Scanner for the IAM rules engine.
class IamPolicyScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)
Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner
Scanner for IAM data.
SCANNER_OUTPUT_CSV_FMT = 'scanner_output_iam.{}.csv'

_find_violations(policies)
Find violations in the policies.
Parameters: policies (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
Returns: A list of all violations.
Return type: list
_flatten_violations(violations)
Flatten RuleViolations into a dict for each RuleViolation member.
Parameters: violations (list) – The RuleViolations to flatten.
Yields: dict – Iterator of RuleViolations as a dict per member.
_output_results(all_violations)
Output results.
Parameters: all_violations (list) – A list of violations.
_add_bucket_ancestor_bindings(policy_data)
Add bucket-relevant IAM policy bindings from ancestors.
Resources can inherit policy bindings from ancestors in the resource manager tree. For example, a GCS bucket inherits an ‘objectViewer’ role granted on its project or folder (higher up in the tree).
So far the IAM rules engine only checks the set of bindings directly attached to a resource (the direct bindings set, DBS). Relevant bindings inherited from ancestors are added to the DBS so that they are also checked for violations; otherwise a grant made on the project or folder would never be evaluated against the bucket rules.
If more than one binding with the same role name is found, their members are merged into a single binding.
NOTA BENE: this function only handles buckets and the bindings relevant to them at present (but can and should be expanded to handle projects and folders going forward).
Parameters: policy_data (list) – list of (parent resource, iam_policy resource, policy bindings) tuples to find violations in.
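The merge described above, as an added Python example that is not Forseti's own implementation: the role set BUCKET_RELEVANT_ROLES, the function name and the sample policies are constructed for illustration, and ancestor bindings are assumed to have already been collected by walking up the resource tree.

```python
# Added example (not Forseti's code): fold bucket-relevant bindings inherited
# from ancestor resources into a bucket's direct bindings set (DBS).
# Assumption: only roles in this set matter for a bucket. Constructed list.
BUCKET_RELEVANT_ROLES = {
    'roles/storage.objectViewer',
    'roles/storage.objectCreator',
    'roles/storage.admin',
}


def merge_ancestor_bindings(direct_bindings, ancestor_bindings):
    """Return the DBS extended with bucket-relevant ancestor bindings.

    Both arguments are lists of {'role': str, 'members': list[str]} dicts in
    the IAM policy binding format. Bindings that share a role name are merged
    by taking the union of their members, so the rules engine sees exactly
    one binding per role. The inputs are not mutated.
    """
    merged = {b['role']: set(b['members']) for b in direct_bindings}
    for binding in ancestor_bindings:
        role = binding['role']
        if role not in BUCKET_RELEVANT_ROLES:
            continue  # e.g. roles/compute.admin never applies to a bucket
        merged.setdefault(role, set()).update(binding['members'])
    # Sort roles and members so CSV output and comparisons are deterministic.
    return [{'role': role, 'members': sorted(members)}
            for role, members in sorted(merged.items())]


# Constructed sample: the bucket's own policy plus the policies of its parent
# project and folder. The inherited objectViewer grant to the readers group
# would be invisible to a DBS-only check.
BUCKET_BINDINGS = [
    {'role': 'roles/storage.objectViewer', 'members': ['user:alice@example.com']},
]
PROJECT_BINDINGS = [
    {'role': 'roles/storage.objectViewer', 'members': ['group:readers@example.com']},
    {'role': 'roles/compute.admin', 'members': ['user:bob@example.com']},
]
FOLDER_BINDINGS = [
    {'role': 'roles/storage.admin', 'members': ['user:carol@example.com']},
]

if __name__ == '__main__':
    effective = merge_ancestor_bindings(BUCKET_BINDINGS,
                                        PROJECT_BINDINGS + FOLDER_BINDINGS)
    for b in effective:
        print(b['role'], b['members'])
```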