updated with custom yaml file for auth

Added 2 new function to check if the custom yaml file exists - /etc/confluent/authorize.yaml - and one to update the _allowbyrole and _deniedbyrole vars accordingly.
2024-11-22 17:43:14 +00:00 · 2023-02-21 15:13:17 +02:00 · 2023-02-21 15:13:17 +02:00 · 8940247164
commit 8940247164
parent 77ba0acee6
1 changed files with 42 additions and 0 deletions
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@ -115,6 +115,47 @@ class PromptsNeeded(Exception):
    def __init__(self, prompts):
        self.prompts = prompts

+ #add function to change _allowedbyrole and _deniedbyrole vars.
+ def add_roles(dictionary):
+    #function to parse the roles and the files. If there are modifications to be done to the roles, items will be added to dictionaries.
+    #If there are no moodifications done to one of the roles, it continues to the next
+    #Opening YAML file and reading the custom roles
+    with open("/etc/confluent/authorization.yaml","r") as stream:
+        loaded_file = yaml.safe_load(stream)
+        for outside_key,outside_value in loaded_file.items():
+            for inside_key,inside_value in outside_value.items():
+                try:
+                    #Trying to append the new list of permissions to existing lists (i.e. Operator : {"retrieve" : ['*' , 'new_added_file_permission']}) 
+                    dictionary[outside_key][inside_key] = (list(set(dictionary[outside_key][inside_key]+inside_value)))
+                except KeyError:
+                    #If there is no previous action, we create a new one (i.e. Operator : { "new_action" : ['new_added_file_permission'] })
+                    try:
+                        dictionary[outside_key][inside_key] = inside_value
+                    except KeyError:
+                        #If there is a new role to be added, we add it along with the rest of the info (i.e. NewRole : {"new_action" : ['new_added_file_permission]})
+                        dictionary[outside_key] = outside_value
+                
+    
+def check_for_yaml():
+    #impot yaml and op.path to check if the file exists and to safe_load the yaml file.
+    try:
+        import yaml
+    except:
+        return "Yaml not installed"
+    try:
+        from os.path import exists
+    except:
+        return "could not import os.path"
+    #checking if the file exists
+    if exists("/etc/confluent/authorization.yaml"):
+        add_roles(_allowedbyrole)
+        add_roles(_deniedbyrole)
+        return "Custom auth. file detected in /etc/confluent, updated roles accordingly"
+    else:
+        return "No custom auth. file. Continuing as normal"
+    
+
+        
 def _get_usertenant(name, tenant=False):
    """_get_usertenant

@ -165,6 +206,7 @@ def authorize(name, element, tenant=False, operation='create',
    # skipuserobj is a leftover from the now abandoned plan to use pam session
    # to do authorization and authentication.  Now confluent always does authorization
    # even if pam does authentication.
+    check_for_yaml()
    if operation not in ('create', 'start', 'update', 'retrieve', 'delete', None):
        return False
    user, tenant = _get_usertenant(name, tenant)