Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(neptune): introduce cluster grant method for granular actions #21926

Merged
merged 7 commits into from
Sep 9, 2022
Merged

feat(neptune): introduce cluster grant method for granular actions #21926

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6fddb0c
feat(neptune): introduce cluster grant method for granular actions
humanzz Sep 6, 2022
f492c1a
update granting error message
humanzz Sep 7, 2022
e854462
Merge remote-tracking branch 'origin/main' into neptune-cluster-grant
humanzz Sep 8, 2022
ea14e7e
use grant in integ tests
humanzz Sep 8, 2022
58479b0
update grant error message and README
humanzz Sep 9, 2022
3d369be
update grant error message
humanzz Sep 9, 2022
13b2b8f
Merge remote-tracking branch 'origin/main' into neptune-cluster-grant
humanzz Sep 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-neptune/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,9 @@ const cluster = new neptune.DatabaseCluster(this, 'Cluster', {
iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().
});
const role = new iam.Role(this, 'DBRole', { assumedBy: new iam.AccountPrincipal(this.account) });
cluster.grantConnect(role); // Grant the role connection access to the DB.
// Use one of the following statements to grant the role the necessary permissions
cluster.grantConnect(role); // Grant the role neptune-db:* access to the DB
cluster.grant(role, 'neptune-db:ReadDataViaQuery', 'neptune-db:WriteDataViaQuery'); // Grant the role the specified actions to the DB
```

## Customizing parameters
Expand Down
19 changes: 16 additions & 3 deletions packages/@aws-cdk/aws-neptune/lib/cluster.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,15 @@ export interface IDatabaseCluster extends IResource, ec2.IConnectable {
*/
readonly clusterReadEndpoint: Endpoint;

/**
* Grant the given identity the specified actions
* @param grantee the identity to be granted the actions
* @param actions the data-access actions
*
* @see https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html
*/
grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;

/**
* Grant the given identity connection access to the database.
*/
Expand Down Expand Up @@ -360,15 +369,15 @@ export abstract class DatabaseClusterBase extends Resource implements IDatabaseC

protected abstract enableIamAuthentication?: boolean;

public grantConnect(grantee: iam.IGrantable): iam.Grant {
public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
if (this.enableIamAuthentication === false) {
throw new Error('Cannot grant connect when IAM authentication is disabled');
throw new Error('Cannot grant actions as IAM authentication is not enabled');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
throw new Error('Cannot grant actions as IAM authentication is not enabled');
throw new Error('Cannot grant permissions when IAM authentication is not enabled');

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick question here, the README says:

const cluster = new neptune.DatabaseCluster(this, 'Cluster', {
  vpc,
  instanceType: neptune.InstanceType.R5_LARGE,
  iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().
});

It seems that this sort of contradicts that. Can you add a clarifying line that explicitly setting this to false and trying to grant permissions will throw an error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tbh, I found the existing implementation of grantConnect and its side effect of possibly enabling iam auth, and how enabling iamAuth is handled a bit surprising!

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-neptune/lib/cluster.ts#L368

In terms of the error message, now that I look at it, I think the older version that uses "disabled" actually makes more sense and is more consistent with the implemented behaviour which

  1. Defaults to disabled (I think a cloudformation default rather than a cdk default)
  2. Requires one to explicitly disable iam auth if they don't want it and want grant methods to throw such exceptions

I get that grant enabling iam auth might be a convenience, but it's a bit twisted IMHO!

So, for this PR, how about

  1. change the error message to Cannot grant permissions when IAM authentication is disabled
  2. update the README to say // Optional - will be automatically set if you call grant() or grantConnect()

}

this.enableIamAuthentication = true;
return iam.Grant.addToPrincipal({
grantee,
actions: ['neptune-db:*'],
actions,
resourceArns: [
[
'arn',
Expand All @@ -381,6 +390,10 @@ export abstract class DatabaseClusterBase extends Resource implements IDatabaseC
],
});
}

public grantConnect(grantee: iam.IGrantable): iam.Grant {
return this.grant(grantee, 'neptune-db:*');
}
}

/**
Expand Down
80 changes: 77 additions & 3 deletions packages/@aws-cdk/aws-neptune/test/cluster.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -473,7 +473,7 @@ describe('DatabaseCluster', () => {
});
});

test('createGrant - creates IAM policy and enables IAM auth', () => {
test('grantConnect - enables IAM auth and grants neptune-db:* to the grantee', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');
Expand Down Expand Up @@ -528,7 +528,7 @@ describe('DatabaseCluster', () => {
});
});

test('createGrant - throws if IAM auth disabled', () => {
test('grantConnect - throws if IAM auth disabled', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');
Expand All @@ -544,7 +544,81 @@ describe('DatabaseCluster', () => {
});

// THEN
expect(() => { cluster.grantConnect(role); }).toThrow(/Cannot grant connect when IAM authentication is disabled/);
expect(() => { cluster.grantConnect(role); }).toThrow(/Cannot grant actions as IAM authentication is not enabled/);
});

test('grant - enables IAM auth and grants specified actions to the grantee', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');

// WHEN
const cluster = new DatabaseCluster(stack, 'Cluster', {
vpc,
instanceType: InstanceType.R5_LARGE,
});
const role = new iam.Role(stack, 'DBRole', {
assumedBy: new iam.AccountPrincipal(stack.account),
});
cluster.grant(role, 'neptune-db:ReadDataViaQuery', 'neptune-db:WriteDataViaQuery');

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Neptune::DBCluster', {
IamAuthEnabled: true,
});
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [{
Effect: 'Allow',
Action: ['neptune-db:ReadDataViaQuery', 'neptune-db:WriteDataViaQuery'],
Resource: {
'Fn::Join': [
'', [
'arn:', {
Ref: 'AWS::Partition',
},
':neptune-db:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':',
{
'Fn::GetAtt': [
'ClusterEB0386A7',
'ClusterResourceId',
],
},
'/*',
],
],
},
}],
Version: '2012-10-17',
},
});
});

test('grant - throws if IAM auth disabled', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');

// WHEN
const cluster = new DatabaseCluster(stack, 'Cluster', {
vpc,
instanceType: InstanceType.R5_LARGE,
iamAuthentication: false,
});
const role = new iam.Role(stack, 'DBRole', {
assumedBy: new iam.AccountPrincipal(stack.account),
});

// THEN
expect(() => { cluster.grant(role, 'neptune-db:ReadDataViaQuery', 'neptune-db:WriteDataViaQuery'); }).toThrow(/Cannot grant actions as IAM authentication is not enabled/);
});

test('autoMinorVersionUpgrade is enabled when configured', () => {
Expand Down