in gcpdiag/runbook/dataproc/spark_job_failures.py [0:0]
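def execute(self):
  """Verify the IAM setup of the VM service account used by the Dataproc cluster.

  Reads the service account email and the project ids from the runbook flags
  and then branches on where the account lives:

    * found in the cluster project: add an IAM policy check requiring
      ``roles/dataproc.worker`` for the account;
    * found in the cross project: add an org-policy check on
      ``constraints/iam.disableCrossProjectServiceAccountUsage`` (expected
      not enforced there) plus IAM policy checks for the account and for the
      cluster project's Dataproc and Compute service agents;
    * not found in either: report the cluster project as failed using
      ``FAILURE_REASON`` / ``FAILURE_REMEDIATION``.

  Every check is attached as a child step through ``self.add_child``; the
  child steps do the actual evaluation.
  """
  sa_email = op.get(flags.SERVICE_ACCOUNT)
  project_id = op.get(flags.PROJECT_ID)
  cross_project_id = op.get(flags.CROSS_PROJECT_ID)
  # Looked up once: needed for the service-agent emails (project number) and
  # as the resource reported in the failure branch.
  project = crm.get_project(project_id)
  op.info(('Service Account:{}').format(sa_email))

  def _policy_check(check_project_id, principal_email, roles):
    """Build an IamPolicyCheck requiring *all* of ``roles`` for a service account."""
    check = iam_gs.IamPolicyCheck()
    check.project = check_project_id
    check.principal = f'serviceAccount:{principal_email}'
    check.require_all = True
    check.roles = roles
    return check

  sa_exists = False
  sa_exists_cross_project = False
  if sa_email:
    sa_exists = iam.is_service_account_existing(email=sa_email,
                                                billing_project_id=project_id)
    # NOTE(review): this lookup runs even when CROSS_PROJECT_ID is unset --
    # confirm is_service_account_existing tolerates a None billing project.
    sa_exists_cross_project = iam.is_service_account_existing(
        email=sa_email, billing_project_id=cross_project_id)

  if sa_exists:
    op.info(
        'VM Service Account associated with Dataproc cluster was found in the'
        ' same project')
    op.info('Checking permissions.')
    self.add_child(child=_policy_check(project_id, sa_email,
                                       ['roles/dataproc.worker']))
  elif sa_exists_cross_project:
    op.info('VM Service Account associated with Dataproc cluster was found in'
            ' cross project')
    # The constraint forbids attaching a service account to resources in
    # another project; the check expects it NOT to be enforced on the project
    # that owns the account, otherwise the cluster cannot use it.
    op.info('Checking constraints on service account project.')
    orgpolicy_constraint_check = crm_gs.OrgPolicyCheck()
    orgpolicy_constraint_check.project = cross_project_id
    orgpolicy_constraint_check.constraint = (
        'constraints/iam.disableCrossProjectServiceAccountUsage')
    orgpolicy_constraint_check.is_enforced = False
    self.add_child(child=orgpolicy_constraint_check)

    op.info('Checking roles in service account project.')
    self.add_child(child=_policy_check(
        cross_project_id, sa_email,
        ['roles/iam.serviceAccountUser', 'roles/dataproc.worker']))

    # The service agents are named after the *cluster* project's number but
    # need their roles granted in the project that owns the service account.
    op.info('Checking service agent service account roles on service account'
            ' project.')
    service_agent_sa = (
        f'service-{project.number}@dataproc-accounts.iam.gserviceaccount.com')
    self.add_child(child=_policy_check(
        cross_project_id, service_agent_sa,
        ['roles/iam.serviceAccountUser',
         'roles/iam.serviceAccountTokenCreator']))

    op.info('Checking compute agent service account roles on service account'
            ' project.')
    compute_agent_sa = (
        f'service-{project.number}@compute-system.iam.gserviceaccount.com')
    self.add_child(child=_policy_check(
        cross_project_id, compute_agent_sa,
        ['roles/iam.serviceAccountTokenCreator']))
  else:
    op.add_failed(project,
                  reason=op.prep_msg(op.FAILURE_REASON,
                                     service_account=sa_email,
                                     project_id=project_id),
                  remediation=op.prep_msg(op.FAILURE_REMEDIATION))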