From 89394fa61702e67c31033212c1c6dfd9b4b6ef5f Mon Sep 17 00:00:00 2001
From: dlpzx
Date: Fri, 22 Nov 2024 10:52:18 +0100
Subject: [PATCH] Added permission check - is tenant to update SSM parameters API

---
 .../dataall/core/permissions/api/resolvers.py | 18 ++-------------
 .../services/tenant_policy_service.py | 22 +++++++++++++++++++
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/backend/dataall/core/permissions/api/resolvers.py b/backend/dataall/core/permissions/api/resolvers.py
index de35d596b..6cbceee12 100644
--- a/backend/dataall/core/permissions/api/resolvers.py
+++ b/backend/dataall/core/permissions/api/resolvers.py
@@ -1,11 +1,5 @@
 import logging
-import os
-
-from dataall.base.aws.sts import SessionHelper
-from dataall.base.aws.parameter_store import ParameterStoreManager
-from dataall.base.db.exceptions import RequiredParameter
-from dataall.core.permissions.services.permission_service import PermissionService
-from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
+from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService, TenantActionsService
 
 log = logging.getLogger(__name__)
 
@@ -26,12 +20,4 @@ def list_tenant_groups(context, source, filter=None):
 
 
 def update_ssm_parameter(context, source, name: str = None, value: str = None):
-    current_account = SessionHelper.get_account()
-    region = os.getenv('AWS_REGION', 'eu-west-1')
-    response = ParameterStoreManager.update_parameter(
-        AwsAccountId=current_account,
-        region=region,
-        parameter_name=f'/dataall/{os.getenv("envname", "local")}/quicksightmonitoring/{name}',
-        parameter_value=value,
-    )
-    return response
+    return TenantActionsService.update_monitoring_ssm_parameter(name, value)
diff --git a/backend/dataall/core/permissions/services/tenant_policy_service.py b/backend/dataall/core/permissions/services/tenant_policy_service.py
index b3b21316c..e1b62cefb 100644
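Review bot: In the rewritten `update_ssm_parameter`, `name` and `value` keep their `None` defaults and are forwarded to `TenantActionsService.update_monitoring_ssm_parameter` with no required-parameter check, while the `RequiredParameter` import is deleted in the first hunk rather than used; a call without `name` therefore addresses `.../quicksightmonitoring/None`. The same gap exists in the `TenantActionsService` hunk of tenant_policy_service.py, where `name` is interpolated straight into the SSM parameter path, so a `name` containing `/` selects a different parameter under that prefix. Whichever layer owns validation should reject an empty `name`, a `name` containing `/`, and a missing `value`, e.g. `if not name or '/' in name or value is None:` followed by `raise RequiredParameter(...)` in the project's usual argument form.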
--- a/backend/dataall/core/permissions/services/tenant_policy_service.py
+++ b/backend/dataall/core/permissions/services/tenant_policy_service.py
@@ -9,6 +9,8 @@
 from dataall.core.permissions.services.permission_service import PermissionService
 from dataall.core.permissions.db.tenant.tenant_models import Tenant
 from dataall.base.services.service_provider_factory import ServiceProviderFactory
+from dataall.base.aws.sts import SessionHelper
+from dataall.base.aws.parameter_store import ParameterStoreManager
 import logging
 import os
 from functools import wraps
@@ -121,6 +123,26 @@ def validate_permissions(session, tenant_name, g_permissions, group):
         return tenant_group_permissions
 
 
+class TenantActionsService:
+    @staticmethod
+    def update_monitoring_ssm_parameter(name, value):
+        # raises UnauthorizedOperation exception, if there is no admin access
+        context = get_context()
+        TenantPolicyValidationService.validate_admin_access(
+            context.username, context.groups, 'UPDATE_SSM_PARAMETER_MONITORING'
+        )
+
+        current_account = SessionHelper.get_account()
+        region = os.getenv('AWS_REGION', 'eu-west-1')
+        response = ParameterStoreManager.update_parameter(
+            AwsAccountId=current_account,
+            region=region,
+            parameter_name=f'/dataall/{os.getenv("envname", "local")}/quicksightmonitoring/{name}',
+            parameter_value=value,
+        )
+        return response
+
+
 class TenantPolicyService:
     TENANT_NAME = 'dataall'
 
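Review bot: `update_monitoring_ssm_parameter` has no docstring and the inline comment only names the exception; add one stating that the caller must be a tenant admin (checked through `TenantPolicyValidationService.validate_admin_access`, which raises `UnauthorizedOperation` otherwise) and that the parameter is written under `/dataall/<envname>/quicksightmonitoring/` in the account returned by `SessionHelper.get_account()`, in the region from `AWS_REGION` defaulting to `eu-west-1`. The permission name `'UPDATE_SSM_PARAMETER_MONITORING'` is passed as a bare string literal; if tenant permissions are declared as constants elsewhere in the project, reference that constant here so the check cannot silently drift from a registered permission. `get_context` and `TenantPolicyValidationService` are not imported by this hunk, so they are presumably already in scope in this module — worth confirming, since the new class is placed ahead of `TenantPolicyService`.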