Add GCPIAMCorpRuleEvent plugin. #181
base: master
Added `GCPIAMCorpRuleEvent` event plugin. This plugin evaluates an IAM corporate policy and checks whether any personal Gmail account is present. Gmail accounts are personally created and controllable accounts. Organizations seldom have any control over them. Hence for each Google Cloud Platform project, an account configured in a project shouldn't be a Gmail account.
Hi @jaibhageria Here is the output of the GCP IAM_policy plugin.
For safety I have masked some values.
Hi @sunnysharmagts
Thanks for opening this PR.
I have gone through the code and shared a few comments. I was not able to emulate this locally because I don't currently have a GCP account, hence I had asked for a sample out of IAM_policy plugin.
I would like to see the demo for this when you have time.
```python
                                        self._key_file_path))
                yield record
                _log.info('Found %s #%d: %s; %s', gcp_record_type, i,
                          raw_record,
```
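Review bot: the `_log.info(...)` call writes the whole `raw_record`, i.e. the entire IAM policy with every bound principal, into the log at info level; logging only `raw_record.get('name')`, as the inline comment suggests, keeps member identities out of log sinks that are often retained and shared more widely than the records themselves.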
I think there is no need to log the whole `raw_record`. Just `raw_record.get('name')` should be enough, as it was before.
```diff
-                          raw_record,
+                          raw_record.get('name'),
```
```python
        personal_account = None
        for member in members:
            if 'user' in member:
                user = member.split('user:')
```
Can you also share how a `member` record looks in the raw bucket?
```python
        for member in members:
            if 'user' in member:
                user = member.split('user:')
                if user[1].endswith('gmail.com'):
```
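Review bot: `if 'user' in member` is a substring test, so it also fires for members that merely contain the word (a `deleted:user:` principal, or a group address such as `group:users@example.com`), and `member.split('user:')` followed by `user[1]` then indexes whatever that split produced; a prefix test such as `member.startswith('user:')` with the remainder taken after the prefix is the safer shape. Likewise `user[1].endswith('gmail.com')` matches any domain that ends in those characters (for example `notgmail.com`) and misses mixed-case addresses; comparing the part after `@`, lowercased, for equality with the domain avoids both problems.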
The user could be using any other mailing account as well, apart from Gmail. Should we add checks for that too and make this generalised? I may be wrong here so please correct me.
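A worked version of the check the PR describes, written here as an added example and not taken from the PR or the project: it walks the `bindings` of a GCP IAM policy (the shape returned by `projects.getIamPolicy`, whose `members` carry a kind prefix such as `user:`, `serviceAccount:`, `group:` or `domain:`), keeps only `user:` principals, compares the lowercased domain after `@` for equality against a set of consumer domains, and, to address the generalisation question above, can instead flag any user whose domain is not on an organisation allowlist. The sample policy, `CONSUMER_DOMAINS`, and the function names are assumptions constructed for this example.

```python
"""Added example (not the PR's or the project's code): flag personal
consumer-email principals bound in a GCP IAM policy."""

# Constructed sample policy in the projects.getIamPolicy shape: a list of
# bindings, each mapping one role to a list of prefixed members.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:Alice@Gmail.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com",
                     "group:users@example.com",
                     "domain:example.com",
                     "user:carol@notgmail.com",
                     "deleted:user:dave@gmail.com?uid=123"]},
    ]
}

# Assumed set of consumer (personally controlled) mail domains.
CONSUMER_DOMAINS = frozenset({"gmail.com", "googlemail.com"})


def member_domain(member):
    """Return the lowercased mail domain of a 'user:' member, or None for
    any other principal kind (serviceAccount, group, domain, deleted, ...).

    Uses a prefix match on the kind rather than a substring test, so
    'group:users@...' and 'deleted:user:...' are not treated as users.
    """
    kind, sep, ident = member.partition(":")
    if not sep or kind != "user" or "@" not in ident:
        return None
    return ident.rsplit("@", 1)[1].lower()


def find_personal_accounts(policy, consumer_domains=CONSUMER_DOMAINS,
                           allowed_domains=None):
    """Return findings for user principals that should not hold a role.

    Default mode: a user is flagged when its domain is exactly one of
    consumer_domains (so 'notgmail.com' is not a hit, 'Gmail.com' is).
    Allowlist mode (allowed_domains given): a user is flagged when its
    domain is NOT in the organisation's allowed set, which covers any
    non-corporate provider, not just Gmail.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            domain = member_domain(member)
            if domain is None:
                continue  # not a user principal; nothing to judge here
            if allowed_domains is not None:
                suspicious = domain not in allowed_domains
            else:
                suspicious = domain in consumer_domains
            if suspicious:
                findings.append({"role": role, "member": member,
                                 "domain": domain})
    return findings


if __name__ == "__main__":
    for f in find_personal_accounts(SAMPLE_POLICY):
        print("consumer account:", f)
    for f in find_personal_accounts(SAMPLE_POLICY,
                                    allowed_domains={"example.com"}):
        print("non-corporate account:", f)
```

Deleted principals (`deleted:user:...`) are skipped here because they can no longer authenticate; a stricter rule could report them separately as bindings to clean up.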