Scanner for the IAM rules engine.
IamPolicyScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)
Scanner for IAM data.
Find violations in the policies.

Parameters: policies (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
Returns: A list of all violations.
Flatten RuleViolations into a dict for each RuleViolation member.

Parameters: violations (list) – The RuleViolations to flatten.
Yields: dict – Iterator of RuleViolations as a dict per member.

Parameters: all_violations (list) – A list of violations.
Retrieves the data for the scanner.

Returns: list – List of (gcp_type, forseti_data_model_resource) tuples; dict – A dict of resource counts.
Runs the data collection.
Add bucket-relevant IAM policy bindings from ancestors.

Resources can inherit policy bindings from ancestors in the resource manager tree. For example, a GCS bucket inherits an ‘objectViewer’ role granted on a project or folder above it in the tree.

So far the IAM rules engine only checks the set of bindings directly attached to a resource (the direct bindings set, DBS). We need to add the relevant bindings inherited from ancestors to the DBS so that these are also checked for violations; otherwise a grant made at the project or folder level is invisible to the bucket rules.

If we find more than one binding with the same role name, we need to merge their members.

NOTA BENE: this function only handles buckets and the bindings relevant to them at present (but can and should be expanded to handle projects and folders going forward).

Parameters: policy_data (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
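The following is an added example, not Forseti's own implementation, of the ancestor-binding merge described above: it takes (parent resource, iam_policy resource, policy bindings) tuples, walks each bucket's ancestor chain, pulls down bucket-relevant bindings and merges members per role, then runs one sample check over the merged set. The "type/name" resource naming, the sample tree and policies, the choice of roles/storage.* as the bucket-relevant roles, and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample input in the shape the page describes:
# (parent resource, iam_policy resource, policy bindings) tuples.
# Resource names, the "type/name" scheme and the policies are assumptions.
SAMPLE_POLICY_DATA = [
    (None, "organization/123", [
        {"role": "roles/storage.objectViewer",
         "members": ["group:auditors@example.com"]},
    ]),
    ("organization/123", "folder/456", [
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com"]},
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:admin@example.com"]},
    ]),
    ("folder/456", "project/my-proj", [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
    ]),
    ("project/my-proj", "bucket/my-bucket", [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]),
    ("project/my-proj", "bucket/logs-bucket", []),
]

# Assumed filter: only storage roles are meaningful on a bucket, so only
# those are pulled down from ancestors into the bucket's binding set.
BUCKET_RELEVANT_ROLE_PREFIXES = ("roles/storage.",)
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _resource_type(name):
    """Resource type is the prefix of the assumed 'type/name' scheme."""
    return name.split("/", 1)[0]


def _ancestors(name, parent_of):
    """Yield ancestor names from the nearest parent up to the root."""
    parent = parent_of.get(name)
    while parent is not None:
        yield parent
        parent = parent_of.get(parent)


def add_bucket_ancestor_bindings(policy_data):
    """Return a new list of (parent, resource, bindings) tuples in which each
    bucket's bindings also contain the bucket-relevant bindings inherited
    from its ancestors. Bindings sharing a role are merged into one binding
    whose members are the sorted union. Non-bucket tuples are unchanged."""
    parent_of = {res: parent for parent, res, _ in policy_data}
    bindings_of = {res: bindings for _, res, bindings in policy_data}
    result = []
    for parent, resource, bindings in policy_data:
        if _resource_type(resource) != "bucket":
            result.append((parent, resource, bindings))
            continue
        members_by_role = defaultdict(set)
        # Direct bindings set (DBS) first...
        for b in bindings:
            members_by_role[b["role"]].update(b["members"])
        # ...then inherited bindings, merged into the same role buckets.
        for anc in _ancestors(resource, parent_of):
            for b in bindings_of.get(anc, []):
                if b["role"].startswith(BUCKET_RELEVANT_ROLE_PREFIXES):
                    members_by_role[b["role"]].update(b["members"])
        merged = [{"role": role, "members": sorted(members)}
                  for role, members in sorted(members_by_role.items())]
        result.append((parent, resource, merged))
    return result


def public_grants(policy_data):
    """Sample check run over the merged bindings: (resource, role) pairs
    granted to allUsers / allAuthenticatedUsers, direct or inherited."""
    findings = []
    for _, resource, bindings in policy_data:
        for b in bindings:
            if PUBLIC_MEMBERS & set(b["members"]):
                findings.append((resource, b["role"]))
    return findings


if __name__ == "__main__":
    merged = add_bucket_ancestor_bindings(SAMPLE_POLICY_DATA)
    for _, res, bindings in merged:
        print(res, bindings)
    print(public_grants(merged))
```

With the sample tree, bucket/logs-bucket has no direct bindings at all, yet after the merge it carries the storage.admin grant from its project and the objectViewer grants from its folder and organization; a rules check that looked only at the direct bindings set would report nothing for it. The folderAdmin binding on the folder is not pulled down because it is not a storage role.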