cloud-pipeline icon indicating copy to clipboard operation
cloud-pipeline copied to clipboard

Published 20 hours ago verified publisher icon epam

Credentials for storage access for users outside the Platform

Open NShaforostov opened this issue 3 years ago • 1 comments
trafficstars

Background

In some cases, it might be necessary for admins to give access to the storages created and existing in Cloud Pipeline for outside user that has not any access to Platform, but such users might need to read/write data directly to storage via some services - e.g. to AWS S3 bucket via AWS CLI. We should add the ability for admins to generate credentials for such users on specific storages. Also, admin should have the ability to view that credentials previously set for the user, edit them or revoke.

Approach

Add a new system preference, e.g. storage.outside.access.credentials. This preference shall have JSON format and contain the following info:

  • Cloud Provider name - Cloud Provider, for which storages the access credentials can be requested
  • Cloud Region name - Cloud Region of the Provider
  • template - template (Markdown format) of the credentials info view corresponding to that Cloud Provider and Region

Possible example of such preference:

[
   "AWS": [
      {
       "cloudRegion": "eu-east1",
       "credentialsTemplate": "**Token:** {token}"
      },
      {
       "cloudRegion": "eu-west2",
       "credentialsTemplate": "**Token:** {token}<br/>**Key:** {private_key}"
      },
      ...
   ],
   "GCP": [
      {
       "cloudRegion": "us-east1",
       "credentialsTemplate": "**Public key:** {public_key}<br/>**Private key:** {private_key}"
      }
   ],
   ...
]

Add a new control to the User management, in the User details pop-up - e.g.: image

Note: this control shall be visible only if the system preference described above has at least one item (Cloud Provider + template)

By click this control, a new pop shall appear, e.g.: image It shall contain:

  • Cloud Region dropdown list. Multi-select shall not be allowed. By default, first item from the list shall be selected. List of the Regions for that dropdown shall be defined by the content of the system preference described above
  • Generate credentials button - to get credentials for the selected storage(s). Disabled if no storages are selected
  • OK button - to close the pop-up

Here, admin firstly select the Cloud Region - for which storages credentials should be generated. After the Region is selected, admin shall click the Generate credentials button. Then, credentials shall be generated for the selected Region and shown, e.g.: image New sections shall appear:

  • Credentials - section that includes:
    • credentials info that are filled in according to the template from the system preference described above
    • Revoke button - to revoke credentials for the selected region
  • Permissions - section to specify for which storages generated credentials shall be applied

Note: the Generate credentials button shall be renamed to Regenerate credentials. By click this button, credentials for the selected Region shall be regenerated

After, admin shall specify for which storages shall be applied generated credentials. For that, admin shall click the field near Add storage label. The dropdown with storages list shall appear. Admin should specify storage name(s) into the corresponding field. Storages shall be suggested only according to the selected Cloud parameters. Multi-select shall not be allowed (admin shall add storages separately one by one). Once at least one storage is specified, in the Permissions section selected storage row shall appear: image image

For each added storage, admin shall have the ability:

  • to set/unset READ permission
  • to set/unset WRITE permission
  • to remove a storage from the list

Example: image

At the end, admin can copy appeared credentials for the selected Region and storages and sent them to the specific outside user. Note: with only generated credentials but without configured read/write permissions to the storage, user shall not have the access to that storage and vice versa too.

Other options

If admin opens this form for a user, for whom any credentials have been generated early - these credentials shall be shown in the pop-up. In this case, admin shall have the ability:

  • to add other storages and configure permissions to them using existing (previously generated) credentials
  • to "regenerate" existing credentials
  • to revoke credentials that were generated for the current user and Region

NShaforostov avatar Apr 28 '22 18:04 NShaforostov

Just drop peace of information regarding necessary permissions for such feature (AWS):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "iam:UpdateUser",
                "iam:GetAccessKeyLastUsed",
                "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy",
                "iam:UpdateAccessKey",
                "iam:DeleteUser",
                "iam:ListUserPolicies",
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:GetUser",
                "iam:ListAccessKeys"
            ],
            // here we can actually put some user name prefix to have permissions to manage only specifically named users
            "Resource": "arn:aws:iam::xxxx:user/*"
        }
    ]
}

SilinPavel avatar May 04 '22 16:05 SilinPavel