        const coreGrant = this.setupIamAndLakeFormationDatabasePermissionForPrincipal(principal, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions);
+
+        const wildcardProperty: lakeformation.CfnPermissions.ColumnWildcardProperty = {
+            excludedColumnNames: permissionGrant.columns
+        };
+
+        var  tableWithColumnsProperty : lakeformation.CfnPermissions.TableWithColumnsResourceProperty = {
+            columnNames: permissionGrant.columns,
+            databaseName: this.DataEnrollment.Dataset_Datalake.databaseName,
+            name: permissionGrant.table
+        };
+
+        if(permissionGrant.wildCardFilter === null){
+            tableWithColumnsProperty = {
+                columnNames: permissionGrant.columns,
+                databaseName: this.DataEnrollment.Dataset_Datalake.databaseName,
+                name: permissionGrant.table
+            };
+        }else{
+
+            if(permissionGrant.wildCardFilter == DataLakeEnrollment.TableWithColumnFilter.Include){
+                tableWithColumnsProperty = {
+                    columnNames: permissionGrant.columns,
+                    databaseName: this.DataEnrollment.Dataset_Datalake.databaseName,
+                    name: permissionGrant.table
+                };
+            }
+
+            if(permissionGrant.wildCardFilter == DataLakeEnrollment.TableWithColumnFilter.Exclude){
+                tableWithColumnsProperty = {
+                    databaseName: this.DataEnrollment.Dataset_Datalake.databaseName,
+                    name: permissionGrant.table,
+                    columnWildcard: {
+                        excludedColumnNames: permissionGrant.columns
+                    }
+                };
+            }
+
+        }
+
+        const tableWithColumnResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {
+            tableWithColumnsResource: tableWithColumnsProperty
+        };
+
+        this.createLakeFormationPermission(`${coreGrant.grantIdPrefix}-${permissionGrant.table}-databaseTableWithColumnGrant`,coreGrant.dataLakePrincipal , tableWithColumnResourceProperty, permissionGrant.TableColumnPermissions, permissionGrant.GrantableTableColumnPermissions)
+
+
     }
 
-    public grantLakeFormationPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.LakeFormationPermissionGrant){
-       
+    public grantDatabasePermission(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DatabasePermissionGrant){
 
-        this.grantCoarseIamRead(principal);
 
         var grantIdPrefix = ""
         var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
@@ -260,10 +300,17 @@ export class DataLakeEnrollment extends cdk.Construct {
 	    if(resolvedPrincipalType === iam.User){
             const resolvedPrincipal = principal as  iam.User;
             grantIdPrefix = `${resolvedPrincipal.userName}-${this.DataSetName}`
-            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.userName };
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.userArn };
 		}
 
-		this.createLakeFormationPermission(`${grantIdPrefix}-databaseGrant`,dataLakePrincipal , databaseResourceProperty, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions)
+        this.createLakeFormationPermission(`${grantIdPrefix}-databaseGrant`,dataLakePrincipal , databaseResourceProperty, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions)
+
+    }
+
+
+    public grantTablePermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TablePermissionGrant){
+
+        const coreGrant = this.setupIamAndLakeFormationDatabasePermissionForPrincipal(principal, permissionGrant.DatabasePermissions, permissionGrant.GrantableDatabasePermissions);
 
         permissionGrant.tables.forEach(table => {
             var tableResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {
@@ -272,16 +319,53 @@ export class DataLakeEnrollment extends cdk.Construct {
                     databaseName: this.DataEnrollment.Dataset_Datalake.databaseName
                 }
             };
-            this.createLakeFormationPermission(`${grantIdPrefix}-${table}-databaseTableGrant`,dataLakePrincipal , tableResourceProperty, permissionGrant.TablePermissions, permissionGrant.TablePermissions)
+            this.createLakeFormationPermission(`${coreGrant.grantIdPrefix}-${table}-databaseTableGrant`,coreGrant.dataLakePrincipal , tableResourceProperty, permissionGrant.TablePermissions, permissionGrant.GrantableTablePermissions)
         });
 
     }
 
-    private determinePrincipalType(principal: iam.IPrincipal){        
+
+	public grantCoarseIamRead(principal: iam.IPrincipal){
+
+
+        const resolvedPrincipalType = this.determinePrincipalType(principal);
+
+		if(resolvedPrincipalType === iam.Role){
+		    this.CoarseAthenaAccessPolicy.attachToRole(principal as iam.Role);
+		    this.CoarseResourceAccessPolicy.attachToRole(principal as iam.Role);
+		    this.CoarseIamPolciesApplied = true;
+		    return;
+		}
+
+	    if(resolvedPrincipalType === iam.User){
+		    this.CoarseAthenaAccessPolicy.attachToUser(principal as iam.User);
+		    this.CoarseResourceAccessPolicy.attachToUser(principal as iam.User);
+		    this.CoarseIamPolciesApplied = true;
+		    return;
+		}
+
+
+
+
+
+	}
+
+
+
+	private createLakeFormationPermission(resourceId: string, dataLakePrincipal: lakeformation.CfnPermissions.DataLakePrincipalProperty, resource: lakeformation.CfnPermissions.ResourceProperty, permissions: string[], grantablePremissions: string[] ){
+
+        new lakeformation.CfnPermissions(this, resourceId, {
+            dataLakePrincipal: dataLakePrincipal,
+            resource: resource,
+            permissions: permissions,
+            permissionsWithGrantOption: grantablePremissions
+        });
+    }
+	private determinePrincipalType(principal: iam.IPrincipal){
 
         if(principal instanceof iam.Role){
             //return principal as iam.Role;
-            return iam.Role;            
+            return iam.Role;
 		}
 
 	    if(principal instanceof iam.User){
@@ -290,45 +374,56 @@ export class DataLakeEnrollment extends cdk.Construct {
 		}
 
 		if(principal instanceof cdk.Resource){
-            
+
 	        try{
-                const user = principal as iam.User;                          
+                const user = principal as iam.User;
                 return iam.User;
 	        } catch(exception) {
 	            console.log(exception);
 	        }
 	        try{
                 const role = principal as iam.Role;
-                return iam.Role; 
+                return iam.Role;
 	        } catch(exception) {
 	            console.log(exception);
 	        }
         }
-        
+
         throw("Unable to deterimine principal type...");
 
     }
-    
+	private setupIamAndLakeFormationDatabasePermissionForPrincipal(principal: iam.IPrincipal, databasePermissions: Array<DataLakeEnrollment.DatabasePermission>, grantableDatabasePermissions: Array<DataLakeEnrollment.DatabasePermission> ){
 
-	public grantCoarseIamRead(principal: iam.IPrincipal){
+        this.grantCoarseIamRead(principal);
+
+        var grantIdPrefix = ""
+        var dataLakePrincipal : lakeformation.CfnPermissions.DataLakePrincipalProperty = {
+            dataLakePrincipalIdentifier: ""
+        };
+        var databaseResourceProperty : lakeformation.CfnPermissions.ResourceProperty = {
+            //dataLocationResource: {resourceArn: this.DataEnrollment.DataLakeBucketName},
+            databaseResource: {name: this.DataEnrollment.Dataset_Datalake.databaseName}
+        };
 
         const resolvedPrincipalType = this.determinePrincipalType(principal);
 
-		if(resolvedPrincipalType === iam.Role){            
-		    this.CoarseAthenaAccessPolicy.attachToRole(principal as iam.Role);
-		    this.CoarseResourceAccessPolicy.attachToRole(principal as iam.Role);
-		    return;
+        if(resolvedPrincipalType === iam.Role) {
+            const resolvedPrincipal = principal as  iam.Role;
+            grantIdPrefix = `${resolvedPrincipal.roleArn}-${this.DataSetName}`
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.roleArn };
 		}
 
 	    if(resolvedPrincipalType === iam.User){
-		    this.CoarseAthenaAccessPolicy.attachToUser(principal as iam.User);
-		    this.CoarseResourceAccessPolicy.attachToUser(principal as iam.User);
-		    return;
+            const resolvedPrincipal = principal as  iam.User;
+            grantIdPrefix = `${resolvedPrincipal.userName}-${this.DataSetName}`
+            dataLakePrincipal = { dataLakePrincipalIdentifier: resolvedPrincipal.userArn };
 		}
-		
-		throw("Unable to attach policy. Principal is not a user or role.");
 
-	}
+	    this.grantDatabasePermission(principal, { DatabasePermissions: databasePermissions, GrantableDatabasePermissions: grantableDatabasePermissions  });
+
+        return { grantIdPrefix: grantIdPrefix, dataLakePrincipal: dataLakePrincipal };
+    }
+
 }
 
 
@@ -352,20 +447,41 @@ export namespace DataLakeEnrollment
         Insert = 'INSERT',
     }
 
+    export enum TableWithColumnFilter {
+        Include = "Include",
+        Exclude = "Exclude"
+    }
+
     export interface DataLakeEnrollmentProps extends cdk.StackProps {
     	dataLakeBucket: s3.Bucket;
     	GlueScriptPath: string;
     	GlueScriptArguments: any;
     	DataSetName: string;
     }
 
-    export interface LakeFormationPermissionGrant {
+    export interface DatabasePermissionGrant {
+        DatabasePermissions: Array<DatabasePermission>;
+        GrantableDatabasePermissions: Array<DatabasePermission>;
+    }
+
+
+    export interface TablePermissionGrant {
         tables: Array<string>;
         DatabasePermissions: Array<DatabasePermission>;
         GrantableDatabasePermissions: Array<DatabasePermission>;
         TablePermissions: Array<TablePermission>;
         GrantableTablePermissions: Array<TablePermission>;
     }
+
+    export interface TableWithColumnPermissionGrant {
+        table: string;
+        columns: Array<string>;
+        wildCardFilter?: TableWithColumnFilter;
+        DatabasePermissions: Array<DatabasePermission>;
+        GrantableDatabasePermissions: Array<DatabasePermission>;
+        TableColumnPermissions: Array<TablePermission>;
+        GrantableTableColumnPermissions: Array<TablePermission>;
+    }
 }
 
 
diff --git a/lib/stacks/dataset-stack.ts b/lib/stacks/dataset-stack.ts
@@ -8,28 +8,40 @@ import s3assets = require('@aws-cdk/aws-s3-assets');
 import { DataSetEnrollmentProps, DataSetEnrollment } from '../constructs/data-set-enrollment';
 import { DataLakeEnrollment } from '../constructs/data-lake-enrollment';
 import { DataLakeStack } from './datalake-stack';
-	
+
 export interface DataSetStackProps extends cdk.StackProps {
 	DataLake: DataLakeStack;
-}	
+}
 
 
 export class DataSetStack extends cdk.Stack {
-  
+
   public Enrollment: DataLakeEnrollment;
   public DataLake: DataLakeStack;
-  
+
   constructor(scope: cdk.Construct, id: string, props: DataSetStackProps) {
     super(scope, id, props);
     this.DataLake = props.DataLake;
   }
-  
-  public grantLakeFormationPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.LakeFormationPermissionGrant){
-    
+
+
+  public grantDatabasePermissions( principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.DatabasePermissionGrant){
+    this.Enrollment.grantDatabasePermission(principal, permissionGrant);
+  }
+
+  public grantTablePermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TablePermissionGrant){
+
     this.DataLake.grantAthenaResultsBucketPermission(principal);
-    this.Enrollment.grantLakeFormationPermissions(principal, permissionGrant);
+    this.Enrollment.grantTablePermissions(principal, permissionGrant);
   }
-  
+
+  public grantTableWithColumnPermissions(principal: iam.IPrincipal, permissionGrant: DataLakeEnrollment.TableWithColumnPermissionGrant){
+
+    this.DataLake.grantAthenaResultsBucketPermission(principal);
+    this.Enrollment.grantTableWithColumnPermissions(principal, permissionGrant);
+  }
+
+
   public grantIamRead(principal: iam.IPrincipal){
     this.DataLake.grantAthenaResultsBucketPermission(principal);
     this.Enrollment.grantCoarseIamRead(principal);
