Comments (4)
Hi @dlpzx, thanks for taking a look at this issue. As a quick measure we have updated our docs.
For a long-term solution, if we add the dataset admin role explicitly to the KMS policy (like how it is done for a created dataset, where the KMS policy is created during the stack creation phase and then a SID "EnableDatasetIAMRoleKeyUsage" with permissions is added allowing the dataset admin role to access the KMS key) then this should solve the problem.
As this cannot be done via CDK for imported KMS keys during the dataset_stack creation phase ( https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kms/README.html#:~:text=alias/foo%22)-,Note,-that%20a%20call ), another way would be to do the update by assuming the pivot role and then adding a statement in the KMS policy for the dataset admin role to have access. This could be done during the post_deployment() step mentioned in the cdk_cli_wrapper.py file. Thus the dataset module will have a cli_wrapper.post_deployment implementation which will perform this after the dataset_stack creation is completed.
Please let me know your thoughts on this one.
Hi @TejasRGitHub, I understand the issue and it is not surprising for more strict KMS keys that remove the root permissions. What do you think is the best course of action?
As a first quick measure, we can update the docs; but I think that for the long term, we should look for automatic ways of ensuring access.
For example, we could add the statement upon import and re-check during shares, similar to generate_enable_pivot_role_permissions_policy_statement. What do you think?
Hi @TejasRGitHub, I am picking up this issue, which, as you pointed out, is trickier than it looks.
We should add a statement that grants permissions to the dataset_role (and I imagine other roles, environment_team_roles) to the imported KMS key policy when the dataset is created. Because we do not control the IaC of the KMS key, we need to perform these grants using SDK calls.
If we want to use the dataallPivotRole with SDK calls:
When we create/import a dataset, 2 stacks get deployed: dataset and environment. The permission that grants access to this KMS key to the dataallPivotRole is added when the environment stack is updated. So what needs to happen:
- user triggers dataset import
- dataset stack and environment stack deployments are triggered
- in the environment stack, wait for completion of the dataallPivotRole update
- update the KMS policy with a custom resource/post_execution using the dataallPivotRole
From a logical perspective, any action on the dataset KMS key should happen in the deployment of the dataset, not of the environment. But if we add a post_deployment to the dataset stack we cannot ensure that the pivot role is updated. We could have it as part of the environment stack, but it is a bit weird that there is a KMS dataset action after the environment is updated.
I am thinking of avoiding using the dataallPivotRole completely and using some sort of custom resource with the CDK exec role. I need to do some research.
Let me think about it, because I am not convinced by the solutions proposed yet.
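The SDK-based grant discussed in the two comments above, as an added example that is not data.all code: it merges a usage-only statement for the dataset admin role into an imported key's policy idempotently, so re-running it (for instance on every share re-check) never duplicates statements or loosens the rest of a restrictive policy. The SID, the action list, the role ARNs and the function names are assumptions; `kms_client` is assumed to be a boto3 KMS client created under whichever principal holds `kms:GetKeyPolicy`/`kms:PutKeyPolicy` on the key.

```python
import json

# Assumed values (not data.all's own): the SID mirrors the one the thread names
# for created datasets; the actions are usage-only, no key administration.
STATEMENT_SID = "EnableDatasetIAMRoleKeyUsage"
KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_role_statement(role_arns, sid=STATEMENT_SID):
    """Statement granting the given IAM roles day-to-day key usage."""
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": sorted(role_arns)},
            "Action": KEY_ACTIONS, "Resource": "*"}


def merge_role_statement(policy_json, role_arns, sid=STATEMENT_SID):
    """Return (policy_json, changed). Replaces a statement with the same Sid or
    appends one; every other statement is kept, so a restrictive imported key
    policy (e.g. one without the account root principal) is not loosened."""
    policy = json.loads(policy_json)
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = policy["Statement"] = [statements]
    new_stmt = build_role_statement(role_arns, sid)
    for i, stmt in enumerate(statements):
        if stmt.get("Sid") == sid:
            if stmt == new_stmt:
                return policy_json, False  # already granted: skip PutKeyPolicy
            statements[i] = new_stmt
            break
    else:
        statements.append(new_stmt)
    return json.dumps(policy, indent=2), True


def statement_sids(policy_json):
    return [s.get("Sid") for s in json.loads(policy_json)["Statement"]]


def grant_roles_on_imported_key(kms_client, key_id, role_arns):
    """SDK variant of the post_deployment step: read the key's default policy,
    merge the statement, and write it back only if something changed.
    kms_client: boto3 KMS client with GetKeyPolicy/PutKeyPolicy on the key."""
    current = kms_client.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
    updated, changed = merge_role_statement(current, role_arns)
    if changed:
        kms_client.put_key_policy(KeyId=key_id, PolicyName="default", Policy=updated)
    return changed
```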
Hi @dlpzx, thanks a lot for taking a look at this issue. I was of the view that post_deployment would start when the stacks are completely deployed. Thanks for clearing this out.
For now, we have found an internal solution for mitigating this issue. Although not needed right now, we could certainly take a look at this in future releases when we have a concrete solution. I think it will be helpful if data.all can work with super restrictive policies (as the one mentioned in this GH issue).