From 33952c0abe25259806e17b20745365eba53dec8e Mon Sep 17 00:00:00 2001 
From: Sofia Sazonova Date: Mon, 18 Mar 2024 16:03:00 +0000 Subject: [PATCH 01/11] split all models in different folders by themes. Enums are moved to api --- backend/api_handler.py | 4 +- .../dataall/core/environment/api/resolvers.py | 4 +- .../environment/env_permission_checker.py | 2 +- .../services/environment_service.py | 10 ++--- backend/dataall/core/groups/api/resolvers.py | 2 +- .../services/organization_service.py | 6 +-- backend/dataall/core/permissions/api/enums.py | 6 +++ .../dataall/core/permissions/api/resolvers.py | 6 +-- backend/dataall/core/permissions/api/types.py | 2 +- .../core/permissions/constants/__init__.py | 0 .../{ => constants}/permissions.py | 0 .../dataall/core/permissions/db/__init__.py | 6 +-- .../core/permissions/db/group/__init__.py | 0 .../{ => group}/group_policy_repositories.py | 2 +- .../permissions/db/permission/__init__.py | 0 .../db/permission/permission_models.py | 20 +++++++++ .../permission_repositories.py | 7 ++- .../db/resource_policy/__init__.py | 0 .../resource_policy/resource_policy_models.py | 36 ++++++++++++++++ .../resource_policy_repositories.py | 19 ++++---- .../core/permissions/db/tenant/__init__.py | 0 .../tenant_models.py} | 43 +------------------ .../tenant_policy_repositories.py | 23 +++++----- .../db/{ => tenant}/tenant_repositories.py | 2 +- .../core/permissions/decorators/__init__.py | 0 .../{ => decorators}/permission_checker.py | 4 +- .../stacks/db/keyvaluetag_repositories.py | 2 +- .../core/stacks/db/stack_repositories.py | 2 +- .../stacks/db/target_type_repositories.py | 2 +- .../dataall/core/vpc/services/vpc_service.py | 6 +-- .../services/glossaries_permissions.py | 2 +- .../catalog/services/glossaries_service.py | 2 +- .../services/dashboard_permissions.py | 2 +- .../services/dashboard_quicksight_service.py | 6 +-- .../dashboards/services/dashboard_service.py | 4 +- .../services/dashboard_share_service.py | 4 +- .../services/datapipelines_permissions.py | 2 +- .../services/datapipelines_service.py | 
4 +- .../services/share_item_service.py | 4 +- .../services/share_object_service.py | 6 +-- .../services/share_permissions.py | 2 +- .../services/dataset_column_service.py | 4 +- .../services/dataset_location_service.py | 2 +- .../datasets/services/dataset_permissions.py | 2 +- .../services/dataset_profiling_service.py | 4 +- .../datasets/services/dataset_service.py | 4 +- .../services/dataset_table_service.py | 4 +- .../mlstudio/services/mlstudio_permissions.py | 2 +- .../mlstudio/services/mlstudio_service.py | 4 +- .../services/notebook_permissions.py | 2 +- .../notebooks/services/notebook_service.py | 4 +- .../services/worksheet_permissions.py | 2 +- .../worksheets/services/worksheet_service.py | 4 +- backend/local_graphql_server.py | 4 +- .../04d92886fabe_add_consumption_roles.py | 6 +-- ...618805341_rename_sgm_studio_permissions.py | 7 +-- .../72b8a90b6ee8__share_request_purpose.py | 4 +- ...f74bd_update_permissions_modularization.py | 11 +++-- ...215e_backfill_dataset_table_permissions.py | 4 +- .../versions/e177eb044b31_init_tenant.py | 6 +-- tests/conftest.py | 4 +- tests/core/environments/test_environment.py | 4 +- tests/core/permissions/test_permission.py | 8 ++-- tests/core/permissions/test_tenant.py | 2 +- tests/modules/conftest.py | 4 +- tests/modules/datasets/conftest.py | 2 +- .../datasets/test_dataset_permissions.py | 3 +- 67 files changed, 190 insertions(+), 171 deletions(-) create mode 100644 backend/dataall/core/permissions/api/enums.py create mode 100644 backend/dataall/core/permissions/constants/__init__.py rename backend/dataall/core/permissions/{ => constants}/permissions.py (100%) create mode 100644 backend/dataall/core/permissions/db/group/__init__.py rename backend/dataall/core/permissions/db/{ => group}/group_policy_repositories.py (94%) create mode 100644 backend/dataall/core/permissions/db/permission/__init__.py create mode 100644 backend/dataall/core/permissions/db/permission/permission_models.py rename 
backend/dataall/core/permissions/db/{ => permission}/permission_repositories.py (95%) create mode 100644 backend/dataall/core/permissions/db/resource_policy/__init__.py create mode 100644 backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py rename backend/dataall/core/permissions/db/{ => resource_policy}/resource_policy_repositories.py (92%) create mode 100644 backend/dataall/core/permissions/db/tenant/__init__.py rename backend/dataall/core/permissions/db/{permission_models.py => tenant/tenant_models.py} (50%) rename backend/dataall/core/permissions/db/{ => tenant}/tenant_policy_repositories.py (93%) rename backend/dataall/core/permissions/db/{ => tenant}/tenant_repositories.py (94%) create mode 100644 backend/dataall/core/permissions/decorators/__init__.py rename backend/dataall/core/permissions/{ => decorators}/permission_checker.py (94%)
diff --git a/backend/api_handler.py b/backend/api_handler.py
index dee347961..14e6343b3 100644
--- a/backend/api_handler.py
+++ b/backend/api_handler.py
@@ -17,9 +17,9 @@
 from dataall.base.aws.parameter_store import ParameterStoreManager
 from dataall.base.context import set_context, dispose_context, RequestContext
 from dataall.core.permissions.db import save_permissions_with_tenant
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 from dataall.base.db import get_engine
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 from dataall.base.loader import load_modules, ImportMode
 logger = logging.getLogger()
diff --git a/backend/dataall/core/environment/api/resolvers.py b/backend/dataall/core/environment/api/resolvers.py
index e5371f190..bf492da4c 100644
--- a/backend/dataall/core/environment/api/resolvers.py
+++ b/backend/dataall/core/environment/api/resolvers.py
@@ -16,13 +16,13 @@
 from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.environment.api.enums import EnvironmentPermission
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.aws.cloudformation import CloudFormation
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.core.vpc.services.vpc_service import VpcService
 from dataall.base.aws.ec2_client import EC2
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 from dataall.base.feature_toggle_checker import is_feature_enabled
 from dataall.base.utils.naming_convention import (
 NamingConventionService,
diff --git a/backend/dataall/core/environment/env_permission_checker.py b/backend/dataall/core/environment/env_permission_checker.py
index 92d57b0c2..19338b4c9 100644
--- a/backend/dataall/core/environment/env_permission_checker.py
+++ b/backend/dataall/core/environment/env_permission_checker.py
@@ -1,5 +1,5 @@
 from dataall.base.context import get_context, RequestContext
-from dataall.core.permissions.db.group_policy_repositories import GroupPolicy
+from dataall.core.permissions.db.group.group_policy_repositories import GroupPolicy
 from dataall.base.utils.decorator_utls import process_func
diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py
index e6c179636..66b667e34 100644
--- a/backend/dataall/core/environment/services/environment_service.py
+++ b/backend/dataall/core/environment/services/environment_service.py
@@ -11,10 +11,10 @@
 from dataall.core.environment.db.environment_models import EnvironmentParameter, ConsumptionRole
 from dataall.core.environment.db.environment_repositories import EnvironmentParameterRepository, EnvironmentRepository
 from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.permission_models import PermissionType
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.permission.permission_models import PermissionType
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.vpc.db.vpc_models import Vpc
 from dataall.base.db.paginator import paginate
 from dataall.base.utils.naming_convention import (
@@ -22,7 +22,7 @@
 NamingConventionPattern,
 )
 from dataall.base.db import exceptions
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 from dataall.core.organizations.db.organization_repositories import OrganizationRepository
 from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup
 from dataall.core.environment.api.enums import EnvironmentPermission, EnvironmentType
diff --git a/backend/dataall/core/groups/api/resolvers.py b/backend/dataall/core/groups/api/resolvers.py
index f5d4ef3ea..676f42d77 100644
--- a/backend/dataall/core/groups/api/resolvers.py
+++ b/backend/dataall/core/groups/api/resolvers.py
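Review bot: `PermissionType` is imported here from `dataall.core.permissions.db.permission.permission_models`, but in this same patch that module no longer defines the enum — it only re-exports it because it imports it from `dataall.core.permissions.api.enums` for its own column type. Every other call site the patch touches (`api/types.py`, `permission_repositories.py`, `resource_policy_repositories.py`, `tenant_policy_repositories.py`) was moved to the new home, so this import should follow: `from dataall.core.permissions.api.enums import PermissionType`. Resolving the name through a transitive import works today but silently breaks the day someone tidies the model module's imports. The first hunk is the file's import block; the second continues a multi-line `naming_convention` import that starts outside it.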
@@ -6,7 +6,7 @@
 from dataall.core.groups.db.group_models import Group
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.organizations.db.organization_repositories import OrganizationRepository
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 from dataall.base.db import exceptions
 log = logging.getLogger()
diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py
index 7aa2e69e3..110cf9382 100644
--- a/backend/dataall/core/organizations/services/organization_service.py
+++ b/backend/dataall/core/organizations/services/organization_service.py
@@ -6,9 +6,9 @@
 from dataall.core.organizations.services.organizations_enums import OrganisationUserRole
 from dataall.core.organizations.db.organization_models import OrganizationGroup
 from dataall.core.organizations.db import organization_models as models
-from dataall.core.permissions import permissions
-from dataall.core.permissions.permission_checker import has_tenant_permission, has_resource_permission
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.constants import permissions
+from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 class OrganizationService:
diff --git a/backend/dataall/core/permissions/api/enums.py b/backend/dataall/core/permissions/api/enums.py
new file mode 100644
index 000000000..cd786406b
--- /dev/null
+++ b/backend/dataall/core/permissions/api/enums.py
@@ -0,0 +1,6 @@
+import enum
+
+
+class PermissionType(enum.Enum):
+ TENANT = 'TENANT'
+ RESOURCE = 'RESOURCE'
diff --git a/backend/dataall/core/permissions/api/resolvers.py b/backend/dataall/core/permissions/api/resolvers.py
index 16cb4394a..0333599f2 100644
--- a/backend/dataall/core/permissions/api/resolvers.py
+++ b/backend/dataall/core/permissions/api/resolvers.py
@@ -3,7 +3,7 @@
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.aws.parameter_store import ParameterStoreManager
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 log = logging.getLogger(__name__)
@@ -26,15 +26,13 @@ def list_tenant_permissions(context, source):
 def list_tenant_groups(context, source, filter=None):
- if not filter:
- filter = {}
 with context.engine.scoped_session() as session:
 return TenantPolicy.list_tenant_groups(
 session=session,
 username=context.username,
 groups=context.groups,
 uri=None,
- data=filter,
+ data=filter if filter else {},
 check_perm=True,
 )
diff --git a/backend/dataall/core/permissions/api/types.py b/backend/dataall/core/permissions/api/types.py
index 684e532d7..88efdc232 100644
--- a/backend/dataall/core/permissions/api/types.py
+++ b/backend/dataall/core/permissions/api/types.py
@@ -1,5 +1,5 @@
 from dataall.base.api import gql
-from dataall.core.permissions.db.permission_models import PermissionType
+from dataall.core.permissions.api.enums import PermissionType
 def resolve_enum(context, source: PermissionType):
diff --git a/backend/dataall/core/permissions/constants/__init__.py b/backend/dataall/core/permissions/constants/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/permissions.py b/backend/dataall/core/permissions/constants/permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/permissions.py
rename to backend/dataall/core/permissions/constants/permissions.py
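Review bot: `data=filter if filter else {}` on the new side of `list_tenant_groups` is the long spelling of `data=filter or {}`; the hunk drops the two-line guard only to reintroduce the same test inline, so the shorter idiom is the cleaner replacement. `filter` also shadows the builtin, but it is presumably bound by name from the GraphQL argument of the same name, so renaming the parameter is not a safe follow-up in this resolver. The whole body of `list_tenant_groups` is within the hunk; `list_tenant_permissions` named in the hunk header is not.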
diff --git a/backend/dataall/core/permissions/db/__init__.py b/backend/dataall/core/permissions/db/__init__.py
index f131de6aa..f8795af0d 100644
--- a/backend/dataall/core/permissions/db/__init__.py
+++ b/backend/dataall/core/permissions/db/__init__.py
@@ -1,8 +1,8 @@
 import logging
-from dataall.core.permissions.db import permission_models
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.tenant_repositories import Tenant
+from dataall.core.permissions.db.permission import permission_models
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.tenant.tenant_repositories import Tenant
 log = logging.getLogger('Permissions')
diff --git a/backend/dataall/core/permissions/db/group/__init__.py b/backend/dataall/core/permissions/db/group/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/db/group_policy_repositories.py b/backend/dataall/core/permissions/db/group/group_policy_repositories.py
similarity index 94%
rename from backend/dataall/core/permissions/db/group_policy_repositories.py
rename to backend/dataall/core/permissions/db/group/group_policy_repositories.py
index 221e8f394..cdc6991b1 100644
--- a/backend/dataall/core/permissions/db/group_policy_repositories.py
+++ b/backend/dataall/core/permissions/db/group/group_policy_repositories.py
@@ -1,5 +1,5 @@
 from dataall.core.environment.db.environment_models import EnvironmentGroup
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.base.db.exceptions import UnauthorizedOperation
diff --git a/backend/dataall/core/permissions/db/permission/__init__.py b/backend/dataall/core/permissions/db/permission/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/db/permission/permission_models.py b/backend/dataall/core/permissions/db/permission/permission_models.py
new file mode 100644
index 000000000..2bac681c7
--- /dev/null
+++ b/backend/dataall/core/permissions/db/permission/permission_models.py
@@ -0,0 +1,20 @@
+import datetime
+
+from dataall.core.permissions.api.enums import PermissionType
+from sqlalchemy import Column, String, DateTime, Enum as DBEnum
+
+from dataall.base.db import Base, utils
+
+
+class Permission(Base):
+ __tablename__ = 'permission'
+ permissionUri = Column(String, primary_key=True, default=utils.uuid('permission'))
+ name = Column(String, nullable=False, index=True)
+ type = Column(DBEnum(PermissionType), nullable=False)
+ description = Column(String, nullable=False)
+ created = Column(DateTime, default=datetime.datetime.now)
+ updated = Column(DateTime, onupdate=datetime.datetime.now)
+
+
+
+
diff --git a/backend/dataall/core/permissions/db/permission_repositories.py b/backend/dataall/core/permissions/db/permission/permission_repositories.py
similarity index 95%
rename from backend/dataall/core/permissions/db/permission_repositories.py
rename to backend/dataall/core/permissions/db/permission/permission_repositories.py
index c04ffcc5e..4576448c8 100644
--- a/backend/dataall/core/permissions/db/permission_repositories.py
+++ b/backend/dataall/core/permissions/db/permission/permission_repositories.py
@@ -1,10 +1,9 @@
 import logging
-from dataall.core.permissions.db.permission_models import PermissionType
+from dataall.core.permissions.api.enums import PermissionType
 from dataall.base.db import exceptions
-from dataall.core.permissions import permissions
-from dataall.core.permissions.db import permission_models as models
-
+from dataall.core.permissions.constants import permissions
+from dataall.core.permissions.db.permission import permission_models as models
 logger = logging.getLogger(__name__)
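Review bot: The new `permission_models.py` makes the persistence layer import from the GraphQL layer (`from dataall.core.permissions.api.enums import PermissionType`), which inverts the usual api → db dependency direction; if `dataall.core.permissions.api/__init__.py` ever imports its types or resolvers (which in turn import this db package), that becomes a circular import, so a neutral home such as the new `constants` package would serve both sides better. Two smaller points in the same hunk: that local import is placed between the stdlib import and the `sqlalchemy` import instead of in its own group after them, and the file ends with four blank `+` lines. Because the enum class keeps its name, the `DBEnum(PermissionType)` column type name should be unaffected by the move, but that relies on SQLAlchemy's default naming rather than anything visible here and is worth checking against the existing migrations.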
diff --git a/backend/dataall/core/permissions/db/resource_policy/__init__.py b/backend/dataall/core/permissions/db/resource_policy/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py
new file mode 100644
index 000000000..361602268
--- /dev/null
+++ b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py
@@ -0,0 +1,36 @@
+import datetime
+
+from dataall.core.permissions.api.enums import PermissionType
+from sqlalchemy import Column, String, DateTime, ForeignKey, Enum as DBEnum
+from sqlalchemy.orm import relationship
+
+from dataall.base.db import Base, utils
+
+from dataall.core.permissions.db.permission.permission_models import Permission
+
+
+class ResourcePolicy(Base):
+ __tablename__ = 'resource_policy'
+
+ sid = Column(String, primary_key=True, default=utils.uuid('resource_policy'))
+
+ resourceUri = Column(String, nullable=False, index=True)
+ resourceType = Column(String, nullable=False, index=True)
+
+ principalId = Column(String, nullable=False, index=True)
+ principalType = Column(DBEnum('USER', 'GROUP', 'SERVICE', name='rp_principal_type'), default='GROUP')
+
+ permissions = relationship('ResourcePolicyPermission', uselist=True, backref='resource_policy')
+
+ created = Column(DateTime, default=datetime.datetime.now)
+ updated = Column(DateTime, onupdate=datetime.datetime.now)
+
+
+class ResourcePolicyPermission(Base):
+ __tablename__ = 'resource_policy_permission'
+
+ sid = Column(String, ForeignKey(ResourcePolicy.sid), primary_key=True)
+ permissionUri = Column(String, ForeignKey(Permission.permissionUri), primary_key=True)
+ permission = relationship('Permission')
+ created = Column(DateTime, default=datetime.datetime.now)
+ updated = Column(DateTime, onupdate=datetime.datetime.now)
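Review bot: `from dataall.core.permissions.api.enums import PermissionType` in the new `resource_policy_models.py` is unused — neither `ResourcePolicy` nor `ResourcePolicyPermission` references it (the `principalType` column is a string-valued `DBEnum`), so the line should be dropped; ruff's F401 would flag it. With it gone the imports fall naturally into stdlib, `sqlalchemy`, then the two `dataall` imports as one local group. The class bodies themselves are the code moved verbatim from the old `permission_models.py`.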
diff --git a/backend/dataall/core/permissions/db/resource_policy_repositories.py b/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py
similarity index 92%
rename from backend/dataall/core/permissions/db/resource_policy_repositories.py
rename to backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py
index 290770e52..15570863d 100644
--- a/backend/dataall/core/permissions/db/resource_policy_repositories.py
+++ b/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py
@@ -3,10 +3,11 @@
 from sqlalchemy.sql import and_
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.permission_models import PermissionType
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.api.enums import PermissionType
 from dataall.base.db import exceptions
-from dataall.core.permissions.db import permission_models as models
+from dataall.core.permissions.db.permission import permission_models
+from dataall.core.permissions.db.resource_policy import resource_policy_models as models
 logger = logging.getLogger(__name__)
@@ -44,14 +45,14 @@ def has_user_resource_permission(
 models.ResourcePolicy.sid == models.ResourcePolicyPermission.sid,
 )
 .join(
- models.Permission,
- models.Permission.permissionUri == models.ResourcePolicyPermission.permissionUri,
+ permission_models.Permission,
+ permission_models.Permission.permissionUri == models.ResourcePolicyPermission.permissionUri,
 )
 .filter(
 and_(
 models.ResourcePolicy.principalId.in_(groups),
 models.ResourcePolicy.principalType == 'GROUP',
- models.Permission.name == permission_name,
+ permission_models.Permission.name == permission_name,
 models.ResourcePolicy.resourceUri == resource_uri,
 )
 )
@@ -77,14 +78,14 @@ def has_group_resource_permission(
 models.ResourcePolicy.sid == models.ResourcePolicyPermission.sid,
 )
 .join(
- models.Permission,
- models.Permission.permissionUri == models.ResourcePolicyPermission.permissionUri,
+ permission_models.Permission,
+ permission_models.Permission.permissionUri == models.ResourcePolicyPermission.permissionUri,
 )
 .filter(
 and_(
 models.ResourcePolicy.principalId == group_uri,
 models.ResourcePolicy.principalType == 'GROUP',
- models.Permission.name == permission_name,
+ permission_models.Permission.name == permission_name,
 models.ResourcePolicy.resourceUri == resource_uri,
 )
 )
diff --git a/backend/dataall/core/permissions/db/tenant/__init__.py b/backend/dataall/core/permissions/db/tenant/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/db/permission_models.py b/backend/dataall/core/permissions/db/tenant/tenant_models.py
similarity index 50%
rename from backend/dataall/core/permissions/db/permission_models.py
rename to backend/dataall/core/permissions/db/tenant/tenant_models.py
index e5bc49900..57373a1d1 100644
--- a/backend/dataall/core/permissions/db/permission_models.py
+++ b/backend/dataall/core/permissions/db/tenant/tenant_models.py
@@ -1,25 +1,11 @@
 import datetime
-import enum
 from sqlalchemy import Column, String, DateTime, ForeignKey, Enum as DBEnum
 from sqlalchemy.orm import relationship
 from dataall.base.db import Base, utils
-
-class PermissionType(enum.Enum):
- TENANT = 'TENANT'
- RESOURCE = 'RESOURCE'
-
-
-class Permission(Base):
- __tablename__ = 'permission'
- permissionUri = Column(String, primary_key=True, default=utils.uuid('permission'))
- name = Column(String, nullable=False, index=True)
- type = Column(DBEnum(PermissionType), nullable=False)
- description = Column(String, nullable=False)
- created = Column(DateTime, default=datetime.datetime.now)
- updated = Column(DateTime, onupdate=datetime.datetime.now)
+from dataall.core.permissions.db.permission.permission_models import Permission
 class TenantPolicy(Base):
@@ -52,33 +38,6 @@ class TenantPolicyPermission(Base):
 updated = Column(DateTime, onupdate=datetime.datetime.now)
-class ResourcePolicy(Base):
- __tablename__ = 'resource_policy'
-
- sid = Column(String, primary_key=True, default=utils.uuid('resource_policy'))
-
- resourceUri = Column(String, nullable=False, index=True)
- resourceType = Column(String, nullable=False, index=True)
-
- principalId = Column(String, nullable=False, index=True)
- principalType = Column(DBEnum('USER', 'GROUP', 'SERVICE', name='rp_principal_type'), default='GROUP')
-
- permissions = relationship('ResourcePolicyPermission', uselist=True, backref='resource_policy')
-
- created = Column(DateTime, default=datetime.datetime.now)
- updated = Column(DateTime, onupdate=datetime.datetime.now)
-
-
-class ResourcePolicyPermission(Base):
- __tablename__ = 'resource_policy_permission'
-
- sid = Column(String, ForeignKey(ResourcePolicy.sid), primary_key=True)
- permissionUri = Column(String, ForeignKey(Permission.permissionUri), primary_key=True)
- permission = relationship('Permission')
- created = Column(DateTime, default=datetime.datetime.now)
- updated = Column(DateTime, onupdate=datetime.datetime.now)
-
-
 class Tenant(Base):
 __tablename__ = 'tenant'
 tenantUri = Column(String, primary_key=True, default=utils.uuid('tenant'))
diff --git a/backend/dataall/core/permissions/db/tenant_policy_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py
similarity index 93%
rename from backend/dataall/core/permissions/db/tenant_policy_repositories.py
rename to backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py
index 4a8e41d06..721287ba0 100644
--- a/backend/dataall/core/permissions/db/tenant_policy_repositories.py
+++ b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py
@@ -2,12 +2,13 @@
 from sqlalchemy.sql import and_
-from dataall.core.permissions.db.permission_models import PermissionType
+from dataall.core.permissions.api.enums import PermissionType
 from dataall.base.db import exceptions, paginate
-from dataall.core.permissions import permissions
-from dataall.core.permissions.db import permission_models as models
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.tenant_repositories import Tenant as TenantService
+from dataall.core.permissions.constants import permissions
+from dataall.core.permissions.db.permission import permission_models
+from dataall.core.permissions.db.tenant import tenant_models as models
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.tenant.tenant_repositories import Tenant as TenantService
 logger = logging.getLogger(__name__)
@@ -63,12 +64,12 @@ def has_user_tenant_permission(session, username: str, groups: [str], tenant_nam
 models.Tenant.tenantUri == models.TenantPolicy.tenantUri,
 )
 .join(
- models.Permission,
- models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri,
+ permission_models.Permission,
+ permission_models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri,
 )
 .filter(
 models.TenantPolicy.principalId.in_(groups),
- models.Permission.name == permission_name,
+ permission_models.Permission.name == permission_name,
 models.Tenant.name == tenant_name,
 )
 .first()
@@ -91,13 +92,13 @@ def has_group_tenant_permission(session, group_uri: str, tenant_name: str, permi
 models.Tenant.tenantUri == models.TenantPolicy.tenantUri,
 )
 .join(
- models.Permission,
- models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri,
+ permission_models.Permission,
+ permission_models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri,
 )
 .filter(
 and_(
 models.TenantPolicy.principalId == group_uri,
- models.Permission.name == permission_name,
+ permission_models.Permission.name == permission_name,
 models.Tenant.name == tenant_name,
 )
 )
diff --git a/backend/dataall/core/permissions/db/tenant_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_repositories.py
similarity index 94%
rename from backend/dataall/core/permissions/db/tenant_repositories.py
rename to backend/dataall/core/permissions/db/tenant/tenant_repositories.py
index 59a7e749e..685a31e55 100644
--- a/backend/dataall/core/permissions/db/tenant_repositories.py
+++ b/backend/dataall/core/permissions/db/tenant/tenant_repositories.py
@@ -1,6 +1,6 @@
 import logging
-from dataall.core.permissions.db import permission_models as models
+from dataall.core.permissions.db.tenant import tenant_models as models
 logger = logging.getLogger(__name__)
diff --git a/backend/dataall/core/permissions/decorators/__init__.py b/backend/dataall/core/permissions/decorators/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/dataall/core/permissions/permission_checker.py b/backend/dataall/core/permissions/decorators/permission_checker.py
similarity index 94%
rename from backend/dataall/core/permissions/permission_checker.py
rename to backend/dataall/core/permissions/decorators/permission_checker.py
index de481e90f..54a9aac20 100644
--- a/backend/dataall/core/permissions/permission_checker.py
+++ b/backend/dataall/core/permissions/decorators/permission_checker.py
@@ -6,8 +6,8 @@
 from typing import Protocol, Callable
 from dataall.base.context import RequestContext, get_context
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 from dataall.base.utils.decorator_utls import process_func
diff --git a/backend/dataall/core/stacks/db/keyvaluetag_repositories.py b/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
index 910290c0d..642359fa3 100644
--- a/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
+++ b/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.context import get_context
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.stacks.db import stack_models as models
 from dataall.core.stacks.db.target_type_repositories import TargetType
 from dataall.base.db import exceptions
diff --git a/backend/dataall/core/stacks/db/stack_repositories.py b/backend/dataall/core/stacks/db/stack_repositories.py
index 2dba44769..f4258801b 100644
--- a/backend/dataall/core/stacks/db/stack_repositories.py
+++ b/backend/dataall/core/stacks/db/stack_repositories.py
@@ -2,7 +2,7 @@
 from dataall.base.context import get_context
 from dataall.core.environment.db.environment_models import Environment
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.stacks.db import stack_models as models
 from dataall.core.stacks.db.target_type_repositories import TargetType
 from dataall.base.db import exceptions
diff --git a/backend/dataall/core/stacks/db/target_type_repositories.py b/backend/dataall/core/stacks/db/target_type_repositories.py
index 62a13d2a0..0c05b1e0a 100644
--- a/backend/dataall/core/stacks/db/target_type_repositories.py
+++ b/backend/dataall/core/stacks/db/target_type_repositories.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.db import exceptions
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 logger = logging.getLogger(__name__)
diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py
index 8787825fd..c07e2803d 100644
--- a/backend/dataall/core/vpc/services/vpc_service.py
+++ b/backend/dataall/core/vpc/services/vpc_service.py
@@ -1,8 +1,8 @@
 from dataall.base.context import get_context
 from dataall.base.db import exceptions
-from dataall.core.permissions import permissions
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.constants import permissions
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.activity.db.activity_models import Activity
diff --git a/backend/dataall/modules/catalog/services/glossaries_permissions.py b/backend/dataall/modules/catalog/services/glossaries_permissions.py
index 40ff807ce..acbfeae4a 100644
--- a/backend/dataall/modules/catalog/services/glossaries_permissions.py
+++ b/backend/dataall/modules/catalog/services/glossaries_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/dataall/modules/catalog/services/glossaries_service.py b/backend/dataall/modules/catalog/services/glossaries_service.py
index 92b3385df..5580f404c 100644
--- a/backend/dataall/modules/catalog/services/glossaries_service.py
+++ b/backend/dataall/modules/catalog/services/glossaries_service.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.context import get_context
-from dataall.core.permissions.permission_checker import has_tenant_permission
+from dataall.core.permissions.decorators.permission_checker import has_tenant_permission
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 from dataall.modules.catalog.db.glossary_models import GlossaryNode
diff --git a/backend/dataall/modules/dashboards/services/dashboard_permissions.py b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
index c0e1178fc..13c8be70c 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_permissions.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index 7bf7ebe3e..17999eccb 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -4,10 +4,10 @@ from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
-from dataall.core.permissions.permission_checker import has_resource_permission
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
-from dataall.core.permissions.permissions import TENANT_ALL
+from dataall.core.permissions.constants.permissions import TENANT_ALL
 from dataall.modules.dashboards import DashboardRepository, Dashboard
 from dataall.modules.dashboards.aws.dashboard_quicksight_client import DashboardQuicksightClient
 from dataall.modules.dashboards.services.dashboard_permissions import GET_DASHBOARD, CREATE_DASHBOARD
diff --git a/backend/dataall/modules/dashboards/services/dashboard_service.py b/backend/dataall/modules/dashboards/services/dashboard_service.py
index 954e3aaab..f898bb01c 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_service.py
@@ -3,8 +3,8 @@ from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_tenant_permission, has_resource_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.modules.vote.db.vote_repositories import VoteRepository
 from dataall.base.db.exceptions import UnauthorizedOperation
 from dataall.modules.dashboards import DashboardRepository, Dashboard
diff --git a/backend/dataall/modules/dashboards/services/dashboard_share_service.py b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
index 173a9e995..d813f8808 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_share_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
@@ -1,6 +1,6 @@
 from dataall.base.context import get_context
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_tenant_permission, has_resource_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.base.db.exceptions import InvalidInput, UnauthorizedOperation
 from dataall.modules.dashboards import DashboardRepository
 from dataall.modules.dashboards.db.dashboard_models import DashboardShareStatus, Dashboard
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
index 8f71063f2..6be74d9ea 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_service.py b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
index 8d32e7fe6..c418feefb 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_service.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
@@ -5,8 +5,8 @@ from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.stack_repositories import Stack
diff --git a/backend/dataall/modules/dataset_sharing/services/share_item_service.py b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
index 4eb1c945e..c6764a533 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_item_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
@@ -3,8 +3,8 @@ from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.db.exceptions import ObjectNotFound, UnauthorizedOperation
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index 471e2bba2..dd24fcd2b 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -4,9 +4,9 @@ from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission
-from dataall.core.permissions.permissions import GET_ENVIRONMENT
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission
+from dataall.core.permissions.constants.permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.aws.quicksight import QuicksightClient
diff --git a/backend/dataall/modules/dataset_sharing/services/share_permissions.py b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
index 50bcfacde..5321a9c8e 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_permissions.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
@@ -2,7 +2,7 @@ SHARE OBJECT
 """
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_INVITED_DEFAULT,
diff --git a/backend/dataall/modules/datasets/services/dataset_column_service.py b/backend/dataall/modules/datasets/services/dataset_column_service.py
index 633f17425..8bc4d993b 100644
--- a/backend/dataall/modules/datasets/services/dataset_column_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_column_service.py
@@ -1,9 +1,9 @@
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
-from dataall.core.permissions.permission_checker import has_resource_permission
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.modules.datasets.aws.glue_table_client import GlueTableClient
 from dataall.modules.datasets.db.dataset_column_repositories import DatasetColumnRepository
 from dataall.modules.datasets.db.dataset_table_repositories import DatasetTableRepository
diff --git a/backend/dataall/modules/datasets/services/dataset_location_service.py b/backend/dataall/modules/datasets/services/dataset_location_service.py
index 72769b8ea..a71964b4c 100644
--- a/backend/dataall/modules/datasets/services/dataset_location_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_location_service.py
@@ -1,6 +1,6 @@
 from dataall.base.context import get_context
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.base.db.exceptions import ResourceShared, ResourceAlreadyExists
 from dataall.modules.dataset_sharing.db.share_object_repositories import ShareObjectRepository
 from dataall.modules.datasets.aws.s3_location_client import S3LocationClient
diff --git a/backend/dataall/modules/datasets/services/dataset_permissions.py b/backend/dataall/modules/datasets/services/dataset_permissions.py
index 1f37b5225..136b8ebd3 100644
--- a/backend/dataall/modules/datasets/services/dataset_permissions.py
+++ b/backend/dataall/modules/datasets/services/dataset_permissions.py
@@ -1,6 +1,6 @@
 from itertools import chain
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/dataall/modules/datasets/services/dataset_profiling_service.py b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
index d4f4ce423..1fb29a0a3 100644
--- a/backend/dataall/modules/datasets/services/dataset_profiling_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
@@ -1,11 +1,11 @@
 import json
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.permission_checker import has_resource_permission
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db.exceptions import ObjectNotFound
 from dataall.modules.datasets.aws.glue_profiler_client import GlueDatasetProfilerClient
diff --git a/backend/dataall/modules/datasets/services/dataset_service.py b/backend/dataall/modules/datasets/services/dataset_service.py
index 632ab8a08..b8101b107 100644
--- a/backend/dataall/modules/datasets/services/dataset_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_service.py
@@ -10,8 +10,8 @@ from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.db.stack_repositories import Stack
diff --git a/backend/dataall/modules/datasets/services/dataset_table_service.py b/backend/dataall/modules/datasets/services/dataset_table_service.py
index 21b4b402f..645c5f2a6 100644
--- a/backend/dataall/modules/datasets/services/dataset_table_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_table_service.py
@@ -3,8 +3,8 @@ from dataall.base.context import get_context
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.base.db.exceptions import ResourceShared
 from dataall.modules.dataset_sharing.db.share_object_repositories import ShareObjectRepository
 from dataall.modules.datasets.aws.athena_table_client import AthenaTableClient
diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
index 44c2770f1..9b1ffd5c6 100644
--- a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
+++ b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
@@ -17,7 +17,7 @@
 """
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 ENVIRONMENT_ALL,
 ENVIRONMENT_INVITED,
 RESOURCES_ALL_WITH_DESC,
diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_service.py b/backend/dataall/modules/mlstudio/services/mlstudio_service.py
index 61f3816eb..98d547610 100644
--- a/backend/dataall/modules/mlstudio/services/mlstudio_service.py
+++ b/backend/dataall/modules/mlstudio/services/mlstudio_service.py
@@ -11,8 +11,8 @@ from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.base.db import exceptions
diff --git a/backend/dataall/modules/notebooks/services/notebook_permissions.py b/backend/dataall/modules/notebooks/services/notebook_permissions.py
index 24eaeade6..4fa442459 100644
--- a/backend/dataall/modules/notebooks/services/notebook_permissions.py
+++ b/backend/dataall/modules/notebooks/services/notebook_permissions.py
@@ -3,7 +3,7 @@ Contains permissions for sagemaker notebooks
 """
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 ENVIRONMENT_ALL,
 ENVIRONMENT_INVITED,
 RESOURCES_ALL_WITH_DESC,
diff --git a/backend/dataall/modules/notebooks/services/notebook_service.py b/backend/dataall/modules/notebooks/services/notebook_service.py
index 9edd8d6e0..60576b263 100644
--- a/backend/dataall/modules/notebooks/services/notebook_service.py
+++ b/backend/dataall/modules/notebooks/services/notebook_service.py
@@ -12,8 +12,8 @@ from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.db.stack_repositories import Stack
diff --git a/backend/dataall/modules/worksheets/services/worksheet_permissions.py b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
index d67b412e5..2620f7db1 100644
--- a/backend/dataall/modules/worksheets/services/worksheet_permissions.py
+++ b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.permissions import (
+from dataall.core.permissions.constants.permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/dataall/modules/worksheets/services/worksheet_service.py b/backend/dataall/modules/worksheets/services/worksheet_service.py
index 57d8a1c7b..902c0db99 100644
--- a/backend/dataall/modules/worksheets/services/worksheet_service.py
+++ b/backend/dataall/modules/worksheets/services/worksheet_service.py
@@ -2,8 +2,8 @@ from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permission_checker import has_tenant_permission, has_resource_permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.base.db import exceptions
 from dataall.modules.worksheets.aws.athena_client import AthenaClient
 from dataall.modules.worksheets.db.worksheet_models import Worksheet
diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py
index 8d2d41338..238b69c8a 100644
--- a/backend/local_graphql_server.py
+++ b/backend/local_graphql_server.py
@@ -8,9 +8,9 @@ from dataall.base.api import get_executable_schema
 from dataall.core.tasks.service_handlers import Worker
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 from dataall.core.permissions.db import save_permissions_with_tenant
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 from dataall.base.db import get_engine, Base
 from dataall.base.searchproxy import connect, run_query
 from dataall.base.loader import load_modules, ImportMode
diff --git a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
index dc0c36dd3..6f2334a4a 100644
--- a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
+++ b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
@@ -14,10 +14,10 @@ from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.base.db import utils
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 from datetime import datetime
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareObjectStatus
diff --git a/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py b/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py
index 234d29de7..180a74388 100644
--- a/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py
+++ b/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py
@@ -9,14 +9,15 @@ from alembic import op
 from sqlalchemy import String, orm, and_
-from dataall.core.permissions.db.permission_repositories import Permission as PermissionService
-from dataall.core.permissions.db.permission_models import Permission, TenantPolicyPermission, PermissionType
+from dataall.core.permissions.db.permission.permission_repositories import Permission as PermissionService
+from dataall.core.permissions.db.permission.permission_models import Permission
+from dataall.core.permissions.api.enums import PermissionType
+from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission
 from dataall.modules.notebooks.services.notebook_permissions import MANAGE_NOTEBOOKS
 from dataall.modules.mlstudio.services.mlstudio_permissions import (
 MANAGE_SGMSTUDIO_USERS,
 )
-
 # revision identifiers, used by Alembic.
 revision = '4a0618805341'
 down_revision = '92bdf9efb1aa'
diff --git a/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py b/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py
index 68bed3d45..b9602ef98 100644
--- a/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py
+++ b/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py
@@ -7,11 +7,11 @@
 """
 from alembic import op
-from sqlalchemy import orm, Column, String, and_
+from sqlalchemy import orm, Column, String
 from sqlalchemy.ext.declarative import declarative_base
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.modules.dataset_sharing.db.share_object_models import ShareObject
 from dataall.modules.dataset_sharing.services.share_permissions import SHARE_OBJECT_APPROVER, SHARE_OBJECT_REQUESTER
 from dataall.modules.datasets_base.db.dataset_repositories import DatasetRepository
diff --git a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py
index 865e2819f..21caefa15 100644
--- a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py
+++ b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py
@@ -10,13 +10,12 @@ from sqlalchemy import Boolean, Column, String, orm
 from sqlalchemy.ext.declarative import declarative_base
-from dataall.core.permissions.db.permission_repositories import Permission
+from dataall.core.permissions.db.permission.permission_repositories import Permission
 from dataall.base.db import Resource
-from dataall.core.permissions.db.permission_models import (
- PermissionType,
- ResourcePolicyPermission,
- TenantPolicyPermission,
-)
+from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicyPermission
+from dataall.core.permissions.api.enums import PermissionType
+from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission
+
 # revision identifiers, used by Alembic.
diff --git a/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py b/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py
index 4aaaecd30..dad686e94 100644
--- a/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py
+++ b/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py
@@ -13,8 +13,8 @@ from sqlalchemy.ext.declarative import declarative_base
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.base.db import utils, Resource
 from datetime import datetime
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import (
diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py
index 2d62a77cc..23685c82e 100644
--- a/backend/migrations/versions/e177eb044b31_init_tenant.py
+++ b/backend/migrations/versions/e177eb044b31_init_tenant.py
@@ -11,9 +11,9 @@
 # revision identifiers, used by Alembic.
 from sqlalchemy import orm
-from dataall.core.permissions.db.tenant_repositories import Tenant
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
-from dataall.core.permissions.permissions import TENANT_ALL
+from dataall.core.permissions.db.tenant.tenant_repositories import Tenant
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.constants.permissions import TENANT_ALL
 revision = 'e177eb044b31'
 down_revision = '033c3d6c1849'
diff --git a/tests/conftest.py b/tests/conftest.py
index 13a353c46..8e91cd26d 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -9,8 +9,8 @@ from dataall.core.groups.db.group_models import Group
 from dataall.core.permissions.db import Tenant, Permission
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
-from dataall.core.permissions.permissions import TENANT_ALL
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.constants.permissions import TENANT_ALL
 from tests.client import create_app, ClientWrapper
 load_modules(modes=ImportMode.all())
diff --git a/tests/core/environments/test_environment.py b/tests/core/environments/test_environment.py
index a4d59f833..9c7c4ff94 100644
--- a/tests/core/environments/test_environment.py
+++ b/tests/core/environments/test_environment.py
@@ -1,8 +1,8 @@
 from dataall.core.environment.api.enums import EnvironmentPermission
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.constants.permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE
 def get_env(client, env_fixture, group):
diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py
index 9eef192a5..94567bd88 100644
--- a/tests/core/permissions/test_permission.py
+++ b/tests/core/permissions/test_permission.py
@@ -1,10 +1,10 @@
 import pytest
-from dataall.core.permissions.db.permission_repositories import Permission
-from dataall.core.permissions.db.permission_models import PermissionType
-from dataall.core.permissions.db.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.permission.permission_repositories import Permission
+from dataall.core.permissions.db.permission.permission_models import PermissionType
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
 from dataall.base.db import exceptions
-from dataall.core.permissions.permissions import MANAGE_GROUPS, ENVIRONMENT_ALL, ORGANIZATION_ALL, TENANT_ALL
+from dataall.core.permissions.constants.permissions import MANAGE_GROUPS, ENVIRONMENT_ALL, ORGANIZATION_ALL, TENANT_ALL
 def permissions(db, all_perms):
diff --git a/tests/core/permissions/test_tenant.py b/tests/core/permissions/test_tenant.py
index 411c24045..a15f275a8 100644
--- a/tests/core/permissions/test_tenant.py
+++ b/tests/core/permissions/test_tenant.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions import permissions
+from dataall.core.permissions.constants import permissions
 def test_list_tenant_permissions(client, user, group, tenant):
diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py
index 52bec050b..883ccbd8e 100644
--- a/tests/modules/conftest.py
+++ b/tests/modules/conftest.py
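Review bot: `PermissionType` is imported here from `dataall.core.permissions.db.permission.permission_models`, while the migration hunks for `4a0618805341_rename_sgm_studio_permissions.py` and `917b923f74bd_update_permissions_modularization.py` in this same patch import it from `dataall.core.permissions.api.enums`, which is where the commit title says the enums were moved. If `permission_models` no longer defines or re-exports `PermissionType`, this test module fails at import time; if it does re-export it, the two import paths will drift over time. I would point the test at the canonical location: `from dataall.core.permissions.api.enums import PermissionType`.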
@@ -4,8 +4,8 @@ from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup, EnvironmentParameter
 from dataall.core.organizations.db.organization_models import Organization
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
-from dataall.core.permissions.permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.constants.permissions import ENVIRONMENT_ALL
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.core.stacks.db.stack_models import KeyValueTag
diff --git a/tests/modules/datasets/conftest.py b/tests/modules/datasets/conftest.py
index 2f4bc2d55..249bdbf74 100644
--- a/tests/modules/datasets/conftest.py
+++ b/tests/modules/datasets/conftest.py
@@ -5,7 +5,7 @@ from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup
 from dataall.core.organizations.db.organization_models import Organization
-from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareableType, PrincipalType
 from dataall.modules.dataset_sharing.db.share_object_models import ShareObject, ShareObjectItem
 from dataall.modules.dataset_sharing.services.share_permissions import SHARE_OBJECT_REQUESTER, SHARE_OBJECT_APPROVER
diff --git a/tests/modules/datasets/test_dataset_permissions.py b/tests/modules/datasets/test_dataset_permissions.py
index 9928baccf..b2ad887d0 100644
--- a/tests/modules/datasets/test_dataset_permissions.py
+++ b/tests/modules/datasets/test_dataset_permissions.py
@@ -1,8 +1,7 @@ from dataall.base.context import set_context, RequestContext from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.base.db.exceptions import ResourceUnauthorized -from dataall.core.permissions.permissions import TENANT_ALL from dataall.modules.datasets.services.dataset_permissions import ( DATASET_WRITE, UPDATE_DATASET, From e830a45e43869ad5fe49df0b776adbc143627fa6 Mon Sep 17 00:00:00 2001 From: Sofia Sazonova Date: Tue, 19 Mar 2024 14:47:53 +0000 Subject: [PATCH 02/11] separation of tenant_repository and tenant_service decorators are moved to separate folder --- backend/api_handler.py | 5 +- backend/dataall/core/groups/api/resolvers.py | 4 +- .../dataall/core/permissions/api/resolvers.py | 16 +- .../db/permission/permission_models.py | 4 - .../resource_policy/resource_policy_models.py | 2 +- .../permissions/db/tenant/tenant_models.py | 2 +- .../db/tenant/tenant_policy_repositories.py | 260 +---------------- .../decorators/permission_checker.py | 4 +- .../services/tenant_policy_service.py | 271 ++++++++++++++++++ backend/local_graphql_server.py | 5 +- ...f74bd_update_permissions_modularization.py | 3 +- .../versions/e177eb044b31_init_tenant.py | 4 +- tests/conftest.py | 4 +- tests/core/permissions/test_permission.py | 9 +- .../datasets/test_dataset_permissions.py | 7 +- 15 files changed, 306 insertions(+), 294 deletions(-) create mode 100644 backend/dataall/core/permissions/services/tenant_policy_service.py diff --git a/backend/api_handler.py b/backend/api_handler.py index 14e6343b3..3fbc76ccf 100644 --- a/backend/api_handler.py +++ b/backend/api_handler.py 
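Review bot: Dropping the `TENANT_ALL` import here leaves the name resolving only through the star import `from tests.core.permissions.test_permission import *` further down this file (it appears as context in a later patch of this series), because `test_create_dataset` in the same file still passes `permissions=TENANT_ALL`. That works, but it ties this module to whatever test_permission.py happens to import; an explicit `from dataall.core.permissions.constants.permissions import TENANT_ALL` would keep the dependency visible where it is used. The hunk covers only the import block, so the star import and the using test are outside it.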
@@ -18,6 +18,7 @@ from dataall.base.context import set_context, dispose_context, RequestContext from dataall.core.permissions.db import save_permissions_with_tenant from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine from dataall.core.permissions.constants import permissions from dataall.base.loader import load_modules, ImportMode @@ -143,10 +144,10 @@ def handler(event, context): log.debug('groups are %s', ','.join(groups)) with ENGINE.scoped_session() as session: for group in groups: - policy = TenantPolicy.find_tenant_policy(session, group, 'dataall') + policy = TenantPolicyService.find_tenant_policy(session, group, 'dataall') if not policy: print(f'No policy found for Team {group}. Attaching TENANT_ALL permissions') - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=group, permissions=permissions.TENANT_ALL, diff --git a/backend/dataall/core/groups/api/resolvers.py b/backend/dataall/core/groups/api/resolvers.py index 676f42d77..364f76530 100644 --- a/backend/dataall/core/groups/api/resolvers.py +++ b/backend/dataall/core/groups/api/resolvers.py @@ -6,7 +6,7 @@ from dataall.core.groups.db.group_models import Group from dataall.core.environment.services.environment_service import EnvironmentService from dataall.core.organizations.db.organization_repositories import OrganizationRepository -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import exceptions log = logging.getLogger() 
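Review bot: The import `from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy` is kept as context while both uses visible in the second hunk of this file are switched to `TenantPolicyService`; if no other reference remains in the module, that import is now dead and should be removed so api_handler depends only on the service layer rather than reaching into the repository. The same pattern appears in backend/dataall/core/permissions/api/resolvers.py, where the `TenantPolicy` import stays next to the newly added `TenantPolicyService` import. `handler()` continues outside the hunk, so this is inferred from the visible lines only.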
@@ -23,7 +23,7 @@ def resolve_group_tenant_permissions(context, source): if not source: return None with context.engine.scoped_session() as session: - return TenantPolicy.list_group_tenant_permissions( + return TenantPolicyService.list_group_tenant_permissions( session=session, username=context.username, groups=context.groups, diff --git a/backend/dataall/core/permissions/api/resolvers.py b/backend/dataall/core/permissions/api/resolvers.py index 0333599f2..12cc51cc5 100644 --- a/backend/dataall/core/permissions/api/resolvers.py +++ b/backend/dataall/core/permissions/api/resolvers.py @@ -4,13 +4,14 @@ from dataall.base.aws.sts import SessionHelper from dataall.base.aws.parameter_store import ParameterStoreManager from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService log = logging.getLogger(__name__) def update_group_permissions(context, source, input=None): with context.engine.scoped_session() as session: - return TenantPolicy.update_group_permissions( + return TenantPolicyService.update_group_permissions( session=session, username=context.username, groups=context.groups, 
@@ -22,18 +23,15 @@ def update_group_permissions(context, source, input=None): def list_tenant_permissions(context, source): with context.engine.scoped_session() as session: - return TenantPolicy.list_tenant_permissions(session=session, username=context.username, groups=context.groups) + return TenantPolicyService.list_tenant_permissions( + session=session, username=context.username, groups=context.groups + ) def list_tenant_groups(context, source, filter=None): with context.engine.scoped_session() as session: - return TenantPolicy.list_tenant_groups( - session=session, - username=context.username, - groups=context.groups, - uri=None, - data=filter if filter else {}, - check_perm=True, + return TenantPolicyService.list_tenant_groups( + session=session, username=context.username, groups=context.groups, data=filter if filter else {} ) diff --git a/backend/dataall/core/permissions/db/permission/permission_models.py b/backend/dataall/core/permissions/db/permission/permission_models.py index 2bac681c7..6f586f14f 100644 --- a/backend/dataall/core/permissions/db/permission/permission_models.py +++ b/backend/dataall/core/permissions/db/permission/permission_models.py @@ -14,7 +14,3 @@ class Permission(Base): description = Column(String, nullable=False) created = Column(DateTime, default=datetime.datetime.now) updated = Column(DateTime, onupdate=datetime.datetime.now) - - - - diff --git a/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py index 361602268..dbfc9e750 100644 --- a/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py +++ b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py 
@@ -6,7 +6,7 @@ from dataall.base.db import Base, utils -from dataall.core.permissions.db.permission.permission_models import Permission +from dataall.core.permissions.db.permission.permission_models import Permission class ResourcePolicy(Base): diff --git a/backend/dataall/core/permissions/db/tenant/tenant_models.py b/backend/dataall/core/permissions/db/tenant/tenant_models.py index 57373a1d1..de0c94a9d 100644 --- a/backend/dataall/core/permissions/db/tenant/tenant_models.py +++ b/backend/dataall/core/permissions/db/tenant/tenant_models.py @@ -5,7 +5,7 @@ from dataall.base.db import Base, utils -from dataall.core.permissions.db.permission.permission_models import Permission +from dataall.core.permissions.db.permission.permission_models import Permission class TenantPolicy(Base): diff --git a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py index 721287ba0..3763de9fa 100644 --- a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py +++ b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py 
@@ -8,46 +8,12 @@ from dataall.core.permissions.db.permission import permission_models from dataall.core.permissions.db.tenant import tenant_models as models from dataall.core.permissions.db.permission.permission_repositories import Permission -from dataall.core.permissions.db.tenant.tenant_repositories import Tenant as TenantService logger = logging.getLogger(__name__) -TENANT_NAME = 'dataall' - class TenantPolicy: - @staticmethod - def is_tenant_admin(groups: [str]): - if not groups: - return False - - if 'DAAdministrators' in groups: - return True - - return False - - @staticmethod - def check_user_tenant_permission(session, username: str, groups: [str], tenant_name: str, permission_name: str): - if TenantPolicy.is_tenant_admin(groups): - return True - - tenant_policy = TenantPolicy.has_user_tenant_permission( - session=session, - username=username, - groups=groups, - permission_name=permission_name, - tenant_name=tenant_name, - ) - - if not tenant_policy: - raise exceptions.TenantUnauthorized( - username=username, - action=permission_name, - tenant_name=tenant_name, - ) - - else: - return tenant_policy + TENANT_NAME = 'dataall' @staticmethod def has_user_tenant_permission(session, username: str, groups: [str], tenant_name: str, permission_name: str): @@ -112,8 +78,6 @@ def has_group_tenant_permission(session, group_uri: str, tenant_name: str, permi @staticmethod def find_tenant_policy(session, group_uri: str, tenant_name: str): - TenantPolicy.validate_find_tenant_policy(group_uri, tenant_name) - tenant_policy = ( session.query(models.TenantPolicy) .join(models.Tenant, models.Tenant.tenantUri == models.TenantPolicy.tenantUri) 
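Review bot: With `is_tenant_admin` and `check_user_tenant_permission` removed and the argument check dropped from `find_tenant_policy`, this repository class no longer performs any authorization or parameter validation itself, but nothing in the file says so. A class docstring such as `"""Data access for tenant policies. No authorization or argument validation is done here; callers must go through TenantPolicyService."""` would make it clear that importing `TenantPolicy` directly bypasses the admin checks that now live only in the service. `TENANT_NAME` also moves from a module constant to a class attribute in this hunk; if any method that remains in the file still references the bare name, it will now fail with NameError, so the rest of the class (cut off at the end of the hunk) should be checked for that.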
@@ -128,158 +92,7 @@ def find_tenant_policy(session, group_uri: str, tenant_name: str): return tenant_policy @staticmethod - def validate_find_tenant_policy(group_uri, tenant_name): - if not group_uri: - raise exceptions.RequiredParameter(param_name='group_uri') - if not tenant_name: - raise exceptions.RequiredParameter(param_name='tenant_name') - - @staticmethod - def attach_group_tenant_policy( - session, - group: str, - permissions: [str], - tenant_name: str, - ) -> models.TenantPolicy: - TenantPolicy.validate_attach_tenant_policy(group, permissions, tenant_name) - - policy = TenantPolicy.save_group_tenant_policy(session, group, tenant_name) - - TenantPolicy.add_permission_to_group_tenant_policy(session, group, permissions, tenant_name, policy) - - return policy - - @staticmethod - def validate_attach_tenant_policy(group, permissions, tenant_name): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not permissions: - raise exceptions.RequiredParameter(param_name='permissions') - if not tenant_name: - raise exceptions.RequiredParameter(param_name='tenant_name') - - @staticmethod - def save_group_tenant_policy(session, group, tenant_name): - TenantPolicy.validate_save_tenant_policy(group, tenant_name) - - policy = TenantPolicy.find_tenant_policy(session, group, tenant_name) - if not policy: - policy = models.TenantPolicy( - principalId=group, - principalType='GROUP', - tenant=TenantService.get_tenant_by_name(session, tenant_name), - ) - session.add(policy) - session.commit() - return policy - - @staticmethod - def validate_save_tenant_policy(group, tenant_name): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not tenant_name: - raise exceptions.RequiredParameter(param_name='tenant_name') - - @staticmethod - def add_permission_to_group_tenant_policy(session, group, permissions, tenant_name, policy): - TenantPolicy.validate_add_permission_to_tenant_policy_params(group, permissions, policy, tenant_name) - - for 
permission in permissions: - if not TenantPolicy.has_group_tenant_permission( - session, - group_uri=group, - permission_name=permission, - tenant_name=tenant_name, - ): - TenantPolicy.associate_permission_to_tenant_policy(session, policy, permission) - - @staticmethod - def validate_add_permission_to_tenant_policy_params(group, permissions, policy, tenant_name): - if not group: - raise exceptions.RequiredParameter(param_name='group') - TenantPolicy.validate_add_permissions_params(permissions, policy, tenant_name) - - @staticmethod - def validate_add_permissions_params(permissions, policy, tenant_name): - if not permissions: - raise exceptions.RequiredParameter(param_name='permissions') - if not tenant_name: - raise exceptions.RequiredParameter(param_name='tenant_name') - if not policy: - raise exceptions.RequiredParameter(param_name='policy') - - @staticmethod - def associate_permission_to_tenant_policy(session, policy, permission): - policy_permission = models.TenantPolicyPermission( - sid=policy.sid, - permissionUri=Permission.get_permission_by_name( - session, permission, PermissionType.TENANT.name - ).permissionUri, - ) - session.add(policy_permission) - session.commit() - - @staticmethod - def get_tenant_policy_permissions(session, group_uri, tenant_name): - if not group_uri: - raise exceptions.RequiredParameter(param_name='group_uri') - if not tenant_name: - raise exceptions.RequiredParameter(param_name='tenant_name') - policy = TenantPolicy.find_tenant_policy( - session=session, - group_uri=group_uri, - tenant_name=tenant_name, - ) - permissions = [] - for p in policy.permissions: - permissions.append(p.permission) - return permissions - - @staticmethod - def delete_tenant_policy( - session, - group: str, - tenant_name: str, - ) -> bool: - policy = TenantPolicy.find_tenant_policy(session, group_uri=group, tenant_name=tenant_name) - if policy: - for permission in policy.permissions: - session.delete(permission) - session.delete(policy) - session.commit() - - 
return True - - @staticmethod - def list_group_tenant_permissions(session, username, groups, uri, data=None, check_perm=None): - if not groups: - raise exceptions.RequiredParameter('groups') - if not uri: - raise exceptions.RequiredParameter('groupUri') - - if not TenantPolicy.is_tenant_admin(groups): - raise exceptions.UnauthorizedOperation( - action='LIST_TENANT_TEAM_PERMISSIONS', - message=f'User: {username} is not allowed to manage tenant permissions', - ) - - return TenantPolicy.get_tenant_policy_permissions( - session=session, - group_uri=uri, - tenant_name='dataall', - ) - - @staticmethod - def list_tenant_groups(session, username, groups, uri, data=None, check_perm=None): - if not groups: - raise exceptions.RequiredParameter('groups') - - if not TenantPolicy.is_tenant_admin(groups): - raise exceptions.UnauthorizedOperation( - action='LIST_TENANT_TEAMS', - message=f'User: {username} is not allowed to manage tenant permissions', - ) - + def list_tenant_groups(session, data=None): query = session.query( models.TenantPolicy.principalId.label('name'), models.TenantPolicy.principalId.label('groupUri'), 
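Review bot: The new signature `def list_tenant_groups(session, data=None)` defaults `data` to None, but the body, which continues past this hunk, paginates with `data.get('page', 1)` and `data.get('pageSize', 10)`, so a call without `data` raises AttributeError; `TenantPolicyService.list_tenant_groups` forwards its own `data=None` default unchanged, so the default is reachable. Add `data = data or {}` as the first statement of the method, or make the parameter required. The hunk also removes the `is_tenant_admin` gate from this repository method, leaving the check only in the service wrapper; a comment `# authorization is enforced by TenantPolicyService.list_tenant_groups, not here` on the method would warn future callers.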
@@ -298,72 +111,3 @@ def list_tenant_groups(session, username, groups, uri, data=None, check_perm=Non page=data.get('page', 1), page_size=data.get('pageSize', 10), ).to_dict() - - @staticmethod - def list_tenant_permissions(session, username, groups): - if not TenantPolicy.is_tenant_admin(groups): - raise exceptions.UnauthorizedOperation( - action='LIST_TENANT_TEAM_PERMISSIONS', - message=f'User: {username} is not allowed to manage tenant permissions', - ) - group_invitation_permissions = [] - for p in permissions.TENANT_ALL: - group_invitation_permissions.append( - Permission.find_permission_by_name( - session=session, - permission_name=p, - permission_type=PermissionType.TENANT.name, - ) - ) - return group_invitation_permissions - - @staticmethod - def update_group_permissions(session, username, groups, uri, data=None, check_perm=None): - TenantPolicy.validate_params(data) - - if not TenantPolicy.is_tenant_admin(groups): - exceptions.UnauthorizedOperation( - action='UPDATE_TENANT_TEAM_PERMISSIONS', - message=f'User: {username} is not allowed to manage tenant permissions', - ) - - TenantPolicy.validate_permissions(session, TENANT_NAME, data['permissions'], uri) - - TenantPolicy.delete_tenant_policy(session=session, group=uri, tenant_name=TENANT_NAME) - TenantPolicy.attach_group_tenant_policy( - session=session, - group=uri, - permissions=data['permissions'], - tenant_name=TENANT_NAME, - ) - - return True - - @staticmethod - def validate_permissions(session, tenant_name, g_permissions, group): - g_permissions = list(set(g_permissions)) - - if g_permissions not in permissions.TENANT_ALL: - exceptions.TenantPermissionUnauthorized( - action='UPDATE_TENANT_TEAM_PERMISSIONS', - group_name=group, - tenant_name=tenant_name, - ) - - tenant_group_permissions = [] - for p in g_permissions: - tenant_group_permissions.append( - Permission.find_permission_by_name( - session=session, - permission_name=p, - permission_type=PermissionType.TENANT.name, - ) - ) - return 
tenant_group_permissions - - @staticmethod - def validate_params(data): - if not data: - raise exceptions.RequiredParameter('data') - if not data.get('permissions'): - raise exceptions.RequiredParameter('permissions') diff --git a/backend/dataall/core/permissions/decorators/permission_checker.py b/backend/dataall/core/permissions/decorators/permission_checker.py index 54a9aac20..a9fee2796 100644 --- a/backend/dataall/core/permissions/decorators/permission_checker.py +++ b/backend/dataall/core/permissions/decorators/permission_checker.py @@ -7,7 +7,7 @@ from dataall.base.context import RequestContext, get_context from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.utils.decorator_utls import process_func @@ -19,7 +19,7 @@ def get_resource_uri(self) -> str: ... def _check_tenant_permission(session, permission): context: RequestContext = get_context() - TenantPolicy.check_user_tenant_permission( + TenantPolicyService.check_user_tenant_permission( session=session, username=context.username, groups=context.groups, diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py new file mode 100644 index 000000000..84af88048 --- /dev/null +++ b/backend/dataall/core/permissions/services/tenant_policy_service.py 
@@ -0,0 +1,271 @@ +from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.constants import permissions +from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.core.permissions.api.enums import PermissionType +from dataall.base.db import exceptions +from dataall.core.permissions.db.tenant.tenant_models import TenantPolicy as TenantPolicyModel, TenantPolicyPermission +from dataall.core.permissions.db.tenant.tenant_repositories import Tenant as TenantService + + +class TenantPolicyValidationService: + @staticmethod + def is_tenant_admin(groups: [str]): + if not groups: + return False + + if 'DAAdministrators' in groups: + return True + + return False + + @staticmethod + def validate_admin_access(username, groups, action): + if not TenantPolicyValidationService.is_tenant_admin(groups): + raise exceptions.UnauthorizedOperation( + action=action, + message=f'User: {username} is not allowed to manage tenant permissions', + ) + + @staticmethod + def validate_find_tenant_policy(group_uri, tenant_name): + if not group_uri: + raise exceptions.RequiredParameter(param_name='group_uri') + if not tenant_name: + raise exceptions.RequiredParameter(param_name='tenant_name') + + @staticmethod + def validate_attach_tenant_policy(group, permissions, tenant_name): + if not group: + raise exceptions.RequiredParameter(param_name='group') + if not permissions: + raise exceptions.RequiredParameter(param_name='permissions') + if not tenant_name: + raise exceptions.RequiredParameter(param_name='tenant_name') + + @staticmethod + def validate_save_tenant_policy(group, tenant_name): + if not group: + raise exceptions.RequiredParameter(param_name='group') + if not tenant_name: + raise exceptions.RequiredParameter(param_name='tenant_name') + + @staticmethod + def validate_add_permission_to_tenant_policy_params(group, permissions, policy, tenant_name): + if not group: + raise 
exceptions.RequiredParameter(param_name='group') + TenantPolicyValidationService.validate_add_permissions_params(permissions, policy, tenant_name) + + @staticmethod + def validate_add_permissions_params(permissions, policy, tenant_name): + if not permissions: + raise exceptions.RequiredParameter(param_name='permissions') + if not tenant_name: + raise exceptions.RequiredParameter(param_name='tenant_name') + if not policy: + raise exceptions.RequiredParameter(param_name='policy') + + @staticmethod + def validate_permissions(session, tenant_name, g_permissions, group): + g_permissions = list(set(g_permissions)) + + if g_permissions not in permissions.TENANT_ALL: + exceptions.TenantPermissionUnauthorized( + action='UPDATE_TENANT_TEAM_PERMISSIONS', + group_name=group, + tenant_name=tenant_name, + ) + + tenant_group_permissions = [] + for p in g_permissions: + tenant_group_permissions.append( + Permission.find_permission_by_name( + session=session, + permission_name=p, + permission_type=PermissionType.TENANT.name, + ) + ) + return tenant_group_permissions + + @staticmethod + def validate_params(data): + if not data: + raise exceptions.RequiredParameter('data') + if not data.get('permissions'): + raise exceptions.RequiredParameter('permissions') + + +class TenantPolicyService: + @staticmethod + def update_group_permissions(session, username, groups, uri, data=None, check_perm=None): + TenantPolicyValidationService.validate_params(data) + new_permissions = data['permissions'] + + # raises UnauthorizedOperation exception, if there is no admin access + TenantPolicyValidationService.validate_admin_access(username, groups, 'UPDATE_TENANT_TEAM_PERMISSIONS') + + TenantPolicyValidationService.validate_permissions(session, TenantPolicy.TENANT_NAME, new_permissions, uri) + + TenantPolicyService.delete_tenant_policy(session=session, group=uri, tenant_name=TenantPolicy.TENANT_NAME) + TenantPolicyService.attach_group_tenant_policy( + session=session, + group=uri, + 
permissions=new_permissions, + tenant_name=TenantPolicy.TENANT_NAME, + ) + + return True + + @staticmethod + def list_tenant_permissions(session, username, groups): + TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAM_PERMISSIONS') + + group_invitation_permissions = [] + for p in permissions.TENANT_ALL: + group_invitation_permissions.append( + Permission.find_permission_by_name( + session=session, + permission_name=p, + permission_type=PermissionType.TENANT.name, + ) + ) + return group_invitation_permissions + + @staticmethod + def list_tenant_groups(session, username, groups, data=None): + if not groups: + raise exceptions.RequiredParameter('groups') + + TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAMS') + + return TenantPolicy.list_tenant_groups(session, data) + + @staticmethod + def check_user_tenant_permission(session, username: str, groups: [str], tenant_name: str, permission_name: str): + if TenantPolicyValidationService.is_tenant_admin(groups): + return True + + tenant_policy = TenantPolicy.has_user_tenant_permission( + session=session, + username=username, + groups=groups, + permission_name=permission_name, + tenant_name=tenant_name, + ) + + if not tenant_policy: + raise exceptions.TenantUnauthorized( + username=username, + action=permission_name, + tenant_name=tenant_name, + ) + + else: + return tenant_policy + + @staticmethod + def attach_group_tenant_policy( + session, + group: str, + permissions: [str], + tenant_name: str, + ) -> TenantPolicyModel: + TenantPolicyValidationService.validate_attach_tenant_policy(group, permissions, tenant_name) + + policy = TenantPolicyService.save_group_tenant_policy(session, group, tenant_name) + + TenantPolicyService.add_permission_to_group_tenant_policy(session, group, permissions, tenant_name, policy) + + return policy + + @staticmethod + def find_tenant_policy(session, group_uri: str, tenant_name: str): + 
TenantPolicyValidationService.validate_find_tenant_policy(group_uri, tenant_name) + return TenantPolicy.find_tenant_policy(session, group_uri, tenant_name) + + @staticmethod + def save_group_tenant_policy(session, group, tenant_name): + TenantPolicyValidationService.validate_save_tenant_policy(group, tenant_name) + + policy = TenantPolicy.find_tenant_policy(session, group, tenant_name) + if not policy: + policy = TenantPolicyModel( + principalId=group, + principalType='GROUP', + tenant=TenantService.get_tenant_by_name(session, tenant_name), + ) + session.add(policy) + session.commit() + return policy + + @staticmethod + def add_permission_to_group_tenant_policy(session, group, permissions, tenant_name, policy): + TenantPolicyValidationService.validate_add_permission_to_tenant_policy_params( + group, permissions, policy, tenant_name + ) + + for permission in permissions: + if not TenantPolicy.has_group_tenant_permission( + session, + group_uri=group, + permission_name=permission, + tenant_name=tenant_name, + ): + TenantPolicyService.associate_permission_to_tenant_policy(session, policy, permission) + + @staticmethod + def associate_permission_to_tenant_policy(session, policy, permission): + policy_permission = TenantPolicyPermission( + sid=policy.sid, + permissionUri=Permission.get_permission_by_name( + session, permission, PermissionType.TENANT.name + ).permissionUri, + ) + session.add(policy_permission) + session.commit() + + @staticmethod + def list_group_tenant_permissions(session, username, groups, uri, data=None, check_perm=None): + if not groups: + raise exceptions.RequiredParameter('groups') + if not uri: + raise exceptions.RequiredParameter('groupUri') + + TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAM_PERMISSIONS') + + return TenantPolicyService.get_tenant_policy_permissions( + session=session, + group_uri=uri, + tenant_name='dataall', + ) + + @staticmethod + def get_tenant_policy_permissions(session, group_uri, 
tenant_name): + if not group_uri: + raise exceptions.RequiredParameter(param_name='group_uri') + if not tenant_name: + raise exceptions.RequiredParameter(param_name='tenant_name') + + policy = TenantPolicy.find_tenant_policy( + session=session, + group_uri=group_uri, + tenant_name=tenant_name, + ) + permissions = [] + for p in policy.permissions: + permissions.append(p.permission) + return permissions + + @staticmethod + def delete_tenant_policy( + session, + group: str, + tenant_name: str, + ) -> bool: + policy = TenantPolicy.find_tenant_policy(session, group_uri=group, tenant_name=tenant_name) + if policy: + for permission in policy.permissions: + session.delete(permission) + session.delete(policy) + session.commit() + + return True diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py index 238b69c8a..b3f8fcfc7 100644 --- a/backend/local_graphql_server.py +++ b/backend/local_graphql_server.py @@ -10,7 +10,8 @@ from dataall.core.tasks.service_handlers import Worker from dataall.core.permissions.constants import permissions from dataall.core.permissions.db import save_permissions_with_tenant -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService + from dataall.base.db import get_engine, Base from dataall.base.searchproxy import connect, run_query from dataall.base.loader import load_modules, ImportMode @@ -72,7 +73,7 @@ def request_context(headers, mock=False): for group in groups: with engine.scoped_session() as session: - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=group, permissions=permissions.TENANT_ALL, diff --git a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py index 21caefa15..7380b9cfa 100644 
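Review bot: `TenantPolicyValidationService.validate_permissions` never rejects anything: `g_permissions not in permissions.TENANT_ALL` asks whether the whole list is an element of `TENANT_ALL`, which is always true for a list of strings, and the `TenantPermissionUnauthorized` that follows is constructed but never raised, so as far as this check is concerned `update_group_permissions` accepts any permission names an admin submits. The bug is carried over from the repository code this commit removes rather than introduced here, but the new service is the right place to fix it: `if not set(g_permissions).issubset(permissions.TENANT_ALL):` followed by `raise exceptions.TenantPermissionUnauthorized(action='UPDATE_TENANT_TEAM_PERMISSIONS', group_name=group, tenant_name=tenant_name)`. Two smaller points: `list_tenant_groups` defaults `data=None` and passes it straight to `TenantPolicy.list_tenant_groups`, whose body calls `data.get(...)`, and `list_group_tenant_permissions` hard-codes `tenant_name='dataall'` where the rest of the class uses `TenantPolicy.TENANT_NAME`.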
--- a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py +++ b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py @@ -14,8 +14,7 @@ from dataall.base.db import Resource from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicyPermission from dataall.core.permissions.api.enums import PermissionType -from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission - +from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission # revision identifiers, used by Alembic. diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py index 23685c82e..67cca6722 100644 --- a/backend/migrations/versions/e177eb044b31_init_tenant.py +++ b/backend/migrations/versions/e177eb044b31_init_tenant.py @@ -12,7 +12,7 @@ from sqlalchemy import orm from dataall.core.permissions.db.tenant.tenant_repositories import Tenant -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.permissions.constants.permissions import TENANT_ALL revision = 'e177eb044b31' @@ -29,7 +29,7 @@ def upgrade(): Tenant.save_tenant(session, name='dataall', description='Tenant dataall') print('Tenant initialized successfully') print('Attaching superusers group DHAdmins...') - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group='DHAdmins', permissions=TENANT_ALL, diff --git a/tests/conftest.py b/tests/conftest.py index 8e91cd26d..2fba7d211 100644 --- a/tests/conftest.py +++ b/tests/conftest.py 
@@ -9,7 +9,7 @@ from dataall.core.groups.db.group_models import Group from dataall.core.permissions.db import Tenant, Permission -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.permissions.constants.permissions import TENANT_ALL from tests.client import create_app, ClientWrapper @@ -97,7 +97,7 @@ def _create_group(db, tenant, name, user): session.add(group) session.commit() - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=name, permissions=TENANT_ALL, diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py index 94567bd88..240e5cf8d 100644 --- a/tests/core/permissions/test_permission.py +++ b/tests/core/permissions/test_permission.py @@ -2,9 +2,10 @@ from dataall.core.permissions.db.permission.permission_repositories import Permission from dataall.core.permissions.db.permission.permission_models import PermissionType -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import exceptions from dataall.core.permissions.constants.permissions import MANAGE_GROUPS, ENVIRONMENT_ALL, ORGANIZATION_ALL, TENANT_ALL +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService def permissions(db, all_perms): 
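Review bot: `TenantPolicyService` is imported twice in this hunk: once on the line that replaces the old `TenantPolicy` import and again on the new line added after the `permissions` constants import. Drop the second `from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService` line; a linter will flag it as a redefinition of an unused import.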
@@ -34,14 +35,14 @@ def permissions(db, all_perms): def test_attach_tenant_policy(db, group, tenant): permissions(db, ORGANIZATION_ALL + ENVIRONMENT_ALL) with db.scoped_session() as session: - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=group.name, permissions=[MANAGE_GROUPS], tenant_name='dataall', ) - assert TenantPolicy.check_user_tenant_permission( + assert TenantPolicyService.check_user_tenant_permission( session=session, username='alice', groups=[group.name], @@ -53,7 +54,7 @@ def test_attach_tenant_policy(db, group, tenant): def test_unauthorized_tenant_policy(db, group): with pytest.raises(exceptions.TenantUnauthorized): with db.scoped_session() as session: - assert TenantPolicy.check_user_tenant_permission( + assert TenantPolicyService.check_user_tenant_permission( session=session, username='alice', groups=[group.name], diff --git a/tests/modules/datasets/test_dataset_permissions.py b/tests/modules/datasets/test_dataset_permissions.py index b2ad887d0..0e02fe2b8 100644 --- a/tests/modules/datasets/test_dataset_permissions.py +++ b/tests/modules/datasets/test_dataset_permissions.py @@ -14,6 +14,7 @@ from tests.core.permissions.test_permission import * from dataall.core.organizations.services.organization_service import OrganizationService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService def test_attach_resource_policy(db, user, group, dataset_fixture): 
@@ -37,14 +38,14 @@ def test_attach_resource_policy(db, user, group, dataset_fixture): def test_attach_tenant_policy(db, user, group, dataset_fixture, permissions, tenant): with db.scoped_session() as session: - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=group.name, permissions=[MANAGE_DATASETS], tenant_name='dataall', ) - assert TenantPolicy.check_user_tenant_permission( + assert TenantPolicyService.check_user_tenant_permission( session=session, username=user.username, groups=[group.name], @@ -69,7 +70,7 @@ def test_create_dataset(db, user, group, dataset_fixture, permissions, tenant): with db.scoped_session() as session: set_context(RequestContext(db, user.username, [group.name], user_id=user.username)) - TenantPolicy.attach_group_tenant_policy( + TenantPolicyService.attach_group_tenant_policy( session=session, group=group.name, permissions=TENANT_ALL, From a6d6a18ce298f27b791dffca7997daac57147559 Mon Sep 17 00:00:00 2001 
From: Sofia Sazonova Date: Tue, 26 Mar 2024 13:16:37 +0000 Subject: [PATCH 03/11] further separation of Services and Repositories --- backend/api_handler.py | 8 +- .../dataall/core/environment/api/resolvers.py | 18 +- .../environment/env_permission_checker.py | 4 +- .../services/environment_service.py | 30 +-- .../services/organization_service.py | 12 +- backend/dataall/core/permissions/__init__.py | 1 - .../dataall/core/permissions/api/resolvers.py | 29 +-- .../dataall/core/permissions/db/__init__.py | 14 - .../db/group/group_policy_repositories.py | 22 +- .../db/permission/permission_repositories.py | 105 +------- .../resource_policy/resource_policy_models.py | 1 - .../resource_policy_repositories.py | 240 +++--------------- .../db/tenant/tenant_policy_repositories.py | 79 +++--- .../db/tenant/tenant_repositories.py | 32 +-- .../decorators/permission_checker.py | 6 +- .../services/group_policy_service.py | 23 ++ .../services/permission_service.py | 88 +++++++ .../services/resource_policy_service.py | 185 ++++++++++++++ .../services/tenant_policy_service.py | 220 ++++++++++------ .../stacks/db/keyvaluetag_repositories.py | 6 +- .../core/stacks/db/stack_repositories.py | 4 +- .../dataall/core/vpc/services/vpc_service.py | 8 +- .../services/dashboard_quicksight_service.py | 4 +- .../dashboards/services/dashboard_service.py | 8 +- .../services/dashboard_share_service.py | 6 +- .../services/datapipelines_service.py | 8 +- .../services/share_item_service.py | 6 +- .../services/share_object_service.py | 19 +- .../services/dataset_column_service.py | 4 +- .../services/dataset_profiling_service.py | 4 +- .../datasets/services/dataset_service.py | 36 +-- .../services/dataset_table_service.py | 6 +- .../mlstudio/services/mlstudio_service.py | 8 +- .../notebooks/services/notebook_service.py | 8 +- .../worksheets/services/worksheet_service.py | 6 +- backend/local_graphql_server.py | 5 +- .../versions/033c3d6c1849_init_permissions.py | 5 +- 
.../04d92886fabe_add_consumption_roles.py | 9 +- ...618805341_rename_sgm_studio_permissions.py | 2 +- .../72b8a90b6ee8__share_request_purpose.py | 18 +- ...f74bd_update_permissions_modularization.py | 12 +- ...215e_backfill_dataset_table_permissions.py | 24 +- .../versions/e177eb044b31_init_tenant.py | 5 +- tests/conftest.py | 6 +- tests/core/environments/test_environment.py | 4 +- tests/core/permissions/test_permission.py | 11 +- tests/core/permissions/test_tenant.py | 12 +- tests/modules/conftest.py | 4 +- tests/modules/datasets/conftest.py | 16 +- .../datasets/test_dataset_permissions.py | 10 +- 50 files changed, 716 insertions(+), 685 deletions(-) create mode 100644 backend/dataall/core/permissions/services/group_policy_service.py create mode 100644 backend/dataall/core/permissions/services/permission_service.py create mode 100644 backend/dataall/core/permissions/services/resource_policy_service.py diff --git a/backend/api_handler.py b/backend/api_handler.py index 3fbc76ccf..74696fe64 100644 --- a/backend/api_handler.py +++ b/backend/api_handler.py @@ -16,8 +16,6 @@ from dataall.base.aws.sqs import SqsQueue from dataall.base.aws.parameter_store import ParameterStoreManager from dataall.base.context import set_context, dispose_context, RequestContext -from dataall.core.permissions.db import save_permissions_with_tenant -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine from dataall.core.permissions.constants import permissions @@ -39,7 +37,7 @@ ENGINE = get_engine(envname=ENVNAME) Worker.queue = SqsQueue.send -save_permissions_with_tenant(ENGINE) +TenantPolicyService.save_permissions_with_tenant(ENGINE) def resolver_adapter(resolver): 
@@ -144,14 +142,14 @@ def handler(event, context): log.debug('groups are %s', ','.join(groups)) with ENGINE.scoped_session() as session: for group in groups: - policy = TenantPolicyService.find_tenant_policy(session, group, 'dataall') + policy = TenantPolicyService.find_tenant_policy(session, group, TenantPolicyService.TENANT_NAME) if not policy: print(f'No policy found for Team {group}. Attaching TENANT_ALL permissions') TenantPolicyService.attach_group_tenant_policy( session=session, group=group, permissions=permissions.TENANT_ALL, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) except Exception as e: diff --git a/backend/dataall/core/environment/api/resolvers.py b/backend/dataall/core/environment/api/resolvers.py index bf492da4c..726d0a566 100644 --- a/backend/dataall/core/environment/api/resolvers.py +++ b/backend/dataall/core/environment/api/resolvers.py @@ -16,7 +16,7 @@ from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager from dataall.core.environment.services.environment_service import EnvironmentService from dataall.core.environment.api.enums import EnvironmentPermission -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.stacks.api import stack_helper from dataall.core.stacks.aws.cloudformation import CloudFormation from dataall.core.stacks.db.stack_repositories import Stack @@ -442,7 +442,7 @@ def get_environment_assume_role_url( groupUri: str = None, ): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, 
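Review bot: The fallback in `handler` that attaches `permissions.TENANT_ALL` to any group that has no tenant policy still announces itself with `print(...)` rather than the module logger, and the hunk only replaces the `'dataall'` literal with `TenantPolicyService.TENANT_NAME` around it. Since this branch grants the full tenant permission set to a group the first time it is seen, it should at least be `log.warning('No policy found for Team %s. Attaching TENANT_ALL permissions', group)` so the auto-grant is visible in the request logs and can be alerted on. Where `groups` is resolved is outside the hunk (the `log.debug('groups are %s', ...)` line suggests they come from the request), and the enclosing `handler` starts and ends outside it.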
@@ -466,7 +466,7 @@ def get_environment_assume_role_url( @is_feature_enabled('core.features.env_aws_actions') def generate_environment_access_token(context, source, environmentUri: str = None, groupUri: str = None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, @@ -514,7 +514,7 @@ def delete_environment(context: Context, source, environmentUri: str = None, del def enable_subscriptions(context: Context, source, environmentUri: str = None, input: dict = None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, @@ -549,7 +549,7 @@ def enable_subscriptions(context: Context, source, environmentUri: str = None, i def disable_subscriptions(context: Context, source, environmentUri: str = None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, @@ -572,7 +572,7 @@ def get_pivot_role_template(context: Context, source, organizationUri=None): from dataall.base.utils import Parameter with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, 
@@ -612,7 +612,7 @@ def get_pivot_role_template(context: Context, source, organizationUri=None): def get_cdk_exec_policy_template(context: Context, source, organizationUri=None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, @@ -652,7 +652,7 @@ def get_cdk_exec_policy_template(context: Context, source, organizationUri=None) def get_external_id(context: Context, source, organizationUri=None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, @@ -670,7 +670,7 @@ def get_external_id(context: Context, source, organizationUri=None): def get_pivot_role_name(context: Context, source, organizationUri=None): with context.engine.scoped_session() as session: - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, diff --git a/backend/dataall/core/environment/env_permission_checker.py b/backend/dataall/core/environment/env_permission_checker.py index 19338b4c9..6a5607f1e 100644 --- a/backend/dataall/core/environment/env_permission_checker.py +++ b/backend/dataall/core/environment/env_permission_checker.py 
@@ -1,11 +1,11 @@ from dataall.base.context import get_context, RequestContext -from dataall.core.permissions.db.group.group_policy_repositories import GroupPolicy from dataall.base.utils.decorator_utls import process_func +from dataall.core.permissions.services.group_policy_service import GroupPolicyService def _check_group_environment_permission(session, permission, uri, admin_group): context: RequestContext = get_context() - GroupPolicy.check_group_environment_permission( + GroupPolicyService.check_group_environment_permission( session=session, username=context.username, groups=context.groups, diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py index 66b667e34..a4d77177d 100644 --- a/backend/dataall/core/environment/services/environment_service.py +++ b/backend/dataall/core/environment/services/environment_service.py 
@@ -6,14 +6,14 @@ from sqlalchemy.sql import and_ from dataall.base.context import get_context +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.stacks.api import stack_helper from dataall.core.activity.db.activity_models import Activity from dataall.core.environment.db.environment_models import EnvironmentParameter, ConsumptionRole from dataall.core.environment.db.environment_repositories import EnvironmentParameterRepository, EnvironmentRepository from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager -from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.core.permissions.db.permission.permission_models import PermissionType -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission from dataall.core.vpc.db.vpc_models import Vpc from dataall.base.db.paginator import paginate @@ -106,7 +106,7 @@ def create_environment(session, uri, data=None): environmentAthenaWorkGroup=env.EnvironmentDefaultAthenaWorkGroup, ) session.add(env_group) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=env.environmentUri, group=data['SamlGroupName'], @@ -181,7 +181,7 @@ def update_environment(session, uri, data=None): EnvironmentService._update_env_parameters(session, environment, data) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=environment.environmentUri, group=environment.SamlGroupName, 
@@ -260,7 +260,7 @@ def invite_group(session, uri, data=None) -> (Environment, EnvironmentGroup): ) session.add(environment_group) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group, resource_uri=environment.environmentUri, @@ -288,7 +288,7 @@ def validate_permissions(session, uri, g_permissions, group): env_group_permissions = [] for p in g_permissions: env_group_permissions.append( - Permission.find_permission_by_name( + PermissionRepository.find_permission_by_name( session=session, permission_name=p, permission_type=PermissionType.RESOURCE.name, @@ -339,7 +339,7 @@ def remove_group(session, uri, group): session.delete(group_membership) session.commit() - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=group, resource_uri=environment.environmentUri, @@ -366,13 +366,13 @@ def update_group_permissions(session, uri, data=None): message=f'Team {group.name} is not a member of the environment {environment.name}', ) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=group, resource_uri=environment.environmentUri, resource_type=Environment.__name__, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group, resource_uri=environment.environmentUri, @@ -392,7 +392,7 @@ def list_group_permissions_internal(session, uri, group_uri): """No permission check, only for internal usages""" environment = EnvironmentService.get_environment_by_uri(session, uri) - return ResourcePolicy.get_resource_policy_permissions( + return ResourcePolicyService.get_resource_policy_permissions( session=session, group_uri=group_uri, resource_uri=environment.environmentUri, 
@@ -403,7 +403,7 @@ def list_group_invitation_permissions(session, username, groups, uri, data=None, group_invitation_permissions = [] for p in permissions.ENVIRONMENT_INVITATION_REQUEST: group_invitation_permissions.append( - Permission.find_permission_by_name( + PermissionRepository.find_permission_by_name( session=session, permission_name=p, permission_type=PermissionType.RESOURCE.name, @@ -447,7 +447,7 @@ def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGr session.add(consumption_role) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group, resource_uri=consumption_role.consumptionRoleUri, @@ -478,7 +478,7 @@ def remove_consumption_role(session, uri, env_uri): resource_prefix=environment.resourcePrefix, ).delete_all_policies() - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=consumption_role.groupUri, resource_uri=consumption_role.consumptionRoleUri, @@ -502,7 +502,7 @@ def update_consumption_role(session, uri, env_uri, input): raise exceptions.RequiredParameter('consumptionRoleName') consumption_role = EnvironmentService.get_environment_consumption_role(session, uri, env_uri) if consumption_role: - ResourcePolicy.update_resource_policy( + ResourcePolicyService.update_resource_policy( session=session, resource_uri=uri, resource_type=ConsumptionRole.__name__, @@ -939,7 +939,7 @@ def delete_environment(session, uri, environment): for group in env_groups: session.delete(group) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, resource_uri=uri, group=group.groupUri, diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py index 110cf9382..2aa892e72 100644 --- a/backend/dataall/core/organizations/services/organization_service.py 
+++ b/backend/dataall/core/organizations/services/organization_service.py @@ -8,7 +8,7 @@ from dataall.core.organizations.db import organization_models as models from dataall.core.permissions.constants import permissions from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService class OrganizationService: @@ -47,7 +47,7 @@ def create_organization(data): ) session.add(activity) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=data['SamlGroupName'], permissions=permissions.ORGANIZATION_ALL, @@ -76,7 +76,7 @@ def update_organization(uri, data): targetType='org', ) session.add(activity) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=organization.SamlGroupName, permissions=permissions.ORGANIZATION_ALL, @@ -151,7 +151,7 @@ def archive_organization(uri): message='The organization you tried to delete has linked environments', ) session.delete(org) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=org.SamlGroupName, resource_uri=org.organizationUri, @@ -182,7 +182,7 @@ def invite_group(uri, data): invitedBy=context.username, ) session.add(org_group) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group, resource_uri=organization.organizationUri, @@ -220,7 +220,7 @@ def remove_group(uri, group): session.delete(group_membership) session.commit() - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=group, resource_uri=organization.organizationUri, 
diff --git a/backend/dataall/core/permissions/__init__.py b/backend/dataall/core/permissions/__init__.py index 9e9b57c06..e69de29bb 100644 --- a/backend/dataall/core/permissions/__init__.py +++ b/backend/dataall/core/permissions/__init__.py @@ -1 +0,0 @@ -from dataall.core.permissions import api diff --git a/backend/dataall/core/permissions/api/resolvers.py b/backend/dataall/core/permissions/api/resolvers.py index 12cc51cc5..ad46fab30 100644 --- a/backend/dataall/core/permissions/api/resolvers.py +++ b/backend/dataall/core/permissions/api/resolvers.py 
@@ -3,36 +3,29 @@ from dataall.base.aws.sts import SessionHelper from dataall.base.aws.parameter_store import ParameterStoreManager -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy +from dataall.base.db.exceptions import RequiredParameter from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService log = logging.getLogger(__name__) def update_group_permissions(context, source, input=None): - with context.engine.scoped_session() as session: - return TenantPolicyService.update_group_permissions( - session=session, - username=context.username, - groups=context.groups, - uri=input['groupUri'], - data=input, - check_perm=True, - ) + if not input['groupUri']: + raise RequiredParameter('groupUri') + return TenantPolicyService.update_group_permissions( + data=input, + check_perm=True, + ) def list_tenant_permissions(context, source): - with context.engine.scoped_session() as session: - return TenantPolicyService.list_tenant_permissions( - session=session, username=context.username, groups=context.groups - ) + return TenantPolicyService.list_tenant_permissions() def list_tenant_groups(context, source, filter=None): - with context.engine.scoped_session() as session: - return TenantPolicyService.list_tenant_groups( - session=session, username=context.username, groups=context.groups, data=filter if filter else {} - ) + if filter is None: + filter = {} + return TenantPolicyService.list_tenant_groups(filter) def update_ssm_parameter(context, source, name: str = None, value: str = None): diff --git a/backend/dataall/core/permissions/db/__init__.py b/backend/dataall/core/permissions/db/__init__.py index f8795af0d..e69de29bb 100644 --- a/backend/dataall/core/permissions/db/__init__.py +++ b/backend/dataall/core/permissions/db/__init__.py 
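Review bot: The new `if not input['groupUri']:` in `update_group_permissions` raises `KeyError` instead of `RequiredParameter` when the key is absent, and `TypeError` when `input` is `None` (its default); `if not input or not input.get('groupUri'): raise RequiredParameter('groupUri')` keeps the intended error type in both cases. The resolver also no longer passes `context.username`/`context.groups` to the service, so the permission check behind `check_perm=True` presumably now reads the caller's identity from the request context inside `TenantPolicyService` — that service's hunk is not in this chunk, so worth confirming the check is still performed against the request's groups. The same applies to `list_tenant_permissions` and `list_tenant_groups`, which drop the explicit `username`/`groups` arguments too.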
@@ -1,14 +0,0 @@ -import logging - -from dataall.core.permissions.db.permission import permission_models -from dataall.core.permissions.db.permission.permission_repositories import Permission -from dataall.core.permissions.db.tenant.tenant_repositories import Tenant - -log = logging.getLogger('Permissions') - - -def save_permissions_with_tenant(engine, envname=None): - with engine.scoped_session() as session: - log.info('Initiating permissions') - Tenant.save_tenant(session, name='dataall', description='Tenant dataall') - Permission.init_permissions(session) diff --git a/backend/dataall/core/permissions/db/group/group_policy_repositories.py b/backend/dataall/core/permissions/db/group/group_policy_repositories.py index cdc6991b1..e6b1f5c76 100644 --- a/backend/dataall/core/permissions/db/group/group_policy_repositories.py +++ b/backend/dataall/core/permissions/db/group/group_policy_repositories.py @@ -1,30 +1,10 @@ from dataall.core.environment.db.environment_models import EnvironmentGroup -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.base.db.exceptions import UnauthorizedOperation -class GroupPolicy: +class GroupPolicyRepository: """Checks permission of environment group""" - @staticmethod - def check_group_environment_permission(session, username, groups, uri, group, permission_name): - GroupPolicy.check_group_environment_membership( - session=session, - username=username, - user_groups=groups, - group=group, - environment_uri=uri, - permission_name=permission_name, - ) - - ResourcePolicy.check_user_resource_permission( - session=session, - username=username, - groups=[group], - resource_uri=uri, - permission_name=permission_name, - ) - @staticmethod def check_group_environment_membership(session, environment_uri, group, username, user_groups, permission_name): if group and group not in user_groups: 
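Review bot: `GroupPolicyRepository`'s class docstring still reads `"""Checks permission of environment group"""` although `check_group_environment_permission` (and the `ResourcePolicy` call it made) has been removed, leaving only the membership check in this class; a docstring such as `"""Membership lookups for environment groups; the permission check lives in GroupPolicyService."""` describes what remains. The class body continues past the end of the hunk.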
diff --git a/backend/dataall/core/permissions/db/permission/permission_repositories.py b/backend/dataall/core/permissions/db/permission/permission_repositories.py index 4576448c8..4f77bb8ee 100644 --- a/backend/dataall/core/permissions/db/permission/permission_repositories.py +++ b/backend/dataall/core/permissions/db/permission/permission_repositories.py 
@@ -1,119 +1,42 @@ import logging from dataall.core.permissions.api.enums import PermissionType -from dataall.base.db import exceptions -from dataall.core.permissions.constants import permissions -from dataall.core.permissions.db.permission import permission_models as models +from dataall.core.permissions.db.permission.permission_models import Permission logger = logging.getLogger(__name__) -class Permission: +class PermissionRepository: @staticmethod - def find_permission_by_name(session, permission_name: str, permission_type: str) -> models.Permission: + def find_permission_by_name(session, permission_name: str, permission_type: str) -> Permission: if permission_name: permission = ( - session.query(models.Permission) + session.query(Permission) .filter( - models.Permission.name == permission_name, - models.Permission.type == permission_type, + Permission.name == permission_name, + Permission.type == permission_type, ) .first() ) return permission @staticmethod - def get_permission_by_name(session, permission_name: str, permission_type: str) -> models.Permission: - if not permission_name: - raise exceptions.RequiredParameter(param_name='permission_name') - permission = Permission.find_permission_by_name(session, permission_name, permission_type) - if not permission: - raise exceptions.ObjectNotFound('Permission', permission_name) - return permission - - @staticmethod - def find_permission_by_uri(session, permission_uri: str, permission_type: str) -> models.Permission: + def find_permission_by_uri(session, permission_uri: str, permission_type: str) -> Permission: if permission_uri: permission = ( - session.query(models.Permission) + session.query(Permission) .filter( - models.Permission.permissionUri == permission_uri, - models.Permission.type == permission_type, + Permission.permissionUri == permission_uri, + Permission.type == permission_type, ) .first() ) return permission @staticmethod - def get_permission_by_uri(session, permission_uri: str, permission_type: 
str) -> models.Permission: - if not permission_uri: - raise exceptions.RequiredParameter(param_name='permission_uri') - permission = Permission.find_permission_by_uri(session, permission_uri, permission_type) - if not permission: - raise exceptions.ObjectNotFound('Permission', permission_uri) - return permission - - @staticmethod - def save_permission(session, name: str, description: str, permission_type: str) -> models.Permission: - if not name: - raise exceptions.RequiredParameter('name') - if not type: - raise exceptions.RequiredParameter('permission_type') - permission = Permission.find_permission_by_name(session, name, permission_type) - if permission: - logger.info(f'Permission {permission.name} already exists') - else: - permission = models.Permission( - name=name, - description=description if description else f'Allows {name}', - type=permission_type, - ) - session.add(permission) - return permission + def count_resource_permissions(session): + return session.query(Permission).filter(Permission.type == PermissionType.RESOURCE.name).count() @staticmethod - def init_permissions(session): - perms = [] - count_resource_permissions = ( - session.query(models.Permission).filter(models.Permission.type == PermissionType.RESOURCE.name).count() - ) - - logger.debug( - f'count_resource_permissions: {count_resource_permissions}, RESOURCES_ALL: {len(permissions.RESOURCES_ALL_WITH_DESC)}' - ) - - if count_resource_permissions < len(permissions.RESOURCES_ALL_WITH_DESC): - for name, desc in permissions.RESOURCES_ALL_WITH_DESC.items(): - perms.append( - Permission.save_permission( - session, - name=name, - description=desc, - permission_type=PermissionType.RESOURCE.name, - ) - ) - logger.info(f'Saved permission {name} successfully') - logger.info(f'Saved {len(perms)} resource permissions successfully') - - count_tenant_permissions = ( - session.query(models.Permission).filter(models.Permission.type == PermissionType.TENANT.name).count() - ) - - logger.debug( - 
f'count_tenant_permissions: {count_tenant_permissions}, TENANT_ALL: {len(permissions.TENANT_ALL_WITH_DESC)}' - ) - - if count_tenant_permissions < len(permissions.TENANT_ALL_WITH_DESC): - for name, desc in permissions.TENANT_ALL_WITH_DESC.items(): - perms.append( - Permission.save_permission( - session, - name=name, - description=desc, - permission_type=PermissionType.TENANT.name, - ) - ) - logger.info(f'Saved permission {name} successfully') - logger.info(f'Saved {len(perms)} permissions successfully') - session.commit() - return perms + def count_tenant_permissions(session): + return session.query(Permission).filter(Permission.type == PermissionType.TENANT.name).count() diff --git a/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py index dbfc9e750..591787e91 100644 --- a/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py +++ b/backend/dataall/core/permissions/db/resource_policy/resource_policy_models.py @@ -1,6 +1,5 @@ import datetime -from dataall.core.permissions.api.enums import PermissionType from sqlalchemy import Column, String, DateTime, ForeignKey, Enum as DBEnum from sqlalchemy.orm import relationship diff --git a/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py b/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py index 15570863d..3fe59b61b 100644 --- a/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py +++ b/backend/dataall/core/permissions/db/resource_policy/resource_policy_repositories.py 
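Review bot: `find_permission_by_name` and `find_permission_by_uri` in `PermissionRepository` are annotated `-> Permission` but fall through to an implicit `None` when `permission_name`/`permission_uri` is falsy, and `.first()` returns `None` on no match, so the annotation should be `Optional[Permission]` (importing `Optional` from `typing`); the `get_*` wrappers that turned that `None` into `ObjectNotFound` have been moved out of this file, so callers now need the honest return type. The two new counters also lack docstrings; a one-liner each such as `"""Return the number of stored Permission rows whose type is RESOURCE."""` and its TENANT counterpart would do.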
@@ -3,57 +3,34 @@ from sqlalchemy.sql import and_ -from dataall.core.permissions.db.permission.permission_repositories import Permission -from dataall.core.permissions.api.enums import PermissionType -from dataall.base.db import exceptions -from dataall.core.permissions.db.permission import permission_models -from dataall.core.permissions.db.resource_policy import resource_policy_models as models -logger = logging.getLogger(__name__) +from dataall.core.permissions.db.permission.permission_models import Permission +from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicy, ResourcePolicyPermission +logger = logging.getLogger(__name__) -class ResourcePolicy: - @staticmethod - def check_user_resource_permission(session, username: str, groups: [str], resource_uri: str, permission_name: str): - resource_policy = ResourcePolicy.has_user_resource_permission( - session=session, - username=username, - groups=groups, - permission_name=permission_name, - resource_uri=resource_uri, - ) - if not resource_policy: - raise exceptions.ResourceUnauthorized( - username=username, - action=permission_name, - resource_uri=resource_uri, - ) - else: - return resource_policy +class ResourcePolicyRepository: @staticmethod def has_user_resource_permission( - session, username: str, groups: [str], resource_uri: str, permission_name: str - ) -> Optional[models.ResourcePolicy]: - if not username or not permission_name or not resource_uri: - return None - - policy: models.ResourcePolicy = ( - session.query(models.ResourcePolicy) + session, groups: [str], resource_uri: str, permission_name: str + ) -> Optional[ResourcePolicy]: + policy: ResourcePolicy = ( + session.query(ResourcePolicy) .join( - models.ResourcePolicyPermission, - models.ResourcePolicy.sid == models.ResourcePolicyPermission.sid, + ResourcePolicyPermission, + ResourcePolicy.sid == ResourcePolicyPermission.sid, ) .join( - permission_models.Permission, - permission_models.Permission.permissionUri 
== models.ResourcePolicyPermission.permissionUri, + Permission, + Permission.permissionUri == ResourcePolicyPermission.permissionUri, ) .filter( and_( - models.ResourcePolicy.principalId.in_(groups), - models.ResourcePolicy.principalType == 'GROUP', - permission_models.Permission.name == permission_name, - models.ResourcePolicy.resourceUri == resource_uri, + ResourcePolicy.principalId.in_(groups), + ResourcePolicy.principalType == 'GROUP', + Permission.name == permission_name, + ResourcePolicy.resourceUri == resource_uri, ) ) .first() @@ -67,26 +44,23 @@ def has_user_resource_permission( @staticmethod def has_group_resource_permission( session, group_uri: str, resource_uri: str, permission_name: str - ) -> Optional[models.ResourcePolicy]: - if not group_uri or not permission_name or not resource_uri: - return None - - policy: models.ResourcePolicy = ( - session.query(models.ResourcePolicy) + ) -> Optional[ResourcePolicy]: + policy: ResourcePolicy = ( + session.query(ResourcePolicy) .join( - models.ResourcePolicyPermission, - models.ResourcePolicy.sid == models.ResourcePolicyPermission.sid, + ResourcePolicyPermission, + ResourcePolicy.sid == ResourcePolicyPermission.sid, ) .join( - permission_models.Permission, - permission_models.Permission.permissionUri == models.ResourcePolicyPermission.permissionUri, + Permission, + Permission.permissionUri == ResourcePolicyPermission.permissionUri, ) .filter( and_( - models.ResourcePolicy.principalId == group_uri, - models.ResourcePolicy.principalType == 'GROUP', - permission_models.Permission.name == permission_name, - models.ResourcePolicy.resourceUri == resource_uri, + ResourcePolicy.principalId == group_uri, + ResourcePolicy.principalType == 'GROUP', + Permission.name == permission_name, + ResourcePolicy.resourceUri == resource_uri, ) ) .first() 
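Review bot: `has_user_resource_permission` drops both the `username` parameter and the `if not username or not permission_name or not resource_uri: return None` guard, and `has_group_resource_permission` in the next hunk drops the equivalent `group_uri` guard. Without them a `None` `resource_uri` or `permission_name` reaches the query, where SQLAlchemy renders `== None` as `IS NULL` instead of failing, so the repository now relies entirely on `ResourcePolicyService` (not in this chunk) to validate inputs before calling. Because these lookups back access decisions, keeping a cheap guard at the repository boundary as well is worthwhile: `if not groups or not permission_name or not resource_uri: return None` here and `if not group_uri or not permission_name or not resource_uri: return None` in the sibling. The tail of `has_user_resource_permission` (its `return policy`) lies between the two hunks.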
@@ -98,167 +72,15 @@ def has_group_resource_permission( return policy @staticmethod - def find_resource_policy(session, group_uri: str, resource_uri: str) -> models.ResourcePolicy: - if not group_uri: - raise exceptions.RequiredParameter(param_name='group') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') + def find_resource_policy(session, group_uri: str, resource_uri: str) -> ResourcePolicy: resource_policy = ( - session.query(models.ResourcePolicy) + session.query(ResourcePolicy) .filter( and_( - models.ResourcePolicy.principalId == group_uri, - models.ResourcePolicy.resourceUri == resource_uri, + ResourcePolicy.principalId == group_uri, + ResourcePolicy.resourceUri == resource_uri, ) ) .first() ) return resource_policy - - @staticmethod - def update_resource_policy( - session, resource_uri: str, resource_type: str, old_group: str, new_group: str, new_permissions: [str] - ) -> models.ResourcePolicy: - ResourcePolicy.delete_resource_policy( - session=session, - group=old_group, - resource_uri=resource_uri, - resource_type=resource_type, - ) - return ResourcePolicy.attach_resource_policy( - session=session, - group=new_group, - resource_uri=resource_uri, - permissions=new_permissions, - resource_type=resource_type, - ) - - @staticmethod - def attach_resource_policy( - session, - group: str, - permissions: [str], - resource_uri: str, - resource_type: str, - ) -> models.ResourcePolicy: - ResourcePolicy.validate_attach_resource_policy_params(group, permissions, resource_uri, resource_type) - - policy = ResourcePolicy.save_resource_policy(session, group, resource_uri, resource_type) - - ResourcePolicy.add_permission_to_resource_policy(session, group, permissions, resource_uri, policy) - - return policy - - @staticmethod - def delete_resource_policy( - session, - group: str, - resource_uri: str, - resource_type: str = None, - ) -> bool: - ResourcePolicy.validate_delete_resource_policy_params(group, resource_uri) - policy = 
ResourcePolicy.find_resource_policy(session, group_uri=group, resource_uri=resource_uri) - if policy: - for permission in policy.permissions: - session.delete(permission) - session.delete(policy) - session.commit() - - return True - - @staticmethod - def validate_attach_resource_policy_params(group, permissions, resource_uri, resource_type): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not permissions: - raise exceptions.RequiredParameter(param_name='permissions') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') - if not resource_type: - raise exceptions.RequiredParameter(param_name='resource_type') - - @staticmethod - def save_resource_policy(session, group, resource_uri, resource_type): - ResourcePolicy.validate_save_resource_policy_params(group, resource_uri, resource_type) - policy = ResourcePolicy.find_resource_policy(session, group, resource_uri) - if not policy: - policy = models.ResourcePolicy( - principalId=group, - principalType='GROUP', - resourceUri=resource_uri, - resourceType=resource_type, - ) - session.add(policy) - session.commit() - return policy - - @staticmethod - def validate_save_resource_policy_params(group, resource_uri, resource_type): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') - if not resource_type: - raise exceptions.RequiredParameter(param_name='resource_type') - - @staticmethod - def add_permission_to_resource_policy(session, group, permissions, resource_uri, policy): - ResourcePolicy.validate_add_permission_to_resource_policy_params(group, permissions, policy, resource_uri) - - for permission in permissions: - if not ResourcePolicy.has_group_resource_permission( - session, - group_uri=group, - permission_name=permission, - resource_uri=resource_uri, - ): - ResourcePolicy.associate_permission_to_resource_policy(session, policy, permission) - - 
@staticmethod - def validate_add_permission_to_resource_policy_params(group, permissions, policy, resource_uri): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not permissions: - raise exceptions.RequiredParameter(param_name='permissions') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') - if not policy: - raise exceptions.RequiredParameter(param_name='policy') - - @staticmethod - def validate_delete_resource_policy_params(group, resource_uri): - if not group: - raise exceptions.RequiredParameter(param_name='group') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') - - @staticmethod - def associate_permission_to_resource_policy(session, policy, permission): - if not policy: - raise exceptions.RequiredParameter(param_name='policy') - if not permission: - raise exceptions.RequiredParameter(param_name='permission') - policy_permission = models.ResourcePolicyPermission( - sid=policy.sid, - permissionUri=Permission.get_permission_by_name( - session, permission, permission_type=PermissionType.RESOURCE.name - ).permissionUri, - ) - session.add(policy_permission) - session.commit() - - @staticmethod - def get_resource_policy_permissions(session, group_uri, resource_uri): - if not group_uri: - raise exceptions.RequiredParameter(param_name='group_uri') - if not resource_uri: - raise exceptions.RequiredParameter(param_name='resource_uri') - policy = ResourcePolicy.find_resource_policy( - session=session, - group_uri=group_uri, - resource_uri=resource_uri, - ) - permissions = [] - for p in policy.permissions: - permissions.append(p.permission) - return permissions diff --git a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py index 3763de9fa..8d50ed137 100644 --- a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py 
+++ b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py 
@@ -2,41 +2,36 @@ from sqlalchemy.sql import and_ -from dataall.core.permissions.api.enums import PermissionType -from dataall.base.db import exceptions, paginate -from dataall.core.permissions.constants import permissions -from dataall.core.permissions.db.permission import permission_models -from dataall.core.permissions.db.tenant import tenant_models as models -from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.base.db import paginate +from dataall.core.permissions.db.permission.permission_models import Permission +from dataall.core.permissions.db.tenant.tenant_models import TenantPolicy, Tenant, TenantPolicyPermission logger = logging.getLogger(__name__) -class TenantPolicy: - TENANT_NAME = 'dataall' +class TenantPolicyRepository: + ADMIN_GROUP = 'DAAdministrators' @staticmethod - def has_user_tenant_permission(session, username: str, groups: [str], tenant_name: str, permission_name: str): - if not username or not permission_name: - return False - tenant_policy: models.TenantPolicy = ( - session.query(models.TenantPolicy) + def has_user_tenant_permission(session, groups: [str], tenant_name: str, permission_name: str): + tenant_policy: TenantPolicy = ( + session.query(TenantPolicy) .join( - models.TenantPolicyPermission, - models.TenantPolicy.sid == models.TenantPolicyPermission.sid, + TenantPolicyPermission, + TenantPolicy.sid == TenantPolicyPermission.sid, ) .join( - models.Tenant, - models.Tenant.tenantUri == models.TenantPolicy.tenantUri, + Tenant, + Tenant.tenantUri == TenantPolicy.tenantUri, ) .join( - permission_models.Permission, - permission_models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri, + Permission, + Permission.permissionUri == TenantPolicyPermission.permissionUri, ) .filter( - models.TenantPolicy.principalId.in_(groups), - permission_models.Permission.name == permission_name, - models.Tenant.name == tenant_name, + TenantPolicy.principalId.in_(groups), + Permission.name 
== permission_name, + Tenant.name == tenant_name, ) .first() ) @@ -47,25 +42,25 @@ def has_group_tenant_permission(session, group_uri: str, tenant_name: str, permi if not group_uri or not permission_name: return False - tenant_policy: models.TenantPolicy = ( - session.query(models.TenantPolicy) + tenant_policy: TenantPolicy = ( + session.query(TenantPolicy) .join( - models.TenantPolicyPermission, - models.TenantPolicy.sid == models.TenantPolicyPermission.sid, + TenantPolicyPermission, + TenantPolicy.sid == TenantPolicyPermission.sid, ) .join( - models.Tenant, - models.Tenant.tenantUri == models.TenantPolicy.tenantUri, + Tenant, + Tenant.tenantUri == TenantPolicy.tenantUri, ) .join( - permission_models.Permission, - permission_models.Permission.permissionUri == models.TenantPolicyPermission.permissionUri, + Permission, + Permission.permissionUri == TenantPolicyPermission.permissionUri, ) .filter( and_( - models.TenantPolicy.principalId == group_uri, - permission_models.Permission.name == permission_name, - models.Tenant.name == tenant_name, + TenantPolicy.principalId == group_uri, + Permission.name == permission_name, + Tenant.name == tenant_name, ) ) .first() @@ -79,12 +74,12 @@ def has_group_tenant_permission(session, group_uri: str, tenant_name: str, permi @staticmethod def find_tenant_policy(session, group_uri: str, tenant_name: str): tenant_policy = ( - session.query(models.TenantPolicy) - .join(models.Tenant, models.Tenant.tenantUri == models.TenantPolicy.tenantUri) + session.query(TenantPolicy) + .join(Tenant, Tenant.tenantUri == TenantPolicy.tenantUri) .filter( and_( - models.TenantPolicy.principalId == group_uri, - models.Tenant.name == tenant_name, + TenantPolicy.principalId == group_uri, + Tenant.name == tenant_name, ) ) .first() 
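Review bot: `has_group_tenant_permission` keeps its `if not group_uri or not permission_name: return False` guard while the sibling `has_user_tenant_permission` in the previous hunk lost its guard and now relies on `TenantPolicyService.check_user_tenant_permission` for that check. The two query methods in this class now follow different validation contracts, which is confusing for the next caller; either keep a guard on both or drop it here too and state in the class docstring that the service layer validates. Both methods' `return` statements lie outside the hunks shown.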
@@ -94,17 +89,17 @@ def find_tenant_policy(session, group_uri: str, tenant_name: str): @staticmethod def list_tenant_groups(session, data=None): query = session.query( - models.TenantPolicy.principalId.label('name'), - models.TenantPolicy.principalId.label('groupUri'), + TenantPolicy.principalId.label('name'), + TenantPolicy.principalId.label('groupUri'), ).filter( and_( - models.TenantPolicy.principalType == 'GROUP', - models.TenantPolicy.principalId != 'DAAdministrators', + TenantPolicy.principalType == 'GROUP', + TenantPolicy.principalId != TenantPolicyRepository.ADMIN_GROUP, ) ) if data and data.get('term'): - query = query.filter(models.TenantPolicy.principalId.ilike('%' + data.get('term') + '%')) + query = query.filter(TenantPolicy.principalId.ilike('%' + data.get('term') + '%')) return paginate( query=query, diff --git a/backend/dataall/core/permissions/db/tenant/tenant_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_repositories.py index 685a31e55..62d59d5fc 100644 --- a/backend/dataall/core/permissions/db/tenant/tenant_repositories.py +++ b/backend/dataall/core/permissions/db/tenant/tenant_repositories.py 
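Review bot: In `list_tenant_groups` the user-supplied `term` is concatenated straight into the ILIKE pattern (`'%' + data.get('term') + '%'`); the value is bound as a parameter, so this is not an injection path, but `%` and `_` inside `term` act as wildcards rather than literal characters. If an exact substring match is intended, escape those two characters in `term` and pass `escape='\\'` to `ilike`. This line is unchanged apart from the model rename, so it is pre-existing behaviour that the new `ADMIN_GROUP` constant does not affect.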
@@ -1,36 +1,12 @@ import logging -from dataall.core.permissions.db.tenant import tenant_models as models +from dataall.core.permissions.db.tenant.tenant_models import Tenant logger = logging.getLogger(__name__) -class Tenant: +class TenantRepository: @staticmethod - def find_tenant_by_name(session, tenant_name: str) -> models.Tenant: - if tenant_name: - tenant = session.query(models.Tenant).filter(models.Tenant.name == tenant_name).first() - return tenant - - @staticmethod - def get_tenant_by_name(session, tenant_name: str) -> models.Tenant: - if not tenant_name: - raise Exception('Tenant name is required') - tenant = Tenant.find_tenant_by_name(session, tenant_name) - if not tenant: - raise Exception('TenantNotFound') - return tenant - - @staticmethod - def save_tenant(session, name: str, description: str) -> models.Tenant: - if not name: - raise Exception('Tenant name is required') - - tenant = Tenant.find_tenant_by_name(session, name) - if tenant: - return tenant - else: - tenant = models.Tenant(name=name, description=description if description else f'Tenant {name}') - session.add(tenant) - session.commit() + def find_tenant_by_name(session, tenant_name: str) -> Tenant: + tenant = session.query(Tenant).filter(Tenant.name == tenant_name).first() return tenant diff --git a/backend/dataall/core/permissions/decorators/permission_checker.py b/backend/dataall/core/permissions/decorators/permission_checker.py index a9fee2796..412b963d0 100644 --- a/backend/dataall/core/permissions/decorators/permission_checker.py +++ b/backend/dataall/core/permissions/decorators/permission_checker.py 
@@ -6,7 +6,7 @@ from typing import Protocol, Callable from dataall.base.context import RequestContext, get_context -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.utils.decorator_utls import process_func @@ -23,14 +23,14 @@ def _check_tenant_permission(session, permission): session=session, username=context.username, groups=context.groups, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, permission_name=permission, ) def _check_resource_permission(session, uri, permission): context: RequestContext = get_context() - ResourcePolicy.check_user_resource_permission( + ResourcePolicyService.check_user_resource_permission( session=session, username=context.username, groups=context.groups, diff --git a/backend/dataall/core/permissions/services/group_policy_service.py b/backend/dataall/core/permissions/services/group_policy_service.py new file mode 100644 index 000000000..35df748cc --- /dev/null +++ b/backend/dataall/core/permissions/services/group_policy_service.py @@ -0,0 +1,23 @@ +from dataall.core.permissions.db.group.group_policy_repositories import GroupPolicyRepository +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService + + +class GroupPolicyService: + @staticmethod + def check_group_environment_permission(session, username, groups, uri, group, permission_name): + GroupPolicyRepository.check_group_environment_membership( + session=session, + username=username, + user_groups=groups, + group=group, + environment_uri=uri, + permission_name=permission_name, + ) + + ResourcePolicyService.check_user_resource_permission( + session=session, + username=username, + groups=[group], + resource_uri=uri, + permission_name=permission_name, + ) 
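Review bot: `check_group_environment_permission` evaluates the resource policy for `groups=[group]` — the group named in the request — rather than for the caller's own `groups`, so the authorization outcome depends entirely on the preceding `check_group_environment_membership` call establishing that the user belongs to `group` (presumably it raises otherwise; its body is not in this diff). That ordering dependency is invisible to a reader and should be stated above the second call, e.g. `# Policy is evaluated for the requested group, not the caller's groups: the membership check above must run first.` The function also returns `None` while `check_user_resource_permission` returns the matched policy; returning that value would keep the two gates consistent.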
diff --git a/backend/dataall/core/permissions/services/permission_service.py b/backend/dataall/core/permissions/services/permission_service.py new file mode 100644 index 000000000..c156e7d2d --- /dev/null +++ b/backend/dataall/core/permissions/services/permission_service.py 
@@ -0,0 +1,88 @@ +from dataall.core.permissions.api.enums import PermissionType +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository +from dataall.base.db import exceptions +from dataall.core.permissions.db.permission.permission_models import Permission +from dataall.core.permissions.constants.permissions import RESOURCES_ALL_WITH_DESC, TENANT_ALL_WITH_DESC + +import logging + +logger = logging.getLogger(__name__) + + +class PermissionService: + @staticmethod + def get_permission_by_name(session, permission_name: str, permission_type: str) -> Permission: + if not permission_name: + raise exceptions.RequiredParameter(param_name='permission_name') + permission = PermissionRepository.find_permission_by_name(session, permission_name, permission_type) + if not permission: + raise exceptions.ObjectNotFound('Permission', permission_name) + return permission + + @staticmethod + def get_permission_by_uri(session, permission_uri: str, permission_type: str) -> Permission: + if not permission_uri: + raise exceptions.RequiredParameter(param_name='permission_uri') + permission = PermissionRepository.find_permission_by_uri(session, permission_uri, permission_type) + if not permission: + raise exceptions.ObjectNotFound('Permission', permission_uri) + return permission + + @staticmethod + def save_permission(session, name: str, description: str, permission_type: str) -> Permission: + if not name: + raise exceptions.RequiredParameter('name') + if not type: + raise exceptions.RequiredParameter('permission_type') + permission = PermissionRepository.find_permission_by_name(session, name, permission_type) + if permission: + logger.info(f'Permission {permission.name} already exists') + else: + permission = Permission( + name=name, + description=description if description else f'Allows {name}', + type=permission_type, + ) + session.add(permission) + return permission + + @staticmethod + def init_permissions(session): + perms = [] + 
count_resource_permissions = PermissionRepository.count_resource_permissions(session) + + logger.debug( + f'count_resource_permissions: {count_resource_permissions}, RESOURCES_ALL: {len(RESOURCES_ALL_WITH_DESC)}' + ) + + if count_resource_permissions < len(RESOURCES_ALL_WITH_DESC): + for name, desc in RESOURCES_ALL_WITH_DESC.items(): + perms.append( + PermissionService.save_permission( + session, + name=name, + description=desc, + permission_type=PermissionType.RESOURCE.name, + ) + ) + logger.info(f'Saved permission {name} successfully') + logger.info(f'Saved {len(perms)} resource permissions successfully') + + count_tenant_permissions = PermissionRepository.count_tenant_permissions(session) + + logger.debug(f'count_tenant_permissions: {count_tenant_permissions}, TENANT_ALL: {len(TENANT_ALL_WITH_DESC)}') + + if count_tenant_permissions < len(TENANT_ALL_WITH_DESC): + for name, desc in TENANT_ALL_WITH_DESC.items(): + perms.append( + PermissionService.save_permission( + session, + name=name, + description=desc, + permission_type=PermissionType.TENANT.name, + ) + ) + logger.info(f'Saved permission {name} successfully') + logger.info(f'Saved {len(perms)} permissions successfully') + session.commit() + return perms diff --git a/backend/dataall/core/permissions/services/resource_policy_service.py b/backend/dataall/core/permissions/services/resource_policy_service.py new file mode 100644 index 000000000..89cbda261 --- /dev/null +++ b/backend/dataall/core/permissions/services/resource_policy_service.py 
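Review bot: In `save_permission` the guard `if not type:` tests the builtin `type`, which is always truthy, so a missing `permission_type` is never rejected and the lookup and creation below proceed with `type=None`; it should read `if not permission_type:`. The two `RequiredParameter('name')` / `RequiredParameter('permission_type')` calls here pass the name positionally while the rest of this file uses `param_name=...`; worth aligning. `init_permissions` commits once at the end, so a failure mid-loop leaves none of the permissions saved in that call committed — fine, but a short docstring saying so would help.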
@@ -0,0 +1,185 @@ +from dataall.core.permissions.api.enums import PermissionType +from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicyRepository +from dataall.base.db import exceptions +from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicy, ResourcePolicyPermission +from dataall.core.permissions.services.permission_service import PermissionService + + +class ResourcePolicyRequestValidationService: + @staticmethod + def validate_find_or_delete_resource_policy_params(group_uri, resource_uri): + if not group_uri: + raise exceptions.RequiredParameter(param_name='group') + if not resource_uri: + raise exceptions.RequiredParameter(param_name='resource_uri') + + @staticmethod + def validate_save_resource_policy_params(group, resource_uri, resource_type): + if not group: + raise exceptions.RequiredParameter(param_name='group') + if not resource_uri: + raise exceptions.RequiredParameter(param_name='resource_uri') + if not resource_type: + raise exceptions.RequiredParameter(param_name='resource_type') + + @staticmethod + def validate_add_permission_to_resource_policy_params(group, permissions, policy, resource_uri): + if not group: + raise exceptions.RequiredParameter(param_name='group') + if not permissions: + raise exceptions.RequiredParameter(param_name='permissions') + if not resource_uri: + raise exceptions.RequiredParameter(param_name='resource_uri') + if not policy: + raise exceptions.RequiredParameter(param_name='policy') + + @staticmethod + def validate_attach_resource_policy_params(group, permissions, resource_uri, resource_type): + if not group: + raise exceptions.RequiredParameter(param_name='group') + if not permissions: + raise exceptions.RequiredParameter(param_name='permissions') + if not resource_uri: + raise exceptions.RequiredParameter(param_name='resource_uri') + if not resource_type: + raise exceptions.RequiredParameter(param_name='resource_type') + + +class 
ResourcePolicyService: + @staticmethod + def check_user_resource_permission(session, username: str, groups: [str], resource_uri: str, permission_name: str): + resource_policy = None + if username and permission_name and resource_uri: + resource_policy = ResourcePolicyRepository.has_user_resource_permission( + session=session, + groups=groups, + permission_name=permission_name, + resource_uri=resource_uri, + ) + + if not resource_policy: + raise exceptions.ResourceUnauthorized( + username=username, + action=permission_name, + resource_uri=resource_uri, + ) + else: + return resource_policy + + @staticmethod + def delete_resource_policy( + session, + group: str, + resource_uri: str, + resource_type: str = None, + ) -> bool: + ResourcePolicyRequestValidationService.validate_find_or_delete_resource_policy_params(group, resource_uri) + policy = ResourcePolicyRepository.find_resource_policy(session, group_uri=group, resource_uri=resource_uri) + if policy: + for permission in policy.permissions: + session.delete(permission) + session.delete(policy) + session.commit() + + return True + + @staticmethod + def update_resource_policy( + session, resource_uri: str, resource_type: str, old_group: str, new_group: str, new_permissions: [str] + ) -> ResourcePolicy: + ResourcePolicyService.delete_resource_policy( + session=session, + group=old_group, + resource_uri=resource_uri, + resource_type=resource_type, + ) + return ResourcePolicyService.attach_resource_policy( + session=session, + group=new_group, + resource_uri=resource_uri, + permissions=new_permissions, + resource_type=resource_type, + ) + + @staticmethod + def attach_resource_policy( + session, + group: str, + permissions: [str], + resource_uri: str, + resource_type: str, + ) -> ResourcePolicy: + ResourcePolicyRequestValidationService.validate_attach_resource_policy_params( + group, permissions, resource_uri, resource_type + ) + + policy = ResourcePolicyService.save_resource_policy(session, group, resource_uri, 
resource_type) + + ResourcePolicyService.add_permission_to_resource_policy(session, group, permissions, resource_uri, policy) + + return policy + + @staticmethod + def save_resource_policy(session, group, resource_uri, resource_type): + ResourcePolicyRequestValidationService.validate_save_resource_policy_params(group, resource_uri, resource_type) + policy = ResourcePolicyRepository.find_resource_policy(session, group, resource_uri) + if not policy: + policy = ResourcePolicy( + principalId=group, + principalType='GROUP', + resourceUri=resource_uri, + resourceType=resource_type, + ) + session.add(policy) + session.commit() + return policy + + @staticmethod + def add_permission_to_resource_policy(session, group, permissions, resource_uri, policy): + ResourcePolicyRequestValidationService.validate_add_permission_to_resource_policy_params( + group, permissions, policy, resource_uri + ) + + for permission in permissions: + has_permissions = None + if group and permission and resource_uri: + has_permissions = ResourcePolicyRepository.has_group_resource_permission( + session, + group_uri=group, + permission_name=permission, + resource_uri=resource_uri, + ) + + if not has_permissions: + ResourcePolicyService.associate_permission_to_resource_policy(session, policy, permission) + + @staticmethod + def associate_permission_to_resource_policy(session, policy, permission): + if not policy: + raise exceptions.RequiredParameter(param_name='policy') + if not permission: + raise exceptions.RequiredParameter(param_name='permission') + policy_permission = ResourcePolicyPermission( + sid=policy.sid, + permissionUri=PermissionService.get_permission_by_name( + session, permission, permission_type=PermissionType.RESOURCE.name + ).permissionUri, + ) + session.add(policy_permission) + session.commit() + + @staticmethod + def get_resource_policy_permissions(session, group_uri, resource_uri): + if not group_uri: + raise exceptions.RequiredParameter(param_name='group_uri') + if not 
resource_uri: + raise exceptions.RequiredParameter(param_name='resource_uri') + policy = ResourcePolicyRepository.find_resource_policy( + session=session, + group_uri=group_uri, + resource_uri=resource_uri, + ) + permissions = [] + for p in policy.permissions: + permissions.append(p.permission) + return permissions diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py index 84af88048..4082b3860 100644 --- a/backend/dataall/core/permissions/services/tenant_policy_service.py +++ b/backend/dataall/core/permissions/services/tenant_policy_service.py 
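Review bot: `get_resource_policy_permissions` dereferences `policy.permissions` without checking the result of `ResourcePolicyRepository.find_resource_policy`, which is a `.first()` and can be `None`; a group without a policy on that resource then fails with `AttributeError` instead of an empty list or a not-found error. Replace the trailing loop with `return [p.permission for p in policy.permissions] if policy else []` (or raise `exceptions.ObjectNotFound`, whichever callers expect). The parameter checks at the top of that method also duplicate `validate_find_or_delete_resource_policy_params`, but with a different error name (`group_uri` vs `group`). In `check_user_resource_permission`, the handling of an empty `username`/`permission_name`/`resource_uri` deserves a comment such as `# Fail closed: a missing username, permission or resource is treated as unauthorized.`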
@@ -1,30 +1,29 @@ -from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy -from dataall.core.permissions.constants import permissions -from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository +from dataall.core.permissions.constants.permissions import TENANT_ALL +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.core.permissions.api.enums import PermissionType from dataall.base.db import exceptions -from dataall.core.permissions.db.tenant.tenant_models import TenantPolicy as TenantPolicyModel, TenantPolicyPermission -from dataall.core.permissions.db.tenant.tenant_repositories import Tenant as TenantService +from dataall.core.permissions.db.tenant.tenant_models import TenantPolicy, TenantPolicyPermission +from dataall.base.context import get_context +from dataall.core.permissions.db.tenant.tenant_repositories import TenantRepository +from dataall.core.permissions.services.permission_service import PermissionService +from dataall.core.permissions.db.tenant.tenant_models import Tenant +import logging +log = logging.getLogger('Permissions') -class TenantPolicyValidationService: + +class RequestValidationService: @staticmethod - def is_tenant_admin(groups: [str]): + def validate_groups_param(groups): if not groups: - return False - - if 'DAAdministrators' in groups: - return True - - return False + raise exceptions.RequiredParameter('groups') @staticmethod - def validate_admin_access(username, groups, action): - if not TenantPolicyValidationService.is_tenant_admin(groups): - raise exceptions.UnauthorizedOperation( - action=action, - message=f'User: {username} is not allowed to manage tenant permissions', - ) + def validate_group_uri_param(groups, uri): + RequestValidationService.validate_groups_param(groups) + if not uri: + raise 
exceptions.RequiredParameter('groupUri') @staticmethod def validate_find_tenant_policy(group_uri, tenant_name): @@ -53,10 +52,6 @@ def validate_save_tenant_policy(group, tenant_name): def validate_add_permission_to_tenant_policy_params(group, permissions, policy, tenant_name): if not group: raise exceptions.RequiredParameter(param_name='group') - TenantPolicyValidationService.validate_add_permissions_params(permissions, policy, tenant_name) - - @staticmethod - def validate_add_permissions_params(permissions, policy, tenant_name): if not permissions: raise exceptions.RequiredParameter(param_name='permissions') if not tenant_name: @@ -64,11 +59,38 @@ def validate_add_permissions_params(permissions, policy, tenant_name): if not policy: raise exceptions.RequiredParameter(param_name='policy') + @staticmethod + def validate_params(data): + if not data: + raise exceptions.RequiredParameter('data') + if not data.get('permissions'): + raise exceptions.RequiredParameter('permissions') + + +class TenantPolicyValidationService: + @staticmethod + def is_tenant_admin(groups: [str]): + if not groups: + return False + + if TenantPolicyRepository.ADMIN_GROUP in groups: + return True + + return False + + @staticmethod + def validate_admin_access(username, groups, action): + if not TenantPolicyValidationService.is_tenant_admin(groups): + raise exceptions.UnauthorizedOperation( + action=action, + message=f'User: {username} is not allowed to manage tenant permissions', + ) + @staticmethod def validate_permissions(session, tenant_name, g_permissions, group): g_permissions = list(set(g_permissions)) - if g_permissions not in permissions.TENANT_ALL: + if g_permissions not in TENANT_ALL: exceptions.TenantPermissionUnauthorized( action='UPDATE_TENANT_TEAM_PERMISSIONS', group_name=group, 
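Review bot: The new module-level `log = logging.getLogger('Permissions')` diverges from the `logger = logging.getLogger(__name__)` pattern used by the other modules in this patch (permission_service.py, the repositories), so these log records will not carry this module's name and the variable name differs too; prefer `logger = logging.getLogger(__name__)`. `RequestValidationService` is also a very generic name for a class that only validates tenant-policy requests and sits next to `ResourcePolicyRequestValidationService` in the sibling module; `TenantPolicyRequestValidationService` would match.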
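Review bot: `validate_permissions` still cannot reject an unknown permission: the changed condition `g_permissions not in TENANT_ALL` tests whether the whole list is an element of `TENANT_ALL` (always true if `TENANT_ALL` holds permission names, as `for p in TENANT_ALL` in `list_tenant_permissions` suggests), and the following `exceptions.TenantPermissionUnauthorized(...)` is constructed but never raised. The changed line should become `if any(p not in TENANT_ALL for p in g_permissions):` and the construction on the next (context) line should be prefixed with `raise`. `PermissionService.get_permission_by_name` later raises `ObjectNotFound` for unknown names, which limits the impact, but the authorization-level check is what the exception type promises. The method continues past the hunk.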
@@ -78,7 +100,7 @@ def validate_permissions(session, tenant_name, g_permissions, group): tenant_group_permissions = [] for p in g_permissions: tenant_group_permissions.append( - Permission.find_permission_by_name( + PermissionRepository.find_permission_by_name( session=session, permission_name=p, permission_type=PermissionType.TENANT.name, 
@@ -86,67 +108,83 @@ def validate_permissions(session, tenant_name, g_permissions, group): ) return tenant_group_permissions - @staticmethod - def validate_params(data): - if not data: - raise exceptions.RequiredParameter('data') - if not data.get('permissions'): - raise exceptions.RequiredParameter('permissions') - class TenantPolicyService: + TENANT_NAME = 'dataall' + @staticmethod - def update_group_permissions(session, username, groups, uri, data=None, check_perm=None): - TenantPolicyValidationService.validate_params(data) + def update_group_permissions(data, check_perm=None): + context = get_context() + username = context.username + groups = context.groups + + uri = data.get('groupUri') + + RequestValidationService.validate_params(data) new_permissions = data['permissions'] # raises UnauthorizedOperation exception, if there is no admin access TenantPolicyValidationService.validate_admin_access(username, groups, 'UPDATE_TENANT_TEAM_PERMISSIONS') - TenantPolicyValidationService.validate_permissions(session, TenantPolicy.TENANT_NAME, new_permissions, uri) + with context.db_engine.scoped_session() as session: + TenantPolicyValidationService.validate_permissions( + session, TenantPolicyService.TENANT_NAME, new_permissions, uri + ) - TenantPolicyService.delete_tenant_policy(session=session, group=uri, tenant_name=TenantPolicy.TENANT_NAME) - TenantPolicyService.attach_group_tenant_policy( - session=session, - group=uri, - permissions=new_permissions, - tenant_name=TenantPolicy.TENANT_NAME, - ) + TenantPolicyService.delete_tenant_policy( + session=session, group=uri, tenant_name=TenantPolicyService.TENANT_NAME + ) + TenantPolicyService.attach_group_tenant_policy( + session=session, + group=uri, + permissions=new_permissions, + tenant_name=TenantPolicyService.TENANT_NAME, + ) - return True + return True @staticmethod - def list_tenant_permissions(session, username, groups): + def list_tenant_permissions(): + context = get_context() + username = context.username + 
groups = context.groups + TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAM_PERMISSIONS') group_invitation_permissions = [] - for p in permissions.TENANT_ALL: - group_invitation_permissions.append( - Permission.find_permission_by_name( - session=session, - permission_name=p, - permission_type=PermissionType.TENANT.name, + with context.db_engine.scoped_session() as session: + for p in TENANT_ALL: + group_invitation_permissions.append( + PermissionRepository.find_permission_by_name( + session=session, + permission_name=p, + permission_type=PermissionType.TENANT.name, + ) ) - ) - return group_invitation_permissions + return group_invitation_permissions @staticmethod - def list_tenant_groups(session, username, groups, data=None): - if not groups: - raise exceptions.RequiredParameter('groups') + def list_tenant_groups(data): + context = get_context() + username = context.username + groups = context.groups - TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAMS') + RequestValidationService.validate_groups_param(groups) - return TenantPolicy.list_tenant_groups(session, data) + TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAMS') + with context.db_engine.scoped_session() as session: + return TenantPolicyRepository.list_tenant_groups(session, data) @staticmethod def check_user_tenant_permission(session, username: str, groups: [str], tenant_name: str, permission_name: str): if TenantPolicyValidationService.is_tenant_admin(groups): return True - tenant_policy = TenantPolicy.has_user_tenant_permission( + if not username or not permission_name: + return False + + tenant_policy = TenantPolicyRepository.has_user_tenant_permission( session=session, - username=username, groups=groups, permission_name=permission_name, tenant_name=tenant_name, 
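Review bot: `update_group_permissions` reads `uri = data.get('groupUri')` before `RequestValidationService.validate_params(data)` runs, so a `None` payload now fails with `AttributeError` instead of the intended `RequiredParameter('data')`; move the `validate_params` call above the `data.get` line. `uri` is then never validated, even though `validate_group_uri_param(groups, uri)` was added to this file for that purpose — calling `RequestValidationService.validate_group_uri_param(groups, uri)` here would reject a missing `groupUri` before the admin check and the DB work. The `check_perm` parameter remains unused.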
@@ -168,8 +206,8 @@ def attach_group_tenant_policy(
 group: str,
 permissions: [str],
 tenant_name: str,
- ) -> TenantPolicyModel:
- TenantPolicyValidationService.validate_attach_tenant_policy(group, permissions, tenant_name)
+ ) -> TenantPolicy:
+ RequestValidationService.validate_attach_tenant_policy(group, permissions, tenant_name)
 policy = TenantPolicyService.save_group_tenant_policy(session, group, tenant_name)
@@ -179,19 +217,19 @@ def attach_group_tenant_policy(
 @staticmethod
 def find_tenant_policy(session, group_uri: str, tenant_name: str):
- TenantPolicyValidationService.validate_find_tenant_policy(group_uri, tenant_name)
- return TenantPolicy.find_tenant_policy(session, group_uri, tenant_name)
+ RequestValidationService.validate_find_tenant_policy(group_uri, tenant_name)
+ return TenantPolicyRepository.find_tenant_policy(session, group_uri, tenant_name)
 @staticmethod
 def save_group_tenant_policy(session, group, tenant_name):
- TenantPolicyValidationService.validate_save_tenant_policy(group, tenant_name)
+ RequestValidationService.validate_save_tenant_policy(group, tenant_name)
- policy = TenantPolicy.find_tenant_policy(session, group, tenant_name)
+ policy = TenantPolicyRepository.find_tenant_policy(session, group, tenant_name)
 if not policy:
- policy = TenantPolicyModel(
+ policy = TenantPolicy(
 principalId=group,
 principalType='GROUP',
- tenant=TenantService.get_tenant_by_name(session, tenant_name),
+ tenant=TenantPolicyService.get_tenant_by_name(session, tenant_name),
 )
 session.add(policy)
 session.commit()
@@ -199,12 +237,12 @@ def save_group_tenant_policy(session, group, tenant_name):
 @staticmethod
 def add_permission_to_group_tenant_policy(session, group, permissions, tenant_name, policy):
- TenantPolicyValidationService.validate_add_permission_to_tenant_policy_params(
+ RequestValidationService.validate_add_permission_to_tenant_policy_params(
 group, permissions, policy, tenant_name
 )
 for permission in permissions:
- if not TenantPolicy.has_group_tenant_permission(
+ if not TenantPolicyRepository.has_group_tenant_permission(
 session,
 group_uri=group,
 permission_name=permission,
@@ -216,7 +254,7 @@ def add_permission_to_group_tenant_policy(session, group, permissions, tenant_na
 def associate_permission_to_tenant_policy(session, policy, permission):
 policy_permission = TenantPolicyPermission(
 sid=policy.sid,
- permissionUri=Permission.get_permission_by_name(
+ permissionUri=PermissionService.get_permission_by_name(
 session, permission, PermissionType.TENANT.name
 ).permissionUri,
 )
@@ -225,27 +263,20 @@ def associate_permission_to_tenant_policy(session, policy, permission):
 @staticmethod
 def list_group_tenant_permissions(session, username, groups, uri, data=None, check_perm=None):
- if not groups:
- raise exceptions.RequiredParameter('groups')
- if not uri:
- raise exceptions.RequiredParameter('groupUri')
-
+ RequestValidationService.validate_group_uri_param(groups, uri)
 TenantPolicyValidationService.validate_admin_access(username, groups, 'LIST_TENANT_TEAM_PERMISSIONS')
 return TenantPolicyService.get_tenant_policy_permissions(
 session=session,
 group_uri=uri,
- tenant_name='dataall',
+ tenant_name=TenantPolicyService.TENANT_NAME,
 )
 @staticmethod
 def get_tenant_policy_permissions(session, group_uri, tenant_name):
- if not group_uri:
- raise exceptions.RequiredParameter(param_name='group_uri')
- if not tenant_name:
- raise exceptions.RequiredParameter(param_name='tenant_name')
+ RequestValidationService.validate_find_tenant_policy(group_uri, tenant_name)
- policy = TenantPolicy.find_tenant_policy(
+ policy = TenantPolicyRepository.find_tenant_policy(
 session=session,
 group_uri=group_uri,
 tenant_name=tenant_name,
@@ -261,7 +292,7 @@ def delete_tenant_policy(
 group: str,
 tenant_name: str,
 ) -> bool:
- policy = TenantPolicy.find_tenant_policy(session, group_uri=group, tenant_name=tenant_name)
+ policy = TenantPolicyRepository.find_tenant_policy(session, group_uri=group, tenant_name=tenant_name)
 if policy:
 for permission in policy.permissions:
 session.delete(permission)
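Review bot: `list_group_tenant_permissions` keeps the old `(session, username, groups, uri, data=None, check_perm=None)` signature while its siblings `update_group_permissions`, `list_tenant_permissions` and `list_tenant_groups` were moved in this same commit to read `get_context()` and open their own scoped session, so the class now mixes two calling conventions for the same kind of admin-only operation; either migrate this method too or add a short comment explaining why it still takes an explicit session. In `get_tenant_policy_permissions` the explicit RequiredParameter checks named `group_uri` and `tenant_name` are replaced by `RequestValidationService.validate_find_tenant_policy(group_uri, tenant_name)`; the parameter names in the resulting error presumably come from that validator now, which is worth confirming if any client matches on them. The `get_tenant_policy_permissions` body continues past the end of the hunk.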
@@ -269,3 +300,28 @@ def delete_tenant_policy(
 session.commit()
 return True
+
+ @staticmethod
+ def get_tenant_by_name(session, tenant_name: str) -> Tenant:
+ tenant = TenantRepository.find_tenant_by_name(session, tenant_name)
+ if not tenant:
+ raise Exception('TenantNotFound')
+ return tenant
+
+ @staticmethod
+ def save_tenant(session, name: str, description: str) -> Tenant:
+ tenant = TenantRepository.find_tenant_by_name(session, name)
+ if tenant:
+ return tenant
+ else:
+ tenant = Tenant(name=name, description=description if description else f'Tenant {name}')
+ session.add(tenant)
+ session.commit()
+ return tenant
+
+ @staticmethod
+ def save_permissions_with_tenant(engine, envname=None):
+ with engine.scoped_session() as session:
+ log.info('Initiating permissions')
+ TenantPolicyService.save_tenant(session, name=TenantPolicyService.TENANT_NAME, description='Tenant dataall')
+ PermissionService.init_permissions(session)
diff --git a/backend/dataall/core/stacks/db/keyvaluetag_repositories.py b/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
index 642359fa3..ecf518472 100644
--- a/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
+++ b/backend/dataall/core/stacks/db/keyvaluetag_repositories.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.context import get_context
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db import stack_models as models
 from dataall.core.stacks.db.target_type_repositories import TargetType
 from dataall.base.db import exceptions
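Review bot: `get_tenant_by_name` raises a bare `Exception('TenantNotFound')`, which callers cannot catch selectively and which presumably does not get the same error mapping as the typed classes from `dataall.base.db.exceptions` that the rest of this diff relies on (`RequiredParameter`, `UnauthorizedOperation`, `TenantUnauthorized`); raise one of the project's typed not-found exceptions instead, or at least define a dedicated subclass. `save_permissions_with_tenant(engine, envname=None)` never reads `envname` — drop it or add a comment saying it is kept for caller compatibility. In `save_tenant` the `else:` after `return tenant` is redundant; a guard clause `if tenant: return tenant` followed by the unindented create path is the usual shape. None of the three new methods has a docstring; a one-liner each ("Return the Tenant row for *tenant_name*, raising if absent", "Return the existing tenant or create it", "Ensure the default tenant and all permission rows exist") would do.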
@@ -20,7 +20,7 @@ def update_key_value_tags(session, uri: str, data: dict = None) -> [models.KeyVa
 raise exceptions.RequiredParameter('targetType')
 context = get_context()
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
@@ -52,7 +52,7 @@ def update_key_value_tags(session, uri: str, data: dict = None) -> [models.KeyVa
 @staticmethod
 def list_key_value_tags(session, uri, target_type) -> dict:
 context = get_context()
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
diff --git a/backend/dataall/core/stacks/db/stack_repositories.py b/backend/dataall/core/stacks/db/stack_repositories.py
index f4258801b..cf56ee62e 100644
--- a/backend/dataall/core/stacks/db/stack_repositories.py
+++ b/backend/dataall/core/stacks/db/stack_repositories.py
@@ -2,7 +2,7 @@
 from dataall.base.context import get_context
 from dataall.core.environment.db.environment_models import Environment
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db import stack_models as models
 from dataall.core.stacks.db.target_type_repositories import TargetType
 from dataall.base.db import exceptions
@@ -70,7 +70,7 @@ def update_stack(session, uri: str, target_type: str) -> [models.Stack]:
 raise exceptions.RequiredParameter('targetType')
 context = get_context()
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py
index c07e2803d..9ac2b765c 100644
--- a/backend/dataall/core/vpc/services/vpc_service.py
+++ b/backend/dataall/core/vpc/services/vpc_service.py
@@ -2,10 +2,10 @@
 from dataall.base.db import exceptions
 from dataall.core.permissions.constants import permissions
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.activity.db.activity_models import Activity
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.vpc.db.vpc_repositories import VpcRepository
 from dataall.core.vpc.db.vpc_models import Vpc
@@ -56,7 +56,7 @@ def create_network(uri: str, admin_group: str, data: dict):
 )
 session.add(activity)
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=vpc.SamlGroupName,
 permissions=permissions.NETWORK_ALL,
@@ -65,7 +65,7 @@ def create_network(uri: str, admin_group: str, data: dict):
 )
 if environment.SamlGroupName != vpc.SamlGroupName:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=environment.SamlGroupName,
 permissions=permissions.NETWORK_ALL,
@@ -81,7 +81,7 @@ def create_network(uri: str, admin_group: str, data: dict):
 def delete_network(uri):
 with _session() as session:
 vpc = VpcRepository.get_vpc_by_uri(session=session, vpc_uri=uri)
- ResourcePolicy.delete_resource_policy(session=session, resource_uri=uri, group=vpc.SamlGroupName)
+ ResourcePolicyService.delete_resource_policy(session=session, resource_uri=uri, group=vpc.SamlGroupName)
 return VpcRepository.delete_network(session=session, uri=uri)
 @staticmethod
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index 17999eccb..1968e7f9d 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -4,7 +4,7 @@
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicy
+from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
 from dataall.core.permissions.constants.permissions import TENANT_ALL
@@ -127,7 +127,7 @@ def get_quicksight_reader_session(cls, dashboard_uri):
 @staticmethod
 def _check_user_must_be_admin():
 context = get_context()
- admin = TenantPolicy.is_tenant_admin(context.groups)
+ admin = TenantPolicyRepository.is_tenant_admin(context.groups)
 if not admin:
 raise TenantUnauthorized(
diff --git a/backend/dataall/modules/dashboards/services/dashboard_service.py b/backend/dataall/modules/dashboards/services/dashboard_service.py
index f898bb01c..5af70316c 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_service.py
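Review bot: `_check_user_must_be_admin` now takes its tenant-admin decision from `TenantPolicyRepository.is_tenant_admin(context.groups)`, while the tenant policy service hunk in this same commit makes the identical decision through `TenantPolicyValidationService.is_tenant_admin(groups)` (see `check_user_tenant_permission`). Two entry points for one authorization predicate can drift apart, and this one gates QuickSight sessions, so route it through the validation layer as well: `admin = TenantPolicyValidationService.is_tenant_admin(context.groups)`. I cannot see from this diff whether the repository and validation-service implementations are the same function, so confirm that before switching. The function body continues past the end of the hunk.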
@@ -2,8 +2,8 @@
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.modules.vote.db.vote_repositories import VoteRepository
 from dataall.base.db.exceptions import UnauthorizedOperation
@@ -99,7 +99,9 @@ def delete_dashboard(uri) -> bool:
 dashboard = DashboardRepository.get_dashboard_by_uri(session, uri)
 DashboardRepository.delete_dashboard(session, dashboard)
- ResourcePolicy.delete_resource_policy(session=session, resource_uri=uri, group=dashboard.SamlGroupName)
+ ResourcePolicyService.delete_resource_policy(
+ session=session, resource_uri=uri, group=dashboard.SamlGroupName
+ )
 GlossaryRepository.delete_glossary_terms_links(
 session, target_uri=dashboard.dashboardUri, target_type='Dashboard'
 )
@@ -116,7 +118,7 @@ def _set_dashboard_resource_policy(session, environment, dashboard, group):
 @staticmethod
 def _attach_dashboard_policy(session, group: str, dashboard: Dashboard):
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=group,
 permissions=DASHBOARD_ALL,
diff --git a/backend/dataall/modules/dashboards/services/dashboard_share_service.py b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
index d813f8808..61516afb1 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_share_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
@@ -1,7 +1,7 @@
 from dataall.base.context import get_context
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.base.db.exceptions import InvalidInput, UnauthorizedOperation
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dashboards import DashboardRepository
 from dataall.modules.dashboards.db.dashboard_models import DashboardShareStatus, Dashboard
 from dataall.modules.dashboards.services.dashboard_permissions import (
@@ -60,7 +60,7 @@ def reject_dashboard_share(uri: str):
 share = DashboardRepository.get_dashboard_share_by_uri(session, uri)
 DashboardShareService._change_share_status(share, DashboardShareStatus.REJECTED)
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=share.SamlGroupName,
 resource_uri=share.dashboardUri,
@@ -118,7 +118,7 @@ def _check_share_status(share):
 @staticmethod
 def _create_share_policy(session, principal_id, dashboard_uri):
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=principal_id,
 permissions=[GET_DASHBOARD],
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_service.py b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
index c418feefb..ed7936db0 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_service.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
@@ -5,8 +5,8 @@
 from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.stack_repositories import Stack
@@ -61,7 +61,7 @@ def create_pipeline(
 data=data,
 )
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=admin_group,
 permissions=PIPELINE_ALL,
@@ -70,7 +70,7 @@ def create_pipeline(
 )
 if environment.SamlGroupName != pipeline.SamlGroupName:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=environment.SamlGroupName,
 permissions=PIPELINE_ALL,
@@ -230,7 +230,7 @@ def delete_pipeline(uri: str, deleteFromAWS: bool):
 session.delete(pipeline)
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 resource_uri=pipeline.DataPipelineUri,
 group=pipeline.SamlGroupName,
diff --git a/backend/dataall/modules/dataset_sharing/services/share_item_service.py b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
index c6764a533..ab58f81e9 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_item_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
@@ -1,9 +1,9 @@
 import logging
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
@@ -107,7 +107,7 @@ def revoke_items_share_object(uri, revoked_uris):
 session, uri, ShareableType.Table.value, [ShareItemStatus.Revoke_Approved.value]
 )
 for item in revoke_table_items:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=share.groupUri,
 resource_uri=item.itemUri,
@@ -195,7 +195,7 @@ def remove_shared_item(uri: str):
 and share_item.status == ShareItemStatus.Share_Failed.value
 ):
 share = ShareObjectRepository.get_share_by_uri(session, share_item.shareUri)
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=share.groupUri,
 resource_uri=share_item.itemUri,
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index dd24fcd2b..3423da893 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -1,10 +1,11 @@
 from warnings import warn
+
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.permissions.constants.permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
@@ -193,7 +194,7 @@ def create_share_object(
 # Attaching REQUESTER permissions to:
 # requester group (groupUri)
 # environment.SamlGroupName (if not dataset admins)
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=group_uri,
 permissions=SHARE_OBJECT_REQUESTER,
@@ -203,7 +204,7 @@ def create_share_object(
 # Attaching APPROVER permissions to:
 # dataset.stewards (includes the dataset Admins)
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=dataset.SamlAdminGroupName,
 permissions=SHARE_OBJECT_APPROVER,
@@ -211,7 +212,7 @@ def create_share_object(
 resource_type=ShareObject.__name__,
 )
 if dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=dataset.stewards,
 permissions=SHARE_OBJECT_APPROVER,
@@ -253,7 +254,7 @@ def submit_share_object(cls, uri: str):
 # if parent dataset has auto-approve flag, we trigger the next transition to approved state
 if dataset.autoApprovalEnabled:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=share.groupUri,
 permissions=SHARE_OBJECT_APPROVER,
@@ -278,7 +279,7 @@ def approve_share_object(cls, uri: str):
 session, uri, ShareableType.Table.value, [ShareItemStatus.Share_Approved.value]
 )
 for table in share_table_items:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=share.groupUri,
 permissions=DATASET_TABLE_READ,
@@ -357,20 +358,20 @@ def delete_share_object(cls, uri: str):
 if new_state == ShareObjectStatus.Deleted.value:
 # Delete share resource policy permissions
 # Deleting REQUESTER permissions
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=share.groupUri,
 resource_uri=share.shareUri,
 )
 # Deleting APPROVER permissions
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.SamlAdminGroupName,
 resource_uri=share.shareUri,
 )
 if dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=share.shareUri,
diff --git a/backend/dataall/modules/datasets/services/dataset_column_service.py b/backend/dataall/modules/datasets/services/dataset_column_service.py
index 8bc4d993b..00440d294 100644
--- a/backend/dataall/modules/datasets/services/dataset_column_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_column_service.py
@@ -1,9 +1,9 @@
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.modules.datasets.aws.glue_table_client import GlueTableClient
 from dataall.modules.datasets.db.dataset_column_repositories import DatasetColumnRepository
 from dataall.modules.datasets.db.dataset_table_repositories import DatasetTableRepository
@@ -35,7 +35,7 @@ def paginate_active_columns_for_table(uri: str, filter=None):
 ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
 != ConfidentialityClassification.Unclassified.value
 ):
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
diff --git a/backend/dataall/modules/datasets/services/dataset_profiling_service.py b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
index 1fb29a0a3..994518936 100644
--- a/backend/dataall/modules/datasets/services/dataset_profiling_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
@@ -1,6 +1,6 @@
 import json
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.environment.db.environment_models import Environment
@@ -108,7 +108,7 @@ def _check_preview_permissions_if_needed(session, table_uri):
 ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
 != ConfidentialityClassification.Unclassified.value
 ):
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
diff --git a/backend/dataall/modules/datasets/services/dataset_service.py b/backend/dataall/modules/datasets/services/dataset_service.py
index b8101b107..130acae7f 100644
--- a/backend/dataall/modules/datasets/services/dataset_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_service.py
@@ -4,13 +4,13 @@
 from dataall.base.aws.quicksight import QuicksightClient
 from dataall.base.db import exceptions
 from dataall.base.utils.naming_convention import NamingConventionPattern
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.modules.dataset_sharing.aws.kms_client import KmsClient
 from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
@@ -128,7 +128,7 @@ def create_dataset(uri, admin_group, data: dict):
 DatasetBucketRepository.create_dataset_bucket(session, dataset, data)
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=dataset.SamlAdminGroupName,
 permissions=DATASET_ALL,
@@ -136,7 +136,7 @@ def create_dataset(uri, admin_group, data: dict):
 resource_type=Dataset.__name__,
 )
 if dataset.stewards and dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=dataset.stewards,
 permissions=DATASET_READ,
@@ -145,7 +145,7 @@ def create_dataset(uri, admin_group, data: dict):
 )
 if environment.SamlGroupName != dataset.SamlAdminGroupName:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=environment.SamlGroupName,
 permissions=DATASET_ALL,
@@ -246,7 +246,7 @@ def update_dataset(uri: str, data: dict):
 DatasetService._transfer_stewardship_to_owners(session, dataset)
 dataset.stewards = dataset.SamlAdminGroupName
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=dataset.SamlAdminGroupName,
 permissions=DATASET_ALL,
@@ -407,12 +407,14 @@ def delete_dataset(uri: str, delete_from_aws: bool = False):
 KeyValueTag.delete_key_value_tags(session, dataset.datasetUri, 'dataset')
 VoteRepository.delete_votes(session, dataset.datasetUri, 'dataset')
- ResourcePolicy.delete_resource_policy(session=session, resource_uri=uri, group=dataset.SamlAdminGroupName)
+ ResourcePolicyService.delete_resource_policy(
+ session=session, resource_uri=uri, group=dataset.SamlAdminGroupName
+ )
 env = EnvironmentService.get_environment_by_uri(session, dataset.environmentUri)
 if dataset.SamlAdminGroupName != env.SamlGroupName:
- ResourcePolicy.delete_resource_policy(session=session, resource_uri=uri, group=env.SamlGroupName)
+ ResourcePolicyService.delete_resource_policy(session=session, resource_uri=uri, group=env.SamlGroupName)
 if dataset.stewards:
- ResourcePolicy.delete_resource_policy(session=session, resource_uri=uri, group=dataset.stewards)
+ ResourcePolicyService.delete_resource_policy(session=session, resource_uri=uri, group=dataset.stewards)
 DatasetRepository.delete_dataset_lock(session=session, dataset=dataset)
 DatasetRepository.delete_dataset(session, dataset)
@@ -475,7 +477,7 @@ def list_datasets_owned_by_env_group(env_uri: str, group_uri: str, data: dict):
 def _transfer_stewardship_to_owners(session, dataset):
 env = EnvironmentService.get_environment_by_uri(session, dataset.environmentUri)
 if dataset.stewards != env.SamlGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=dataset.datasetUri,
@@ -485,7 +487,7 @@ def _transfer_stewardship_to_owners(session, dataset):
 dataset_tables = [t.tableUri for t in DatasetRepository.get_dataset_tables(session, dataset.datasetUri)]
 for tableUri in dataset_tables:
 if dataset.stewards != env.SamlGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=tableUri,
@@ -495,7 +497,7 @@ def _transfer_stewardship_to_owners(session, dataset):
 dataset_shares = ShareObjectRepository.find_dataset_shares(session, dataset.datasetUri)
 if dataset_shares:
 for share in dataset_shares:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=share.shareUri,
@@ -506,12 +508,12 @@ def _transfer_stewardship_to_new_stewards(session, dataset, new_stewards):
 def _transfer_stewardship_to_new_stewards(session, dataset, new_stewards):
 env = EnvironmentService.get_environment_by_uri(session, dataset.environmentUri)
 if dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=dataset.datasetUri,
 )
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=new_stewards,
 permissions=DATASET_READ,
@@ -522,12 +524,12 @@ def _transfer_stewardship_to_new_stewards(session, dataset, new_stewards):
 dataset_tables = [t.tableUri for t in DatasetRepository.get_dataset_tables(session, dataset.datasetUri)]
 for tableUri in dataset_tables:
 if dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=tableUri,
 )
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=new_stewards,
 permissions=DATASET_TABLE_READ,
@@ -538,7 +540,7 @@ def _transfer_stewardship_to_new_stewards(session, dataset, new_stewards):
 dataset_shares = ShareObjectRepository.find_dataset_shares(session, dataset.datasetUri)
 if dataset_shares:
 for share in dataset_shares:
- ResourcePolicy.attach_resource_policy(
+ ResourcePolicyService.attach_resource_policy(
 session=session,
 group=new_stewards,
 permissions=SHARE_OBJECT_APPROVER,
@@ -546,7 +548,7 @@ def _transfer_stewardship_to_new_stewards(session, dataset, new_stewards):
 resource_type=ShareObject.__name__,
 )
 if dataset.stewards != dataset.SamlAdminGroupName:
- ResourcePolicy.delete_resource_policy(
+ ResourcePolicyService.delete_resource_policy(
 session=session,
 group=dataset.stewards,
 resource_uri=share.shareUri,
diff --git a/backend/dataall/modules/datasets/services/dataset_table_service.py b/backend/dataall/modules/datasets/services/dataset_table_service.py
index 645c5f2a6..0daeff854 100644
--- a/backend/dataall/modules/datasets/services/dataset_table_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_table_service.py
@@ -1,9 +1,9 @@
 import logging
 from dataall.base.context import get_context
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy
 from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.base.db.exceptions import ResourceShared
 from dataall.modules.dataset_sharing.db.share_object_repositories import ShareObjectRepository
@@ -93,7 +93,7 @@ def preview(table_uri: str):
 ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
 != ConfidentialityClassification.Unclassified.value
 ):
- ResourcePolicy.check_user_resource_permission(
+ ResourcePolicyService.check_user_resource_permission(
 session=session,
 username=context.username,
 groups=context.groups,
@@ -172,7 +172,7 @@ def _attach_dataset_table_permission(session, dataset: Dataset, table_uri): dataset.stewards if dataset.stewards is not None else dataset.SamlAdminGroupName, } for group in permission_group: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group, permissions=DATASET_TABLE_READ, diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_service.py b/backend/dataall/modules/mlstudio/services/mlstudio_service.py index 98d547610..a443a0dbd 100644 --- a/backend/dataall/modules/mlstudio/services/mlstudio_service.py +++ b/backend/dataall/modules/mlstudio/services/mlstudio_service.py @@ -11,8 +11,8 @@ from dataall.base.context import get_context from dataall.core.environment.env_permission_checker import has_group_permission from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.stacks.api import stack_helper from dataall.core.stacks.db.stack_repositories import Stack from dataall.base.db import exceptions @@ -148,7 +148,7 @@ def create_sagemaker_studio_user(*, uri: str, admin_group: str, request: Sagemak ) SageMakerStudioRepository.save_sagemaker_studio_user(session, sagemaker_studio_user) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=request.SamlAdminGroupName, permissions=SGMSTUDIO_USER_ALL, 
@@ -157,7 +157,7 @@ def create_sagemaker_studio_user(*, uri: str, admin_group: str, request: Sagemak ) if env.SamlGroupName != sagemaker_studio_user.SamlAdminGroupName: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=env.SamlGroupName, permissions=SGMSTUDIO_USER_ALL, @@ -268,7 +268,7 @@ def delete_sagemaker_studio_user(*, uri: str, delete_from_aws: bool): env = EnvironmentService.get_environment_by_uri(session, user.environmentUri) session.delete(user) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, resource_uri=user.sagemakerStudioUserUri, group=user.SamlAdminGroupName, diff --git a/backend/dataall/modules/notebooks/services/notebook_service.py b/backend/dataall/modules/notebooks/services/notebook_service.py index 60576b263..5f0ce2db8 100644 --- a/backend/dataall/modules/notebooks/services/notebook_service.py +++ b/backend/dataall/modules/notebooks/services/notebook_service.py @@ -12,8 +12,8 @@ from dataall.core.environment.db.environment_models import Environment from dataall.core.environment.env_permission_checker import has_group_permission from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.stacks.api import stack_helper from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag from dataall.core.stacks.db.stack_repositories import Stack 
@@ -121,7 +121,7 @@ def create_notebook(*, uri: str, admin_group: str, request: NotebookCreationRequ resource_prefix=env.resourcePrefix, ).build_compliant_name() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=request.SamlAdminGroupName, permissions=NOTEBOOK_ALL, @@ -130,7 +130,7 @@ def create_notebook(*, uri: str, admin_group: str, request: NotebookCreationRequ ) if env.SamlGroupName != admin_group: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=env.SamlGroupName, permissions=NOTEBOOK_ALL, @@ -202,7 +202,7 @@ def delete_notebook(*, uri: str, delete_from_aws: bool): KeyValueTag.delete_key_value_tags(session, notebook.notebookUri, 'notebook') session.delete(notebook) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, resource_uri=notebook.notebookUri, group=notebook.SamlAdminGroupName, diff --git a/backend/dataall/modules/worksheets/services/worksheet_service.py b/backend/dataall/modules/worksheets/services/worksheet_service.py index 902c0db99..5b6b2bb1a 100644 --- a/backend/dataall/modules/worksheets/services/worksheet_service.py +++ b/backend/dataall/modules/worksheets/services/worksheet_service.py 
@@ -2,9 +2,9 @@ from dataall.core.activity.db.activity_models import Activity from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission from dataall.base.db import exceptions +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.worksheets.aws.athena_client import AthenaClient from dataall.modules.worksheets.db.worksheet_models import Worksheet from dataall.modules.worksheets.db.worksheet_repositories import WorksheetRepository @@ -56,7 +56,7 @@ def create_worksheet(session, username, uri, data=None) -> Worksheet: ) session.add(activity) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=data['SamlAdminGroupName'], permissions=WORKSHEET_ALL, @@ -95,7 +95,7 @@ def get_worksheet(session, uri): def delete_worksheet(session, uri) -> bool: worksheet = WorksheetService.get_worksheet_by_uri(session, uri) session.delete(worksheet) - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=worksheet.SamlAdminGroupName, resource_uri=uri, diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py index b3f8fcfc7..e8a7dd0ee 100644 --- a/backend/local_graphql_server.py +++ b/backend/local_graphql_server.py @@ -9,7 +9,6 @@ from dataall.base.api import get_executable_schema from dataall.core.tasks.service_handlers import Worker from dataall.core.permissions.constants import permissions -from dataall.core.permissions.db import save_permissions_with_tenant from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine, Base 
@@ -36,7 +35,7 @@ CDKPROXY_URL = 'http://cdkproxy:2805' if ENVNAME == 'dkrcompose' else 'http://localhost:2805' config.set_property('cdk_proxy_url', CDKPROXY_URL) -save_permissions_with_tenant(engine) +TenantPolicyService.save_permissions_with_tenant(engine) class Context: @@ -77,7 +76,7 @@ def request_context(headers, mock=False): session=session, group=group, permissions=permissions.TENANT_ALL, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) set_context(RequestContext(db_engine=engine, username=username, groups=groups, user_id=username)) diff --git a/backend/migrations/versions/033c3d6c1849_init_permissions.py b/backend/migrations/versions/033c3d6c1849_init_permissions.py index 53882396c..d4482e403 100644 --- a/backend/migrations/versions/033c3d6c1849_init_permissions.py +++ b/backend/migrations/versions/033c3d6c1849_init_permissions.py @@ -12,7 +12,8 @@ import sqlalchemy as sa from sqlalchemy import orm -from dataall.core.permissions.db import Permission +from dataall.core.permissions.db import PermissionRepository +from dataall.core.permissions.services.permission_service import PermissionService # revision identifiers, used by Alembic. revision = '033c3d6c1849' @@ -27,7 +28,7 @@ def upgrade(): bind = op.get_bind() session = orm.Session(bind=bind) print('Initializing permissions...') - Permission.init_permissions(session) + PermissionService.init_permissions(session) print('Permissions initialized successfully') except Exception as e: print(f'Failed to init permissions due to: {e}') diff --git a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py index 6f2334a4a..e2efc9a27 100644 --- a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py +++ b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py 
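Review bot: `PermissionRepository` is imported into 033c3d6c1849_init_permissions.py on the new side of the `@@ -12,7 +12,8 @@` hunk, but the only call visible in that file's hunks is `PermissionService.init_permissions(session)`, so the import looks unused; drop the `from dataall.core.permissions.db import PermissionRepository` line unless the rest of the migration references it. The subject of PATCH 05/11 further down ("fixing outdated import in migrations", one deletion in this file) suggests this is cleaned up there. The same `PermissionRepository` import is added to 04d92886fabe, 917b923f74bd and d05f9a5b215e with only `PermissionService` calls visible in their hunks, so it is worth confirming it is actually used in each before merging.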
@@ -14,12 +14,13 @@ from dataall.core.environment.db.environment_models import Environment from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.permission.permission_repositories import Permission -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.base.db import utils from dataall.core.permissions.constants import permissions from datetime import datetime +from dataall.core.permissions.services.permission_service import PermissionService +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareObjectStatus # revision identifiers, used by Alembic. @@ -111,7 +112,7 @@ def upgrade(): bind = op.get_bind() session = orm.Session(bind=bind) print('Re-Initializing permissions...') - Permission.init_permissions(session) + PermissionService.init_permissions(session) print('Permissions re-initialized successfully') except Exception as e: print(f'Failed to init permissions due to: {e}') @@ -127,7 +128,7 @@ def upgrade(): session=session, uri=env.environmentUri, filter=None ) for group in groups: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=env.environmentUri, group=group.groupUri, diff --git a/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py b/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py index 180a74388..f8361465e 100644 --- a/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py +++ b/backend/migrations/versions/4a0618805341_rename_sgm_studio_permissions.py 
@@ -9,7 +9,7 @@ from alembic import op from sqlalchemy import String, orm, and_ -from dataall.core.permissions.db.permission.permission_repositories import Permission as PermissionService +from dataall.core.permissions.services.permission_service import PermissionService from dataall.core.permissions.db.permission.permission_models import Permission from dataall.core.permissions.api.enums import PermissionType from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission diff --git a/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py b/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py index b9602ef98..ece8964fe 100644 --- a/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py +++ b/backend/migrations/versions/72b8a90b6ee8__share_request_purpose.py @@ -11,7 +11,7 @@ from sqlalchemy.ext.declarative import declarative_base from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.dataset_sharing.db.share_object_models import ShareObject from dataall.modules.dataset_sharing.services.share_permissions import SHARE_OBJECT_APPROVER, SHARE_OBJECT_REQUESTER from dataall.modules.datasets_base.db.dataset_repositories import DatasetRepository @@ -44,7 +44,7 @@ def upgrade(): # Env Admins # Delete Share Object Permissions on Share Env Admin if Not Share Requester Group if share.groupUri != environment.SamlGroupName: - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=environment.SamlGroupName, resource_uri=share.shareUri, 
@@ -55,12 +55,12 @@ def upgrade(): # Dataset Admins # Delete and Recreate Dataset Share Object Permissions to be Share Object Approver Permission Set - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=dataset.SamlAdminGroupName, resource_uri=share.shareUri, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.SamlAdminGroupName, permissions=SHARE_OBJECT_APPROVER, @@ -74,12 +74,12 @@ def upgrade(): # Dataset Stewards # Delete and Recreate Dataset Share Object Permissions to be Share Object Approver Permission Set if dataset.SamlAdminGroupName != dataset.stewards: - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=dataset.stewards, resource_uri=share.shareUri, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.stewards, permissions=SHARE_OBJECT_APPROVER, @@ -111,7 +111,7 @@ def downgrade(): # Env Admins # Add SHARE_OBJECT_REQUESTER to Env Admin Group - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=environment.SamlGroupName, permissions=SHARE_OBJECT_REQUESTER, @@ -126,12 +126,12 @@ def downgrade(): # Remove SHARE_OBJECT_APPROVER Permissions if Exists Separate from Stewards(i.e. if steward != owner) # Add SHARE_OBJECT_REQUESTER Permissions to Dataset Admin Group if dataset.SamlAdminGroupName != dataset.stewards: - ResourcePolicy.delete_resource_policy( + ResourcePolicyService.delete_resource_policy( session=session, group=dataset.SamlAdminGroupName, resource_uri=share.shareUri, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.SamlAdminGroupName, permissions=SHARE_OBJECT_REQUESTER, 
diff --git a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py index 7380b9cfa..53e0ff8e4 100644 --- a/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py +++ b/backend/migrations/versions/917b923f74bd_update_permissions_modularization.py @@ -10,12 +10,12 @@ from sqlalchemy import Boolean, Column, String, orm from sqlalchemy.ext.declarative import declarative_base -from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.base.db import Resource from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicyPermission from dataall.core.permissions.api.enums import PermissionType from dataall.core.permissions.db.tenant.tenant_models import TenantPolicyPermission - +from dataall.core.permissions.services.permission_service import PermissionService # revision identifiers, used by Alembic. revision = '917b923f74bd' @@ -118,7 +118,7 @@ def downgrade(): def delete_unused_permissions(session): for name in UNUSED_RESOURCE_PERMISSIONS: try: - perm = Permission.get_permission_by_name(session, name, PermissionType.RESOURCE.value) + perm = PermissionService.get_permission_by_name(session, name, PermissionType.RESOURCE.value) ( session.query(ResourcePolicyPermission) .filter(ResourcePolicyPermission.permissionUri == perm.permissionUri) @@ -130,7 +130,7 @@ def delete_unused_permissions(session): for name in UNUSED_TENANT_PERMISSIONS: try: - perm = Permission.get_permission_by_name(session, name, PermissionType.TENANT.value) + perm = PermissionService.get_permission_by_name(session, name, PermissionType.TENANT.value) ( session.query(TenantPolicyPermission) .filter(TenantPolicyPermission.permissionUri == perm.permissionUri) 
@@ -143,7 +143,7 @@ def delete_unused_permissions(session): def save_deleted_permissions(session): for name in UNUSED_RESOURCE_PERMISSIONS: - Permission.save_permission(session, name, name, PermissionType.RESOURCE.value) + PermissionService.save_permission(session, name, name, PermissionType.RESOURCE.value) for name in UNUSED_TENANT_PERMISSIONS: - Permission.save_permission(session, name, name, PermissionType.TENANT.value) + PermissionService.save_permission(session, name, name, PermissionType.TENANT.value) diff --git a/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py b/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py index dad686e94..f40aa2b10 100644 --- a/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py +++ b/backend/migrations/versions/d05f9a5b215e_backfill_dataset_table_permissions.py @@ -13,10 +13,12 @@ from sqlalchemy.ext.declarative import declarative_base from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.permission.permission_repositories import Permission -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.base.db import utils, Resource from datetime import datetime + +from dataall.core.permissions.services.permission_service import PermissionService +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ( ShareObjectStatus, ShareableType, 
@@ -82,7 +84,7 @@ def upgrade(): bind = op.get_bind() session = orm.Session(bind=bind) print('Re-Initializing permissions...') - Permission.init_permissions(session) + PermissionService.init_permissions(session) print('Permissions re-initialized successfully') except Exception as e: print(f'Failed to init permissions due to: {e}') @@ -96,15 +98,13 @@ def upgrade(): dataset = DatasetRepository.get_dataset_by_uri(session, table.datasetUri) env = EnvironmentService.get_environment_by_uri(session, dataset.environmentUri) - groups = set( - [ - dataset.SamlAdminGroupName, - env.SamlGroupName, - dataset.stewards if dataset.stewards is not None else dataset.SamlAdminGroupName, - ] - ) + groups = { + dataset.SamlAdminGroupName, + env.SamlGroupName, + dataset.stewards if dataset.stewards is not None else dataset.SamlAdminGroupName, + } for group in groups: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=table.tableUri, group=group, @@ -133,7 +133,7 @@ def upgrade(): ) for shared_table in share_table_items: share = ShareObjectRepository.get_share_by_uri(session, shared_table.shareUri) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=share.principalId, permissions=DATASET_TABLE_READ, diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py index 67cca6722..9a38a0e65 100644 --- a/backend/migrations/versions/e177eb044b31_init_tenant.py +++ b/backend/migrations/versions/e177eb044b31_init_tenant.py @@ -11,7 +11,6 @@ # revision identifiers, used by Alembic. from sqlalchemy import orm -from dataall.core.permissions.db.tenant.tenant_repositories import Tenant from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.permissions.constants.permissions import TENANT_ALL 
@@ -26,14 +25,14 @@ def upgrade(): bind = op.get_bind() session = orm.Session(bind=bind) print('Initializing permissions...') - Tenant.save_tenant(session, name='dataall', description='Tenant dataall') + TenantPolicyService.save_tenant(session, name=TenantPolicyService.TENANT_NAME, description='Tenant dataall') print('Tenant initialized successfully') print('Attaching superusers group DHAdmins...') TenantPolicyService.attach_group_tenant_policy( session=session, group='DHAdmins', permissions=TENANT_ALL, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) print('Attaching superusers groups DHAdmins') except Exception as e: diff --git a/tests/conftest.py b/tests/conftest.py index 2fba7d211..310077947 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -8,7 +8,7 @@ from glob import glob from dataall.core.groups.db.group_models import Group -from dataall.core.permissions.db import Tenant, Permission +from dataall.core.permissions.services.permission_service import PermissionService from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.permissions.constants.permissions import TENANT_ALL from tests.client import create_app, ClientWrapper @@ -129,7 +129,7 @@ def group4(db, tenant, user3): @pytest.fixture(scope='module', autouse=True) def tenant(db, permissions): with db.scoped_session() as session: - tenant = Tenant.save_tenant(session, name='dataall', description='Tenant dataall') + tenant = TenantPolicyService.save_tenant(session, name='dataall', description='Tenant dataall') yield tenant @@ -142,7 +142,7 @@ def patch_request(module_mocker): @pytest.fixture(scope='module', autouse=True) def permissions(db): with db.scoped_session() as session: - yield Permission.init_permissions(session) + yield PermissionService.init_permissions(session) @pytest.fixture(scope='function', autouse=True) 
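Review bot: The `tenant` fixture in tests/conftest.py still passes the literal `name='dataall'` to `TenantPolicyService.save_tenant`, while the e177eb044b31 migration and local_graphql_server.py in this same commit were switched to `TenantPolicyService.TENANT_NAME`. If the constant ever diverges from the literal, the tests would seed a tenant the service never looks up and tenant-policy checks would fail for a non-obvious reason; change the call to `tenant = TenantPolicyService.save_tenant(session, name=TenantPolicyService.TENANT_NAME, description='Tenant dataall')`.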
diff --git a/tests/core/environments/test_environment.py b/tests/core/environments/test_environment.py index 9c7c4ff94..f3bf1e144 100644 --- a/tests/core/environments/test_environment.py +++ b/tests/core/environments/test_environment.py @@ -1,8 +1,8 @@ from dataall.core.environment.api.enums import EnvironmentPermission from dataall.core.environment.db.environment_models import Environment from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.constants.permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService def get_env(client, env_fixture, group): @@ -706,7 +706,7 @@ def test_update_consumption_role(client, org_fixture, env_fixture, user, group, consumption_role_uri = consumption_role.data.addConsumptionRoleToEnvironment.consumptionRoleUri with db.scoped_session() as session: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=consumption_role_uri, group=group.name, diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py index 240e5cf8d..45cb29061 100644 --- a/tests/core/permissions/test_permission.py +++ b/tests/core/permissions/test_permission.py 
@@ -1,7 +1,8 @@ import pytest -from dataall.core.permissions.db.permission.permission_repositories import Permission +from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.core.permissions.db.permission.permission_models import PermissionType +from dataall.core.permissions.services.permission_service import PermissionService from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import exceptions from dataall.core.permissions.constants.permissions import MANAGE_GROUPS, ENVIRONMENT_ALL, ORGANIZATION_ALL, TENANT_ALL @@ -13,7 +14,7 @@ def permissions(db, all_perms): permissions = [] for p in all_perms: permissions.append( - Permission.save_permission( + PermissionService.save_permission( session, name=p, description=p, @@ -22,7 +23,7 @@ def permissions(db, all_perms): ) for p in TENANT_ALL: permissions.append( - Permission.save_permission( + PermissionService.save_permission( session, name=p, description=p, @@ -39,7 +40,7 @@ def test_attach_tenant_policy(db, group, tenant): session=session, group=group.name, permissions=[MANAGE_GROUPS], - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) assert TenantPolicyService.check_user_tenant_permission( @@ -47,7 +48,7 @@ def test_attach_tenant_policy(db, group, tenant): username='alice', groups=[group.name], permission_name=MANAGE_GROUPS, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) diff --git a/tests/core/permissions/test_tenant.py b/tests/core/permissions/test_tenant.py index a15f275a8..fd5dc8b21 100644 --- a/tests/core/permissions/test_tenant.py +++ b/tests/core/permissions/test_tenant.py @@ -1,4 +1,5 @@ from dataall.core.permissions.constants import permissions +from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository def test_list_tenant_permissions(client, user, group, tenant): 
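Review bot: test_permission.py keeps importing `PermissionType` from `dataall.core.permissions.db.permission.permission_models` as a context line of the `@@ -1,7 +1,8 @@` hunk, whereas the migrations touched in this commit (4a0618805341, 917b923f74bd) import it from `dataall.core.permissions.api.enums`, which matches the commit subject's "Enums are moved to api". Unless `permission_models` still re-exports the enum, this import will break; switching it to `from dataall.core.permissions.api.enums import PermissionType` keeps the test aligned with the new layout. `PermissionRepository` is also newly imported here while only `PermissionService.save_permission` is called in the visible hunks, so it may be unused as well.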
@@ -11,8 +12,9 @@ def test_list_tenant_permissions(client, user, group, tenant): } """, username=user.username, - groups=[group.name, 'DAAdministrators'], + groups=[group.name, TenantPolicyRepository.ADMIN_GROUP], ) + assert len(response.data.listTenantPermissions) >= 1 response = client.query( @@ -42,7 +44,7 @@ def test_list_tenant_permissions(client, user, group, tenant): } """, username=user.username, - groups=[group.name, 'DAAdministrators'], + groups=[group.name, TenantPolicyRepository.ADMIN_GROUP], ) assert group.name in [node.groupUri for node in response.data.listTenantGroups.nodes] @@ -60,7 +62,7 @@ def test_update_permissions(client, user, group, tenant): groupUri=group.name, permissions=[permissions.MANAGE_ORGANIZATIONS, permissions.MANAGE_GROUPS], ), - groups=[group.name, 'DAAdministrators'], + groups=[group.name, TenantPolicyRepository.ADMIN_GROUP], ) print(response) assert response.data.updateGroupTenantPermissions @@ -76,7 +78,7 @@ def test_update_permissions(client, user, group, tenant): } """, username=user.username, - groups=[group.name, 'DAAdministrators'], + groups=[group.name, TenantPolicyRepository.ADMIN_GROUP], groupUri=group.name, ) assert len(response.data.getGroup.tenantPermissions) == 2 @@ -92,7 +94,7 @@ def test_update_permissions(client, user, group, tenant): groupUri=group.name, permissions=[permissions.MANAGE_ORGANIZATIONS, permissions.MANAGE_GROUPS], ), - groups=[group.name, 'DAAdministrators'], + groups=[group.name, TenantPolicyRepository.ADMIN_GROUP], ) print(response) assert response.data.updateGroupTenantPermissions diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py index 883ccbd8e..bc725d294 100644 --- a/tests/modules/conftest.py +++ b/tests/modules/conftest.py 
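Review bot: Replacing the literal `'DAAdministrators'` with `TenantPolicyRepository.ADMIN_GROUP` in the `groups=` argument of the four test queries makes the tests tautological with respect to the admin group name: if the constant in the repository is ever changed or mistyped, every one of these tests still passes because the test inherits the same value. Since this group name is the privilege boundary for tenant administration, keep at least one assertion that pins the literal, e.g. `assert TenantPolicyRepository.ADMIN_GROUP == 'DAAdministrators'` at the top of the module, so a silent change of the admin group name shows up in CI. A test module reaching into a `db`-layer repository for a constant is also a small layering smell; exposing the value on `TenantPolicyService` would keep the tests on the service API.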
@@ -4,8 +4,8 @@ from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup, EnvironmentParameter from dataall.core.organizations.db.organization_models import Organization -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.core.permissions.constants.permissions import ENVIRONMENT_ALL +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.stacks.db.stack_repositories import Stack from dataall.core.stacks.db.stack_models import KeyValueTag @@ -31,7 +31,7 @@ def factory(environment: Environment, group: str) -> EnvironmentGroup: ) session.add(env_group) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, resource_uri=environment.environmentUri, group=group, diff --git a/tests/modules/datasets/conftest.py b/tests/modules/datasets/conftest.py index 249bdbf74..7d578ac58 100644 --- a/tests/modules/datasets/conftest.py +++ b/tests/modules/datasets/conftest.py @@ -5,7 +5,7 @@ from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup from dataall.core.organizations.db.organization_models import Organization -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareableType, PrincipalType from dataall.modules.dataset_sharing.db.share_object_models import ShareObject, ShareObjectItem from dataall.modules.dataset_sharing.services.share_permissions import SHARE_OBJECT_REQUESTER, SHARE_OBJECT_APPROVER 
@@ -196,7 +196,7 @@ def factory(dataset: Dataset, name, username) -> DatasetTable: session.add(table) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.SamlAdminGroupName, permissions=DATASET_TABLE_READ, @@ -236,7 +236,7 @@ def table_fixture(db, dataset_fixture, table, group, user): table1 = table(dataset=dataset_fixture, name='table1', username=user.username) with db.scoped_session() as session: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group.groupUri, permissions=DATASET_TABLE_READ, @@ -251,7 +251,7 @@ def table_confidential_fixture(db, dataset_confidential_fixture, table, group, u table2 = table(dataset=dataset_confidential_fixture, name='table2', username=user.username) with db.scoped_session() as session: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group.groupUri, permissions=DATASET_TABLE_READ, @@ -305,7 +305,7 @@ def factory( session.add(dataset) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=environment.SamlGroupName, permissions=DATASET_ALL, @@ -386,21 +386,21 @@ def factory( session.add(share) session.commit() - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=env_group.groupUri, permissions=SHARE_OBJECT_REQUESTER, resource_uri=share.shareUri, resource_type=ShareObject.__name__, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.SamlAdminGroupName, permissions=SHARE_OBJECT_APPROVER, resource_uri=share.shareUri, resource_type=ShareObject.__name__, ) - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=dataset.stewards, permissions=SHARE_OBJECT_APPROVER, 
diff --git a/tests/modules/datasets/test_dataset_permissions.py b/tests/modules/datasets/test_dataset_permissions.py index 0e02fe2b8..363310401 100644 --- a/tests/modules/datasets/test_dataset_permissions.py +++ b/tests/modules/datasets/test_dataset_permissions.py @@ -1,7 +1,7 @@ from dataall.base.context import set_context, RequestContext from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.db.resource_policy.resource_policy_repositories import ResourcePolicy from dataall.base.db.exceptions import ResourceUnauthorized +from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.modules.datasets.services.dataset_permissions import ( DATASET_WRITE, UPDATE_DATASET, @@ -20,14 +20,14 @@ def test_attach_resource_policy(db, user, group, dataset_fixture): permissions(db, ENVIRONMENT_ALL + ORGANIZATION_ALL + DATASET_READ + DATASET_WRITE + DATASET_TABLE_READ) with db.scoped_session() as session: - ResourcePolicy.attach_resource_policy( + ResourcePolicyService.attach_resource_policy( session=session, group=group.name, permissions=DATASET_WRITE, resource_uri=dataset_fixture.datasetUri, resource_type=Dataset.__name__, ) - assert ResourcePolicy.check_user_resource_permission( + assert ResourcePolicyService.check_user_resource_permission( session=session, username=user.username, groups=[group.name], @@ -57,7 +57,7 @@ def test_attach_tenant_policy(db, user, group, dataset_fixture, permissions, ten def test_unauthorized_resource_policy(db, user, group, dataset_fixture, permissions): with pytest.raises(ResourceUnauthorized): with db.scoped_session() as session: - assert ResourcePolicy.check_user_resource_permission( + assert ResourcePolicyService.check_user_resource_permission( session=session, username=user.username, groups=[group.name], 
@@ -74,7 +74,7 @@ def test_create_dataset(db, user, group, dataset_fixture, permissions, tenant): session=session, group=group.name, permissions=TENANT_ALL, - tenant_name='dataall', + tenant_name=TenantPolicyService.TENANT_NAME, ) org_with_perm = OrganizationService.create_organization( data={ From 654c034c498a98d128554fd6e2920ce25cab9aad Mon Sep 17 00:00:00 2001 From: Sofia Sazonova Date: Tue, 26 Mar 2024 13:31:04 +0000 Subject: [PATCH 04/11] further separation of Services and Repositories for GroupPolicy --- .../db/group/group_policy_repositories.py | 14 ++-------- .../services/group_policy_service.py | 26 +++++++++++++++---- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/backend/dataall/core/permissions/db/group/group_policy_repositories.py b/backend/dataall/core/permissions/db/group/group_policy_repositories.py index e6b1f5c76..1e575ea44 100644 --- a/backend/dataall/core/permissions/db/group/group_policy_repositories.py +++ b/backend/dataall/core/permissions/db/group/group_policy_repositories.py @@ -6,13 +6,7 @@ class GroupPolicyRepository: """Checks permission of environment group""" @staticmethod - def check_group_environment_membership(session, environment_uri, group, username, user_groups, permission_name): - if group and group not in user_groups: - raise UnauthorizedOperation( - action=permission_name, - message=f'User: {username} is not a member of the team {group}', - ) - + def check_group_environment_membership(session, environment_uri, group): belongs_to_env = ( session.query(EnvironmentGroup) .filter(EnvironmentGroup.environmentUri == environment_uri) @@ -20,8 +14,4 @@ def check_group_environment_membership(session, environment_uri, group, username .count() ) - if not belongs_to_env: - raise UnauthorizedOperation( - action=permission_name, - message=f'Team: {group} is not a member of the environment {environment_uri}', - ) + return belongs_to_env > 0 
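Review bot: `check_group_environment_membership` now returns a bool instead of raising, but the class docstring `"""Checks permission of environment group"""` still describes the old raising contract and the new method has no docstring of its own. I would add `"""Return True when *group* is invited to the environment *environment_uri*; the caller decides whether a False result is an authorization failure."""` to the method and reword the class docstring to describe membership lookups rather than permission checks. Any remaining caller that still passes the removed `username`, `user_groups` or `permission_name` keyword arguments will now fail with a TypeError, which is worth confirming across the repository.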
diff --git a/backend/dataall/core/permissions/services/group_policy_service.py b/backend/dataall/core/permissions/services/group_policy_service.py index 35df748cc..9eb69b353 100644 --- a/backend/dataall/core/permissions/services/group_policy_service.py +++ b/backend/dataall/core/permissions/services/group_policy_service.py @@ -1,18 +1,34 @@ from dataall.core.permissions.db.group.group_policy_repositories import GroupPolicyRepository from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.base.db.exceptions import UnauthorizedOperation + + +class GroupPolicyRequestValidationService: + @staticmethod + def validate_team_member(username, user_groups, group, permission_name): + if group and group not in user_groups: + raise UnauthorizedOperation( + action=permission_name, + message=f'User: {username} is not a member of the team {group}', + ) class GroupPolicyService: @staticmethod def check_group_environment_permission(session, username, groups, uri, group, permission_name): - GroupPolicyRepository.check_group_environment_membership( + GroupPolicyRequestValidationService.validate_team_member( + username=username, user_groups=groups, group=group, permission_name=permission_name + ) + + if not GroupPolicyRepository.check_group_environment_membership( session=session, - username=username, - user_groups=groups, group=group, environment_uri=uri, - permission_name=permission_name, - ) + ): + raise UnauthorizedOperation( + action=permission_name, + message=f'Team: {group} is not a member of the environment {uri}', + ) ResourcePolicyService.check_user_resource_permission( session=session, From 9a3a024a4cac8436b149c19e6edc9c2dab324e44 Mon Sep 17 00:00:00 2001 From: Sofia Sazonova Date: Tue, 26 Mar 2024 13:41:01 +0000 Subject: [PATCH 05/11] fixing outdated import in migrations --- backend/migrations/versions/033c3d6c1849_init_permissions.py | 1 - 1 file changed, 1 deletion(-) 
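Review bot: `validate_team_member` skips the team check entirely when `group` is falsy (`if group and group not in user_groups`), so an absent group is only refused later because the membership query for `group=None` counts zero rows; that fail-closed outcome is implicit rather than stated. Assuming no caller relies on an empty group passing the validator, `if not group or group not in user_groups:` would reject it up front with the same UnauthorizedOperation, or at minimum a comment should record the reliance on the later membership check. Both new classes also lack docstrings; `GroupPolicyRequestValidationService` could carry `"""Request-shape checks for group policy operations; raises UnauthorizedOperation and never touches the database."""`. `check_group_environment_permission` continues past the end of the hunk.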
diff --git a/backend/migrations/versions/033c3d6c1849_init_permissions.py b/backend/migrations/versions/033c3d6c1849_init_permissions.py index d4482e403..3b62f745a 100644 --- a/backend/migrations/versions/033c3d6c1849_init_permissions.py +++ b/backend/migrations/versions/033c3d6c1849_init_permissions.py @@ -12,7 +12,6 @@ import sqlalchemy as sa from sqlalchemy import orm -from dataall.core.permissions.db import PermissionRepository from dataall.core.permissions.services.permission_service import PermissionService # revision identifiers, used by Alembic. From 2e34b4d0eba3af84a78c7ed633f612769b4f61ac Mon Sep 17 00:00:00 2001 
From: Sofia Sazonova Date: Wed, 27 Mar 2024 16:21:26 +0000 Subject: [PATCH 06/11] Review-comments fulfillment and decorators --- .../services/environment_service.py | 61 +++++------ .../services/organization_service.py | 24 ++--- .../dataall/core/permissions/api/resolvers.py | 6 +- .../db/permission/permission_repositories.py | 13 --- .../db/tenant/tenant_policy_repositories.py | 3 - .../core/permissions/decorators/__init__.py | 0 .../decorators/permission_checker.py | 100 ------------------ .../services/permission_service.py | 9 -- .../services/resource_policy_service.py | 54 ++++++++++ .../services/tenant_policy_service.py | 51 +++++++-- .../dataall/core/vpc/services/vpc_service.py | 10 +- .../catalog/services/glossaries_service.py | 12 +-- .../services/dashboard_quicksight_service.py | 6 +- .../dashboards/services/dashboard_service.py | 18 ++-- .../services/dashboard_share_service.py | 16 +-- .../services/datapipelines_service.py | 26 ++--- .../services/share_item_service.py | 15 ++- .../services/share_object_service.py | 19 ++-- .../services/dataset_column_service.py | 9 +- .../services/dataset_location_service.py | 23 ++-- .../services/dataset_profiling_service.py | 5 +- .../datasets/services/dataset_service.py | 26 ++--- .../services/dataset_table_service.py | 16 +-- .../mlstudio/services/mlstudio_service.py | 12 +-- .../notebooks/services/notebook_service.py | 18 ++-- .../worksheets/services/worksheet_service.py | 12 +-- backend/local_graphql_server.py | 4 +- 27 files changed, 265 insertions(+), 303 deletions(-) delete mode 100644 backend/dataall/core/permissions/decorators/__init__.py delete mode 100644 backend/dataall/core/permissions/decorators/permission_checker.py diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py index a4d77177d..2c06ccfd6 100644 --- a/backend/dataall/core/environment/services/environment_service.py 
+++ b/backend/dataall/core/environment/services/environment_service.py @@ -7,6 +7,7 @@ from dataall.base.context import get_context from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.stacks.api import stack_helper from dataall.core.activity.db.activity_models import Activity from dataall.core.environment.db.environment_models import EnvironmentParameter, ConsumptionRole @@ -14,7 +15,7 @@ from dataall.core.environment.services.environment_resource_manager import EnvironmentResourceManager from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.core.permissions.db.permission.permission_models import PermissionType -from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission + from dataall.core.vpc.db.vpc_models import Vpc from dataall.base.db.paginator import paginate from dataall.base.utils.naming_convention import ( @@ -37,8 +38,8 @@ class EnvironmentService: @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.LINK_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.LINK_ENVIRONMENT) def create_environment(session, uri, data=None): context = get_context() EnvironmentService._validate_creation_params(data, uri, session) 
@@ -55,7 +56,6 @@ def create_environment(session, uri, data=None): SamlGroupName=data['SamlGroupName'], validated=False, isOrganizationDefaultEnvironment=False, - userRoleInEnvironment=EnvironmentPermission.Owner.value, EnvironmentDefaultIAMRoleName=data.get('EnvironmentDefaultIAMRoleArn', 'unknown').split('/')[-1], EnvironmentDefaultIAMRoleArn=data.get('EnvironmentDefaultIAMRoleArn', 'unknown'), CDKRoleArn=f"arn:aws:iam::{data.get('AwsAccountId')}:role/{data['cdk_role_name']}", @@ -165,8 +165,8 @@ def _validate_account_region(data, session): ) @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.UPDATE_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ENVIRONMENT) def update_environment(session, uri, data=None): EnvironmentService._validate_resource_prefix(data) environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -202,8 +202,8 @@ def _update_env_parameters(session, env: Environment, data): EnvironmentParameterRepository(session).update_params(env_uri, new_params) @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.INVITE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.INVITE_ENVIRONMENT_GROUP) def invite_group(session, uri, data=None) -> (Environment, EnvironmentGroup): EnvironmentService.validate_invite_params(data) 
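Review bot: The `userRoleInEnvironment=EnvironmentPermission.Owner.value` line is dropped from the `Environment(...)` constructor in `create_environment`, which is a data-model change that the commit message ("Review-comments fulfillment and decorators") does not mention. If the `userRoleInEnvironment` column was removed from the model in an earlier patch of this series this is just cleanup, but if the column still exists new environments will now be persisted with its default instead of Owner, so the corresponding model or migration change should be referenced in the description. `create_environment` continues outside the hunk.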
@@ -296,8 +296,8 @@ def validate_permissions(session, uri, g_permissions, group): ) @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.REMOVE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_GROUP) def remove_group(session, uri, group): environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -348,8 +348,8 @@ def remove_group(session, uri, group): return environment @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.UPDATE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ENVIRONMENT_GROUP) def update_group_permissions(session, uri, data=None): EnvironmentService.validate_invite_params(data) @@ -382,7 +382,7 @@ def update_group_permissions(session, uri, data=None): return environment @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) def list_group_permissions(session, uri, group_uri): # the permission checked return EnvironmentService.list_group_permissions_internal(session, uri, group_uri) 
@@ -412,8 +412,8 @@ def list_group_invitation_permissions(session, username, groups, uri, data=None, return group_invitation_permissions @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGroup): group: str = data['groupUri'] IAMRoleArn: str = data['IAMRoleArn'] @@ -457,8 +457,8 @@ def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGr return consumption_role @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def remove_consumption_role(session, uri, env_uri): consumption_role = EnvironmentService.get_environment_consumption_role(session, uri, env_uri) environment = EnvironmentService.get_environment_by_uri(session, env_uri) @@ -491,8 +491,8 @@ def remove_consumption_role(session, uri, env_uri): return True @staticmethod - @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def update_consumption_role(session, uri, env_uri, input): if not input: raise exceptions.RequiredParameter('input') 
@@ -648,7 +648,7 @@ def query_user_environment_groups(session, groups, uri, filter) -> Query: return query @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) def paginated_user_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_groups(session, get_context().groups, uri, data), @@ -669,7 +669,7 @@ def query_all_environment_groups(session, uri, filter) -> Query: return query @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) def paginated_all_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_groups(session, uri, data), @@ -678,7 +678,7 @@ def paginated_all_environment_groups(session, uri, data=None) -> dict: ).to_dict() @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) def list_environment_groups(session, uri) -> [str]: return [ g.groupUri @@ -710,7 +710,7 @@ def query_environment_invited_groups(session, uri, filter) -> Query: return query @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) def paginated_environment_invited_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_invited_groups(session, uri, data), 
@@ -747,7 +747,7 @@ def query_user_environment_consumption_roles(session, groups, uri, filter) -> Qu return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_user_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_consumption_roles(session, get_context().groups, uri, data), @@ -775,7 +775,7 @@ def query_all_environment_consumption_roles(session, uri, filter) -> Query: return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_all_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_consumption_roles(session, uri, data), @@ -819,7 +819,7 @@ def query_environment_networks(session, uri, filter) -> Query: return query @staticmethod - @has_resource_permission(permissions.LIST_ENVIRONMENT_NETWORKS) + @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_NETWORKS) def paginated_environment_networks(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_networks(session, uri, data), @@ -885,7 +885,7 @@ def get_environment_by_uri(session, uri) -> Environment: return EnvironmentRepository.get_environment_by_uri(session, uri) @staticmethod - @has_resource_permission(permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(permissions.GET_ENVIRONMENT) def find_environment_by_uri(session, uri) -> Environment: return EnvironmentService.get_environment_by_uri(session, uri) 
@@ -901,12 +901,12 @@ def list_all_active_environments(session) -> [Environment]: return environments @staticmethod - @has_resource_permission(permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(permissions.GET_ENVIRONMENT) def get_stack(session, uri, stack_uri) -> Stack: return session.query(Stack).get(stack_uri) @staticmethod - @has_resource_permission(permissions.DELETE_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(permissions.DELETE_ENVIRONMENT) def delete_environment(session, uri, environment): env_groups = session.query(EnvironmentGroup).filter(EnvironmentGroup.environmentUri == uri).all() env_roles = session.query(ConsumptionRole).filter(ConsumptionRole.environmentUri == uri).all() @@ -922,7 +922,8 @@ def delete_environment(session, uri, environment): if env_resources > 0: raise exceptions.EnvironmentResourcesFound( action='Delete Environment', - message=f'Found {env_resources} resources on environment {environment.label} - Delete all environment related objects before proceeding', + message=f'Found {env_resources} resources on environment {environment.label} - Delete all environment ' + f'related objects before proceeding', ) else: PolicyManager( diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py index 2aa892e72..eea8863e3 100644 --- a/backend/dataall/core/organizations/services/organization_service.py +++ b/backend/dataall/core/organizations/services/organization_service.py 
@@ -7,15 +7,15 @@ from dataall.core.organizations.db.organization_models import OrganizationGroup from dataall.core.organizations.db import organization_models as models from dataall.core.permissions.constants import permissions -from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService class OrganizationService: """Service that serves request related to organization""" @staticmethod - @has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) def create_organization(data): context = get_context() with context.db_engine.scoped_session() as session: @@ -58,7 +58,7 @@ def create_organization(data): return org @staticmethod - @has_resource_permission(permissions.UPDATE_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ORGANIZATION) def update_organization(uri, data): context = get_context() with context.db_engine.scoped_session() as session: @@ -86,7 +86,7 @@ def update_organization(uri, data): return organization @staticmethod - @has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) def get_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -102,7 +102,7 @@ def list_organizations(filter): ) @staticmethod - @has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) def list_organization_environments(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: 
@@ -138,8 +138,8 @@ def resolve_user_role(organization): return OrganisationUserRole.NoPermission.value @staticmethod - @has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @has_resource_permission(permissions.DELETE_ORGANIZATION) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(permissions.DELETE_ORGANIZATION) def archive_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -161,8 +161,8 @@ def archive_organization(uri): return True @staticmethod - @has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @has_resource_permission(permissions.INVITE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(permissions.INVITE_ORGANIZATION_GROUP) def invite_group(uri, data): context = get_context() with context.db_engine.scoped_session() as session: @@ -193,8 +193,8 @@ def invite_group(uri, data): return organization @staticmethod - @has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @has_resource_permission(permissions.REMOVE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ORGANIZATION_GROUP) def remove_group(uri, group): context = get_context() with context.db_engine.scoped_session() as session: @@ -229,7 +229,7 @@ def remove_group(uri, group): return organization @staticmethod - @has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) def list_organization_groups(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: diff --git a/backend/dataall/core/permissions/api/resolvers.py b/backend/dataall/core/permissions/api/resolvers.py index ad46fab30..d4f891044 100644 
--- a/backend/dataall/core/permissions/api/resolvers.py +++ b/backend/dataall/core/permissions/api/resolvers.py @@ -10,8 +10,6 @@ def update_group_permissions(context, source, input=None): - if not input['groupUri']: - raise RequiredParameter('groupUri') return TenantPolicyService.update_group_permissions( data=input, check_perm=True, @@ -23,9 +21,7 @@ def list_tenant_permissions(context, source): def list_tenant_groups(context, source, filter=None): - if filter is None: - filter = {} - return TenantPolicyService.list_tenant_groups(filter) + return TenantPolicyService.list_tenant_groups(filter if filter else {}) def update_ssm_parameter(context, source, name: str = None, value: str = None): diff --git a/backend/dataall/core/permissions/db/permission/permission_repositories.py b/backend/dataall/core/permissions/db/permission/permission_repositories.py index 4f77bb8ee..87789e0bf 100644 --- a/backend/dataall/core/permissions/db/permission/permission_repositories.py +++ b/backend/dataall/core/permissions/db/permission/permission_repositories.py @@ -20,19 +20,6 @@ def find_permission_by_name(session, permission_name: str, permission_type: str) ) return permission - @staticmethod - def find_permission_by_uri(session, permission_uri: str, permission_type: str) -> Permission: - if permission_uri: - permission = ( - session.query(Permission) - .filter( - Permission.permissionUri == permission_uri, - Permission.type == permission_type, - ) - .first() - ) - return permission - @staticmethod def count_resource_permissions(session): return session.query(Permission).filter(Permission.type == PermissionType.RESOURCE.name).count() diff --git a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py index 8d50ed137..2f27e42d9 100644 --- a/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py +++ b/backend/dataall/core/permissions/db/tenant/tenant_policy_repositories.py 
@@ -39,9 +39,6 @@ def has_user_tenant_permission(session, groups: [str], tenant_name: str, permiss @staticmethod def has_group_tenant_permission(session, group_uri: str, tenant_name: str, permission_name: str): - if not group_uri or not permission_name: - return False - tenant_policy: TenantPolicy = ( session.query(TenantPolicy) .join( diff --git a/backend/dataall/core/permissions/decorators/__init__.py b/backend/dataall/core/permissions/decorators/__init__.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/backend/dataall/core/permissions/decorators/permission_checker.py b/backend/dataall/core/permissions/decorators/permission_checker.py deleted file mode 100644 index 412b963d0..000000000 --- a/backend/dataall/core/permissions/decorators/permission_checker.py +++ /dev/null 
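Review bot: Removing the `if not group_uri or not permission_name: return False` guard from `has_group_tenant_permission` moves that check to `add_permission_to_group_tenant_policy` only; any other caller now runs the join query with a None `group_uri` and relies on the filter matching nothing. As far as the visible code shows that is still fail-closed, but a repository method that silently accepts None is easy to misuse later, so I would either keep the cheap guard here or document the precondition with `"""Callers must pass a non-empty group_uri and permission_name; a None value matches no policy rows."""`. The method body continues past the hunk.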
@@ -1,100 +0,0 @@ -""" -Contains decorators that check if user has a permission to access -and interact with resources or do some actions in the app -""" - -from typing import Protocol, Callable - -from dataall.base.context import RequestContext, get_context -from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService -from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService -from dataall.base.utils.decorator_utls import process_func - - -class Identifiable(Protocol): - """Protocol to identify resources for checking permissions""" - - def get_resource_uri(self) -> str: ... - - -def _check_tenant_permission(session, permission): - context: RequestContext = get_context() - TenantPolicyService.check_user_tenant_permission( - session=session, - username=context.username, - groups=context.groups, - tenant_name=TenantPolicyService.TENANT_NAME, - permission_name=permission, - ) - - -def _check_resource_permission(session, uri, permission): - context: RequestContext = get_context() - ResourcePolicyService.check_user_resource_permission( - session=session, - username=context.username, - groups=context.groups, - resource_uri=uri, - permission_name=permission, - ) - - -def has_resource_permission( - permission: str, param_name: str = None, resource_name: str = None, parent_resource: Callable = None -): - """ - Decorator that check if a user has access to the resource. 
- The method or function decorated with this decorator must have a URI of accessing resource - Good rule of thumb: if there is a URI that accesses a specific resource, - hence it has URI - it must be decorated with this decorator - """ - if not param_name: - param_name = 'uri' - - def decorator(f): - fn, fn_decorator = process_func(f) - - def decorated(*args, **kwargs): - uri: str - if resource_name: - resource: Identifiable = kwargs[resource_name] - uri = resource.get_resource_uri() - else: - if param_name not in kwargs: - raise KeyError(f"{f.__name__} doesn't have parameter {param_name}") - uri = kwargs[param_name] - - with get_context().db_engine.scoped_session() as session: - if parent_resource: - try: - uri = parent_resource(session, uri) - except TypeError: - uri = parent_resource.__func__(session, uri) - - _check_resource_permission(session, uri, permission) - - return fn(*args, **kwargs) - - return fn_decorator(decorated) - - return decorator - - -def has_tenant_permission(permission: str): - """ - Decorator to check if a user has a permission to do some action. - All the information about the user is retrieved from RequestContext - """ - - def decorator(f): - fn, fn_decorator = process_func(f) - - def decorated(*args, **kwargs): - with get_context().db_engine.scoped_session() as session: - _check_tenant_permission(session, permission) - - return fn(*args, **kwargs) - - return fn_decorator(decorated) - - return decorator diff --git a/backend/dataall/core/permissions/services/permission_service.py b/backend/dataall/core/permissions/services/permission_service.py index c156e7d2d..80885c325 100644 --- a/backend/dataall/core/permissions/services/permission_service.py +++ b/backend/dataall/core/permissions/services/permission_service.py 
@@ -19,15 +19,6 @@ def get_permission_by_name(session, permission_name: str, permission_type: str) raise exceptions.ObjectNotFound('Permission', permission_name) return permission - @staticmethod - def get_permission_by_uri(session, permission_uri: str, permission_type: str) -> Permission: - if not permission_uri: - raise exceptions.RequiredParameter(param_name='permission_uri') - permission = PermissionRepository.find_permission_by_uri(session, permission_uri, permission_type) - if not permission: - raise exceptions.ObjectNotFound('Permission', permission_uri) - return permission - @staticmethod def save_permission(session, name: str, description: str, permission_type: str) -> Permission: if not name: diff --git a/backend/dataall/core/permissions/services/resource_policy_service.py b/backend/dataall/core/permissions/services/resource_policy_service.py index 89cbda261..4a2d16302 100644 --- a/backend/dataall/core/permissions/services/resource_policy_service.py +++ b/backend/dataall/core/permissions/services/resource_policy_service.py @@ -3,6 +3,15 @@ from dataall.base.db import exceptions from dataall.core.permissions.db.resource_policy.resource_policy_models import ResourcePolicy, ResourcePolicyPermission from dataall.core.permissions.services.permission_service import PermissionService +from typing import Protocol, Callable +from dataall.base.context import get_context +from functools import wraps + + +class Identifiable(Protocol): + """Protocol to identify resources for checking permissions""" + + def get_resource_uri(self) -> str: ... class ResourcePolicyRequestValidationService: 
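Review bot: The new imports `from typing import Protocol, Callable`, `from dataall.base.context import get_context` and `from functools import wraps` are appended after the existing project imports in resource_policy_service.py, which breaks the stdlib / local grouping visible at the top of the hunk. I would move the `typing` and `functools` lines above the `dataall` imports and keep `get_context` next to the other `dataall.base` imports. `Identifiable` is only a structural type and its docstring could say so, e.g. `"""Structural type for objects whose get_resource_uri() result is used for the resource permission check."""`.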
@@ -183,3 +192,48 @@ def get_resource_policy_permissions(session, group_uri, resource_uri): for p in policy.permissions: permissions.append(p.permission) return permissions + + def has_resource_permission( + permission: str, param_name: str = None, resource_name: str = None, parent_resource: Callable = None + ): + """ + Decorator that check if a user has access to the resource. + The method or function decorated with this decorator must have a URI of accessing resource + Good rule of thumb: if there is a URI that accesses a specific resource, + hence it has URI - it must be decorated with this decorator + """ + if not param_name: + param_name = 'uri' + + def decorator(f): + @wraps(f) + def wrapper(*args, **kwargs): + uri: str + if resource_name: + resource: Identifiable = kwargs[resource_name] + uri = resource.get_resource_uri() + else: + if param_name not in kwargs: + raise KeyError(f"{f.__name__} doesn't have parameter {param_name}") + uri = kwargs[param_name] + + context = get_context() + with context.db_engine.scoped_session() as session: + if parent_resource: + try: + uri = parent_resource(session, uri) + except TypeError: + uri = parent_resource.__func__(session, uri) + + ResourcePolicyService.check_user_resource_permission( + session=session, + username=context.username, + groups=context.groups, + resource_uri=uri, + permission_name=permission, + ) + return f(*args, **kwargs) + + return wrapper + + return decorator diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py index 4082b3860..62a1addee 100644 --- a/backend/dataall/core/permissions/services/tenant_policy_service.py +++ b/backend/dataall/core/permissions/services/tenant_policy_service.py 
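Review bot: `has_resource_permission` is defined in the class body without `@staticmethod`, so it only works because every call site reaches it through the class (`ResourcePolicyService.has_resource_permission(...)`); accessed via an instance, the `permission` string would be bound as `self`. I would add `@staticmethod` above the `def`, and the same applies to `has_tenant_permission` in tenant_policy_service.py later in this patch. The `try: uri = parent_resource(session, uri) except TypeError: uri = parent_resource.__func__(session, uri)` fallback also swallows any TypeError raised inside the resolver itself and then fails with an unrelated AttributeError when `parent_resource` is a plain function; `resolver = getattr(parent_resource, '__func__', parent_resource)` followed by `uri = resolver(session, uri)` keeps the staticmethod unwrapping without the broad except. Because `wrapper` is a plain function, the decorator must stay below `@staticmethod` in the stack, which the docstring should state.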
@@ -9,6 +9,8 @@ from dataall.core.permissions.services.permission_service import PermissionService from dataall.core.permissions.db.tenant.tenant_models import Tenant import logging +from functools import wraps + log = logging.getLogger('Permissions') @@ -60,11 +62,13 @@ def validate_add_permission_to_tenant_policy_params(group, permissions, policy, raise exceptions.RequiredParameter(param_name='policy') @staticmethod - def validate_params(data): + def validate_update_group_permission_params(data): if not data: raise exceptions.RequiredParameter('data') if not data.get('permissions'): raise exceptions.RequiredParameter('permissions') + if not data.get('groupUri'): + raise exceptions.RequiredParameter('groupUri') class TenantPolicyValidationService: @@ -114,13 +118,14 @@ class TenantPolicyService: @staticmethod def update_group_permissions(data, check_perm=None): + RequestValidationService.validate_update_group_permission_params(data) + context = get_context() username = context.username groups = context.groups uri = data.get('groupUri') - RequestValidationService.validate_params(data) new_permissions = data['permissions'] # raises UnauthorizedOperation exception, if there is no admin access @@ -242,12 +247,18 @@ def add_permission_to_group_tenant_policy(session, group, permissions, tenant_na ) for permission in permissions: - if not TenantPolicyRepository.has_group_tenant_permission( - session, - group_uri=group, - permission_name=permission, - tenant_name=tenant_name, - ): + already_associated = True + if not group or not permission: + already_associated = False + else: + already_associated = TenantPolicyRepository.has_group_tenant_permission( + session, + group_uri=group, + permission_name=permission, + tenant_name=tenant_name, + ) + + if not already_associated: TenantPolicyService.associate_permission_to_tenant_policy(session, policy, permission) @staticmethod 
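Review bot: In `add_permission_to_group_tenant_policy` the initial `already_associated = True` is dead, since both branches of the following `if` reassign it, and a True default reads as fail-open to a reviewer even though it is never observed. The block collapses to `already_associated = bool(group and permission) and TenantPolicyRepository.has_group_tenant_permission(session, group_uri=group, permission_name=permission, tenant_name=tenant_name)`, which keeps the behaviour that an empty group or permission counts as not yet associated. A short comment explaining why an empty `group` still leads to `associate_permission_to_tenant_policy` being called would help, because that path looks surprising on first read. The function continues outside the hunk.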
@@ -325,3 +336,27 @@ def save_permissions_with_tenant(engine, envname=None):
 log.info('Initiating permissions')
 TenantPolicyService.save_tenant(session, name=TenantPolicyService.TENANT_NAME, description='Tenant dataall')
 PermissionService.init_permissions(session)
+
+ def has_tenant_permission(permission: str):
+ """
+ Decorator to check if a user has a permission to do some action.
+ All the information about the user is retrieved from RequestContext
+ """
+
+ def decorator(f):
+ @wraps(f)
+ def wrapper(*args, **kwds):
+ context = get_context()
+ with context.db_engine.scoped_session() as session:
+ TenantPolicyService.check_user_tenant_permission(
+ session=session,
+ username=context.username,
+ groups=context.groups,
+ tenant_name=TenantPolicyService.TENANT_NAME,
+ permission_name=permission,
+ )
+ return f(*args, **kwds)
+
+ return wrapper
+
+ return decorator
diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py
index 9ac2b765c..d28476617 100644
--- a/backend/dataall/core/vpc/services/vpc_service.py
+++ b/backend/dataall/core/vpc/services/vpc_service.py
@@ -1,11 +1,11 @@
 from dataall.base.context import get_context
 from dataall.base.db import exceptions
 from dataall.core.permissions.constants import permissions
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.vpc.db.vpc_repositories import VpcRepository
 from dataall.core.vpc.db.vpc_models import Vpc
@@ -16,8 +16,8 @@ def _session():
 class VpcService:
 @staticmethod
- @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS)
- @has_resource_permission(permissions.CREATE_NETWORK)
+ @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS)
+ @ResourcePolicyService.has_resource_permission(permissions.CREATE_NETWORK)
 @has_group_permission(permissions.CREATE_NETWORK)
 def create_network(uri: str, admin_group: str, data: dict):
 with _session() as session:
@@ -76,8 +76,8 @@ def create_network(uri: str, admin_group: str, data: dict):
 return vpc
 @staticmethod
- @has_tenant_permission(permissions.MANAGE_ENVIRONMENTS)
- @has_resource_permission(permissions.DELETE_NETWORK)
+ @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS)
+ @ResourcePolicyService.has_resource_permission(permissions.DELETE_NETWORK)
 def delete_network(uri):
 with _session() as session:
 vpc = VpcRepository.get_vpc_by_uri(session=session, vpc_uri=uri)
diff --git a/backend/dataall/modules/catalog/services/glossaries_service.py b/backend/dataall/modules/catalog/services/glossaries_service.py
index 5580f404c..7d522c449 100644
--- a/backend/dataall/modules/catalog/services/glossaries_service.py
+++ b/backend/dataall/modules/catalog/services/glossaries_service.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.context import get_context
-from dataall.core.permissions.decorators.permission_checker import has_tenant_permission
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 from dataall.modules.catalog.db.glossary_models import GlossaryNode
@@ -17,19 +17,19 @@ def _session():
 class GlossariesService:
 @staticmethod
- @has_tenant_permission(MANAGE_GLOSSARIES)
+ @TenantPolicyService.has_tenant_permission(MANAGE_GLOSSARIES)
 def create_glossary(data: dict = None) -> GlossaryNode:
 with _session() as session:
 return GlossaryRepository.create_glossary(session=session, data=data)
 @staticmethod
- @has_tenant_permission(MANAGE_GLOSSARIES)
+ @TenantPolicyService.has_tenant_permission(MANAGE_GLOSSARIES)
 def create_category(uri: str, data: dict = None):
 with _session() as session:
 return GlossaryRepository.create_category(session=session, uri=uri, data=data)
 @staticmethod
- @has_tenant_permission(MANAGE_GLOSSARIES)
+ @TenantPolicyService.has_tenant_permission(MANAGE_GLOSSARIES)
 def create_term(uri: str, data: dict = None):
 with _session() as session:
 return GlossaryRepository.create_term(session=session, uri=uri, data=data)
@@ -94,13 +94,13 @@ def get_link_target(targetUri: str, targetType: str):
 return target
 @staticmethod
- @has_tenant_permission(MANAGE_GLOSSARIES)
+ @TenantPolicyService.has_tenant_permission(MANAGE_GLOSSARIES)
 def update_node(uri: str = None, data: dict = None):
 with _session() as session:
 return GlossaryRepository.update_node(session=session, uri=uri, data=data)
 @staticmethod
- @has_tenant_permission(MANAGE_GLOSSARIES)
+ @TenantPolicyService.has_tenant_permission(MANAGE_GLOSSARIES)
 def delete_node(uri: str = None):
 with _session() as session:
 return GlossaryRepository.delete_node(session=session, uri=uri)
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index 1968e7f9d..d18d24e60 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -5,9 +5,9 @@ from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
 from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dashboards import DashboardRepository, Dashboard
 from dataall.modules.dashboards.aws.dashboard_quicksight_client import DashboardQuicksightClient
 from dataall.modules.dashboards.services.dashboard_permissions import GET_DASHBOARD, CREATE_DASHBOARD
@@ -19,7 +19,7 @@ class DashboardQuicksightService:
 _REGION = os.getenv('AWS_REGION', 'eu-west-1')
 @classmethod
- @has_resource_permission(GET_DASHBOARD)
+ @ResourcePolicyService.has_resource_permission(GET_DASHBOARD)
 def get_quicksight_reader_url(cls, uri):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -57,7 +57,7 @@ def get_quicksight_reader_url(cls, uri):
 return client.get_anonymous_session(dashboard_id=dash.DashboardId)
 @classmethod
- @has_resource_permission(CREATE_DASHBOARD)
+ @ResourcePolicyService.has_resource_permission(CREATE_DASHBOARD)
 def get_quicksight_designer_url(cls, uri: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
diff --git a/backend/dataall/modules/dashboards/services/dashboard_service.py b/backend/dataall/modules/dashboards/services/dashboard_service.py
index 5af70316c..0b7055622 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_service.py
@@ -3,8 +3,8 @@ from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
-from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.modules.vote.db.vote_repositories import VoteRepository
 from dataall.base.db.exceptions import UnauthorizedOperation
 from dataall.modules.dashboards import DashboardRepository, Dashboard
@@ -24,15 +24,15 @@ class DashboardService:
 """Service that serves request related to dashboard"""
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(GET_DASHBOARD)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(GET_DASHBOARD)
 def get_dashboard(uri: str) -> Dashboard:
 with get_context().db_engine.scoped_session() as session:
 return DashboardRepository.get_dashboard_by_uri(session, uri)
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(CREATE_DASHBOARD)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(CREATE_DASHBOARD)
 @has_group_permission(CREATE_DASHBOARD)
 def import_dashboard(uri: str, admin_group: str, data: dict = None) -> Dashboard:
 context = get_context()
@@ -76,8 +76,8 @@ def import_dashboard(uri: str, admin_group: str, data: dict = None) -> Dashboard
 return dashboard
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(UPDATE_DASHBOARD)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(UPDATE_DASHBOARD)
 def update_dashboard(uri: str, data: dict = None) -> Dashboard:
 with get_context().db_engine.scoped_session() as session:
 dashboard = DashboardRepository.get_dashboard_by_uri(session, uri)
@@ -92,8 +92,8 @@ def update_dashboard(uri: str, data: dict = None) -> Dashboard:
 return dashboard
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(DELETE_DASHBOARD)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(DELETE_DASHBOARD)
 def delete_dashboard(uri) -> bool:
 with get_context().db_engine.scoped_session() as session:
 dashboard = DashboardRepository.get_dashboard_by_uri(session, uri)
diff --git a/backend/dataall/modules/dashboards/services/dashboard_share_service.py b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
index 61516afb1..201b5b212 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_share_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_share_service.py
@@ -1,7 +1,7 @@
 from dataall.base.context import get_context
-from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission
 from dataall.base.db.exceptions import InvalidInput, UnauthorizedOperation
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.modules.dashboards import DashboardRepository
 from dataall.modules.dashboards.db.dashboard_models import DashboardShareStatus, Dashboard
 from dataall.modules.dashboards.services.dashboard_permissions import (
@@ -20,7 +20,7 @@ def _get_dashboard_uri_by_share_uri(session, uri):
 return dashboard.dashboardUri
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
 def request_dashboard_share(uri: str, principal_id: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -43,8 +43,8 @@ def request_dashboard_share(uri: str, principal_id: str):
 return share
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(SHARE_DASHBOARD, parent_resource=_get_dashboard_uri_by_share_uri)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(SHARE_DASHBOARD, parent_resource=_get_dashboard_uri_by_share_uri)
 def approve_dashboard_share(uri: str):
 with get_context().db_engine.scoped_session() as session:
 share = DashboardRepository.get_dashboard_share_by_uri(session, uri)
@@ -53,8 +53,8 @@ def approve_dashboard_share(uri: str):
 return share
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(SHARE_DASHBOARD, parent_resource=_get_dashboard_uri_by_share_uri)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(SHARE_DASHBOARD, parent_resource=_get_dashboard_uri_by_share_uri)
 def reject_dashboard_share(uri: str):
 with get_context().db_engine.scoped_session() as session:
 share = DashboardRepository.get_dashboard_share_by_uri(session, uri)
@@ -82,8 +82,8 @@ def list_dashboard_shares(uri: str, data: dict):
 )
 @staticmethod
- @has_tenant_permission(MANAGE_DASHBOARDS)
- @has_resource_permission(SHARE_DASHBOARD)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DASHBOARDS)
+ @ResourcePolicyService.has_resource_permission(SHARE_DASHBOARD)
 def share_dashboard(uri: str, principal_id: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_service.py b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
index ed7936db0..aa0504d9e 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_service.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_service.py
@@ -5,8 +5,8 @@ from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.stack_repositories import Stack
@@ -35,8 +35,8 @@ def _session():
 class DataPipelineService:
 @staticmethod
- @has_tenant_permission(MANAGE_PIPELINES)
- @has_resource_permission(CREATE_PIPELINE)
+ @TenantPolicyService.has_tenant_permission(MANAGE_PIPELINES)
+ @ResourcePolicyService.has_resource_permission(CREATE_PIPELINE)
 @has_group_permission(CREATE_PIPELINE)
 def create_pipeline(
 uri: str,
@@ -101,8 +101,8 @@ def create_pipeline(
 return pipeline
 @staticmethod
- @has_tenant_permission(MANAGE_PIPELINES)
- @has_resource_permission(CREATE_PIPELINE)
+ @TenantPolicyService.has_tenant_permission(MANAGE_PIPELINES)
+ @ResourcePolicyService.has_resource_permission(CREATE_PIPELINE)
 @has_group_permission(CREATE_PIPELINE)
 def create_pipeline_environment(
 uri: str,
@@ -142,8 +142,8 @@ def create_pipeline_environment(
 return pipeline_env
 @staticmethod
- @has_tenant_permission(MANAGE_PIPELINES)
- @has_resource_permission(UPDATE_PIPELINE)
+ @TenantPolicyService.has_tenant_permission(MANAGE_PIPELINES)
+ @ResourcePolicyService.has_resource_permission(UPDATE_PIPELINE)
 def update_pipeline(uri, data=None) -> DataPipeline:
 with _session() as session:
 pipeline: DataPipeline = DatapipelinesRepository.get_pipeline_by_uri(session, uri)
@@ -156,8 +156,8 @@ def update_pipeline(uri, data=None) -> DataPipeline:
 return pipeline
 @staticmethod
- @has_tenant_permission(MANAGE_PIPELINES)
- @has_resource_permission(UPDATE_PIPELINE)
+ @TenantPolicyService.has_tenant_permission(MANAGE_PIPELINES)
+ @ResourcePolicyService.has_resource_permission(UPDATE_PIPELINE)
 def update_pipeline_environment(uri, data=None) -> DataPipelineEnvironment:
 with _session() as session:
 pipeline_env = DatapipelinesRepository.get_pipeline_environment(
@@ -182,8 +182,8 @@ def list_pipelines(*, filter: dict) -> dict:
 )
 @staticmethod
- @has_tenant_permission(MANAGE_PIPELINES)
- @has_resource_permission(GET_PIPELINE)
+ @TenantPolicyService.has_tenant_permission(MANAGE_PIPELINES)
+ @ResourcePolicyService.has_resource_permission(GET_PIPELINE)
 def get_pipeline(
 uri: str,
 ) -> DataPipeline:
@@ -204,7 +204,7 @@ def get_clone_url_http(uri: str):
 return f'codecommit::{env.region}://{pipeline.repo}'
 @staticmethod
- @has_resource_permission(DELETE_PIPELINE)
+ @ResourcePolicyService.has_resource_permission(DELETE_PIPELINE)
 def delete_pipeline(uri: str, deleteFromAWS: bool):
 with _session() as session:
 pipeline = DatapipelinesRepository.get_pipeline_by_uri(session, uri)
@@ -262,7 +262,7 @@ def delete_pipeline_environment(envPipelineUri: str):
 return True
 @staticmethod
- @has_resource_permission(CREDENTIALS_PIPELINE)
+ @ResourcePolicyService.has_resource_permission(CREDENTIALS_PIPELINE)
 def get_credentials(uri):
 with _session() as session:
 pipeline = DatapipelinesRepository.get_pipeline_by_uri(session, uri)
diff --git a/backend/dataall/modules/dataset_sharing/services/share_item_service.py b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
index ab58f81e9..d21cc0fc7 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_item_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_item_service.py
@@ -4,7 +4,6 @@ from dataall.core.tasks.service_handlers import Worker
 from dataall.base.context import get_context
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.db.exceptions import ObjectNotFound, UnauthorizedOperation
@@ -45,7 +44,7 @@ def _get_share_uri(session, uri):
 return share.shareUri
 @staticmethod
- @has_resource_permission(GET_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(GET_SHARE_OBJECT)
 def verify_items_share_object(uri, item_uris):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -60,7 +59,7 @@ def verify_items_share_object(uri, item_uris):
 return True
 @staticmethod
- @has_resource_permission(APPROVE_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(APPROVE_SHARE_OBJECT)
 def reapply_items_share_object(uri, item_uris):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -75,7 +74,7 @@ def reapply_items_share_object(uri, item_uris):
 return True
 @staticmethod
- @has_resource_permission(GET_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(GET_SHARE_OBJECT)
 def revoke_items_share_object(uri, revoked_uris):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -129,7 +128,7 @@ def revoke_items_share_object(uri, revoked_uris):
 return share
 @staticmethod
- @has_resource_permission(ADD_ITEM)
+ @ResourcePolicyService.has_resource_permission(ADD_ITEM)
 def add_shared_item(uri: str, data: dict = None):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -186,7 +185,7 @@ def add_shared_item(uri: str, data: dict = None):
 return share_item
 @staticmethod
- @has_resource_permission(REMOVE_ITEM, parent_resource=_get_share_uri)
+ @ResourcePolicyService.has_resource_permission(REMOVE_ITEM, parent_resource=_get_share_uri)
 def remove_shared_item(uri: str):
 with get_context().db_engine.scoped_session() as session:
 share_item = ShareObjectRepository.get_share_item_by_uri(session, uri)
@@ -207,7 +206,7 @@ def remove_shared_item(uri: str):
 return True
 @staticmethod
- @has_resource_permission(GET_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(GET_SHARE_OBJECT)
 def resolve_shared_item(uri, item: ShareObjectItem):
 with get_context().db_engine.scoped_session() as session:
 return ShareObjectRepository.get_share_item(session, item.itemType, item.itemUri)
@@ -227,7 +226,7 @@ def list_shareable_objects(share, filter, is_revokable=False):
 return ShareObjectRepository.list_shareable_items(session, share, states, filter)
 @staticmethod
- @has_resource_permission(LIST_ENVIRONMENT_SHARED_WITH_OBJECTS)
+ @ResourcePolicyService.has_resource_permission(LIST_ENVIRONMENT_SHARED_WITH_OBJECTS)
 def paginated_shared_with_environment_datasets(session, uri, data) -> dict:
 return ShareObjectRepository.paginate_shared_datasets(session, uri, data)
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index 3423da893..da38bb99b 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -6,7 +6,6 @@ from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.permissions.constants.permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
@@ -50,19 +49,19 @@ class ShareObjectService:
 @staticmethod
- @has_resource_permission(GET_ENVIRONMENT)
+ @ResourcePolicyService.has_resource_permission(GET_ENVIRONMENT)
 def get_share_object_in_environment(uri, shareUri):
 with get_context().db_engine.scoped_session() as session:
 return ShareObjectRepository.get_share_by_uri(session, shareUri)
 @staticmethod
- @has_resource_permission(GET_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(GET_SHARE_OBJECT)
 def get_share_object(uri):
 with get_context().db_engine.scoped_session() as session:
 return ShareObjectRepository.get_share_by_uri(session, uri)
 @classmethod
- @has_resource_permission(CREATE_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(CREATE_SHARE_OBJECT)
 def create_share_object(
 cls,
 uri: str,
@@ -222,7 +221,7 @@ def create_share_object(
 return share
 @classmethod
- @has_resource_permission(SUBMIT_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(SUBMIT_SHARE_OBJECT)
 def submit_share_object(cls, uri: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -266,7 +265,7 @@ def submit_share_object(cls, uri: str):
 return share
 @classmethod
- @has_resource_permission(APPROVE_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(APPROVE_SHARE_OBJECT)
 def approve_share_object(cls, uri: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -305,7 +304,7 @@ def approve_share_object(cls, uri: str):
 return share
 @staticmethod
- @has_resource_permission(SUBMIT_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(SUBMIT_SHARE_OBJECT)
 def update_share_request_purpose(uri: str, request_purpose) -> bool:
 with get_context().db_engine.scoped_session() as session:
 share = ShareObjectRepository.get_share_by_uri(session, uri)
@@ -314,7 +313,7 @@ def update_share_request_purpose(uri: str, request_purpose) -> bool:
 return True
 @staticmethod
- @has_resource_permission(REJECT_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(REJECT_SHARE_OBJECT)
 def update_share_reject_purpose(uri: str, reject_purpose) -> bool:
 with get_context().db_engine.scoped_session() as session:
 share = ShareObjectRepository.get_share_by_uri(session, uri)
@@ -323,7 +322,7 @@ def update_share_reject_purpose(uri: str, reject_purpose) -> bool:
 return True
 @classmethod
- @has_resource_permission(REJECT_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(REJECT_SHARE_OBJECT)
 def reject_share_object(cls, uri: str, reject_purpose: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -341,7 +340,7 @@ def reject_share_object(cls, uri: str, reject_purpose: str):
 return share
 @classmethod
- @has_resource_permission(DELETE_SHARE_OBJECT)
+ @ResourcePolicyService.has_resource_permission(DELETE_SHARE_OBJECT)
 def delete_share_object(cls, uri: str):
 with get_context().db_engine.scoped_session() as session:
 share, dataset, states = cls._get_share_data(session, uri)
diff --git a/backend/dataall/modules/datasets/services/dataset_column_service.py b/backend/dataall/modules/datasets/services/dataset_column_service.py
index 00440d294..5e5214e83 100644
--- a/backend/dataall/modules/datasets/services/dataset_column_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_column_service.py
@@ -2,7 +2,6 @@ from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.modules.datasets.aws.glue_table_client import GlueTableClient
 from dataall.modules.datasets.db.dataset_column_repositories import DatasetColumnRepository
@@ -45,7 +44,9 @@ def paginate_active_columns_for_table(uri: str, filter=None):
 return DatasetColumnRepository.paginate_active_columns_for_table(session, uri, filter)
 @classmethod
- @has_resource_permission(UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri, param_name='table_uri')
+ @ResourcePolicyService.has_resource_permission(
+ UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri, param_name='table_uri'
+ )
 def sync_table_columns(cls, table_uri: str):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -57,7 +58,9 @@ def sync_table_columns(cls, table_uri: str):
 return cls.paginate_active_columns_for_table(uri=table_uri, filter={})
 @staticmethod
- @has_resource_permission(UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri_for_column, param_name='column_uri')
+ @ResourcePolicyService.has_resource_permission(
+ UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri_for_column, param_name='column_uri'
+ )
 def update_table_column_description(column_uri: str, description) -> DatasetTableColumn:
 with get_context().db_engine.scoped_session() as session:
 column: DatasetTableColumn = DatasetColumnRepository.get_column(session, column_uri)
diff --git a/backend/dataall/modules/datasets/services/dataset_location_service.py b/backend/dataall/modules/datasets/services/dataset_location_service.py
index a71964b4c..5a61b21c3 100644
--- a/backend/dataall/modules/datasets/services/dataset_location_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_location_service.py
@@ -1,6 +1,7 @@
 from dataall.base.context import get_context
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.base.db.exceptions import ResourceShared, ResourceAlreadyExists
 from dataall.modules.dataset_sharing.db.share_object_repositories import ShareObjectRepository
 from dataall.modules.datasets.aws.s3_location_client import S3LocationClient
@@ -23,8 +24,8 @@ def _get_dataset_uri(session, uri):
 return location.datasetUri
 @staticmethod
- @has_tenant_permission(MANAGE_DATASETS)
- @has_resource_permission(CREATE_DATASET_FOLDER)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
+ @ResourcePolicyService.has_resource_permission(CREATE_DATASET_FOLDER)
 def create_storage_location(uri: str, data: dict):
 with get_context().db_engine.scoped_session() as session:
 exists = DatasetLocationRepository.exists(session, uri, data['prefix'])
@@ -47,22 +48,22 @@ def create_storage_location(uri: str, data: dict):
 return location
 @staticmethod
- @has_tenant_permission(MANAGE_DATASETS)
- @has_resource_permission(LIST_DATASET_FOLDERS)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
+ @ResourcePolicyService.has_resource_permission(LIST_DATASET_FOLDERS)
 def list_dataset_locations(uri: str, filter: dict = None):
 with get_context().db_engine.scoped_session() as session:
 return DatasetLocationRepository.list_dataset_locations(session=session, uri=uri, data=filter)
 @staticmethod
- @has_tenant_permission(MANAGE_DATASETS)
- @has_resource_permission(LIST_DATASET_FOLDERS, parent_resource=_get_dataset_uri)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
+ @ResourcePolicyService.has_resource_permission(LIST_DATASET_FOLDERS, parent_resource=_get_dataset_uri)
 def get_storage_location(uri):
 with get_context().db_engine.scoped_session() as session:
 return DatasetLocationRepository.get_location_by_uri(session, uri)
 @staticmethod
- @has_tenant_permission(MANAGE_DATASETS)
- @has_resource_permission(UPDATE_DATASET_FOLDER, parent_resource=_get_dataset_uri)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
+ @ResourcePolicyService.has_resource_permission(UPDATE_DATASET_FOLDER, parent_resource=_get_dataset_uri)
 def update_storage_location(uri: str, data: dict):
 with get_context().db_engine.scoped_session() as session:
 location = DatasetLocationRepository.get_location_by_uri(session, uri)
@@ -77,8 +78,8 @@ def update_storage_location(uri: str, data: dict):
 return location
 @staticmethod
- @has_tenant_permission(MANAGE_DATASETS)
- @has_resource_permission(DELETE_DATASET_FOLDER, parent_resource=_get_dataset_uri)
+ @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS)
+ @ResourcePolicyService.has_resource_permission(DELETE_DATASET_FOLDER, parent_resource=_get_dataset_uri)
 def remove_storage_location(uri: str = None):
 with get_context().db_engine.scoped_session() as session:
 location = DatasetLocationRepository.get_location_by_uri(session, uri)
diff --git a/backend/dataall/modules/datasets/services/dataset_profiling_service.py b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
index 994518936..954117251 100644
--- a/backend/dataall/modules/datasets/services/dataset_profiling_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_profiling_service.py
@@ -5,7 +5,6 @@ from dataall.base.context import get_context
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db.exceptions import ObjectNotFound
 from dataall.modules.datasets.aws.glue_profiler_client import GlueDatasetProfilerClient
@@ -21,7 +20,7 @@ class DatasetProfilingService:
 @staticmethod
- @has_resource_permission(PROFILE_DATASET_TABLE)
+ @ResourcePolicyService.has_resource_permission(PROFILE_DATASET_TABLE)
 def start_profiling_run(uri, table_uri, glue_table_name):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -63,7 +62,7 @@ def resolve_profiling_run_status(run_uri):
 Worker.queue(engine=context.db_engine, task_ids=[task.taskUri])
 @staticmethod
- @has_resource_permission(GET_DATASET)
+ @ResourcePolicyService.has_resource_permission(GET_DATASET)
 def list_profiling_runs(uri):
 with get_context().db_engine.scoped_session() as session:
 return DatasetProfilingRepository.list_profiling_runs(session, uri)
diff --git a/backend/dataall/modules/datasets/services/dataset_service.py b/backend/dataall/modules/datasets/services/dataset_service.py
index 130acae7f..05e601728 100644
--- a/backend/dataall/modules/datasets/services/dataset_service.py
+++ b/backend/dataall/modules/datasets/services/dataset_service.py
@@ -5,13 +5,13 @@ from dataall.base.db import exceptions
 from dataall.base.utils.naming_convention import NamingConventionPattern
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.modules.dataset_sharing.aws.kms_client import KmsClient
 from dataall.base.context import get_context
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission
 from dataall.core.stacks.api import stack_helper
 from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag
 from dataall.core.stacks.db.stack_repositories import Stack
@@ -110,8 +110,8 @@ def check_imported_resources(dataset: Dataset): return True @staticmethod - @has_tenant_permission(MANAGE_DATASETS) - @has_resource_permission(CREATE_DATASET) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) + @ResourcePolicyService.has_resource_permission(CREATE_DATASET) @has_group_permission(CREATE_DATASET) def create_dataset(uri, admin_group, data: dict): context = get_context() @@ -169,7 +169,7 @@ def import_dataset(uri, admin_group, data): return DatasetService.create_dataset(uri=uri, admin_group=admin_group, data=data) @staticmethod - @has_tenant_permission(MANAGE_DATASETS) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) def get_dataset(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -216,8 +216,8 @@ def list_tables(dataset_uri, data: dict): ) @staticmethod - @has_tenant_permission(MANAGE_DATASETS) - @has_resource_permission(UPDATE_DATASET) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) + @ResourcePolicyService.has_resource_permission(UPDATE_DATASET) def update_dataset(uri: str, data: dict): with get_context().db_engine.scoped_session() as session: dataset = DatasetRepository.get_dataset_by_uri(session, uri) @@ -276,7 +276,7 @@ def get_dataset_statistics(dataset: Dataset): } @staticmethod - @has_resource_permission(CREDENTIALS_DATASET) + @ResourcePolicyService.has_resource_permission(CREDENTIALS_DATASET) def get_dataset_assume_role_url(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -307,7 +307,7 @@ def get_dataset_assume_role_url(uri): return url @staticmethod - @has_resource_permission(CRAWL_DATASET) + @ResourcePolicyService.has_resource_permission(CRAWL_DATASET) def start_crawler(uri: str, data: dict = None): engine = get_context().db_engine with engine.scoped_session() as session: 
@@ -349,7 +349,7 @@ def list_dataset_share_objects(dataset: Dataset, data: dict = None): return ShareObjectRepository.paginated_dataset_shares(session=session, uri=dataset.datasetUri, data=data) @staticmethod - @has_resource_permission(CREDENTIALS_DATASET) + @ResourcePolicyService.has_resource_permission(CREDENTIALS_DATASET) def generate_dataset_access_token(uri): with get_context().db_engine.scoped_session() as session: dataset = DatasetRepository.get_dataset_by_uri(session, uri) @@ -373,7 +373,7 @@ def get_dataset_stack(dataset: Dataset): ) @staticmethod - @has_resource_permission(DELETE_DATASET) + @ResourcePolicyService.has_resource_permission(DELETE_DATASET) def delete_dataset(uri: str, delete_from_aws: bool = False): context = get_context() with context.db_engine.scoped_session() as session: @@ -454,7 +454,7 @@ def _create_dataset_stack(session, dataset: Dataset) -> Stack: ) @staticmethod - @has_resource_permission(LIST_ENVIRONMENT_DATASETS) + @ResourcePolicyService.has_resource_permission(LIST_ENVIRONMENT_DATASETS) def list_datasets_created_in_environment(uri: str, data: dict): with get_context().db_engine.scoped_session() as session: return DatasetRepository.paginated_environment_datasets( @@ -563,8 +563,8 @@ def delete_dataset_term_links(session, dataset_uri): GlossaryRepository.delete_glossary_terms_links(session, dataset_uri, 'Dataset') @staticmethod - @has_tenant_permission(MANAGE_DATASETS) - @has_resource_permission(UPDATE_DATASET) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) + @ResourcePolicyService.has_resource_permission(UPDATE_DATASET) def verify_dataset_share_objects(uri: str, share_uris: list): with get_context().db_engine.scoped_session() as session: for share_uri in share_uris: diff --git a/backend/dataall/modules/datasets/services/dataset_table_service.py b/backend/dataall/modules/datasets/services/dataset_table_service.py index 0daeff854..55b329f86 100644 --- a/backend/dataall/modules/datasets/services/dataset_table_service.py 
+++ b/backend/dataall/modules/datasets/services/dataset_table_service.py @@ -2,9 +2,9 @@ from dataall.base.context import get_context from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission from dataall.base.db.exceptions import ResourceShared from dataall.modules.dataset_sharing.db.share_object_repositories import ShareObjectRepository from dataall.modules.datasets.aws.athena_table_client import AthenaTableClient @@ -37,14 +37,14 @@ def _get_dataset_uri(session, table_uri): return table.datasetUri @staticmethod - @has_tenant_permission(MANAGE_DATASETS) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) def get_table(uri: str): with get_context().db_engine.scoped_session() as session: return DatasetTableRepository.get_dataset_table_by_uri(session, uri) @staticmethod - @has_tenant_permission(MANAGE_DATASETS) - @has_resource_permission(UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) + @ResourcePolicyService.has_resource_permission(UPDATE_DATASET_TABLE, parent_resource=_get_dataset_uri) def update_table(uri: str, table_data: dict = None): with get_context().db_engine.scoped_session() as session: table = DatasetTableRepository.get_dataset_table_by_uri(session, uri) 
@@ -62,8 +62,8 @@ def update_table(uri: str, table_data: dict = None): return table @staticmethod - @has_tenant_permission(MANAGE_DATASETS) - @has_resource_permission(DELETE_DATASET_TABLE, parent_resource=_get_dataset_uri) + @TenantPolicyService.has_tenant_permission(MANAGE_DATASETS) + @ResourcePolicyService.has_resource_permission(DELETE_DATASET_TABLE, parent_resource=_get_dataset_uri) def delete_table(uri: str): with get_context().db_engine.scoped_session() as session: table = DatasetTableRepository.get_dataset_table_by_uri(session, uri) @@ -104,7 +104,7 @@ def preview(table_uri: str): return AthenaTableClient(env, table).get_table(dataset_uri=dataset.datasetUri) @staticmethod - @has_resource_permission(GET_DATASET_TABLE) + @ResourcePolicyService.has_resource_permission(GET_DATASET_TABLE) def get_glue_table_properties(uri: str): with get_context().db_engine.scoped_session() as session: table: DatasetTable = DatasetTableRepository.get_dataset_table_by_uri(session, uri) @@ -122,7 +122,7 @@ def list_shared_tables_by_env_dataset(dataset_uri: str, env_uri: str): ] @classmethod - @has_resource_permission(SYNC_DATASET) + @ResourcePolicyService.has_resource_permission(SYNC_DATASET) def sync_tables_for_dataset(cls, uri): context = get_context() with context.db_engine.scoped_session() as session: diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_service.py b/backend/dataall/modules/mlstudio/services/mlstudio_service.py index a443a0dbd..f1396e718 100644 --- a/backend/dataall/modules/mlstudio/services/mlstudio_service.py +++ b/backend/dataall/modules/mlstudio/services/mlstudio_service.py 
@@ -11,8 +11,8 @@ from dataall.base.context import get_context from dataall.core.environment.env_permission_checker import has_group_permission from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.stacks.api import stack_helper from dataall.core.stacks.db.stack_repositories import Stack from dataall.base.db import exceptions @@ -99,8 +99,8 @@ class SagemakerStudioService: """ @staticmethod - @has_tenant_permission(MANAGE_SGMSTUDIO_USERS) - @has_resource_permission(CREATE_SGMSTUDIO_USER) + @TenantPolicyService.has_tenant_permission(MANAGE_SGMSTUDIO_USERS) + @ResourcePolicyService.has_resource_permission(CREATE_SGMSTUDIO_USER) @has_group_permission(CREATE_SGMSTUDIO_USER) def create_sagemaker_studio_user(*, uri: str, admin_group: str, request: SagemakerStudioCreationRequest): """ @@ -233,7 +233,7 @@ def list_sagemaker_studio_users(*, filter: dict) -> dict: ) @staticmethod - @has_resource_permission(GET_SGMSTUDIO_USER) + @ResourcePolicyService.has_resource_permission(GET_SGMSTUDIO_USER) def get_sagemaker_studio_user(*, uri: str): with _session() as session: return SagemakerStudioService._get_sagemaker_studio_user(session, uri) @@ -247,7 +247,7 @@ def get_sagemaker_studio_user_status(*, uri: str): return status @staticmethod - @has_resource_permission(SGMSTUDIO_USER_URL) + @ResourcePolicyService.has_resource_permission(SGMSTUDIO_USER_URL) def get_sagemaker_studio_user_presigned_url(*, uri: str): with _session() as session: user = SagemakerStudioService._get_sagemaker_studio_user(session, uri) 
@@ -260,7 +260,7 @@ def get_sagemaker_studio_user_applications(*, uri: str): return sagemaker_studio_client(user).get_sagemaker_studio_user_applications() @staticmethod - @has_resource_permission(DELETE_SGMSTUDIO_USER) + @ResourcePolicyService.has_resource_permission(DELETE_SGMSTUDIO_USER) def delete_sagemaker_studio_user(*, uri: str, delete_from_aws: bool): """Deletes SageMaker Studio user from the database and if delete_from_aws is True from AWS as well""" with _session() as session: diff --git a/backend/dataall/modules/notebooks/services/notebook_service.py b/backend/dataall/modules/notebooks/services/notebook_service.py index 5f0ce2db8..c950581e1 100644 --- a/backend/dataall/modules/notebooks/services/notebook_service.py +++ b/backend/dataall/modules/notebooks/services/notebook_service.py @@ -12,8 +12,8 @@ from dataall.core.environment.db.environment_models import Environment from dataall.core.environment.env_permission_checker import has_group_permission from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.decorators.permission_checker import has_resource_permission, has_tenant_permission from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.stacks.api import stack_helper from dataall.core.stacks.db.keyvaluetag_repositories import KeyValueTag from dataall.core.stacks.db.stack_repositories import Stack @@ -67,8 +67,8 @@ class NotebookService: _NOTEBOOK_RESOURCE_TYPE = 'notebook' @staticmethod - @has_tenant_permission(MANAGE_NOTEBOOKS) - @has_resource_permission(CREATE_NOTEBOOK) + @TenantPolicyService.has_tenant_permission(MANAGE_NOTEBOOKS) + @ResourcePolicyService.has_resource_permission(CREATE_NOTEBOOK) @has_group_permission(CREATE_NOTEBOOK) def create_notebook(*, uri: str, admin_group: str, request: NotebookCreationRequest) -> SagemakerNotebook: """ 
@@ -159,42 +159,42 @@ def list_user_notebooks(filter) -> dict: ) @staticmethod - @has_resource_permission(GET_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(GET_NOTEBOOK) def get_notebook(*, uri) -> SagemakerNotebook: """Gets a notebook by uri""" with _session() as session: return NotebookService._get_notebook(session, uri) @staticmethod - @has_resource_permission(UPDATE_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(UPDATE_NOTEBOOK) def start_notebook(*, uri): """Starts notebooks instance""" notebook = NotebookService.get_notebook(uri=uri) client(notebook).start_instance() @staticmethod - @has_resource_permission(UPDATE_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(UPDATE_NOTEBOOK) def stop_notebook(*, uri: str) -> None: """Stop notebook instance""" notebook = NotebookService.get_notebook(uri=uri) client(notebook).stop_instance() @staticmethod - @has_resource_permission(GET_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(GET_NOTEBOOK) def get_notebook_presigned_url(*, uri: str) -> str: """Creates and returns a presigned url for a notebook""" notebook = NotebookService.get_notebook(uri=uri) return client(notebook).presigned_url() @staticmethod - @has_resource_permission(GET_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(GET_NOTEBOOK) def get_notebook_status(*, uri) -> str: """Retrieves notebook status""" notebook = NotebookService.get_notebook(uri=uri) return client(notebook).get_notebook_instance_status() @staticmethod - @has_resource_permission(DELETE_NOTEBOOK) + @ResourcePolicyService.has_resource_permission(DELETE_NOTEBOOK) def delete_notebook(*, uri: str, delete_from_aws: bool): """Deletes notebook from the database and if delete_from_aws is True from AWS as well""" with _session() as session: diff --git a/backend/dataall/modules/worksheets/services/worksheet_service.py b/backend/dataall/modules/worksheets/services/worksheet_service.py index 5b6b2bb1a..fe9410213 100644 
--- a/backend/dataall/modules/worksheets/services/worksheet_service.py +++ b/backend/dataall/modules/worksheets/services/worksheet_service.py @@ -2,9 +2,9 @@ from dataall.core.activity.db.activity_models import Activity from dataall.core.environment.services.environment_service import EnvironmentService -from dataall.core.permissions.decorators.permission_checker import has_tenant_permission, has_resource_permission from dataall.base.db import exceptions from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService +from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.modules.worksheets.aws.athena_client import AthenaClient from dataall.modules.worksheets.db.worksheet_models import Worksheet from dataall.modules.worksheets.db.worksheet_repositories import WorksheetRepository @@ -32,7 +32,7 @@ def get_worksheet_by_uri(session, uri: str) -> Worksheet: return worksheet @staticmethod - @has_tenant_permission(MANAGE_WORKSHEETS) + @TenantPolicyService.has_tenant_permission(MANAGE_WORKSHEETS) def create_worksheet(session, username, uri, data=None) -> Worksheet: worksheet = Worksheet( owner=username, @@ -66,7 +66,7 @@ def create_worksheet(session, username, uri, data=None) -> Worksheet: return worksheet @staticmethod - @has_resource_permission(UPDATE_WORKSHEET) + @ResourcePolicyService.has_resource_permission(UPDATE_WORKSHEET) def update_worksheet(session, username, uri, data=None): worksheet = WorksheetService.get_worksheet_by_uri(session, uri) for field in data.keys(): 
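Review bot: `update_worksheet(session, username, uri, data=None)` in the last hunk on this line defaults `data` to `None` and then runs `for field in data.keys():` unconditionally, so a call without a payload fails with AttributeError rather than a meaningful validation error; `create_worksheet` in the preceding hunk carries the same `data=None` default. Either drop the default or open the body with `data = data or {}` so the empty case is explicit. The loop body that applies each field is outside the hunk; if it assigns attributes straight from the request keys, confirm it restricts them to the columns the mutation is meant to change.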
@@ -85,13 +85,13 @@ def update_worksheet(session, username, uri, data=None): return worksheet @staticmethod - @has_resource_permission(GET_WORKSHEET) + @ResourcePolicyService.has_resource_permission(GET_WORKSHEET) def get_worksheet(session, uri): worksheet = WorksheetService.get_worksheet_by_uri(session, uri) return worksheet @staticmethod - @has_resource_permission(DELETE_WORKSHEET) + @ResourcePolicyService.has_resource_permission(DELETE_WORKSHEET) def delete_worksheet(session, uri) -> bool: worksheet = WorksheetService.get_worksheet_by_uri(session, uri) session.delete(worksheet) @@ -104,7 +104,7 @@ def delete_worksheet(session, uri) -> bool: return True @staticmethod - @has_resource_permission(RUN_ATHENA_QUERY) + @ResourcePolicyService.has_resource_permission(RUN_ATHENA_QUERY) def run_sql_query(session, uri, worksheetUri, sqlQuery): environment = EnvironmentService.get_environment_by_uri(session, uri) worksheet = WorksheetService.get_worksheet_by_uri(session, worksheetUri) diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py index e8a7dd0ee..6b5713e11 100644 --- a/backend/local_graphql_server.py +++ b/backend/local_graphql_server.py @@ -8,7 +8,7 @@ from dataall.base.api import get_executable_schema from dataall.core.tasks.service_handlers import Worker -from dataall.core.permissions.constants import permissions +from dataall.core.permissions.constants.permissions import TENANT_ALL from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine, Base @@ -75,7 +75,7 @@ def request_context(headers, mock=False): TenantPolicyService.attach_group_tenant_policy( session=session, group=group, - permissions=permissions.TENANT_ALL, + permissions=TENANT_ALL, tenant_name=TenantPolicyService.TENANT_NAME, ) From 10e0bdf464454608e8fdafab442231c41a25fc2c Mon Sep 17 00:00:00 2001 
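Review bot: `run_sql_query(session, uri, worksheetUri, sqlQuery)` in the last worksheet hunk is gated only by `ResourcePolicyService.has_resource_permission(RUN_ATHENA_QUERY)`, which — going by the `parent_resource=` keyword this patch uses elsewhere — presumably resolves the checked resource from `uri`, i.e. the environment; the worksheet is then loaded by `worksheetUri` through `get_worksheet_by_uri`, which performs no permission check, so nothing visible in the hunk ties the caller to the worksheet being queried. The function continues past the hunk, so if a worksheet-level check lives further down, a one-line comment at the top of the body naming where worksheet access is enforced would make the authorization path auditable; otherwise a worksheet-level check belongs next to the environment one.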
From: Sofia Sazonova Date: Wed, 27 Mar 2024 16:30:13 +0000 Subject: [PATCH 07/11] ruff format --- backend/dataall/modules/dataset_sharing/api/resolvers.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/backend/dataall/modules/dataset_sharing/api/resolvers.py b/backend/dataall/modules/dataset_sharing/api/resolvers.py index b76080941..4b438e7bb 100644 --- a/backend/dataall/modules/dataset_sharing/api/resolvers.py +++ b/backend/dataall/modules/dataset_sharing/api/resolvers.py @@ -255,7 +255,9 @@ def resolve_shared_database_name(context: Context, source): return None old_shared_db_name = (source.GlueDatabaseName + '_shared_' + source.shareUri)[:254] with context.engine.scoped_session() as session: - share = ShareObjectService.get_share_object_in_environment(uri=source.targetEnvironmentUri, shareUri=source.shareUri) + share = ShareObjectService.get_share_object_in_environment( + uri=source.targetEnvironmentUri, shareUri=source.shareUri + ) env = EnvironmentService.get_environment_by_uri(session, share.environmentUri) database = GlueClient( account_id=env.AwsAccountId, database=old_shared_db_name, region=env.region From 7d6746bf4f7aae1c296934a3930dea4c9dd11ea8 Mon Sep 17 00:00:00 2001 
From: Sofia Sazonova Date: Wed, 27 Mar 2024 17:47:58 +0000 Subject: [PATCH 08/11] ruff format and missing imports --- backend/api_handler.py | 4 +- .../dataall/core/environment/api/resolvers.py | 22 +++--- .../services/environment_service.py | 76 ++++++++++--------- .../services/organization_service.py | 30 ++++---- .../core/permissions/constants/__init__.py | 0 .../core_permissions.py} | 0 .../services/permission_service.py | 2 +- .../services/tenant_policy_service.py | 2 +- .../stacks/db/target_type_repositories.py | 4 +- .../dataall/core/vpc/services/vpc_service.py | 18 ++--- .../services/glossaries_permissions.py | 2 +- .../services/dashboard_permissions.py | 2 +- .../services/dashboard_quicksight_service.py | 2 +- .../services/datapipelines_permissions.py | 2 +- .../services/share_object_service.py | 2 +- .../services/share_permissions.py | 2 +- .../datasets/services/dataset_permissions.py | 2 +- .../mlstudio/services/mlstudio_permissions.py | 2 +- .../services/notebook_permissions.py | 2 +- .../services/worksheet_permissions.py | 2 +- backend/local_graphql_server.py | 2 +- .../04d92886fabe_add_consumption_roles.py | 5 +- .../versions/e177eb044b31_init_tenant.py | 2 +- tests/conftest.py | 2 +- tests/core/environments/test_environment.py | 2 +- tests/core/permissions/test_permission.py | 9 ++- tests/core/permissions/test_tenant.py | 6 +- tests/modules/conftest.py | 2 +- 28 files changed, 106 insertions(+), 102 deletions(-) delete mode 100644 backend/dataall/core/permissions/constants/__init__.py rename backend/dataall/core/permissions/{constants/permissions.py => services/core_permissions.py} (100%) diff --git a/backend/api_handler.py b/backend/api_handler.py index 74696fe64..91ec463f9 100644 --- a/backend/api_handler.py +++ b/backend/api_handler.py 
@@ -18,7 +18,7 @@ from dataall.base.context import set_context, dispose_context, RequestContext from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine -from dataall.core.permissions.constants import permissions +from dataall.core.permissions.services.core_permissions import TENANT_ALL from dataall.base.loader import load_modules, ImportMode logger = logging.getLogger() @@ -148,7 +148,7 @@ def handler(event, context): TenantPolicyService.attach_group_tenant_policy( session=session, group=group, - permissions=permissions.TENANT_ALL, + permissions=TENANT_ALL, tenant_name=TenantPolicyService.TENANT_NAME, ) diff --git a/backend/dataall/core/environment/api/resolvers.py b/backend/dataall/core/environment/api/resolvers.py index 726d0a566..131d27afb 100644 --- a/backend/dataall/core/environment/api/resolvers.py +++ b/backend/dataall/core/environment/api/resolvers.py @@ -22,13 +22,13 @@ from dataall.core.stacks.db.stack_repositories import Stack from dataall.core.vpc.services.vpc_service import VpcService from dataall.base.aws.ec2_client import EC2 -from dataall.core.permissions.constants import permissions from dataall.base.feature_toggle_checker import is_feature_enabled from dataall.base.utils.naming_convention import ( NamingConventionService, NamingConventionPattern, ) from dataall.core.organizations.api.resolvers import Context, exceptions, get_organization +from dataall.core.permissions.services import core_permissions log = logging.getLogger() @@ -92,7 +92,7 @@ def check_environment(context: Context, source, account_id, region, data): def create_environment(context: Context, source, input={}): if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups: raise exceptions.UnauthorizedOperation( - action=permissions.LINK_ENVIRONMENT, + action=core_permissions.LINK_ENVIRONMENT, message=f'User: {context.username} is not a member of the group {input["SamlGroupName"]}', ) 
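Review bot: `def create_environment(context: Context, source, input={}):` in the resolvers hunk uses a mutable default that is shared across calls and shadows the builtin `input`; the `update_environment` hunk on the next line has the opposite problem, `input: dict = None` followed immediately by `input.get('SamlGroupName')`, which raises AttributeError when the argument is omitted. Since the commit already edits both functions, normalise them to `input: dict = None` with `input = input or {}` as the first statement, or reject a missing body explicitly before touching it. Both function bodies continue past their hunks.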
@@ -122,7 +122,7 @@ def create_environment(context: Context, source, input={}): def update_environment(context: Context, source, environmentUri: str = None, input: dict = None): if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups: raise exceptions.UnauthorizedOperation( - action=permissions.LINK_ENVIRONMENT, + action=core_permissions.LINK_ENVIRONMENT, message=f'User: {context.username} is not part of the group {input["SamlGroupName"]}', ) @@ -447,7 +447,7 @@ def get_environment_assume_role_url( username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=permissions.CREDENTIALS_ENVIRONMENT, + permission_name=core_permissions.CREDENTIALS_ENVIRONMENT, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) url = SessionHelper.get_console_access_url( @@ -471,7 +471,7 @@ def generate_environment_access_token(context, source, environmentUri: str = Non username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=permissions.CREDENTIALS_ENVIRONMENT, + permission_name=core_permissions.CREDENTIALS_ENVIRONMENT, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) c = _get_environment_group_aws_session( @@ -519,7 +519,7 @@ def enable_subscriptions(context: Context, source, environmentUri: str = None, i username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, + permission_name=core_permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) if input.get('producersTopicArn'): 
@@ -554,7 +554,7 @@ def disable_subscriptions(context: Context, source, environmentUri: str = None): username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, + permission_name=core_permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) @@ -577,7 +577,7 @@ def get_pivot_role_template(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=permissions.GET_ORGANIZATION, + permission_name=core_permissions.GET_ORGANIZATION, ) pivot_role_bucket = Parameter().get_parameter( env=os.getenv('envname', 'local'), path='s3/resources_bucket_name' @@ -617,7 +617,7 @@ def get_cdk_exec_policy_template(context: Context, source, organizationUri=None) username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=permissions.GET_ORGANIZATION, + permission_name=core_permissions.GET_ORGANIZATION, ) cdk_exec_policy_bucket = Parameter().get_parameter( env=os.getenv('envname', 'local'), path='s3/resources_bucket_name' @@ -657,7 +657,7 @@ def get_external_id(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=permissions.GET_ORGANIZATION, + permission_name=core_permissions.GET_ORGANIZATION, ) external_id = SessionHelper.get_external_id_secret() if not external_id: @@ -675,7 +675,7 @@ def get_pivot_role_name(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=permissions.GET_ORGANIZATION, + permission_name=core_permissions.GET_ORGANIZATION, ) pivot_role_name = SessionHelper.get_delegation_role_name() if not pivot_role_name: 
diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py index 2c06ccfd6..9d80af2b6 100644 --- a/backend/dataall/core/environment/services/environment_service.py +++ b/backend/dataall/core/environment/services/environment_service.py @@ -23,7 +23,6 @@ NamingConventionPattern, ) from dataall.base.db import exceptions -from dataall.core.permissions.constants import permissions from dataall.core.organizations.db.organization_repositories import OrganizationRepository from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup from dataall.core.environment.api.enums import EnvironmentPermission, EnvironmentType @@ -33,13 +32,16 @@ from dataall.core.stacks.db.enums import StackStatus from dataall.core.environment.services.managed_iam_policies import PolicyManager +from dataall.core.permissions.services import core_permissions + + log = logging.getLogger(__name__) class EnvironmentService: @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.LINK_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.LINK_ENVIRONMENT) def create_environment(session, uri, data=None): context = get_context() EnvironmentService._validate_creation_params(data, uri, session) @@ -110,7 +112,7 @@ def create_environment(session, uri, data=None): session=session, resource_uri=env.environmentUri, group=data['SamlGroupName'], - permissions=permissions.ENVIRONMENT_ALL, + permissions=core_permissions.ENVIRONMENT_ALL, resource_type=Environment.__name__, ) session.commit() 
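Review bot: The new `from dataall.core.permissions.services import core_permissions` in the import hunk lands after the import block, set off by two blank lines and followed by another blank line before `log = logging.getLogger(__name__)`, while every other `dataall.core.*` import in the visible block sits together. Move it up to where the removed `from dataall.core.permissions.constants import permissions` was, so an import sorter does not shuffle it later and the blank-line run disappears. `EnvironmentService.create_environment` continues past the hunk.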
@@ -165,8 +167,8 @@ def _validate_account_region(data, session): ) @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ENVIRONMENT) def update_environment(session, uri, data=None): EnvironmentService._validate_resource_prefix(data) environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -185,7 +187,7 @@ def update_environment(session, uri, data=None): session=session, resource_uri=environment.environmentUri, group=environment.SamlGroupName, - permissions=permissions.ENVIRONMENT_ALL, + permissions=core_permissions.ENVIRONMENT_ALL, resource_type=Environment.__name__, ) return environment @@ -202,8 +204,8 @@ def _update_env_parameters(session, env: Environment, data): EnvironmentParameterRepository(session).update_params(env_uri, new_params) @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.INVITE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.INVITE_ENVIRONMENT_GROUP) def invite_group(session, uri, data=None) -> (Environment, EnvironmentGroup): EnvironmentService.validate_invite_params(data) 
@@ -276,13 +278,13 @@ def validate_permissions(session, uri, g_permissions, group): g_permissions: coming from frontend = ENVIRONMENT_INVITATION_REQUEST """ - if permissions.INVITE_ENVIRONMENT_GROUP in g_permissions: - g_permissions.append(permissions.REMOVE_ENVIRONMENT_GROUP) + if core_permissions.INVITE_ENVIRONMENT_GROUP in g_permissions: + g_permissions.append(core_permissions.REMOVE_ENVIRONMENT_GROUP) - g_permissions.extend(permissions.ENVIRONMENT_INVITED_DEFAULT) + g_permissions.extend(core_permissions.ENVIRONMENT_INVITED_DEFAULT) g_permissions = list(set(g_permissions)) - if g_permissions not in permissions.ENVIRONMENT_INVITED: + if g_permissions not in core_permissions.ENVIRONMENT_INVITED: exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri) env_group_permissions = [] @@ -296,8 +298,8 @@ def validate_permissions(session, uri, g_permissions, group): ) @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_GROUP) def remove_group(session, uri, group): environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -348,8 +350,8 @@ def remove_group(session, uri, group): return environment @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ENVIRONMENT_GROUP) def update_group_permissions(session, uri, data=None): EnvironmentService.validate_invite_params(data) 
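Review bot: In the `validate_permissions` hunk, `exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri)` is constructed but never raised, so the `if g_permissions not in core_permissions.ENVIRONMENT_INVITED:` guard is a no-op and any permission list flows on into `env_group_permissions`. Change that line to `raise exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri)`. The condition itself also looks suspect: `not in` asks whether the whole `g_permissions` list is an element of `ENVIRONMENT_INVITED`, and if that constant is a flat list of permission names the intended test is presumably `if not set(g_permissions).issubset(core_permissions.ENVIRONMENT_INVITED):` — confirm against the constant's definition. `validate_permissions` starts before this hunk and continues after it.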
@@ -382,7 +384,7 @@ def update_group_permissions(session, uri, data=None): return environment @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) def list_group_permissions(session, uri, group_uri): # the permission checked return EnvironmentService.list_group_permissions_internal(session, uri, group_uri) @@ -401,7 +403,7 @@ def list_group_permissions_internal(session, uri, group_uri): @staticmethod def list_group_invitation_permissions(session, username, groups, uri, data=None, check_perm=None): group_invitation_permissions = [] - for p in permissions.ENVIRONMENT_INVITATION_REQUEST: + for p in core_permissions.ENVIRONMENT_INVITATION_REQUEST: group_invitation_permissions.append( PermissionRepository.find_permission_by_name( session=session, @@ -412,8 +414,8 @@ def list_group_invitation_permissions(session, username, groups, uri, data=None, return group_invitation_permissions @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGroup): group: str = data['groupUri'] IAMRoleArn: str = data['IAMRoleArn'] 
@@ -451,14 +453,14 @@ def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGr session=session, group=group, resource_uri=consumption_role.consumptionRoleUri, - permissions=permissions.CONSUMPTION_ROLE_ALL, + permissions=core_permissions.CONSUMPTION_ROLE_ALL, resource_type=ConsumptionRole.__name__, ) return consumption_role @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def remove_consumption_role(session, uri, env_uri): consumption_role = EnvironmentService.get_environment_consumption_role(session, uri, env_uri) environment = EnvironmentService.get_environment_by_uri(session, env_uri) @@ -491,8 +493,8 @@ def remove_consumption_role(session, uri, env_uri): return True @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def update_consumption_role(session, uri, env_uri, input): if not input: raise exceptions.RequiredParameter('input') @@ -508,7 +510,7 @@ def update_consumption_role(session, uri, env_uri, input): resource_type=ConsumptionRole.__name__, old_group=consumption_role.groupUri, new_group=input['groupUri'], - new_permissions=permissions.CONSUMPTION_ROLE_ALL, + new_permissions=core_permissions.CONSUMPTION_ROLE_ALL, ) for key, value in input.items(): setattr(consumption_role, key, value) 
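Review bot: `update_consumption_role` closes the last hunk on this line with `for key, value in input.items(): setattr(consumption_role, key, value)`, which copies every key of the caller-supplied `input` onto the ORM row with no allow-list, so a request body can overwrite columns the mutation never meant to expose (`consumptionRoleUri` and `IAMRoleArn` are both visible as attributes of this model earlier in the file). Restrict the loop to the intended fields, e.g. `for key in (k for k in input if k in UPDATABLE_CONSUMPTION_ROLE_FIELDS): setattr(consumption_role, key, input[key])` with the allow-list (`groupUri` plus whatever else the API intends) declared once at module level. Separately, the decorator hunk just above gates this update with `core_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE` rather than an update-specific permission; that may be deliberate, but a comment saying so would stop the next reader from filing it as a bug. The function body starts before this hunk.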
@@ -648,7 +650,7 @@ def query_user_environment_groups(session, groups, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_user_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_groups(session, get_context().groups, uri, data), @@ -669,7 +671,7 @@ def query_all_environment_groups(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_all_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_groups(session, uri, data), @@ -678,7 +680,7 @@ def paginated_all_environment_groups(session, uri, data=None) -> dict: ).to_dict() @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) def list_environment_groups(session, uri) -> [str]: return [ g.groupUri @@ -710,7 +712,7 @@ def query_environment_invited_groups(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_environment_invited_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_invited_groups(session, uri, data), 
@@ -747,7 +749,7 @@ def query_user_environment_consumption_roles(session, groups, uri, filter) -> Qu return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_user_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_consumption_roles(session, get_context().groups, uri, data), @@ -775,7 +777,7 @@ def query_all_environment_consumption_roles(session, uri, filter) -> Query: return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_all_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_consumption_roles(session, uri, data), @@ -819,7 +821,7 @@ def query_environment_networks(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.LIST_ENVIRONMENT_NETWORKS) + @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_NETWORKS) def paginated_environment_networks(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_networks(session, uri, data), 
@@ -885,7 +887,7 @@ def get_environment_by_uri(session, uri) -> Environment: return EnvironmentRepository.get_environment_by_uri(session, uri) @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(core_permissions.GET_ENVIRONMENT) def find_environment_by_uri(session, uri) -> Environment: return EnvironmentService.get_environment_by_uri(session, uri) @@ -901,12 +903,12 @@ def list_all_active_environments(session) -> [Environment]: return environments @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(core_permissions.GET_ENVIRONMENT) def get_stack(session, uri, stack_uri) -> Stack: return session.query(Stack).get(stack_uri) @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.DELETE_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_ENVIRONMENT) def delete_environment(session, uri, environment): env_groups = session.query(EnvironmentGroup).filter(EnvironmentGroup.environmentUri == uri).all() env_roles = session.query(ConsumptionRole).filter(ConsumptionRole.environmentUri == uri).all() diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py index eea8863e3..7e8b45159 100644 --- a/backend/dataall/core/organizations/services/organization_service.py +++ b/backend/dataall/core/organizations/services/organization_service.py 
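Review bot: `get_stack` (second hunk) checks `GET_ENVIRONMENT` against `uri` but then returns `session.query(Stack).get(stack_uri)`, and nothing in the visible code ties `stack_uri` to `uri`, so a caller authorized on one environment can read a stack of another by primary key unless every caller validates that relationship first. The query should be constrained to stacks owned by `uri` (the Stack column that names its environment/target is not visible in this hunk, so I am not quoting it) and return nothing, or raise, when the stack does not belong to that environment. This predates the rename, but the rename is the right moment to fix it because the permission constants are being re-homed anyway.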
@@ -6,16 +6,16 @@
 from dataall.core.organizations.services.organizations_enums import OrganisationUserRole
 from dataall.core.organizations.db.organization_models import OrganizationGroup
 from dataall.core.organizations.db import organization_models as models
-from dataall.core.permissions.constants import permissions
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
+from dataall.core.permissions.services import core_permissions
 class OrganizationService:
 """Service that serves request related to organization"""
 @staticmethod
- @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS)
+ @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS)
 def create_organization(data):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -50,7 +50,7 @@ def create_organization(data):
 ResourcePolicyService.attach_resource_policy(
 session=session,
 group=data['SamlGroupName'],
- permissions=permissions.ORGANIZATION_ALL,
+ permissions=core_permissions.ORGANIZATION_ALL,
 resource_uri=org.organizationUri,
 resource_type=models.Organization.__name__,
 )
@@ -58,7 +58,7 @@ def create_organization(data):
 return org
 @staticmethod
- @ResourcePolicyService.has_resource_permission(permissions.UPDATE_ORGANIZATION)
+ @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ORGANIZATION)
 def update_organization(uri, data):
 context = get_context()
 with context.db_engine.scoped_session() as session:
@@ -79,14 +79,14 @@ def update_organization(uri, data): ResourcePolicyService.attach_resource_policy( session=session, group=organization.SamlGroupName, - permissions=permissions.ORGANIZATION_ALL, + permissions=core_permissions.ORGANIZATION_ALL, resource_uri=organization.organizationUri, resource_type=models.Organization.__name__, ) return organization @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) def get_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -102,7 +102,7 @@ def list_organizations(filter): ) @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) def list_organization_environments(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -138,8 +138,8 @@ def resolve_user_role(organization): return OrganisationUserRole.NoPermission.value @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(permissions.DELETE_ORGANIZATION) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_ORGANIZATION) def archive_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: 
@@ -161,8 +161,8 @@ def archive_organization(uri): return True @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(permissions.INVITE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(core_permissions.INVITE_ORGANIZATION_GROUP) def invite_group(uri, data): context = get_context() with context.db_engine.scoped_session() as session: @@ -186,15 +186,15 @@ def invite_group(uri, data): session=session, group=group, resource_uri=organization.organizationUri, - permissions=permissions.ORGANIZATION_INVITED, + permissions=core_permissions.ORGANIZATION_INVITED, resource_type=models.Organization.__name__, ) return organization @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(permissions.REMOVE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ORGANIZATION_GROUP) def remove_group(uri, group): context = get_context() with context.db_engine.scoped_session() as session: @@ -229,7 +229,7 @@ def remove_group(uri, group): return organization @staticmethod - @ResourcePolicyService.has_resource_permission(permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) def list_organization_groups(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: diff --git a/backend/dataall/core/permissions/constants/__init__.py b/backend/dataall/core/permissions/constants/__init__.py deleted file mode 100644 index e69de29bb..000000000 
diff --git a/backend/dataall/core/permissions/constants/permissions.py b/backend/dataall/core/permissions/services/core_permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/constants/permissions.py
rename to backend/dataall/core/permissions/services/core_permissions.py
diff --git a/backend/dataall/core/permissions/services/permission_service.py b/backend/dataall/core/permissions/services/permission_service.py
index 80885c325..5d4ae1d41 100644
--- a/backend/dataall/core/permissions/services/permission_service.py
+++ b/backend/dataall/core/permissions/services/permission_service.py
@@ -2,7 +2,7 @@
 from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.base.db import exceptions
 from dataall.core.permissions.db.permission.permission_models import Permission
-from dataall.core.permissions.constants.permissions import RESOURCES_ALL_WITH_DESC, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.core_permissions import RESOURCES_ALL_WITH_DESC, TENANT_ALL_WITH_DESC
 import logging
diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py
index 62a1addee..795a2f30b 100644
--- a/backend/dataall/core/permissions/services/tenant_policy_service.py
+++ b/backend/dataall/core/permissions/services/tenant_policy_service.py
@@ -1,5 +1,5 @@
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
-from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.core_permissions import TENANT_ALL
 from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.core.permissions.api.enums import PermissionType
 from dataall.base.db import exceptions
diff --git a/backend/dataall/core/stacks/db/target_type_repositories.py b/backend/dataall/core/stacks/db/target_type_repositories.py
index 0c05b1e0a..fedd0d38e 100644
--- a/backend/dataall/core/stacks/db/target_type_repositories.py
+++ b/backend/dataall/core/stacks/db/target_type_repositories.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.db import exceptions
-from dataall.core.permissions.constants import permissions
+from dataall.core.permissions.services.core_permissions import GET_ENVIRONMENT, UPDATE_ENVIRONMENT
 logger = logging.getLogger(__name__)
@@ -38,4 +38,4 @@ def is_supported_target_type(target_type):
 )
-TargetType('environment', permissions.GET_ENVIRONMENT, permissions.UPDATE_ENVIRONMENT)
+TargetType('environment', GET_ENVIRONMENT, UPDATE_ENVIRONMENT)
diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py
index d28476617..70c737f2e 100644
--- a/backend/dataall/core/vpc/services/vpc_service.py
+++ b/backend/dataall/core/vpc/services/vpc_service.py
@@ -1,6 +1,5 @@
 from dataall.base.context import get_context
 from dataall.base.db import exceptions
-from dataall.core.permissions.constants import permissions
 from dataall.core.environment.env_permission_checker import has_group_permission
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.activity.db.activity_models import Activity
@@ -8,6 +7,7 @@
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.vpc.db.vpc_repositories import VpcRepository
 from dataall.core.vpc.db.vpc_models import Vpc
+from dataall.core.permissions.services import core_permissions
 def _session():
@@ -16,9 +16,9 @@ def _session(): class VpcService: @staticmethod - @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(permissions.CREATE_NETWORK) - @has_group_permission(permissions.CREATE_NETWORK) + @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(core_permissions.CREATE_NETWORK) + @has_group_permission(core_permissions.CREATE_NETWORK) def create_network(uri: str, admin_group: str, data: dict): with _session() as session: username = get_context().username @@ -26,7 +26,7 @@ def create_network(uri: str, admin_group: str, data: dict): if vpc: raise exceptions.ResourceAlreadyExists( - action=permissions.CREATE_NETWORK, + action=core_permissions.CREATE_NETWORK, message=f'Vpc {data["vpcId"]} is already associated to environment {uri}', ) @@ -59,7 +59,7 @@ def create_network(uri: str, admin_group: str, data: dict): ResourcePolicyService.attach_resource_policy( session=session, group=vpc.SamlGroupName, - permissions=permissions.NETWORK_ALL, + permissions=core_permissions.NETWORK_ALL, resource_uri=vpc.vpcUri, resource_type=Vpc.__name__, ) @@ -68,7 +68,7 @@ def create_network(uri: str, admin_group: str, data: dict): ResourcePolicyService.attach_resource_policy( session=session, group=environment.SamlGroupName, - permissions=permissions.NETWORK_ALL, + permissions=core_permissions.NETWORK_ALL, resource_uri=vpc.vpcUri, resource_type=Vpc.__name__, ) 
@@ -76,8 +76,8 @@ def create_network(uri: str, admin_group: str, data: dict):
 return vpc
 @staticmethod
- @TenantPolicyService.has_tenant_permission(permissions.MANAGE_ENVIRONMENTS)
- @ResourcePolicyService.has_resource_permission(permissions.DELETE_NETWORK)
+ @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS)
+ @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_NETWORK)
 def delete_network(uri):
 with _session() as session:
 vpc = VpcRepository.get_vpc_by_uri(session=session, vpc_uri=uri)
diff --git a/backend/dataall/modules/catalog/services/glossaries_permissions.py b/backend/dataall/modules/catalog/services/glossaries_permissions.py
index acbfeae4a..4d0396145 100644
--- a/backend/dataall/modules/catalog/services/glossaries_permissions.py
+++ b/backend/dataall/modules/catalog/services/glossaries_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/dataall/modules/dashboards/services/dashboard_permissions.py b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
index 13c8be70c..eeb21191f 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_permissions.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index d18d24e60..dc34b72ba 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -6,7 +6,7 @@
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
-from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.core_permissions import TENANT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dashboards import DashboardRepository, Dashboard
 from dataall.modules.dashboards.aws.dashboard_quicksight_client import DashboardQuicksightClient
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
index 6be74d9ea..b24f46bb1 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index da38bb99b..48219cde5 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -6,7 +6,7 @@
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.constants.permissions import GET_ENVIRONMENT
+from dataall.core.permissions.services.core_permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.aws.quicksight import QuicksightClient
diff --git a/backend/dataall/modules/dataset_sharing/services/share_permissions.py b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
index 5321a9c8e..8d814feb3 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_permissions.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
@@ -2,7 +2,7 @@
 SHARE OBJECT
 """
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_INVITED_DEFAULT,
diff --git a/backend/dataall/modules/datasets/services/dataset_permissions.py b/backend/dataall/modules/datasets/services/dataset_permissions.py
index 136b8ebd3..b71340b64 100644
--- a/backend/dataall/modules/datasets/services/dataset_permissions.py
+++ b/backend/dataall/modules/datasets/services/dataset_permissions.py
@@ -1,6 +1,6 @@
 from itertools import chain
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
index 9b1ffd5c6..406d5ab5a 100644
--- a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
+++ b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
@@ -17,7 +17,7 @@
 """
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 ENVIRONMENT_ALL,
 ENVIRONMENT_INVITED,
 RESOURCES_ALL_WITH_DESC,
diff --git a/backend/dataall/modules/notebooks/services/notebook_permissions.py b/backend/dataall/modules/notebooks/services/notebook_permissions.py
index 4fa442459..efc7a688b 100644
--- a/backend/dataall/modules/notebooks/services/notebook_permissions.py
+++ b/backend/dataall/modules/notebooks/services/notebook_permissions.py
@@ -3,7 +3,7 @@
 Contains permissions for sagemaker notebooks
 """
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 ENVIRONMENT_ALL,
 ENVIRONMENT_INVITED,
 RESOURCES_ALL_WITH_DESC,
diff --git a/backend/dataall/modules/worksheets/services/worksheet_permissions.py b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
index 2620f7db1..7c7801c8a 100644
--- a/backend/dataall/modules/worksheets/services/worksheet_permissions.py
+++ b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
@@ -1,4 +1,4 @@
-from dataall.core.permissions.constants.permissions import (
+from dataall.core.permissions.services.core_permissions import (
 TENANT_ALL,
 TENANT_ALL_WITH_DESC,
 RESOURCES_ALL,
diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py
index 6b5713e11..b10c68ee7 100644
--- a/backend/local_graphql_server.py
+++ b/backend/local_graphql_server.py
@@ -8,7 +8,7 @@
 from dataall.base.api import get_executable_schema
 from dataall.core.tasks.service_handlers import Worker
-from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.core_permissions import TENANT_ALL
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.base.db import get_engine, Base
diff --git a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
index e2efc9a27..a7573b135 100644
--- a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
+++ b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
@@ -14,14 +14,13 @@
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.base.db import utils
-from dataall.core.permissions.constants import permissions
 from datetime import datetime
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareObjectStatus
+from dataall.core.permissions.services.core_permissions import CONSUMPTION_ENVIRONMENT_ROLE_ALL
 # revision identifiers, used by Alembic.
 revision = '04d92886fabe'
@@ -132,7 +131,7 @@ def upgrade():
 session=session,
 resource_uri=env.environmentUri,
 group=group.groupUri,
- permissions=permissions.CONSUMPTION_ENVIRONMENT_ROLE_ALL,
+ permissions=CONSUMPTION_ENVIRONMENT_ROLE_ALL,
 resource_type=Environment.__name__,
 )
 print('Consumer Role Permissions created successfully')
diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py
index 9a38a0e65..f7e9ba0c6 100644
--- a/backend/migrations/versions/e177eb044b31_init_tenant.py
+++ b/backend/migrations/versions/e177eb044b31_init_tenant.py
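Review bot: The migration now imports `CONSUMPTION_ENVIRONMENT_ROLE_ALL` straight from application code (first hunk), so the set of permissions `upgrade()` attaches to each group is whatever that constant contains at the time the migration runs, not what it contained when the migration was written; replaying the chain on a fresh database can therefore grant a different, possibly broader, set than the original deployment did. The safer pattern for a historical migration is to freeze the list as a literal inside the migration file, with a comment recording that it is a snapshot of the constant at that revision, and leave the live constant to the service layer. The same concern applies to `TENANT_ALL` in the init_tenant migration whose header closes this span. `upgrade()` itself starts outside the hunk, so I cannot see whether anything else depends on the live constant.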
@@ -12,7 +12,7 @@
 from sqlalchemy import orm
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.core_permissions import TENANT_ALL
 revision = 'e177eb044b31'
 down_revision = '033c3d6c1849'
diff --git a/tests/conftest.py b/tests/conftest.py
index 310077947..9aa8a9d61 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -10,7 +10,7 @@
 from dataall.core.groups.db.group_models import Group
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.constants.permissions import TENANT_ALL
+from dataall.core.permissions.services.core_permissions import TENANT_ALL
 from tests.client import create_app, ClientWrapper
 load_modules(modes=ImportMode.all())
diff --git a/tests/core/environments/test_environment.py b/tests/core/environments/test_environment.py
index f3bf1e144..c6287ff92 100644
--- a/tests/core/environments/test_environment.py
+++ b/tests/core/environments/test_environment.py
@@ -1,7 +1,7 @@
 from dataall.core.environment.api.enums import EnvironmentPermission
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.constants.permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE
+from dataall.core.permissions.services.core_permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py
index 45cb29061..16b1a7c24 100644
--- a/tests/core/permissions/test_permission.py
+++ b/tests/core/permissions/test_permission.py
@@ -1,11 +1,14 @@
 import pytest
-from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.core.permissions.db.permission.permission_models import PermissionType
 from dataall.core.permissions.services.permission_service import PermissionService
-from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.base.db import exceptions
-from dataall.core.permissions.constants.permissions import MANAGE_GROUPS, ENVIRONMENT_ALL, ORGANIZATION_ALL, TENANT_ALL
+from dataall.core.permissions.services.core_permissions import (
+ MANAGE_GROUPS,
+ ENVIRONMENT_ALL,
+ ORGANIZATION_ALL,
+ TENANT_ALL,
+)
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
diff --git a/tests/core/permissions/test_tenant.py b/tests/core/permissions/test_tenant.py
index fd5dc8b21..2ae709c1c 100644
--- a/tests/core/permissions/test_tenant.py
+++ b/tests/core/permissions/test_tenant.py
@@ -1,5 +1,5 @@
-from dataall.core.permissions.constants import permissions
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
+from dataall.core.permissions.services.core_permissions import MANAGE_GROUPS, MANAGE_ORGANIZATIONS
 def test_list_tenant_permissions(client, user, group, tenant):
@@ -60,7 +60,7 @@ def test_update_permissions(client, user, group, tenant):
 username='alice',
 input=dict(
 groupUri=group.name,
- permissions=[permissions.MANAGE_ORGANIZATIONS, permissions.MANAGE_GROUPS],
+ permissions=[MANAGE_ORGANIZATIONS, MANAGE_GROUPS],
 ),
 groups=[group.name, TenantPolicyRepository.ADMIN_GROUP],
 )
@@ -92,7 +92,7 @@ def test_update_permissions(client, user, group, tenant):
 username='alice',
 input=dict(
 groupUri=group.name,
- permissions=[permissions.MANAGE_ORGANIZATIONS, permissions.MANAGE_GROUPS],
+ permissions=[MANAGE_ORGANIZATIONS, MANAGE_GROUPS],
 ),
 groups=[group.name, TenantPolicyRepository.ADMIN_GROUP],
 )
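Review bot: test_permission.py (first hunk) keeps `from dataall.core.permissions.db.permission.permission_models import PermissionType`, while the same series has `tenant_policy_service.py` import `PermissionType` from `dataall.core.permissions.api.enums` and the commit subject says the enums were moved to api. If `permission_models` no longer defines or re-exports `PermissionType`, this test module fails at import time rather than in any assertion, which is easy to misread as an environment problem. Aligning it with the service code, `from dataall.core.permissions.api.enums import PermissionType`, removes the ambiguity; whether the old path still works is not visible from this diff, so please confirm before or instead of changing it.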
diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py
index bc725d294..f2ae392bd 100644
--- a/tests/modules/conftest.py
+++ b/tests/modules/conftest.py
@@ -4,7 +4,7 @@
 from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup, EnvironmentParameter
 from dataall.core.organizations.db.organization_models import Organization
-from dataall.core.permissions.constants.permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.services.core_permissions import ENVIRONMENT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.core.stacks.db.stack_models import KeyValueTag
From 282bb0ceff5d216b5dab49b7c271fd0f84b39bcf Mon Sep 17 00:00:00 2001
From: Sofia Sazonova
Date: Wed, 3 Apr 2024 13:37:07 +0100
Subject: [PATCH 09/11] get explicit import back
---
 backend/dataall/core/permissions/__init__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/dataall/core/permissions/__init__.py b/backend/dataall/core/permissions/__init__.py
index e69de29bb..9e9b57c06 100644
--- a/backend/dataall/core/permissions/__init__.py
+++ b/backend/dataall/core/permissions/__init__.py
@@ -0,0 +1 @@
+from dataall.core.permissions import api
From 0b84dbc0b0e7e058b6cc915da2edf3ce9989dedc Mon Sep 17 00:00:00 2001
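Review bot: The single line `from dataall.core.permissions import api` restored to `permissions/__init__.py` in PATCH 09 binds a name that the module never uses, so linters and import-cleaning tools will flag it as unused and the next cleanup is likely to remove it again, which is presumably what happened the first time. Since the import is kept for the effect of loading the `api` subpackage when `dataall.core.permissions` is imported, record that intent on the line itself, e.g. `from dataall.core.permissions import api  # noqa: F401 -- imported for its side effect of loading the permissions API package`. The subject line "get explicit import back" is the only clue to that purpose in the series.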
From: Sofia Sazonova Date: Thu, 4 Apr 2024 10:25:53 +0100 Subject: [PATCH 10/11] separate core_permissions.py into several files by theme --- backend/api_handler.py | 2 +- .../dataall/core/environment/api/resolvers.py | 29 ++++--- .../services/environment_service.py | 77 ++++++++++--------- .../services/organization_service.py | 39 ++++++---- .../core/permissions/services/__init__.py | 0 .../services/permission_service.py | 3 +- .../permissions_constants/__init__.py | 0 .../environment_permissions.py} | 64 +-------------- .../network_permissions.py | 9 +++ .../organization_permissions.py | 21 +++++ .../resources_permissions.py | 19 +++++ .../tenant_permissions.py | 24 ++++++ .../services/tenant_policy_service.py | 2 +- .../stacks/db/target_type_repositories.py | 5 +- .../dataall/core/vpc/services/vpc_service.py | 20 ++--- .../services/glossaries_permissions.py | 5 +- .../services/dashboard_permissions.py | 11 +-- .../services/dashboard_quicksight_service.py | 2 +- .../services/datapipelines_permissions.py | 12 +-- .../services/share_object_service.py | 2 +- .../services/share_permissions.py | 5 +- .../datasets/services/dataset_permissions.py | 14 ++-- .../mlstudio/services/mlstudio_permissions.py | 11 +-- .../services/notebook_permissions.py | 13 ++-- .../services/worksheet_permissions.py | 8 +- backend/local_graphql_server.py | 2 +- .../04d92886fabe_add_consumption_roles.py | 4 +- .../versions/e177eb044b31_init_tenant.py | 2 +- tests/conftest.py | 2 +- tests/core/environments/test_environment.py | 4 +- tests/core/permissions/test_permission.py | 9 +-- tests/core/permissions/test_tenant.py | 5 +- tests/modules/conftest.py | 2 +- 33 files changed, 237 insertions(+), 190 deletions(-) create mode 100644 backend/dataall/core/permissions/services/__init__.py create mode 100644 backend/dataall/core/permissions/services/permissions_constants/__init__.py rename backend/dataall/core/permissions/services/{core_permissions.py => 
permissions_constants/environment_permissions.py} (53%) create mode 100644 backend/dataall/core/permissions/services/permissions_constants/network_permissions.py create mode 100644 backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py create mode 100644 backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py create mode 100644 backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py diff --git a/backend/api_handler.py b/backend/api_handler.py index 91ec463f9..8d801dbaf 100644 --- a/backend/api_handler.py +++ b/backend/api_handler.py @@ -18,7 +18,7 @@ from dataall.base.context import set_context, dispose_context, RequestContext from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.base.db import get_engine -from dataall.core.permissions.services.core_permissions import TENANT_ALL +from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL from dataall.base.loader import load_modules, ImportMode logger = logging.getLogger() diff --git a/backend/dataall/core/environment/api/resolvers.py b/backend/dataall/core/environment/api/resolvers.py index 131d27afb..717375259 100644 --- a/backend/dataall/core/environment/api/resolvers.py +++ b/backend/dataall/core/environment/api/resolvers.py @@ -28,7 +28,14 @@ NamingConventionPattern, ) from dataall.core.organizations.api.resolvers import Context, exceptions, get_organization -from dataall.core.permissions.services import core_permissions +from dataall.core.permissions.services.permissions_constants.environment_permissions import ( + CREDENTIALS_ENVIRONMENT, + ENABLE_ENVIRONMENT_SUBSCRIPTIONS, +) +from dataall.core.permissions.services.permissions_constants.organization_permissions import ( + GET_ORGANIZATION, + LINK_ENVIRONMENT, +) log = logging.getLogger() 
@@ -92,7 +99,7 @@ def check_environment(context: Context, source, account_id, region, data): def create_environment(context: Context, source, input={}): if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups: raise exceptions.UnauthorizedOperation( - action=core_permissions.LINK_ENVIRONMENT, + action=LINK_ENVIRONMENT, message=f'User: {context.username} is not a member of the group {input["SamlGroupName"]}', ) @@ -122,7 +129,7 @@ def create_environment(context: Context, source, input={}): def update_environment(context: Context, source, environmentUri: str = None, input: dict = None): if input.get('SamlGroupName') and input.get('SamlGroupName') not in context.groups: raise exceptions.UnauthorizedOperation( - action=core_permissions.LINK_ENVIRONMENT, + action=LINK_ENVIRONMENT, message=f'User: {context.username} is not part of the group {input["SamlGroupName"]}', ) @@ -447,7 +454,7 @@ def get_environment_assume_role_url( username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=core_permissions.CREDENTIALS_ENVIRONMENT, + permission_name=CREDENTIALS_ENVIRONMENT, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) url = SessionHelper.get_console_access_url( @@ -471,7 +478,7 @@ def generate_environment_access_token(context, source, environmentUri: str = Non username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=core_permissions.CREDENTIALS_ENVIRONMENT, + permission_name=CREDENTIALS_ENVIRONMENT, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) c = _get_environment_group_aws_session( 
@@ -519,7 +526,7 @@ def enable_subscriptions(context: Context, source, environmentUri: str = None, i username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=core_permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, + permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) if input.get('producersTopicArn'): @@ -554,7 +561,7 @@ def disable_subscriptions(context: Context, source, environmentUri: str = None): username=context.username, groups=context.groups, resource_uri=environmentUri, - permission_name=core_permissions.ENABLE_ENVIRONMENT_SUBSCRIPTIONS, + permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS, ) environment = EnvironmentService.get_environment_by_uri(session, environmentUri) @@ -577,7 +584,7 @@ def get_pivot_role_template(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=core_permissions.GET_ORGANIZATION, + permission_name=GET_ORGANIZATION, ) pivot_role_bucket = Parameter().get_parameter( env=os.getenv('envname', 'local'), path='s3/resources_bucket_name' @@ -617,7 +624,7 @@ def get_cdk_exec_policy_template(context: Context, source, organizationUri=None) username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=core_permissions.GET_ORGANIZATION, + permission_name=GET_ORGANIZATION, ) cdk_exec_policy_bucket = Parameter().get_parameter( env=os.getenv('envname', 'local'), path='s3/resources_bucket_name' @@ -657,7 +664,7 @@ def get_external_id(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=core_permissions.GET_ORGANIZATION, + permission_name=GET_ORGANIZATION, ) external_id = SessionHelper.get_external_id_secret() if not external_id: 
@@ -675,7 +682,7 @@ def get_pivot_role_name(context: Context, source, organizationUri=None): username=context.username, groups=context.groups, resource_uri=organizationUri, - permission_name=core_permissions.GET_ORGANIZATION, + permission_name=GET_ORGANIZATION, ) pivot_role_name = SessionHelper.get_delegation_role_name() if not pivot_role_name: diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py index 9d80af2b6..e7f1bcf02 100644 --- a/backend/dataall/core/environment/services/environment_service.py +++ b/backend/dataall/core/environment/services/environment_service.py @@ -32,16 +32,17 @@ from dataall.core.stacks.db.enums import StackStatus from dataall.core.environment.services.managed_iam_policies import PolicyManager -from dataall.core.permissions.services import core_permissions - +from dataall.core.permissions.services.permissions_constants.organization_permissions import LINK_ENVIRONMENT +from dataall.core.permissions.services.permissions_constants import environment_permissions +from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ENVIRONMENTS log = logging.getLogger(__name__) class EnvironmentService: @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.LINK_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT) def create_environment(session, uri, data=None): context = get_context() EnvironmentService._validate_creation_params(data, uri, session) 
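Review bot: The new import block in environment_service.py mixes two styles: `LINK_ENVIRONMENT` and `MANAGE_ENVIRONMENTS` are imported as bare names while the environment constants are reached through the module (`environment_permissions.UPDATE_ENVIRONMENT`, `environment_permissions.ENVIRONMENT_ALL`, and so on throughout the file). Picking one form would make the decorators read uniformly; the module-qualified form has the advantage of showing which theme a permission belongs to at the use site, so `from ...permissions_constants import environment_permissions, organization_permissions, tenant_permissions` and `organization_permissions.LINK_ENVIRONMENT` / `tenant_permissions.MANAGE_ENVIRONMENTS` would be the consistent choice. The same mixed style appears in the later hunks of this file and is resolved by the same change.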
@@ -112,7 +113,7 @@ def create_environment(session, uri, data=None): session=session, resource_uri=env.environmentUri, group=data['SamlGroupName'], - permissions=core_permissions.ENVIRONMENT_ALL, + permissions=environment_permissions.ENVIRONMENT_ALL, resource_type=Environment.__name__, ) session.commit() @@ -167,8 +168,8 @@ def _validate_account_region(data, session): ) @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ENVIRONMENT) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.UPDATE_ENVIRONMENT) def update_environment(session, uri, data=None): EnvironmentService._validate_resource_prefix(data) environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -187,7 +188,7 @@ def update_environment(session, uri, data=None): session=session, resource_uri=environment.environmentUri, group=environment.SamlGroupName, - permissions=core_permissions.ENVIRONMENT_ALL, + permissions=environment_permissions.ENVIRONMENT_ALL, resource_type=Environment.__name__, ) return environment @@ -204,8 +205,8 @@ def _update_env_parameters(session, env: Environment, data): EnvironmentParameterRepository(session).update_params(env_uri, new_params) @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.INVITE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.INVITE_ENVIRONMENT_GROUP) def invite_group(session, uri, data=None) -> (Environment, EnvironmentGroup): EnvironmentService.validate_invite_params(data) 
@@ -278,13 +279,13 @@ def validate_permissions(session, uri, g_permissions, group): g_permissions: coming from frontend = ENVIRONMENT_INVITATION_REQUEST """ - if core_permissions.INVITE_ENVIRONMENT_GROUP in g_permissions: - g_permissions.append(core_permissions.REMOVE_ENVIRONMENT_GROUP) + if environment_permissions.INVITE_ENVIRONMENT_GROUP in g_permissions: + g_permissions.append(environment_permissions.REMOVE_ENVIRONMENT_GROUP) - g_permissions.extend(core_permissions.ENVIRONMENT_INVITED_DEFAULT) + g_permissions.extend(environment_permissions.ENVIRONMENT_INVITED_DEFAULT) g_permissions = list(set(g_permissions)) - if g_permissions not in core_permissions.ENVIRONMENT_INVITED: + if g_permissions not in environment_permissions.ENVIRONMENT_INVITED: exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri) env_group_permissions = [] @@ -298,8 +299,8 @@ def validate_permissions(session, uri, g_permissions, group): ) @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.REMOVE_ENVIRONMENT_GROUP) def remove_group(session, uri, group): environment = EnvironmentService.get_environment_by_uri(session, uri) @@ -350,8 +351,8 @@ def remove_group(session, uri, group): return environment @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ENVIRONMENT_GROUP) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.UPDATE_ENVIRONMENT_GROUP) def update_group_permissions(session, uri, data=None): EnvironmentService.validate_invite_params(data) 
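Review bot: In `validate_permissions` the rejection branch under the changed condition constructs `exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri)` but never raises it, so a requested permission set outside `environment_permissions.ENVIRONMENT_INVITED` is not actually refused and the code falls through to building `env_group_permissions`. If `ENVIRONMENT_INVITED` is a flat list of permission names (it is imported alongside `ENVIRONMENT_INVITATION_REQUEST` elsewhere in this commit, which suggests so), the test `g_permissions not in ...` also compares a list against strings and would be true for every request, so simply adding `raise` would deny all invitations; the check should be a subset test: `if not set(g_permissions).issubset(environment_permissions.ENVIRONMENT_INVITED):` followed by `raise exceptions.PermissionUnauthorized(action='INVITE_TEAM', group_name=group, resource_uri=uri)`. This is pre-existing behaviour on a context line, but the commit touches the condition and it is an authorization check that currently enforces nothing. `validate_permissions` starts and ends outside this hunk.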
@@ -384,7 +385,7 @@ def update_group_permissions(session, uri, data=None): return environment @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS) def list_group_permissions(session, uri, group_uri): # the permission checked return EnvironmentService.list_group_permissions_internal(session, uri, group_uri) @@ -403,7 +404,7 @@ def list_group_permissions_internal(session, uri, group_uri): @staticmethod def list_group_invitation_permissions(session, username, groups, uri, data=None, check_perm=None): group_invitation_permissions = [] - for p in core_permissions.ENVIRONMENT_INVITATION_REQUEST: + for p in environment_permissions.ENVIRONMENT_INVITATION_REQUEST: group_invitation_permissions.append( PermissionRepository.find_permission_by_name( session=session, @@ -414,8 +415,8 @@ def list_group_invitation_permissions(session, username, groups, uri, data=None, return group_invitation_permissions @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.ADD_ENVIRONMENT_CONSUMPTION_ROLES) def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGroup): group: str = data['groupUri'] IAMRoleArn: str = data['IAMRoleArn'] 
@@ -453,14 +454,14 @@ def add_consumption_role(session, uri, data=None) -> (Environment, EnvironmentGr session=session, group=group, resource_uri=consumption_role.consumptionRoleUri, - permissions=core_permissions.CONSUMPTION_ROLE_ALL, + permissions=environment_permissions.CONSUMPTION_ROLE_ALL, resource_type=ConsumptionRole.__name__, ) return consumption_role @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def remove_consumption_role(session, uri, env_uri): consumption_role = EnvironmentService.get_environment_consumption_role(session, uri, env_uri) environment = EnvironmentService.get_environment_by_uri(session, env_uri) @@ -493,8 +494,8 @@ def remove_consumption_role(session, uri, env_uri): return True @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(environment_permissions.REMOVE_ENVIRONMENT_CONSUMPTION_ROLE) def update_consumption_role(session, uri, env_uri, input): if not input: raise exceptions.RequiredParameter('input') @@ -510,7 +511,7 @@ def update_consumption_role(session, uri, env_uri, input): resource_type=ConsumptionRole.__name__, old_group=consumption_role.groupUri, new_group=input['groupUri'], - new_permissions=core_permissions.CONSUMPTION_ROLE_ALL, + new_permissions=environment_permissions.CONSUMPTION_ROLE_ALL, ) for key, value in input.items(): setattr(consumption_role, key, value) 
@@ -650,7 +651,7 @@ def query_user_environment_groups(session, groups, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_user_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_groups(session, get_context().groups, uri, data), @@ -671,7 +672,7 @@ def query_all_environment_groups(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_all_environment_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_groups(session, uri, data), @@ -680,7 +681,7 @@ def paginated_all_environment_groups(session, uri, data=None) -> dict: ).to_dict() @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUPS) def list_environment_groups(session, uri) -> [str]: return [ g.groupUri @@ -712,7 +713,7 @@ def query_environment_invited_groups(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_GROUPS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUPS) def paginated_environment_invited_groups(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_invited_groups(session, uri, data), 
@@ -749,7 +750,7 @@ def query_user_environment_consumption_roles(session, groups, uri, filter) -> Qu return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_user_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_user_environment_consumption_roles(session, get_context().groups, uri, data), @@ -777,7 +778,7 @@ def query_all_environment_consumption_roles(session, uri, filter) -> Query: return query.order_by(ConsumptionRole.consumptionRoleUri) @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_CONSUMPTION_ROLES) def paginated_all_environment_consumption_roles(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_all_environment_consumption_roles(session, uri, data), @@ -821,7 +822,7 @@ def query_environment_networks(session, uri, filter) -> Query: return query @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.LIST_ENVIRONMENT_NETWORKS) + @ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_NETWORKS) def paginated_environment_networks(session, uri, data=None) -> dict: return paginate( query=EnvironmentService.query_environment_networks(session, uri, data), 
@@ -887,7 +888,7 @@ def get_environment_by_uri(session, uri) -> Environment: return EnvironmentRepository.get_environment_by_uri(session, uri) @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(environment_permissions.GET_ENVIRONMENT) def find_environment_by_uri(session, uri) -> Environment: return EnvironmentService.get_environment_by_uri(session, uri) @@ -903,12 +904,12 @@ def list_all_active_environments(session) -> [Environment]: return environments @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.GET_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(environment_permissions.GET_ENVIRONMENT) def get_stack(session, uri, stack_uri) -> Stack: return session.query(Stack).get(stack_uri) @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_ENVIRONMENT) + @ResourcePolicyService.has_resource_permission(environment_permissions.DELETE_ENVIRONMENT) def delete_environment(session, uri, environment): env_groups = session.query(EnvironmentGroup).filter(EnvironmentGroup.environmentUri == uri).all() env_roles = session.query(ConsumptionRole).filter(ConsumptionRole.environmentUri == uri).all() diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py index 7e8b45159..15790283f 100644 --- a/backend/dataall/core/organizations/services/organization_service.py +++ b/backend/dataall/core/organizations/services/organization_service.py 
@@ -8,14 +8,23 @@ from dataall.core.organizations.db import organization_models as models from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService -from dataall.core.permissions.services import core_permissions +from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ORGANIZATIONS +from dataall.core.permissions.services.permissions_constants.organization_permissions import ( + ORGANIZATION_ALL, + ORGANIZATION_INVITED, + UPDATE_ORGANIZATION, + GET_ORGANIZATION, + INVITE_ORGANIZATION_GROUP, + REMOVE_ORGANIZATION_GROUP, + DELETE_ORGANIZATION, +) class OrganizationService: """Service that serves request related to organization""" @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) + @TenantPolicyService.has_tenant_permission(MANAGE_ORGANIZATIONS) def create_organization(data): context = get_context() with context.db_engine.scoped_session() as session: @@ -50,7 +59,7 @@ def create_organization(data): ResourcePolicyService.attach_resource_policy( session=session, group=data['SamlGroupName'], - permissions=core_permissions.ORGANIZATION_ALL, + permissions=ORGANIZATION_ALL, resource_uri=org.organizationUri, resource_type=models.Organization.__name__, ) @@ -58,7 +67,7 @@ def create_organization(data): return org @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.UPDATE_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(UPDATE_ORGANIZATION) def update_organization(uri, data): context = get_context() with context.db_engine.scoped_session() as session: 
@@ -79,14 +88,14 @@ def update_organization(uri, data): ResourcePolicyService.attach_resource_policy( session=session, group=organization.SamlGroupName, - permissions=core_permissions.ORGANIZATION_ALL, + permissions=ORGANIZATION_ALL, resource_uri=organization.organizationUri, resource_type=models.Organization.__name__, ) return organization @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(GET_ORGANIZATION) def get_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -102,7 +111,7 @@ def list_organizations(filter): ) @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(GET_ORGANIZATION) def list_organization_environments(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -138,8 +147,8 @@ def resolve_user_role(organization): return OrganisationUserRole.NoPermission.value @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_ORGANIZATION) + @TenantPolicyService.has_tenant_permission(MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(DELETE_ORGANIZATION) def archive_organization(uri): context = get_context() with context.db_engine.scoped_session() as session: @@ -161,8 +170,8 @@ def archive_organization(uri): return True @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(core_permissions.INVITE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(INVITE_ORGANIZATION_GROUP) def invite_group(uri, data): context = get_context() with context.db_engine.scoped_session() as session: 
@@ -186,15 +195,15 @@ def invite_group(uri, data): session=session, group=group, resource_uri=organization.organizationUri, - permissions=core_permissions.ORGANIZATION_INVITED, + permissions=ORGANIZATION_INVITED, resource_type=models.Organization.__name__, ) return organization @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ORGANIZATIONS) - @ResourcePolicyService.has_resource_permission(core_permissions.REMOVE_ORGANIZATION_GROUP) + @TenantPolicyService.has_tenant_permission(MANAGE_ORGANIZATIONS) + @ResourcePolicyService.has_resource_permission(REMOVE_ORGANIZATION_GROUP) def remove_group(uri, group): context = get_context() with context.db_engine.scoped_session() as session: @@ -229,7 +238,7 @@ def remove_group(uri, group): return organization @staticmethod - @ResourcePolicyService.has_resource_permission(core_permissions.GET_ORGANIZATION) + @ResourcePolicyService.has_resource_permission(GET_ORGANIZATION) def list_organization_groups(filter, uri): context = get_context() with context.db_engine.scoped_session() as session: diff --git a/backend/dataall/core/permissions/services/__init__.py b/backend/dataall/core/permissions/services/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/backend/dataall/core/permissions/services/permission_service.py b/backend/dataall/core/permissions/services/permission_service.py index 5d4ae1d41..787b5b5b7 100644 --- a/backend/dataall/core/permissions/services/permission_service.py +++ b/backend/dataall/core/permissions/services/permission_service.py 
@@ -2,7 +2,8 @@ from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.base.db import exceptions from dataall.core.permissions.db.permission.permission_models import Permission -from dataall.core.permissions.services.core_permissions import RESOURCES_ALL_WITH_DESC, TENANT_ALL_WITH_DESC +from dataall.core.permissions.services.permissions_constants.resources_permissions import RESOURCES_ALL_WITH_DESC +from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL_WITH_DESC import logging diff --git a/backend/dataall/core/permissions/services/permissions_constants/__init__.py b/backend/dataall/core/permissions/services/permissions_constants/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/backend/dataall/core/permissions/services/core_permissions.py b/backend/dataall/core/permissions/services/permissions_constants/environment_permissions.py similarity index 53% rename from backend/dataall/core/permissions/services/core_permissions.py rename to backend/dataall/core/permissions/services/permissions_constants/environment_permissions.py index 3dec891c6..81ca0201b 100644 --- a/backend/dataall/core/permissions/services/core_permissions.py +++ b/backend/dataall/core/permissions/services/permissions_constants/environment_permissions.py 
@@ -1,36 +1,7 @@ -""" -ORGANIZATION PERMISSIONS -""" - -CREATE_ORGANIZATION = 'CREATE_ORGANIZATION' -UPDATE_ORGANIZATION = 'UPDATE_ORGANIZATION' -DELETE_ORGANIZATION = 'DELETE_ORGANIZATION' -GET_ORGANIZATION = 'GET_ORGANIZATION' -LINK_ENVIRONMENT = 'LINK_ENVIRONMENT' -INVITE_ORGANIZATION_GROUP = 'INVITE_ORGANIZATION_GROUP' -REMOVE_ORGANIZATION_GROUP = 'REMOVE_ORGANIZATION_GROUP' -ORGANIZATION_ALL = [ - CREATE_ORGANIZATION, - UPDATE_ORGANIZATION, - DELETE_ORGANIZATION, - LINK_ENVIRONMENT, - GET_ORGANIZATION, - INVITE_ORGANIZATION_GROUP, - REMOVE_ORGANIZATION_GROUP, -] -ORGANIZATION_INVITED = [LINK_ENVIRONMENT, GET_ORGANIZATION] - -""" -TENANT PERMISSIONS -""" -MANAGE_GROUPS = 'MANAGE_GROUPS' -MANAGE_ENVIRONMENT = 'MANAGE_ENVIRONMENT' -MANAGE_ENVIRONMENTS = 'MANAGE_ENVIRONMENTS' -MANAGE_ORGANIZATIONS = 'MANAGE_ORGANIZATIONS' - """ ENVIRONMENT """ + UPDATE_ENVIRONMENT = 'UPDATE_ENVIRONMENT' GET_ENVIRONMENT = 'GET_ENVIRONMENT' DELETE_ENVIRONMENT = 'DELETE_ENVIRONMENT' 
@@ -88,36 +59,3 @@ REMOVE_ENVIRONMENT_CONSUMPTION_ROLE = 'REMOVE_ENVIRONMENT_CONSUMPTION_ROLE' CONSUMPTION_ENVIRONMENT_ROLE_ALL = [LIST_ENVIRONMENT_CONSUMPTION_ROLES, ADD_ENVIRONMENT_CONSUMPTION_ROLES] CONSUMPTION_ROLE_ALL = [REMOVE_ENVIRONMENT_CONSUMPTION_ROLE] - -""" -TENANT ALL -""" - -TENANT_ALL = [ - MANAGE_GROUPS, - MANAGE_ENVIRONMENTS, - MANAGE_ORGANIZATIONS, -] - -TENANT_ALL_WITH_DESC = {k: k for k in TENANT_ALL} -TENANT_ALL_WITH_DESC[MANAGE_ENVIRONMENTS] = 'Manage environments' -TENANT_ALL_WITH_DESC[MANAGE_GROUPS] = 'Manage teams' -TENANT_ALL_WITH_DESC[MANAGE_ORGANIZATIONS] = 'Manage organizations' - -""" -NETWORKS -""" -GET_NETWORK = 'GET_NETWORK' -UPDATE_NETWORK = 'UPDATE_NETWORK' -DELETE_NETWORK = 'DELETE_NETWORK' -NETWORK_ALL = [GET_NETWORK, UPDATE_NETWORK, DELETE_NETWORK] - -""" -RESOURCES_ALL -""" -RESOURCES_ALL = ORGANIZATION_ALL + ENVIRONMENT_ALL + CONSUMPTION_ROLE_ALL + NETWORK_ALL - -RESOURCES_ALL_WITH_DESC = {k: k for k in RESOURCES_ALL} -RESOURCES_ALL_WITH_DESC[INVITE_ENVIRONMENT_GROUP] = 'Invite other teams to this environment' -RESOURCES_ALL_WITH_DESC[ADD_ENVIRONMENT_CONSUMPTION_ROLES] = 'Add IAM consumption roles to this environment' -RESOURCES_ALL_WITH_DESC[CREATE_NETWORK] = 'Create networks on this environment' diff --git a/backend/dataall/core/permissions/services/permissions_constants/network_permissions.py b/backend/dataall/core/permissions/services/permissions_constants/network_permissions.py new file mode 100644 index 000000000..1e5dda98f --- /dev/null +++ b/backend/dataall/core/permissions/services/permissions_constants/network_permissions.py @@ -0,0 +1,9 @@ +""" +NETWORKS +""" + +GET_NETWORK = 'GET_NETWORK' +UPDATE_NETWORK = 'UPDATE_NETWORK' +DELETE_NETWORK = 'DELETE_NETWORK' + +NETWORK_ALL = [GET_NETWORK, UPDATE_NETWORK, DELETE_NETWORK] 
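Review bot: network_permissions.py has no note explaining why `CREATE_NETWORK` is absent from this module and from `NETWORK_ALL`, which a reader searching for network permissions will expect to find here. The split is deliberate as far as the rest of the commit shows — resources_permissions.py imports `CREATE_NETWORK` from environment_permissions, and vpc_service.py checks it against the environment URI while attaching `NETWORK_ALL` to `vpc.vpcUri` — so a one-line comment would save the next maintainer from "fixing" it: `# Permissions attached to an individual Vpc resource. CREATE_NETWORK is environment-scoped and lives in environment_permissions.py.` placed above `GET_NETWORK`.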
diff --git a/backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py b/backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py new file mode 100644 index 000000000..6800fdfc7 --- /dev/null +++ b/backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py @@ -0,0 +1,21 @@ +""" +ORGANIZATION PERMISSIONS +""" + +CREATE_ORGANIZATION = 'CREATE_ORGANIZATION' +UPDATE_ORGANIZATION = 'UPDATE_ORGANIZATION' +DELETE_ORGANIZATION = 'DELETE_ORGANIZATION' +GET_ORGANIZATION = 'GET_ORGANIZATION' +LINK_ENVIRONMENT = 'LINK_ENVIRONMENT' +INVITE_ORGANIZATION_GROUP = 'INVITE_ORGANIZATION_GROUP' +REMOVE_ORGANIZATION_GROUP = 'REMOVE_ORGANIZATION_GROUP' +ORGANIZATION_ALL = [ + CREATE_ORGANIZATION, + UPDATE_ORGANIZATION, + DELETE_ORGANIZATION, + LINK_ENVIRONMENT, + GET_ORGANIZATION, + INVITE_ORGANIZATION_GROUP, + REMOVE_ORGANIZATION_GROUP, +] +ORGANIZATION_INVITED = [LINK_ENVIRONMENT, GET_ORGANIZATION] diff --git a/backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py b/backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py new file mode 100644 index 000000000..b7b9be4f8 --- /dev/null +++ b/backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py 
@@ -0,0 +1,19 @@ +from dataall.core.permissions.services.permissions_constants.organization_permissions import ORGANIZATION_ALL +from dataall.core.permissions.services.permissions_constants.environment_permissions import ( + CREATE_NETWORK, + ENVIRONMENT_ALL, + CONSUMPTION_ROLE_ALL, + INVITE_ENVIRONMENT_GROUP, + ADD_ENVIRONMENT_CONSUMPTION_ROLES, +) +from dataall.core.permissions.services.permissions_constants.network_permissions import NETWORK_ALL + +""" +RESOURCES_ALL +""" +RESOURCES_ALL = ORGANIZATION_ALL + ENVIRONMENT_ALL + CONSUMPTION_ROLE_ALL + NETWORK_ALL + +RESOURCES_ALL_WITH_DESC = {k: k for k in RESOURCES_ALL} +RESOURCES_ALL_WITH_DESC[INVITE_ENVIRONMENT_GROUP] = 'Invite other teams to this environment' +RESOURCES_ALL_WITH_DESC[ADD_ENVIRONMENT_CONSUMPTION_ROLES] = 'Add IAM consumption roles to this environment' +RESOURCES_ALL_WITH_DESC[CREATE_NETWORK] = 'Create networks on this environment' diff --git a/backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py b/backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py new file mode 100644 index 000000000..d9fc371a0 --- /dev/null +++ b/backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py @@ -0,0 +1,24 @@ +""" +TENANT PERMISSIONS +""" + +MANAGE_GROUPS = 'MANAGE_GROUPS' +MANAGE_ENVIRONMENT = 'MANAGE_ENVIRONMENT' +MANAGE_ENVIRONMENTS = 'MANAGE_ENVIRONMENTS' +MANAGE_ORGANIZATIONS = 'MANAGE_ORGANIZATIONS' + + +""" +TENANT ALL +""" + +TENANT_ALL = [ + MANAGE_GROUPS, + MANAGE_ENVIRONMENTS, + MANAGE_ORGANIZATIONS, +] + +TENANT_ALL_WITH_DESC = {k: k for k in TENANT_ALL} +TENANT_ALL_WITH_DESC[MANAGE_ENVIRONMENTS] = 'Manage environments' +TENANT_ALL_WITH_DESC[MANAGE_GROUPS] = 'Manage teams' +TENANT_ALL_WITH_DESC[MANAGE_ORGANIZATIONS] = 'Manage organizations' 
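Review bot: In resources_permissions.py the section banner `""" RESOURCES_ALL """` is now a bare string expression sitting after the import statements, so it is no longer a module docstring as it was at the top of the sections in core_permissions.py; it is executed and discarded. A `#` comment carries the same information without the oddity, e.g. `# Aggregate of every resource-level permission across the themed modules; descriptions default to the permission name.` above `RESOURCES_ALL = ...`. The same pattern appears in tenant_permissions.py (`""" TENANT ALL """`).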
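Review bot: tenant_permissions.py defines `MANAGE_ENVIRONMENT = 'MANAGE_ENVIRONMENT'` next to `MANAGE_ENVIRONMENTS` but lists only the plural form in `TENANT_ALL`, so `TENANT_ALL_WITH_DESC` (which is derived from `TENANT_ALL`) never includes it either. If the consumers of `TENANT_ALL` are what registers grantable tenant permissions, a decorator such as `@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENT)` would be an always-deny check — the consumers are outside this diff, so that is inferred. Since the commit is moving these constants anyway, it is a good moment to either drop the singular constant if nothing references it, or mark it: `MANAGE_ENVIRONMENT = 'MANAGE_ENVIRONMENT'  # legacy name, intentionally not in TENANT_ALL — TODO confirm still referenced`.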
diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py index 795a2f30b..98ee633ec 100644 --- a/backend/dataall/core/permissions/services/tenant_policy_service.py +++ b/backend/dataall/core/permissions/services/tenant_policy_service.py @@ -1,5 +1,5 @@ from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository -from dataall.core.permissions.services.core_permissions import TENANT_ALL +from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository from dataall.core.permissions.api.enums import PermissionType from dataall.base.db import exceptions diff --git a/backend/dataall/core/stacks/db/target_type_repositories.py b/backend/dataall/core/stacks/db/target_type_repositories.py index fedd0d38e..cc4e754ee 100644 --- a/backend/dataall/core/stacks/db/target_type_repositories.py +++ b/backend/dataall/core/stacks/db/target_type_repositories.py @@ -1,7 +1,10 @@ import logging from dataall.base.db import exceptions -from dataall.core.permissions.services.core_permissions import GET_ENVIRONMENT, UPDATE_ENVIRONMENT +from dataall.core.permissions.services.permissions_constants.environment_permissions import ( + GET_ENVIRONMENT, + UPDATE_ENVIRONMENT, +) logger = logging.getLogger(__name__) diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py index 70c737f2e..4206f0eaa 100644 --- a/backend/dataall/core/vpc/services/vpc_service.py +++ b/backend/dataall/core/vpc/services/vpc_service.py 
@@ -7,7 +7,9 @@ from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService from dataall.core.vpc.db.vpc_repositories import VpcRepository from dataall.core.vpc.db.vpc_models import Vpc -from dataall.core.permissions.services import core_permissions +from dataall.core.permissions.services.permissions_constants.network_permissions import NETWORK_ALL, DELETE_NETWORK +from dataall.core.permissions.services.permissions_constants.environment_permissions import CREATE_NETWORK +from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ENVIRONMENTS def _session(): @@ -16,9 +18,9 @@ def _session(): class VpcService: @staticmethod - @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS) - @ResourcePolicyService.has_resource_permission(core_permissions.CREATE_NETWORK) - @has_group_permission(core_permissions.CREATE_NETWORK) + @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS) + @ResourcePolicyService.has_resource_permission(CREATE_NETWORK) + @has_group_permission(CREATE_NETWORK) def create_network(uri: str, admin_group: str, data: dict): with _session() as session: username = get_context().username @@ -26,7 +28,7 @@ def create_network(uri: str, admin_group: str, data: dict): if vpc: raise exceptions.ResourceAlreadyExists( - action=core_permissions.CREATE_NETWORK, + action=CREATE_NETWORK, message=f'Vpc {data["vpcId"]} is already associated to environment {uri}', ) @@ -59,7 +61,7 @@ def create_network(uri: str, admin_group: str, data: dict): ResourcePolicyService.attach_resource_policy( session=session, group=vpc.SamlGroupName, - permissions=core_permissions.NETWORK_ALL, + permissions=NETWORK_ALL, resource_uri=vpc.vpcUri, resource_type=Vpc.__name__, ) 
@@ -68,7 +70,7 @@ def create_network(uri: str, admin_group: str, data: dict):
 ResourcePolicyService.attach_resource_policy(
 session=session,
 group=environment.SamlGroupName,
- permissions=core_permissions.NETWORK_ALL,
+ permissions=NETWORK_ALL,
 resource_uri=vpc.vpcUri,
 resource_type=Vpc.__name__,
 )
@@ -76,8 +78,8 @@ def create_network(uri: str, admin_group: str, data: dict):
 return vpc
 @staticmethod
- @TenantPolicyService.has_tenant_permission(core_permissions.MANAGE_ENVIRONMENTS)
- @ResourcePolicyService.has_resource_permission(core_permissions.DELETE_NETWORK)
+ @TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
+ @ResourcePolicyService.has_resource_permission(DELETE_NETWORK)
 def delete_network(uri):
 with _session() as session:
 vpc = VpcRepository.get_vpc_by_uri(session=session, vpc_uri=uri)
diff --git a/backend/dataall/modules/catalog/services/glossaries_permissions.py b/backend/dataall/modules/catalog/services/glossaries_permissions.py
index 4d0396145..85a90875c 100644
--- a/backend/dataall/modules/catalog/services/glossaries_permissions.py
+++ b/backend/dataall/modules/catalog/services/glossaries_permissions.py
@@ -1,9 +1,8 @@
-from dataall.core.permissions.services.core_permissions import (
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
 RESOURCES_ALL,
 RESOURCES_ALL_WITH_DESC,
 )
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 MANAGE_GLOSSARIES = 'MANAGE_GLOSSARIES'
diff --git a/backend/dataall/modules/dashboards/services/dashboard_permissions.py b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
index eeb21191f..ddd36d08a 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_permissions.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
@@ -1,11 +1,12 @@
-from dataall.core.permissions.services.core_permissions import (
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+ RESOURCES_ALL_WITH_DESC,
+ RESOURCES_ALL,
+)
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
- RESOURCES_ALL,
- RESOURCES_ALL_WITH_DESC,
 )
 """
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index dc34b72ba..c24315824 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -6,7 +6,7 @@
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
-from dataall.core.permissions.services.core_permissions import TENANT_ALL
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dashboards import DashboardRepository, Dashboard
 from dataall.modules.dashboards.aws.dashboard_quicksight_client import DashboardQuicksightClient
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
index b24f46bb1..c8f31e108 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
@@ -1,13 +1,15 @@
-from dataall.core.permissions.services.core_permissions import (
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+ RESOURCES_ALL,
+ RESOURCES_ALL_WITH_DESC,
+)
+
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
- RESOURCES_ALL,
- RESOURCES_ALL_WITH_DESC,
 )
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 """
 DATAPIPELINE PERMISSIONS FOR ENVIRONMENT
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index 48219cde5..29d76d0a3 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -6,7 +6,7 @@
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.services.core_permissions import GET_ENVIRONMENT
+from dataall.core.permissions.services.permissions_constants.environment_permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.aws.quicksight import QuicksightClient
diff --git a/backend/dataall/modules/dataset_sharing/services/share_permissions.py b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
index 8d814feb3..d2e3b33c3 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_permissions.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
@@ -2,11 +2,14 @@
 SHARE OBJECT
 """
-from dataall.core.permissions.services.core_permissions import (
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_INVITED_DEFAULT,
 ENVIRONMENT_ALL,
+)
+
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
 RESOURCES_ALL,
 RESOURCES_ALL_WITH_DESC,
 )
diff --git a/backend/dataall/modules/datasets/services/dataset_permissions.py b/backend/dataall/modules/datasets/services/dataset_permissions.py
index b71340b64..f93a345b7 100644
--- a/backend/dataall/modules/datasets/services/dataset_permissions.py
+++ b/backend/dataall/modules/datasets/services/dataset_permissions.py
@@ -1,15 +1,16 @@
 from itertools import chain
-from dataall.core.permissions.services.core_permissions import (
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
- RESOURCES_ALL,
- RESOURCES_ALL_WITH_DESC,
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_INVITED_DEFAULT,
 ENVIRONMENT_ALL,
 )
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+ RESOURCES_ALL,
+ RESOURCES_ALL_WITH_DESC,
+)
 from dataall.modules.datasets_base.services.permissions import DATASET_TABLE_READ
 MANAGE_DATASETS = 'MANAGE_DATASETS'
@@ -31,7 +32,6 @@
 CREDENTIALS_DATASET,
 ]
-
 UPDATE_DATASET = 'UPDATE_DATASET'
 SYNC_DATASET = 'SYNC_DATASET'
 CRAWL_DATASET = 'CRAWL_DATASET'
@@ -63,7 +63,6 @@
 DATASET_ALL = list(set(DATASET_WRITE + DATASET_READ))
 RESOURCES_ALL.extend(DATASET_ALL)
-
 RESOURCES_ALL.extend(DATASET_TABLE_READ)
 """
@@ -85,7 +84,6 @@
 RESOURCES_ALL.append(CREATE_DATASET)
 RESOURCES_ALL.append(LIST_ENVIRONMENT_DATASETS)
-
 for perm in chain(DATASET_ALL, DATASET_TABLE_READ):
 RESOURCES_ALL_WITH_DESC[perm] = perm
diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
index 406d5ab5a..66fd4c12b 100644
--- a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
+++ b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
@@ -17,14 +17,15 @@
 """
-from dataall.core.permissions.services.core_permissions import (
- ENVIRONMENT_ALL,
- ENVIRONMENT_INVITED,
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
 RESOURCES_ALL_WITH_DESC,
 RESOURCES_ALL,
+)
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+ ENVIRONMENT_ALL,
+ ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
 )
 # Definition of TENANT_PERMISSIONS for SageMaker ML Studio
diff --git a/backend/dataall/modules/notebooks/services/notebook_permissions.py b/backend/dataall/modules/notebooks/services/notebook_permissions.py
index efc7a688b..af7783991 100644
--- a/backend/dataall/modules/notebooks/services/notebook_permissions.py
+++ b/backend/dataall/modules/notebooks/services/notebook_permissions.py
@@ -3,16 +3,19 @@
 Contains permissions for sagemaker notebooks
 """
-from dataall.core.permissions.services.core_permissions import (
- ENVIRONMENT_ALL,
- ENVIRONMENT_INVITED,
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
 RESOURCES_ALL_WITH_DESC,
 RESOURCES_ALL,
+)
+
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+ ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
+ ENVIRONMENT_ALL,
 )
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+
 GET_NOTEBOOK = 'GET_NOTEBOOK'
 UPDATE_NOTEBOOK = 'UPDATE_NOTEBOOK'
 DELETE_NOTEBOOK = 'DELETE_NOTEBOOK'
diff --git a/backend/dataall/modules/worksheets/services/worksheet_permissions.py b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
index 7c7801c8a..3bf70d1fa 100644
--- a/backend/dataall/modules/worksheets/services/worksheet_permissions.py
+++ b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
@@ -1,13 +1,15 @@
-from dataall.core.permissions.services.core_permissions import (
- TENANT_ALL,
- TENANT_ALL_WITH_DESC,
+from dataall.core.permissions.services.permissions_constants.resources_permissions import (
 RESOURCES_ALL,
 RESOURCES_ALL_WITH_DESC,
+)
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
 )
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+
 MANAGE_WORKSHEETS = 'MANAGE_WORKSHEETS'
 TENANT_ALL.append(MANAGE_WORKSHEETS)
diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py
index b10c68ee7..1d688e524 100644
--- a/backend/local_graphql_server.py
+++ b/backend/local_graphql_server.py
@@ -8,7 +8,7 @@
 from dataall.base.api import get_executable_schema
 from dataall.core.tasks.service_handlers import Worker
-from dataall.core.permissions.services.core_permissions import TENANT_ALL
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.base.db import get_engine, Base
diff --git a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
index a7573b135..c8d4bc9ac 100644
--- a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
+++ b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
@@ -20,7 +20,9 @@
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareObjectStatus
-from dataall.core.permissions.services.core_permissions import CONSUMPTION_ENVIRONMENT_ROLE_ALL
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+ CONSUMPTION_ENVIRONMENT_ROLE_ALL,
+)
 # revision identifiers, used by Alembic.
 revision = '04d92886fabe'
diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py
index f7e9ba0c6..2193d5ae7 100644
--- a/backend/migrations/versions/e177eb044b31_init_tenant.py
+++ b/backend/migrations/versions/e177eb044b31_init_tenant.py
@@ -12,7 +12,7 @@
 from sqlalchemy import orm
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.services.core_permissions import TENANT_ALL
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
 revision = 'e177eb044b31'
 down_revision = '033c3d6c1849'
diff --git a/tests/conftest.py b/tests/conftest.py
index 9aa8a9d61..5e55d78e5 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -10,7 +10,7 @@
 from dataall.core.groups.db.group_models import Group
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.services.core_permissions import TENANT_ALL
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
 from tests.client import create_app, ClientWrapper
 load_modules(modes=ImportMode.all())
diff --git a/tests/core/environments/test_environment.py b/tests/core/environments/test_environment.py
index c6287ff92..eb5305d2e 100644
--- a/tests/core/environments/test_environment.py
+++ b/tests/core/environments/test_environment.py
@@ -1,7 +1,9 @@
 from dataall.core.environment.api.enums import EnvironmentPermission
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.services.core_permissions import REMOVE_ENVIRONMENT_CONSUMPTION_ROLE
+from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+ REMOVE_ENVIRONMENT_CONSUMPTION_ROLE,
+)
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py
index 16b1a7c24..95b51f5f4 100644
--- a/tests/core/permissions/test_permission.py
+++ b/tests/core/permissions/test_permission.py
@@ -3,12 +3,9 @@
 from dataall.core.permissions.db.permission.permission_models import PermissionType
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.base.db import exceptions
-from dataall.core.permissions.services.core_permissions import (
- MANAGE_GROUPS,
- ENVIRONMENT_ALL,
- ORGANIZATION_ALL,
- TENANT_ALL,
-)
+from dataall.core.permissions.services.permissions_constants.environment_permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.services.permissions_constants.organization_permissions import ORGANIZATION_ALL
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_GROUPS, TENANT_ALL
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
diff --git a/tests/core/permissions/test_tenant.py b/tests/core/permissions/test_tenant.py
index 2ae709c1c..eb420a2eb 100644
--- a/tests/core/permissions/test_tenant.py
+++ b/tests/core/permissions/test_tenant.py
@@ -1,5 +1,8 @@
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
-from dataall.core.permissions.services.core_permissions import MANAGE_GROUPS, MANAGE_ORGANIZATIONS
+from dataall.core.permissions.services.permissions_constants.tenant_permissions import (
+ MANAGE_GROUPS,
+ MANAGE_ORGANIZATIONS,
+)
 def test_list_tenant_permissions(client, user, group, tenant):
diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py
index f2ae392bd..b1d909e53 100644
--- a/tests/modules/conftest.py
+++ b/tests/modules/conftest.py
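Review bot: The context line at the top of the test_permission.py hunk still imports `PermissionType` from `dataall.core.permissions.db.permission.permission_models`, while the rest of this series sources the same enum from `dataall.core.permissions.api.enums` (see the tenant_policy_service.py hunk earlier in this patch). If permission_models no longer re-exports the enum after the move described in the commit subject, this test module fails at import before any test runs, and the failure would be masked as a collection error rather than a permission regression. Aligning the line to `from dataall.core.permissions.api.enums import PermissionType` keeps a single source of truth for the enum that the tenant and resource policy checks dispatch on; the later patch in this series touches this file too, so that is a natural place to make the change.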
@@ -4,7 +4,7 @@
 from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup, EnvironmentParameter
 from dataall.core.organizations.db.organization_models import Organization
-from dataall.core.permissions.services.core_permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.services.permissions_constants.environment_permissions import ENVIRONMENT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.core.stacks.db.stack_models import KeyValueTag
From 03c1dadfb69da63b0f7e1855201e7d2744620312 Mon Sep 17 00:00:00 2001
From: Sofia Sazonova Date: Thu, 4 Apr 2024 14:01:52 +0100 Subject: [PATCH 11/11] remove additional permissions folder --- backend/api_handler.py | 2 +- backend/dataall/core/environment/api/resolvers.py | 4 ++-- .../core/environment/services/environment_service.py | 6 +++--- .../core/organizations/services/organization_service.py | 4 ++-- .../{permissions_constants => }/environment_permissions.py | 0 .../{permissions_constants => }/network_permissions.py | 0 .../{permissions_constants => }/organization_permissions.py | 0 .../dataall/core/permissions/services/permission_service.py | 4 ++-- .../permissions/services/permissions_constants/__init__.py | 0 .../{permissions_constants => }/resources_permissions.py | 6 +++--- .../{permissions_constants => }/tenant_permissions.py | 0 .../core/permissions/services/tenant_policy_service.py | 2 +- backend/dataall/core/stacks/db/target_type_repositories.py | 2 +- backend/dataall/core/vpc/services/vpc_service.py | 6 +++--- .../modules/catalog/services/glossaries_permissions.py | 4 ++-- .../modules/dashboards/services/dashboard_permissions.py | 6 +++--- .../dashboards/services/dashboard_quicksight_service.py | 2 +- .../datapipelines/services/datapipelines_permissions.py | 6 +++--- .../dataset_sharing/services/share_object_service.py | 2 +- .../modules/dataset_sharing/services/share_permissions.py | 4 ++-- .../modules/datasets/services/dataset_permissions.py | 6 +++--- .../modules/mlstudio/services/mlstudio_permissions.py | 6 +++--- .../modules/notebooks/services/notebook_permissions.py | 6 +++--- .../modules/worksheets/services/worksheet_permissions.py | 6 +++--- backend/local_graphql_server.py | 2 +- .../versions/04d92886fabe_add_consumption_roles.py | 2 +- backend/migrations/versions/e177eb044b31_init_tenant.py | 2 +- tests/conftest.py | 2 +- tests/core/environments/test_environment.py | 2 +- tests/core/permissions/test_permission.py | 6 +++--- tests/core/permissions/test_tenant.py | 2 +- tests/modules/conftest.py | 2 +- 32 files 
changed, 52 insertions(+), 52 deletions(-) rename backend/dataall/core/permissions/services/{permissions_constants => }/environment_permissions.py (100%) rename backend/dataall/core/permissions/services/{permissions_constants => }/network_permissions.py (100%) rename backend/dataall/core/permissions/services/{permissions_constants => }/organization_permissions.py (100%) delete mode 100644 backend/dataall/core/permissions/services/permissions_constants/__init__.py rename backend/dataall/core/permissions/services/{permissions_constants => }/resources_permissions.py (65%) rename backend/dataall/core/permissions/services/{permissions_constants => }/tenant_permissions.py (100%)
diff --git a/backend/api_handler.py b/backend/api_handler.py
index 8d801dbaf..9889e1bcf 100644
--- a/backend/api_handler.py
+++ b/backend/api_handler.py
@@ -18,7 +18,7 @@
 from dataall.base.context import set_context, dispose_context, RequestContext
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.base.db import get_engine
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 from dataall.base.loader import load_modules, ImportMode
 logger = logging.getLogger()
diff --git a/backend/dataall/core/environment/api/resolvers.py b/backend/dataall/core/environment/api/resolvers.py
index 717375259..478b259be 100644
--- a/backend/dataall/core/environment/api/resolvers.py
+++ b/backend/dataall/core/environment/api/resolvers.py
@@ -28,11 +28,11 @@
 NamingConventionPattern,
 )
 from dataall.core.organizations.api.resolvers import Context, exceptions, get_organization
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
 CREDENTIALS_ENVIRONMENT,
 ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
 )
-from dataall.core.permissions.services.permissions_constants.organization_permissions import (
+from dataall.core.permissions.services.organization_permissions import (
 GET_ORGANIZATION,
 LINK_ENVIRONMENT,
 )
diff --git a/backend/dataall/core/environment/services/environment_service.py b/backend/dataall/core/environment/services/environment_service.py
index e7f1bcf02..01fbc8d33 100644
--- a/backend/dataall/core/environment/services/environment_service.py
+++ b/backend/dataall/core/environment/services/environment_service.py
@@ -32,9 +32,9 @@
 from dataall.core.stacks.db.enums import StackStatus
 from dataall.core.environment.services.managed_iam_policies import PolicyManager
-from dataall.core.permissions.services.permissions_constants.organization_permissions import LINK_ENVIRONMENT
-from dataall.core.permissions.services.permissions_constants import environment_permissions
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ENVIRONMENTS
+from dataall.core.permissions.services.organization_permissions import LINK_ENVIRONMENT
+from dataall.core.permissions.services import environment_permissions
+from dataall.core.permissions.services.tenant_permissions import MANAGE_ENVIRONMENTS
 log = logging.getLogger(__name__)
diff --git a/backend/dataall/core/organizations/services/organization_service.py b/backend/dataall/core/organizations/services/organization_service.py
index 15790283f..5bcdddfa0 100644
--- a/backend/dataall/core/organizations/services/organization_service.py
+++ b/backend/dataall/core/organizations/services/organization_service.py
@@ -8,8 +8,8 @@
 from dataall.core.organizations.db import organization_models as models
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ORGANIZATIONS
-from dataall.core.permissions.services.permissions_constants.organization_permissions import (
+from dataall.core.permissions.services.tenant_permissions import MANAGE_ORGANIZATIONS
+from dataall.core.permissions.services.organization_permissions import (
 ORGANIZATION_ALL,
 ORGANIZATION_INVITED,
 UPDATE_ORGANIZATION,
diff --git a/backend/dataall/core/permissions/services/permissions_constants/environment_permissions.py b/backend/dataall/core/permissions/services/environment_permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/services/permissions_constants/environment_permissions.py
rename to backend/dataall/core/permissions/services/environment_permissions.py
diff --git a/backend/dataall/core/permissions/services/permissions_constants/network_permissions.py b/backend/dataall/core/permissions/services/network_permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/services/permissions_constants/network_permissions.py
rename to backend/dataall/core/permissions/services/network_permissions.py
diff --git a/backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py b/backend/dataall/core/permissions/services/organization_permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/services/permissions_constants/organization_permissions.py
rename to backend/dataall/core/permissions/services/organization_permissions.py
diff --git a/backend/dataall/core/permissions/services/permission_service.py b/backend/dataall/core/permissions/services/permission_service.py
index 787b5b5b7..918ca3599 100644
--- a/backend/dataall/core/permissions/services/permission_service.py
+++ b/backend/dataall/core/permissions/services/permission_service.py
@@ -2,8 +2,8 @@
 from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.base.db import exceptions
 from dataall.core.permissions.db.permission.permission_models import Permission
-from dataall.core.permissions.services.permissions_constants.resources_permissions import RESOURCES_ALL_WITH_DESC
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.resources_permissions import RESOURCES_ALL_WITH_DESC
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL_WITH_DESC
 import logging
diff --git a/backend/dataall/core/permissions/services/permissions_constants/__init__.py b/backend/dataall/core/permissions/services/permissions_constants/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py b/backend/dataall/core/permissions/services/resources_permissions.py
similarity index 65%
rename from backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py
rename to backend/dataall/core/permissions/services/resources_permissions.py
index b7b9be4f8..73969ba2c 100644
--- a/backend/dataall/core/permissions/services/permissions_constants/resources_permissions.py
+++ b/backend/dataall/core/permissions/services/resources_permissions.py
@@ -1,12 +1,12 @@
-from dataall.core.permissions.services.permissions_constants.organization_permissions import ORGANIZATION_ALL
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.organization_permissions import ORGANIZATION_ALL
+from dataall.core.permissions.services.environment_permissions import (
 CREATE_NETWORK,
 ENVIRONMENT_ALL,
 CONSUMPTION_ROLE_ALL,
 INVITE_ENVIRONMENT_GROUP,
 ADD_ENVIRONMENT_CONSUMPTION_ROLES,
 )
-from dataall.core.permissions.services.permissions_constants.network_permissions import NETWORK_ALL
+from dataall.core.permissions.services.network_permissions import NETWORK_ALL
 """
 RESOURCES_ALL
diff --git a/backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py b/backend/dataall/core/permissions/services/tenant_permissions.py
similarity index 100%
rename from backend/dataall/core/permissions/services/permissions_constants/tenant_permissions.py
rename to backend/dataall/core/permissions/services/tenant_permissions.py
diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py
index 98ee633ec..71823b3fa 100644
--- a/backend/dataall/core/permissions/services/tenant_policy_service.py
+++ b/backend/dataall/core/permissions/services/tenant_policy_service.py
@@ -1,5 +1,5 @@
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 from dataall.core.permissions.db.permission.permission_repositories import PermissionRepository
 from dataall.core.permissions.api.enums import PermissionType
 from dataall.base.db import exceptions
diff --git a/backend/dataall/core/stacks/db/target_type_repositories.py b/backend/dataall/core/stacks/db/target_type_repositories.py
index cc4e754ee..c175ed307 100644
--- a/backend/dataall/core/stacks/db/target_type_repositories.py
+++ b/backend/dataall/core/stacks/db/target_type_repositories.py
@@ -1,7 +1,7 @@
 import logging
 from dataall.base.db import exceptions
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
 GET_ENVIRONMENT,
 UPDATE_ENVIRONMENT,
 )
diff --git a/backend/dataall/core/vpc/services/vpc_service.py b/backend/dataall/core/vpc/services/vpc_service.py
index 4206f0eaa..b664b0670 100644
--- a/backend/dataall/core/vpc/services/vpc_service.py
+++ b/backend/dataall/core/vpc/services/vpc_service.py
@@ -7,9 +7,9 @@
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.vpc.db.vpc_repositories import VpcRepository
 from dataall.core.vpc.db.vpc_models import Vpc
-from dataall.core.permissions.services.permissions_constants.network_permissions import NETWORK_ALL, DELETE_NETWORK
-from dataall.core.permissions.services.permissions_constants.environment_permissions import CREATE_NETWORK
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_ENVIRONMENTS
+from dataall.core.permissions.services.network_permissions import NETWORK_ALL, DELETE_NETWORK
+from dataall.core.permissions.services.environment_permissions import CREATE_NETWORK
+from dataall.core.permissions.services.tenant_permissions import MANAGE_ENVIRONMENTS
 def _session():
diff --git a/backend/dataall/modules/catalog/services/glossaries_permissions.py b/backend/dataall/modules/catalog/services/glossaries_permissions.py
index 85a90875c..949317605 100644
--- a/backend/dataall/modules/catalog/services/glossaries_permissions.py
+++ b/backend/dataall/modules/catalog/services/glossaries_permissions.py
@@ -1,8 +1,8 @@
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
 RESOURCES_ALL,
 RESOURCES_ALL_WITH_DESC,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 MANAGE_GLOSSARIES = 'MANAGE_GLOSSARIES'
diff --git a/backend/dataall/modules/dashboards/services/dashboard_permissions.py b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
index ddd36d08a..b1cf51f9a 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_permissions.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_permissions.py
@@ -1,9 +1,9 @@
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
 RESOURCES_ALL_WITH_DESC,
 RESOURCES_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.environment_permissions import (
 ENVIRONMENT_INVITED,
 ENVIRONMENT_INVITATION_REQUEST,
 ENVIRONMENT_ALL,
diff --git a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
index c24315824..42db731ab 100644
--- a/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
+++ b/backend/dataall/modules/dashboards/services/dashboard_quicksight_service.py
@@ -6,7 +6,7 @@
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
 from dataall.base.db.exceptions import UnauthorizedOperation, TenantUnauthorized, AWSResourceNotFound
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dashboards import DashboardRepository, Dashboard
 from dataall.modules.dashboards.aws.dashboard_quicksight_client import DashboardQuicksightClient
diff --git a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
index c8f31e108..b7b0ea25f 100644
--- a/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
+++ b/backend/dataall/modules/datapipelines/services/datapipelines_permissions.py
@@ -1,15 +1,15 @@
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL,
     RESOURCES_ALL_WITH_DESC,
 )
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
     ENVIRONMENT_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 """
 DATAPIPELINE PERMISSIONS FOR ENVIRONMENT
diff --git a/backend/dataall/modules/dataset_sharing/services/share_object_service.py b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
index 29d76d0a3..bbd00526b 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_object_service.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_object_service.py
@@ -6,7 +6,7 @@
 from dataall.core.activity.db.activity_models import Activity
 from dataall.core.environment.db.environment_models import EnvironmentGroup, ConsumptionRole
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.services.permissions_constants.environment_permissions import GET_ENVIRONMENT
+from dataall.core.permissions.services.environment_permissions import GET_ENVIRONMENT
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db import utils
 from dataall.base.aws.quicksight import QuicksightClient
diff --git a/backend/dataall/modules/dataset_sharing/services/share_permissions.py b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
index d2e3b33c3..e2238b68d 100644
--- a/backend/dataall/modules/dataset_sharing/services/share_permissions.py
+++ b/backend/dataall/modules/dataset_sharing/services/share_permissions.py
@@ -2,14 +2,14 @@
 SHARE OBJECT
 """
 
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
     ENVIRONMENT_INVITED_DEFAULT,
     ENVIRONMENT_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL,
     RESOURCES_ALL_WITH_DESC,
 )
diff --git a/backend/dataall/modules/datasets/services/dataset_permissions.py b/backend/dataall/modules/datasets/services/dataset_permissions.py
index f93a345b7..a87db4e5b 100644
--- a/backend/dataall/modules/datasets/services/dataset_permissions.py
+++ b/backend/dataall/modules/datasets/services/dataset_permissions.py
@@ -1,13 +1,13 @@
 from itertools import chain
 
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
     ENVIRONMENT_INVITED_DEFAULT,
     ENVIRONMENT_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL,
     RESOURCES_ALL_WITH_DESC,
 )
diff --git a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
index 66fd4c12b..a90271cfe 100644
--- a/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
+++ b/backend/dataall/modules/mlstudio/services/mlstudio_permissions.py
@@ -17,12 +17,12 @@
 """
 
 
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL_WITH_DESC,
     RESOURCES_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_ALL,
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
diff --git a/backend/dataall/modules/notebooks/services/notebook_permissions.py b/backend/dataall/modules/notebooks/services/notebook_permissions.py
index af7783991..d8659991b 100644
--- a/backend/dataall/modules/notebooks/services/notebook_permissions.py
+++ b/backend/dataall/modules/notebooks/services/notebook_permissions.py
@@ -3,18 +3,18 @@ Contains permissions for sagemaker notebooks
 """
 
 
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL_WITH_DESC,
     RESOURCES_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
     ENVIRONMENT_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 
 GET_NOTEBOOK = 'GET_NOTEBOOK'
 UPDATE_NOTEBOOK = 'UPDATE_NOTEBOOK'
diff --git a/backend/dataall/modules/worksheets/services/worksheet_permissions.py b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
index 3bf70d1fa..0f494567d 100644
--- a/backend/dataall/modules/worksheets/services/worksheet_permissions.py
+++ b/backend/dataall/modules/worksheets/services/worksheet_permissions.py
@@ -1,14 +1,14 @@
-from dataall.core.permissions.services.permissions_constants.resources_permissions import (
+from dataall.core.permissions.services.resources_permissions import (
     RESOURCES_ALL,
     RESOURCES_ALL_WITH_DESC,
 )
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     ENVIRONMENT_INVITED,
     ENVIRONMENT_INVITATION_REQUEST,
     ENVIRONMENT_ALL,
 )
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
 
 
 MANAGE_WORKSHEETS = 'MANAGE_WORKSHEETS'
diff --git a/backend/local_graphql_server.py b/backend/local_graphql_server.py
index 1d688e524..b92e86ca9 100644
--- a/backend/local_graphql_server.py
+++ b/backend/local_graphql_server.py
@@ -8,7 +8,7 @@
 from dataall.base.api import get_executable_schema
 
 from dataall.core.tasks.service_handlers import Worker
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 
 from dataall.base.db import get_engine, Base
diff --git a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
index c8d4bc9ac..b64b52a61 100644
--- a/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
+++ b/backend/migrations/versions/04d92886fabe_add_consumption_roles.py
@@ -20,7 +20,7 @@
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.modules.dataset_sharing.services.dataset_sharing_enums import ShareObjectStatus
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     CONSUMPTION_ENVIRONMENT_ROLE_ALL,
 )
 
diff --git a/backend/migrations/versions/e177eb044b31_init_tenant.py b/backend/migrations/versions/e177eb044b31_init_tenant.py
index 2193d5ae7..ce68cff21 100644
--- a/backend/migrations/versions/e177eb044b31_init_tenant.py
+++ b/backend/migrations/versions/e177eb044b31_init_tenant.py
@@ -12,7 +12,7 @@
 from sqlalchemy import orm
 
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 
 revision = 'e177eb044b31'
 down_revision = '033c3d6c1849'
diff --git a/tests/conftest.py b/tests/conftest.py
index 5e55d78e5..d5c107888 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -10,7 +10,7 @@
 from dataall.core.groups.db.group_models import Group
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import TENANT_ALL
+from dataall.core.permissions.services.tenant_permissions import TENANT_ALL
 from tests.client import create_app, ClientWrapper
 
 load_modules(modes=ImportMode.all())
diff --git a/tests/core/environments/test_environment.py b/tests/core/environments/test_environment.py
index eb5305d2e..a286772fc 100644
--- a/tests/core/environments/test_environment.py
+++ b/tests/core/environments/test_environment.py
@@ -1,7 +1,7 @@
 from dataall.core.environment.api.enums import EnvironmentPermission
 from dataall.core.environment.db.environment_models import Environment
 from dataall.core.environment.services.environment_service import EnvironmentService
-from dataall.core.permissions.services.permissions_constants.environment_permissions import (
+from dataall.core.permissions.services.environment_permissions import (
     REMOVE_ENVIRONMENT_CONSUMPTION_ROLE,
 )
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
diff --git a/tests/core/permissions/test_permission.py b/tests/core/permissions/test_permission.py
index 95b51f5f4..daa354ffc 100644
--- a/tests/core/permissions/test_permission.py
+++ b/tests/core/permissions/test_permission.py
@@ -3,9 +3,9 @@
 from dataall.core.permissions.db.permission.permission_models import PermissionType
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.base.db import exceptions
-from dataall.core.permissions.services.permissions_constants.environment_permissions import ENVIRONMENT_ALL
-from dataall.core.permissions.services.permissions_constants.organization_permissions import ORGANIZATION_ALL
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import MANAGE_GROUPS, TENANT_ALL
+from dataall.core.permissions.services.environment_permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.services.organization_permissions import ORGANIZATION_ALL
+from dataall.core.permissions.services.tenant_permissions import MANAGE_GROUPS, TENANT_ALL
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 
 
diff --git a/tests/core/permissions/test_tenant.py b/tests/core/permissions/test_tenant.py
index eb420a2eb..58a74c615 100644
--- a/tests/core/permissions/test_tenant.py
+++ b/tests/core/permissions/test_tenant.py
@@ -1,5 +1,5 @@
 from dataall.core.permissions.db.tenant.tenant_policy_repositories import TenantPolicyRepository
-from dataall.core.permissions.services.permissions_constants.tenant_permissions import (
+from dataall.core.permissions.services.tenant_permissions import (
     MANAGE_GROUPS,
     MANAGE_ORGANIZATIONS,
 )
diff --git a/tests/modules/conftest.py b/tests/modules/conftest.py
index b1d909e53..23c3a3bf7 100644
--- a/tests/modules/conftest.py
+++ b/tests/modules/conftest.py
@@ -4,7 +4,7 @@
 from dataall.core.environment.db.environment_models import Environment, EnvironmentGroup, EnvironmentParameter
 
 from dataall.core.organizations.db.organization_models import Organization
-from dataall.core.permissions.services.permissions_constants.environment_permissions import ENVIRONMENT_ALL
+from dataall.core.permissions.services.environment_permissions import ENVIRONMENT_ALL
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.stacks.db.stack_repositories import Stack
 from dataall.core.stacks.db.stack_models import KeyValueTag