in radlab-launcher/radlab.py [0:0]
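def _role_granted_to(bindings, role, member):
    """Return True if any binding in *bindings* grants *role* to *member*."""
    return any(
        binding.get('role') == role and member in binding.get('members', [])
        for binding in bindings
    )


def _exit_missing_role(role):
    """Abort the launcher with the standard missing-permission message for *role*."""
    sys.exit(
        Fore.RED + "\nError Occured - RADLAB LAUNCHER PERMISSION ISSUE | " + role + " permission missing...\n(Review https://github.com/GoogleCloudPlatform/rad-lab/tree/main/radlab-launcher#iam-permissions-prerequisites for more details)\n" + Style.RESET_ALL)


def launcherperm(projid, currentusr):
    """Pre-flight check that *currentusr* holds the roles the launcher needs.

    Reads the IAM policy of the RAD Lab management project and, when the
    project has a parent, of the organization resolved by ``findorg``. It
    then verifies that ``user:<currentusr>`` is listed on each required role.
    A direct ``roles/owner`` binding on the project satisfies the
    project-level requirement.

    This is a usability check, not an access-control boundary: the policy
    lookups only inspect bindings that name the user directly. Roles reached
    through a group, a service account, or inheritance from a folder or
    organization are not visible here, so the check can reject a caller who
    is in fact authorized. Real enforcement happens in the Google Cloud APIs
    when the launcher runs.

    Args:
        projid: ID of the RAD Lab management project.
        currentusr: E-mail address of the signed-in user, without the
            ``user:`` prefix.

    Raises:
        SystemExit: A required project- or organization-level role is not
            bound to the user.
    """
    # Hardcoded Project level required RAD Lab Launcher roles
    launcherprojroles = ['roles/storage.admin', 'roles/serviceusage.serviceUsageConsumer']
    # Hardcoded Org level required RAD Lab Launcher roles
    launcherorgroles = ['roles/iam.organizationRoleViewer']

    # NOTE(review): matching is an exact string comparison; confirm that
    # currentusr arrives in the same letter case the IAM API returns.
    member = 'user:' + currentusr

    credentials = GoogleCredentials.get_application_default()
    # One client serves all three calls; they use the same API, version and
    # credentials.
    crm = discovery.build('cloudresourcemanager', 'v3', credentials=credentials)

    project_policy = crm.projects().getIamPolicy(resource='projects/' + projid).execute()
    # A policy with no role bindings may come back without a 'bindings' key.
    project_bindings = project_policy.get('bindings', [])

    # Evaluate Owner first so the result does not depend on the order in which
    # the API happens to list the bindings.
    if _role_granted_to(project_bindings, 'roles/owner', member):
        print("\n" + currentusr + " has roles/owner role for RAD Lab Management Project: " + projid)
    else:
        for role in launcherprojroles:
            # The same role can appear in more than one binding (presumably
            # when IAM conditions are in use), so accept a match in any of
            # them rather than failing on the first one without the user.
            if not _role_granted_to(project_bindings, role, member):
                _exit_missing_role(role)

    print(Fore.GREEN + '\nRADLAB LAUNCHER - Project Permission check passed' + Style.RESET_ALL)

    project = crm.projects().get(name='projects/' + projid).execute()

    if 'parent' in project:
        org = findorg(project['parent'])
        org_policy = crm.organizations().getIamPolicy(resource=org).execute()
        org_bindings = org_policy.get('bindings', [])

        for role in launcherorgroles:
            if not _role_granted_to(org_bindings, role, member):
                _exit_missing_role(role)

        print(Fore.GREEN + '\nRADLAB LAUNCHER - Organization Permission check passed' + Style.RESET_ALL)
    else:
        print(Fore.YELLOW + '\nRADLAB LAUNCHER - Skipping Organization Permission check. No Organization associated with the project: ' + projid + Style.RESET_ALL)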