
Commit ec565ac

committed
Add group filtering logic to cluster export
1 parent aa19b5d commit ec565ac


1 file changed

+46
-2
lines changed


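--- a/dbclient/ClustersClient.py
+++ b/dbclient/ClustersClient.py
@@ -514,6 +514,14 @@ def log_cluster_configs(self, log_file='clusters.log', acl_log_file='acl_cluster
 :param filter_user: user name to filter and log the cluster config
 :return:
 """
+
+# get users list based on groups_to_keep
+users_list = []
+if self.groups_to_keep is not None:
+all_users = self.get('/preview/scim/v2/Users').get('Resources', None)
+users_list = list(set([user.get("emails")[0].get("value") for user in all_users
+for group in user.get("groups") if group.get("display") in self.groups_to_keep]))
+
 cluster_log = self.get_export_dir() + log_file
 acl_cluster_log = self.get_export_dir() + acl_log_file
 error_logger = logging_utils.get_error_logger(
@@ -545,14 +553,30 @@ def log_cluster_configs(self, log_file='clusters.log', acl_log_file='acl_cluster
 cluster_json['aws_attributes'] = aws_conf
 cluster_json['aws_attributes'] = aws_conf
 cluster_perms = self.get_cluster_acls(cluster_json['cluster_id'], cluster_json['cluster_name'])
-if cluster_perms['http_status_code'] == 200:
+
+if users_list:
+acls = [acl for acl in cluster_perms.get("access_control_list") if
+(acl.get("group_name", "") in self.groups_to_keep) or
+(acl.get("user_name", "") in users_list) or
+(acl.get("group_name", "") == "users")]
+cluster_perms["access_control_list"] = acls
+
+if cluster_perms['http_status_code'] == 200 and acls:
+acl_log_fp.write(json.dumps(cluster_perms) + '\n')
+else:
+error_logger.error(f'Failed to get cluster ACL: {cluster_perms}')
+
+elif cluster_perms['http_status_code'] == 200:
 acl_log_fp.write(json.dumps(cluster_perms) + '\n')
 else:
 error_logger.error(f'Failed to get cluster ACL: {cluster_perms}')
 
 if filter_user:
 if cluster_json['creator_user_name'] == filter_user:
 log_fp.write(json.dumps(cluster_json) + '\n')
+elif users_list:
+if cluster_json.get('creator_user_name') in users_list:
+log_fp.write(json.dumps(cluster_json) + '\n')
 else:
 log_fp.write(json.dumps(cluster_json) + '\n')
 
@@ -566,13 +590,33 @@ def log_cluster_policies(self, log_file='cluster_policies.log', acl_log_file='ac
 for x in policies_list:
 policy_ids[x.get('policy_id')] = x.get('name')
 fp.write(json.dumps(x) + '\n')
+
+# get users list based on groups_to_keep
+users_list = []
+if self.groups_to_keep is not None:
+all_users = self.get('/preview/scim/v2/Users').get('Resources', None)
+users_list = list(set([user.get("emails")[0].get("value") for user in all_users
+for group in user.get("groups") if
+group.get("display") in self.groups_to_keep]))
+
 # log cluster policy ACLs, which takes a policy id as arguments
 with open(acl_policies_log, 'w') as acl_fp:
 for pid in policy_ids:
 api = f'/preview/permissions/cluster-policies/{pid}'
 perms = self.get(api)
 perms['name'] = policy_ids[pid]
-acl_fp.write(json.dumps(perms) + '\n')
+
+# remove any ACLs that involve users/groups that have been filtered
+if users_list:
+acls = [acl for acl in perms.get("access_control_list") if
+(acl.get("group_name", "") in self.groups_to_keep) or
+(acl.get("user_name", "") in users_list) or
+(acl.get("group_name", "" == "users"))]
+if acls:
+perms["access_control_list"] = acls
+acl_fp.write(json.dumps(perms) + '\n')
+else:
+acl_fp.write(json.dumps(perms) + '\n')
 
 def log_instance_pools(self, log_file='instance_pools.log'):
 pool_log = self.get_export_dir() + log_file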
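Review bot: In log_cluster_policies the `users` exception is mis-parenthesised at new line 614, `(acl.get("group_name", "" == "users"))`: `"" == "users"` (False) becomes the default argument and the clause is truthy for any ACL carrying a non-empty group_name, so group entries that should have been dropped are kept in the exported policy ACLs — it should read `(acl.get("group_name", "") == "users")` as at new line 561 in log_cluster_configs. In both methods the filter is gated on `if users_list:` rather than on `self.groups_to_keep`, so a configured group list that resolves to no users (for example a misspelled group name) silently falls through to the unfiltered branch and exports every ACL. In log_cluster_configs the filtering comprehension now runs before the `http_status_code == 200` check, so a non-200 response lacking an `access_control_list` key would presumably make `for acl in None` raise TypeError instead of reaching the error logger, and a 200 response whose ACLs were all filtered out is logged as `Failed to get cluster ACL`, which it is not. The user-resolution block (SCIM `/preview/scim/v2/Users` to emails and groups) is duplicated verbatim in the first and third hunks and assumes every user has `emails` and `groups`; a small helper such as `_users_in_groups_to_keep()` returning a set would remove the duplication and give one place to guard against `Resources`, `emails` or `groups` being absent. Both enclosing methods start outside the hunks.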
