

Added permission check - is tenant to update SSM parameters API
dlpzx committed Nov 22, 2024
1 parent 10f278c commit 89394fa
Showing 2 changed files with 24 additions and 16 deletions.
18 changes: 2 additions & 16 deletions backend/dataall/core/permissions/api/resolvers.py
@@ -1,11 +1,5 @@
import logging
import os

from dataall.base.aws.sts import SessionHelper
from dataall.base.aws.parameter_store import ParameterStoreManager
from dataall.base.db.exceptions import RequiredParameter
from dataall.core.permissions.services.permission_service import PermissionService
from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService, TenantActionsService

log = logging.getLogger(__name__)

Expand All @@ -26,12 +20,4 @@ def list_tenant_groups(context, source, filter=None):


def update_ssm_parameter(context, source, name: str = None, value: str = None):
current_account = SessionHelper.get_account()
region = os.getenv('AWS_REGION', 'eu-west-1')
response = ParameterStoreManager.update_parameter(
AwsAccountId=current_account,
region=region,
parameter_name=f'/dataall/{os.getenv("envname", "local")}/quicksightmonitoring/{name}',
parameter_value=value,
)
return response
return TenantActionsService.update_monitoring_ssm_parameter(name, value)
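Review bot: `update_ssm_parameter` still declares `name: str = None, value: str = None` and now forwards both to the service unchecked, so a call that omits `name` would format the literal `None` into the parameter path built in `TenantActionsService.update_monitoring_ssm_parameter`. From the import hunk it looks as if `RequiredParameter` is no longer imported in this module; keeping that import and rejecting the call at the API boundary would be clearer, e.g. `if not name: raise RequiredParameter('name')` and the same for `value`. A one-line docstring saying that the admin check is enforced in the service would also help, because nothing in the resolver itself now shows that this mutation is guarded.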
22 changes: 22 additions & 0 deletions backend/dataall/core/permissions/services/tenant_policy_service.py
Expand Up @@ -9,6 +9,8 @@
from dataall.core.permissions.services.permission_service import PermissionService
from dataall.core.permissions.db.tenant.tenant_models import Tenant
from dataall.base.services.service_provider_factory import ServiceProviderFactory
from dataall.base.aws.sts import SessionHelper
from dataall.base.aws.parameter_store import ParameterStoreManager
import logging
import os
from functools import wraps
Expand Down Expand Up @@ -121,6 +123,26 @@ def validate_permissions(session, tenant_name, g_permissions, group):
return tenant_group_permissions


class TenantActionsService:
@staticmethod
def update_monitoring_ssm_parameter(name, value):
# raises UnauthorizedOperation exception, if there is no admin access
context = get_context()
TenantPolicyValidationService.validate_admin_access(
context.username, context.groups, 'UPDATE_SSM_PARAMETER_MONITORING'
)

current_account = SessionHelper.get_account()
region = os.getenv('AWS_REGION', 'eu-west-1')
response = ParameterStoreManager.update_parameter(
AwsAccountId=current_account,
region=region,
parameter_name=f'/dataall/{os.getenv("envname", "local")}/quicksightmonitoring/{name}',
parameter_value=value,
)
return response


class TenantPolicyService:
TENANT_NAME = 'dataall'

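Review bot: `name` goes into the f-string for `parameter_name` unchecked, so once `validate_admin_access` passes, the caller decides which key under `/dataall/<envname>/quicksightmonitoring/` is written, including nested paths if `name` contains `/`. Constrain it before the `ParameterStoreManager.update_parameter` call, ideally against the fixed set of monitoring parameter names the application actually reads, or at least with a pattern such as `if not re.fullmatch(r'[A-Za-z0-9_.-]+', name or ''): raise ...` (this needs `import re` and the project's validation exception). The method also leaves no audit record of a privileged configuration change; a line such as `log.info('SSM monitoring parameter %s updated by %s', name, context.username)` after the update would record who changed what without logging the value, assuming this module already defines a `log` object. The new class lies entirely inside this hunk.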
