From 87674a81c917249921746a238ba57bc8d661fbbd Mon Sep 17 00:00:00 2001 From: Ajmal Farzam <43941560+afarzam1@users.noreply.github.com> Date: Tue, 24 Mar 2020 07:06:10 +1100 Subject: [PATCH] add applyfolderauthorization.py & update README.md & EXAMPLES.md (#47) * Create getauditrecords.py * Update README.md * create listmodels.py * Update README.md to include listmodels.py * add support to list model projects and repositories * Update info in readme.md to reflect new name * add applyauthorizationrules.py and add instructions in README * update EXAMPLES.md with applyfolderauthorization.py sample command & sample input CSV * fix applyfolderauthorization example and remove extraneous quotes from EXAMPLES.md * made files executable * remove '=====' from list of tools in README.md --- EXAMPLES.md | 27 ++++++++- README.md | 1 + applyfolderauthorization.py | 117 ++++++++++++++++++++++++++++++++++++ getauditrecords.py | 0 listmodelobjects.py | 0 5 files changed, 144 insertions(+), 1 deletion(-) create mode 100755 applyfolderauthorization.py mode change 100644 => 100755 getauditrecords.py mode change 100644 => 100755 listmodelobjects.py diff --git a/EXAMPLES.md b/EXAMPLES.md index 3e2333a..79c8e1e 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -266,7 +266,7 @@ importpackages.py -d /tmp/mypackage -q # # none of the above conditions will prevent the processing of additional items in the csv -./creategroups.py" -f /tmp/newgroups.csv +./creategroups.py -f /tmp/newgroups.csv Format of csv file is four columns Column 1 group id @@ -279,3 +279,28 @@ group2,"Group 2","My Group 2" group3,"Group 3","My Group3",geladm group1,"Group 1","group 1" ``` + +**applyfolderauthorization.py** + +```bash +# create folder authorization rules using a csv file as input +# +# if the rule already exists it will not be added and the response (from the CLI command) is printed +# + +./applyfolderauthorization.py -f /tmp/folderauths.csv + +Format of input csv file is 6 columns +Column 1 is the full path to the folder +Column 2 is the principal type +Column 3 is the principal name +Column 4 is the access setting (grant or prohibit) +Column 5 is the permissions on the folder +Column 6 is the conveyed permissions on the folder's contents + +For example: +/gelcontent/GELCorp/Marketing/Reports,group,Marketing,grant,"read,add,remove","read,update,delete,add,remove" +/gelcontent/GELCorp/Marketing/Reports,user,Douglas,grant,"read,update,add,remove,delete,secure","read,update,add,remove,delete,secure" +/gelcontent/GELCorp/Marketing/Analyses,group,Marketing,grant,"read,add,remove","read,update,delete,add,remove" +/gelcontent/GELCorp/Marketing/Work in Progress,group,Marketing,grant,"read,update,add,remove,delete,secure","read,update,add,remove,delete,secure" +``` \ No newline at end of file diff --git a/README.md b/README.md index e400e48..bfb0146 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,7 @@ Additional tools provide more complex functionality by combining multiple calls * **listgroupsandmembers.py** list all groups and all their members * **getauditrecords.py** lists audit records from SAS Infrastructure Data Server in CSV or JSON format using REST calls. * **listmodelobjects.py** lists basic information about model content (models, projects and repositories). +* **applyfolderauthorization.py** apply authorization rules to folders in bulk from a source CSV file. Check back for additional tools and if you build a tool feel free to contribute it to the collection. diff --git a/applyfolderauthorization.py b/applyfolderauthorization.py new file mode 100755 index 0000000..ad2bf76 --- /dev/null +++ b/applyfolderauthorization.py @@ -0,0 +1,117 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# applyfolderauthorization.py +# +# +# Change History +# +# 17Mar20 Initial development +# +# Format of input csv file is 6 columns +# Column 1 is the full path to the folder +# Column 2 is the principal type +# Column 3 is the principal name +# Column 4 is the access setting (grant or prohibit) +# Column 5 is the permissions on the folder +# Column 6 is the conveyed permissions on the folder's contents +# +# For example: +# /gelcontent/gelcorp/marketing/reports,group,Marketing,grant,"read,add,remove","read,update,add,remove,delete,secure" +# +# Copyright 2020, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the License); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +import argparse +import csv +import os +import json +import subprocess +from sharedfunctions import callrestapi, getfolderid, file_accessible, printresult + +# CHANGE THIS VARIABLE IF YOUR CLI IS IN A DIFFERENT LOCATION +clidir='/opt/sas/viya/home/bin/' +#clidir='c:\\admincli\\' + + +# setup command-line arguements +parser = argparse.ArgumentParser(description="Apply bulk auths from a CSV file to folders and contents") +parser.add_argument("-f","--file", help="Full path to CSV file. Format of csv: 'folderpath,principaltype,principalid,grant_or_prohibit,perms_on_folder,perms_on_contents",required='True') +args = parser.parse_args() +file=args.file + +reqtype="post" + +check=file_accessible(file,'r') +constructed_bulk_rules_list=[] + +# file can be read +if check: +# print("file: "+file) + with open(file, 'rt') as f: + filecontents = csv.reader(f) + for row in filecontents: + folderpath=row[0] + principaltype=row[1] + principalname=row[2] + accesssetting=row[3] + folderpermissions=row[4] + conveyedpermissions=row[5] + +# print("Creating auth rules for "+folderpath) + + folderid=getfolderid(folderpath) + folderuri=folderid[0] + reqval='/folders/folders/'+folderuri + +# Construct JSON objects from auth rules defined in CSV. Two JSON objects are created for each row of CSV; one for perms on the folder object, one for conveyed perms on the object's contents. + value_dict_object={"description":"Created by applyfolderauthorizations.py", + "objectUri":reqval, + "permissions":folderpermissions.split(','), + "principalType":principaltype, + "principal":principalname, + "type":accesssetting + } + value_dict_container={"description":"Created by applyfolderauthorizations.py", + "containerUri":reqval, + "permissions":conveyedpermissions.split(','), + "principalType":principaltype, + "principal":principalname, + "type":accesssetting + } + + constructed_rule_dict_object={ + "op":"add", + "value":value_dict_object + } + constructed_rule_dict_container={ + "op":"add", + "value":value_dict_container + } + constructed_bulk_rules_list.append(constructed_rule_dict_object) + constructed_bulk_rules_list.append(constructed_rule_dict_container) + +else: + print("ERROR: cannot read "+file) + +print("Writing out bulk rule JSON file to bulk_rules_list.json") +# Construct JSON schema containing rules +bulk_rules_list_string=json.dumps(constructed_bulk_rules_list,indent=2) +with open("bulk_rules_list.json", "w") as text_file: + text_file.write(bulk_rules_list_string+'\n') + +# Execute sas-admin CLI to apply rules from JSON schema +command=clidir+'sas-admin authorization create-rules --file bulk_rules_list.json' +print("Executing command: "+command) +subprocess.call(command, shell=True) diff --git a/getauditrecords.py b/getauditrecords.py old mode 100644 new mode 100755 diff --git a/listmodelobjects.py b/listmodelobjects.py old mode 100644 new mode 100755