1# Copyright 2020 StrongDM Inc 2# 3# Licensed under the Apache License, Version 2.0 (the "License"); 4# you may not use this file except in compliance with the License. 5# You may obtain a copy of the License at 6# 7# http://www.apache.org/licenses/LICENSE-2.0 8# 9# Unless required by applicable law or agreed to in writing, software 10# distributed under the License is distributed on an "AS IS" BASIS, 11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12# See the License for the specific language governing permissions and 13# limitations under the License. 14# 15 16# Code generated by protogen. DO NOT EDIT. 17 18import base64 19import collections 20import copy 21import datetime 22import functools 23import grpc 24import hashlib 25import hmac 26import random 27import re 28import time 29from . import errors 30from . import plumbing 31from . import svc 32 33from cryptography.hazmat.primitives.asymmetric import rsa, padding 34from cryptography.hazmat.primitives import serialization, hashes 35 36# These defaults are taken from AWS. Customization of these values 37# is a future step in the API. 
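DEFAULT_BASE_RETRY_DELAY = 1  # 1 second
DEFAULT_MAX_RETRY_DELAY = 120  # 120 seconds
DEFAULT_RETRY_FACTOR = 1.6
DEFAULT_RETRY_JITTER = 0.2
API_VERSION = '2025-04-14'
USER_AGENT = 'strongdm-sdk-python/16.23.0'

# Maps a lower-cased gRPC method path such as "/v1.managedsecrets/create"
# onto the name of the interceptor handler that serves it: every run of
# non-word characters becomes "_", giving "_v1_managedsecrets_create".
method_regexp = re.compile(r'\W+')


def _oaep_sha256():
    """Return the RSA-OAEP padding (MGF1 over SHA-256, SHA-256, no label) used for managed secrets.

    Encryption in ``_EncryptionInterceptor._encrypt_secret`` and decryption in
    ``_EncryptionInterceptor._v1_managedsecrets_retrieve`` must agree on these
    parameters exactly, so both obtain them from this one place.
    """
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(),
                        label=None)


class _ClientCallDetails(
        collections.namedtuple(
            "_ClientCallDetails",
            ("method", "timeout", "metadata", "credentials")),
        grpc.ClientCallDetails,
):
    """ _ClientCallDetails is used to override some of the attributes of the client_call_details in the interceptors

    The interceptors rebuild the call details whenever they mutate a request,
    because the ``x-sdm-signature`` metadata entry covers the serialized
    request bytes and has to be recomputed (see ``Client.get_metadata``).
    """
    pass


class _EncryptionInterceptor(grpc.UnaryUnaryClientInterceptor):
    """ _EncryptionInterceptor is used to add transparent encryption/decryption support for managed secrets

    - ManagedSecrets.Create/Update: the secret value is RSA-OAEP encrypted to
      the public key of the target secret engine before it leaves the client.
    - ManagedSecrets.Retrieve: a client-side RSA key pair is generated lazily;
      its public key is sent with the request and the returned value is
      decrypted with the private half.
    - SecretEngines.Get/List: responses fill ``public_key_cache``
      (engine id -> RSA public key).
    """
    def __init__(self, client):
        # Owning Client: supplies secret_engines.get() for cache fills and
        # get_metadata() for re-signing mutated requests.
        self.client = client
        # secret engine id -> cryptography RSA public key object.
        self.public_key_cache = {}

    def intercept_unary_unary(self, continuation, client_call_details,
                              request):
        """Dispatch the call to a handler named after its method path, or pass it through.

        The handler is looked up by the attribute name derived from the method
        path (see ``method_regexp``). Method paths come from this SDK's own
        generated stubs, not from the peer.
        """
        method = method_regexp.sub("_", client_call_details.method.lower())
        callback = getattr(self, method, None)
        if callback is not None:
            return callback(continuation, client_call_details, request)
        return continuation(client_call_details, request)

    @functools.cached_property
    def private_key(self):
        """RSA-4096 key pair generated on first use and kept for the interceptor's lifetime.

        Only used to decrypt ManagedSecrets.Retrieve responses; it is never
        written anywhere.
        """
        return rsa.generate_private_key(
            public_exponent=65537,
            key_size=4096,
        )

    def _public_key_for(self, engine_id):
        """Return the cached public key of secret engine *engine_id*, or None.

        A cache miss triggers one SecretEngines.Get call; its response is
        intercepted by ``_v1_secretengines_get``, which fills the cache. The
        lookup is best effort: an RPCError is swallowed and None is returned.
        """
        if engine_id not in self.public_key_cache:
            try:
                # The reply itself is not needed here; only the cache side
                # effect of the Get interceptor matters.
                self.client.secret_engines.get(engine_id)
            except errors.RPCError:
                pass
        return self.public_key_cache.get(engine_id)

    def _encrypt_secret(self, method, continuation, client_call_details,
                        request):
        """Encrypt ``request.managed_secret.value`` to the engine's key, then forward the call.

        - method: porcelain method name ("ManagedSecrets.Create" or
          "ManagedSecrets.Update"), used to recompute the request signature
          after the request has been mutated.

        NOTE(review): this path is fail-open. When no key can be obtained for
        the engine (lookup failed or the engine is unknown) the value is
        forwarded unencrypted, protected only by whatever transport security
        the channel has, and the server is relied on to reject it. Failing
        the call locally would be the safer default; confirm against the
        service contract before changing it.
        """
        secret = request.managed_secret
        if len(secret.value) != 0:
            key = self._public_key_for(secret.secret_engine_id)
            if key is not None:
                secret.value = key.encrypt(secret.value, _oaep_sha256())
                # The request body changed, so the signature computed by the
                # caller is stale; rebuild the metadata over the new bytes.
                client_call_details = _ClientCallDetails(
                    method=client_call_details.method,
                    timeout=client_call_details.timeout,
                    metadata=self.client.get_metadata(method, request),
                    credentials=client_call_details.credentials)
        return continuation(client_call_details, request)

    def _v1_managedsecrets_create(self, continuation, client_call_details,
                                  request):
        """Handler for /v1.ManagedSecrets/Create."""
        return self._encrypt_secret("ManagedSecrets.Create", continuation,
                                    client_call_details, request)

    def _v1_managedsecrets_update(self, continuation, client_call_details,
                                  request):
        """Handler for /v1.ManagedSecrets/Update."""
        return self._encrypt_secret("ManagedSecrets.Update", continuation,
                                    client_call_details, request)

    def _v1_managedsecrets_retrieve(self, continuation, client_call_details,
                                    request):
        """Handler for /v1.ManagedSecrets/Retrieve: send our public key, decrypt the reply.

        If the caller already set ``request.public_key`` the call is passed
        through untouched and the caller is responsible for decryption.
        """
        if len(request.public_key) != 0:
            return continuation(client_call_details, request)

        priv_key = self.private_key
        request.public_key = priv_key.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo)
        # Request mutated -> recompute the signature metadata.
        client_call_details = _ClientCallDetails(
            method=client_call_details.method,
            timeout=client_call_details.timeout,
            metadata=self.client.get_metadata("ManagedSecrets.Retrieve",
                                              request),
            credentials=client_call_details.credentials)
        resp = continuation(client_call_details, request)
        if resp.code() != grpc.StatusCode.OK:
            return resp
        result = resp.result()
        # An empty value carries nothing to decrypt; OAEP decryption of b""
        # could only raise, so it is left empty.
        if len(result.managed_secret.value) != 0:
            result.managed_secret.value = priv_key.decrypt(
                result.managed_secret.value, _oaep_sha256())
        return resp

    def _cache_engine_key(self, plumbing_engine):
        """Parse one engine's PEM public key and store it under the engine id.

        ``load_pem_public_key`` raises on a missing or malformed key, which
        makes the surrounding Get/List call fail instead of caching nothing.
        That is left as is on purpose: a silently missing key would let
        ``_encrypt_secret`` forward the secret in plaintext.
        """
        engine = plumbing.convert_secret_engine_to_porcelain(plumbing_engine)
        self.public_key_cache[engine.id] = serialization.load_pem_public_key(
            engine.public_key)

    def _v1_secretengines_get(self, continuation, client_call_details,
                              request):
        """Handler for /v1.SecretEngines/Get: cache the returned engine's public key."""
        response = continuation(client_call_details, request)
        if response.code() != grpc.StatusCode.OK:
            return response
        self._cache_engine_key(response.result().secret_engine)
        return response

    def _v1_secretengines_list(self, continuation, client_call_details,
                               request):
        """Handler for /v1.SecretEngines/List: cache every listed engine's public key."""
        response = continuation(client_call_details, request)
        if response.code() != grpc.StatusCode.OK:
            return response
        for plumbing_engine in response.result().secret_engines:
            self._cache_engine_key(plumbing_engine)
        return response


class Client:
    '''Client interacts with the strongDM API.'''
    def __init__(self,
                 api_access_key,
                 api_secret,
                 host='app.strongdm.com:443',
                 insecure=False,
                 retry_rate_limit_errors=True,
                 page_limit=0):
        '''
        Create a new Client.

        - api_access_key: the access key to authenticate with strongDM
        - api_secret: the secret key to authenticate with strongDM
        - host: API endpoint as "host:port"
        - insecure: when True the gRPC channel is created without transport
          security (grpc.insecure_channel), so the access key and request
          signatures travel in the clear; keep False outside local testing
        - retry_rate_limit_errors: whether RESOURCE_EXHAUSTED responses are
          retried (consulted by shouldRetry)
        - page_limit: stored on the client for the service wrappers;
          presumably 0 means the service default
        '''
        self.api_access_key = api_access_key.strip()
        # The configured secret is base64; the decoded bytes seed the HMAC
        # signing-key derivation in sign().
        self.api_secret = base64.b64decode(api_secret.strip())
        self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
        self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
        self.retry_factor = DEFAULT_RETRY_FACTOR
        self.retry_jitter = DEFAULT_RETRY_JITTER
        self.retry_rate_limit_errors = retry_rate_limit_errors
        # Set only on the copies made by snapshot_at(); None means live data.
        self.snapshot_datetime = None
        self.page_limit = page_limit

        try:
            if insecure:
                channel = grpc.insecure_channel(host)
            else:
                creds = grpc.ssl_channel_credentials()
                channel = grpc.secure_channel(host, creds)
        except Exception as e:
            raise plumbing.convert_error_to_porcelain(e) from e
        # Every unary call goes through the managed-secret encryption layer.
        channel = grpc.intercept_channel(channel, _EncryptionInterceptor(self))
        self.channel = channel
        self.access_requests = svc.AccessRequests(channel, self)
        '''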
AccessRequests are requests for access to a resource that may match a Workflow. 208 209 See `strongdm.svc.AccessRequests`. 210 ''' 211 self.access_request_events_history = svc.AccessRequestEventsHistory( 212 channel, self) 213 ''' 214 AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest. 215 216 See `strongdm.svc.AccessRequestEventsHistory`. 217 ''' 218 self.access_requests_history = svc.AccessRequestsHistory(channel, self) 219 ''' 220 AccessRequestsHistory provides records of all changes to the state of an AccessRequest. 221 222 See `strongdm.svc.AccessRequestsHistory`. 223 ''' 224 self.account_attachments = svc.AccountAttachments(channel, self) 225 ''' 226 AccountAttachments assign an account to a role. 227 228 See `strongdm.svc.AccountAttachments`. 229 ''' 230 self.account_attachments_history = svc.AccountAttachmentsHistory( 231 channel, self) 232 ''' 233 AccountAttachmentsHistory records all changes to the state of an AccountAttachment. 234 235 See `strongdm.svc.AccountAttachmentsHistory`. 236 ''' 237 self.account_grants = svc.AccountGrants(channel, self) 238 ''' 239 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 240 241 See `strongdm.svc.AccountGrants`. 242 ''' 243 self.account_grants_history = svc.AccountGrantsHistory(channel, self) 244 ''' 245 AccountGrantsHistory records all changes to the state of an AccountGrant. 246 247 See `strongdm.svc.AccountGrantsHistory`. 248 ''' 249 self.account_permissions = svc.AccountPermissions(channel, self) 250 ''' 251 AccountPermissions records the granular permissions accounts have, allowing them to execute 252 relevant commands via StrongDM's APIs. 253 254 See `strongdm.svc.AccountPermissions`. 255 ''' 256 self.account_resources = svc.AccountResources(channel, self) 257 ''' 258 AccountResources enumerates the resources to which accounts have access. 259 The AccountResources service is read-only. 
260 261 See `strongdm.svc.AccountResources`. 262 ''' 263 self.account_resources_history = svc.AccountResourcesHistory( 264 channel, self) 265 ''' 266 AccountResourcesHistory records all changes to the state of a AccountResource. 267 268 See `strongdm.svc.AccountResourcesHistory`. 269 ''' 270 self.accounts = svc.Accounts(channel, self) 271 ''' 272 Accounts are users that have access to strongDM. There are two types of accounts: 273 1. **Users:** humans who are authenticated through username and password or SSO. 274 2. **Service Accounts:** machines that are authenticated using a service token. 275 3. **Tokens** are access keys with permissions that can be used for authentication. 276 277 See `strongdm.svc.Accounts`. 278 ''' 279 self.accounts_groups = svc.AccountsGroups(channel, self) 280 ''' 281 An AccountGroup links an account and a group. 282 283 See `strongdm.svc.AccountsGroups`. 284 ''' 285 self.accounts_groups_history = svc.AccountsGroupsHistory(channel, self) 286 ''' 287 AccountsGroupsHistory records all changes to the state of an AccountGroup. 288 289 See `strongdm.svc.AccountsGroupsHistory`. 290 ''' 291 self.accounts_history = svc.AccountsHistory(channel, self) 292 ''' 293 AccountsHistory records all changes to the state of an Account. 294 295 See `strongdm.svc.AccountsHistory`. 296 ''' 297 self.activities = svc.Activities(channel, self) 298 ''' 299 An Activity is a record of an action taken against a strongDM deployment, e.g. 300 a user creation, resource deletion, sso configuration change, etc. The Activities 301 service is read-only. 302 303 See `strongdm.svc.Activities`. 304 ''' 305 self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 306 channel, self) 307 ''' 308 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 309 310 See `strongdm.svc.ApprovalWorkflowApprovers`. 
311 ''' 312 self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory( 313 channel, self) 314 ''' 315 ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover. 316 317 See `strongdm.svc.ApprovalWorkflowApproversHistory`. 318 ''' 319 self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self) 320 ''' 321 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 322 323 See `strongdm.svc.ApprovalWorkflowSteps`. 324 ''' 325 self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory( 326 channel, self) 327 ''' 328 ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep. 329 330 See `strongdm.svc.ApprovalWorkflowStepsHistory`. 331 ''' 332 self.approval_workflows = svc.ApprovalWorkflows(channel, self) 333 ''' 334 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 335 approvers and be approved or denied. 336 337 See `strongdm.svc.ApprovalWorkflows`. 338 ''' 339 self.approval_workflows_history = svc.ApprovalWorkflowsHistory( 340 channel, self) 341 ''' 342 ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow. 343 344 See `strongdm.svc.ApprovalWorkflowsHistory`. 345 ''' 346 self.control_panel = svc.ControlPanel(channel, self) 347 ''' 348 ControlPanel contains all administrative controls. 349 350 See `strongdm.svc.ControlPanel`. 351 ''' 352 self.discovery_connectors = svc.DiscoveryConnectors(channel, self) 353 ''' 354 A Discovery Connector is a configuration object for performing Resource 355 Scans in remote systems such as AWS, GCP, Azure, and other systems. 356 357 See `strongdm.svc.DiscoveryConnectors`. 358 ''' 359 self.granted_account_entitlements = svc.GrantedAccountEntitlements( 360 channel, self) 361 ''' 362 GrantedAccountEntitlements enumerates the resources to which an account has been granted access. 363 The GrantedAccountEntitlements service is read-only. 
364 365 See `strongdm.svc.GrantedAccountEntitlements`. 366 ''' 367 self.granted_resource_entitlements = svc.GrantedResourceEntitlements( 368 channel, self) 369 ''' 370 GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource. 371 The GrantedResourceEntitlements service is read-only. 372 373 See `strongdm.svc.GrantedResourceEntitlements`. 374 ''' 375 self.granted_role_entitlements = svc.GrantedRoleEntitlements( 376 channel, self) 377 ''' 378 GrantedRoleEntitlements enumerates the resources to which a role grants access. 379 The GrantedRoleEntitlements service is read-only. 380 381 See `strongdm.svc.GrantedRoleEntitlements`. 382 ''' 383 self.roles = svc.Roles(channel, self) 384 ''' 385 A Role has a list of access rules which determine which Resources the members 386 of the Role have access to. An Account can be a member of multiple Roles via 387 AccountAttachments. 388 389 See `strongdm.svc.Roles`. 390 ''' 391 self.groups = svc.Groups(channel, self) 392 ''' 393 A Group is a set of principals. 394 395 See `strongdm.svc.Groups`. 396 ''' 397 self.groups_history = svc.GroupsHistory(channel, self) 398 ''' 399 GroupsHistory records all changes to the state of a Group. 400 401 See `strongdm.svc.GroupsHistory`. 402 ''' 403 self.groups_roles = svc.GroupsRoles(channel, self) 404 ''' 405 A GroupRole is an assignment of a Group to a Role. 406 407 See `strongdm.svc.GroupsRoles`. 408 ''' 409 self.groups_roles_history = svc.GroupsRolesHistory(channel, self) 410 ''' 411 GroupsRolesHistory records all changes to the state of a GroupRole. 412 413 See `strongdm.svc.GroupsRolesHistory`. 414 ''' 415 self.health_checks = svc.HealthChecks(channel, self) 416 ''' 417 HealthChecks lists the last healthcheck between each node and resource. 418 Note the unconventional capitalization here is to prevent having a collision with GRPC 419 420 See `strongdm.svc.HealthChecks`. 
421 ''' 422 self.identity_aliases = svc.IdentityAliases(channel, self) 423 ''' 424 IdentityAliases assign an alias to an account within an IdentitySet. 425 The alias is used as the username when connecting to a identity supported resource. 426 427 See `strongdm.svc.IdentityAliases`. 428 ''' 429 self.identity_aliases_history = svc.IdentityAliasesHistory( 430 channel, self) 431 ''' 432 IdentityAliasesHistory records all changes to the state of a IdentityAlias. 433 434 See `strongdm.svc.IdentityAliasesHistory`. 435 ''' 436 self.identity_sets = svc.IdentitySets(channel, self) 437 ''' 438 A IdentitySet is a named grouping of Identity Aliases for Accounts. 439 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 440 441 See `strongdm.svc.IdentitySets`. 442 ''' 443 self.identity_sets_history = svc.IdentitySetsHistory(channel, self) 444 ''' 445 IdentitySetsHistory records all changes to the state of a IdentitySet. 446 447 See `strongdm.svc.IdentitySetsHistory`. 448 ''' 449 self.managed_secrets = svc.ManagedSecrets(channel, self) 450 ''' 451 ManagedSecret is a private vertical for creating, reading, updating, 452 deleting, listing and rotating the managed secrets in the secrets engines as 453 an authenticated user. 454 455 See `strongdm.svc.ManagedSecrets`. 456 ''' 457 self.nodes = svc.Nodes(channel, self) 458 ''' 459 Nodes make up the StrongDM network, and allow your users to connect securely to your resources. 460 There are three types of nodes: 461 1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall 462 2. **Gateway:** a relay that also listens for connections from StrongDM clients 463 3. **Proxy Cluster:** a cluster of workers that together mediate access from clients to resources 464 465 See `strongdm.svc.Nodes`. 466 ''' 467 self.nodes_history = svc.NodesHistory(channel, self) 468 ''' 469 NodesHistory records all changes to the state of a Node. 
470 471 See `strongdm.svc.NodesHistory`. 472 ''' 473 self.organization_history = svc.OrganizationHistory(channel, self) 474 ''' 475 OrganizationHistory records all changes to the state of an Organization. 476 477 See `strongdm.svc.OrganizationHistory`. 478 ''' 479 self.peering_group_nodes = svc.PeeringGroupNodes(channel, self) 480 ''' 481 PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group. 482 483 See `strongdm.svc.PeeringGroupNodes`. 484 ''' 485 self.peering_group_peers = svc.PeeringGroupPeers(channel, self) 486 ''' 487 PeeringGroupPeers provides the building blocks necessary to link two peering groups. 488 489 See `strongdm.svc.PeeringGroupPeers`. 490 ''' 491 self.peering_group_resources = svc.PeeringGroupResources(channel, self) 492 ''' 493 PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group. 494 495 See `strongdm.svc.PeeringGroupResources`. 496 ''' 497 self.peering_groups = svc.PeeringGroups(channel, self) 498 ''' 499 PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing. 500 501 See `strongdm.svc.PeeringGroups`. 502 ''' 503 self.policies = svc.Policies(channel, self) 504 ''' 505 Policies are the collection of one or more statements that enforce fine-grained access 506 control for the users of an organization. 507 508 See `strongdm.svc.Policies`. 509 ''' 510 self.policies_history = svc.PoliciesHistory(channel, self) 511 ''' 512 PoliciesHistory records all changes to the state of a Policy. 513 514 See `strongdm.svc.PoliciesHistory`. 515 ''' 516 self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self) 517 ''' 518 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 519 The proxies within a cluster share the same key. One cluster can have 520 multiple keys in order to facilitate key rotation. 521 522 See `strongdm.svc.ProxyClusterKeys`. 
523 ''' 524 self.queries = svc.Queries(channel, self) 525 ''' 526 A Query is a record of a single client request to a resource, such as a SQL query. 527 Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. 528 The Queries service is read-only. 529 530 See `strongdm.svc.Queries`. 531 ''' 532 self.remote_identities = svc.RemoteIdentities(channel, self) 533 ''' 534 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 535 536 See `strongdm.svc.RemoteIdentities`. 537 ''' 538 self.remote_identities_history = svc.RemoteIdentitiesHistory( 539 channel, self) 540 ''' 541 RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity. 542 543 See `strongdm.svc.RemoteIdentitiesHistory`. 544 ''' 545 self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self) 546 ''' 547 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 548 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 549 550 See `strongdm.svc.RemoteIdentityGroups`. 551 ''' 552 self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory( 553 channel, self) 554 ''' 555 RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup. 556 557 See `strongdm.svc.RemoteIdentityGroupsHistory`. 558 ''' 559 self.replays = svc.Replays(channel, self) 560 ''' 561 A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session 562 (otherwise referred to as a query). The Replays service is read-only. 563 564 See `strongdm.svc.Replays`. 565 ''' 566 self.requestable_account_entitlements = svc.RequestableAccountEntitlements( 567 channel, self) 568 ''' 569 RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to. 570 The RequestableAccountEntitlements service is read-only. 571 572 See `strongdm.svc.RequestableAccountEntitlements`. 
573 ''' 574 self.requestable_resource_entitlements = svc.RequestableResourceEntitlements( 575 channel, self) 576 ''' 577 RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource. 578 The RequestableResourceEntitlements service is read-only. 579 580 See `strongdm.svc.RequestableResourceEntitlements`. 581 ''' 582 self.requestable_role_entitlements = svc.RequestableRoleEntitlements( 583 channel, self) 584 ''' 585 RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to. 586 The RequestableRoleEntitlements service is read-only. 587 588 See `strongdm.svc.RequestableRoleEntitlements`. 589 ''' 590 self.resources = svc.Resources(channel, self) 591 ''' 592 Resources are databases, servers, clusters, websites, or clouds that strongDM 593 delegates access to. 594 595 See `strongdm.svc.Resources`. 596 ''' 597 self.resources_history = svc.ResourcesHistory(channel, self) 598 ''' 599 ResourcesHistory records all changes to the state of a Resource. 600 601 See `strongdm.svc.ResourcesHistory`. 602 ''' 603 self.role_resources = svc.RoleResources(channel, self) 604 ''' 605 RoleResources enumerates the resources to which roles have access. 606 The RoleResources service is read-only. 607 608 See `strongdm.svc.RoleResources`. 609 ''' 610 self.role_resources_history = svc.RoleResourcesHistory(channel, self) 611 ''' 612 RoleResourcesHistory records all changes to the state of a RoleResource. 613 614 See `strongdm.svc.RoleResourcesHistory`. 615 ''' 616 self.roles_history = svc.RolesHistory(channel, self) 617 ''' 618 RolesHistory records all changes to the state of a Role. 619 620 See `strongdm.svc.RolesHistory`. 621 ''' 622 self.secret_stores = svc.SecretStores(channel, self) 623 ''' 624 SecretStores are servers where resource secrets (passwords, keys) are stored. 625 626 See `strongdm.svc.SecretStores`. 
627 ''' 628 self.secret_engines = svc.SecretEngines(channel, self) 629 ''' 630 631 632 See `strongdm.svc.SecretEngines`. 633 ''' 634 self.secret_store_healths = svc.SecretStoreHealths(channel, self) 635 ''' 636 SecretStoreHealths exposes health states for secret stores. 637 638 See `strongdm.svc.SecretStoreHealths`. 639 ''' 640 self.secret_stores_history = svc.SecretStoresHistory(channel, self) 641 ''' 642 SecretStoresHistory records all changes to the state of a SecretStore. 643 644 See `strongdm.svc.SecretStoresHistory`. 645 ''' 646 self.workflow_approvers = svc.WorkflowApprovers(channel, self) 647 ''' 648 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 649 650 See `strongdm.svc.WorkflowApprovers`. 651 ''' 652 self.workflow_approvers_history = svc.WorkflowApproversHistory( 653 channel, self) 654 ''' 655 WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover. 656 657 See `strongdm.svc.WorkflowApproversHistory`. 658 ''' 659 self.workflow_roles = svc.WorkflowRoles(channel, self) 660 ''' 661 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 662 to request access to a resource via the workflow. 663 664 See `strongdm.svc.WorkflowRoles`. 665 ''' 666 self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self) 667 ''' 668 WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole 669 670 See `strongdm.svc.WorkflowRolesHistory`. 671 ''' 672 self.workflows = svc.Workflows(channel, self) 673 ''' 674 Workflows are the collection of rules that define the resources to which access can be requested, 675 the users that can request that access, and the mechanism for approving those requests which can either 676 be automatic approval or a set of users authorized to approve the requests. 677 678 See `strongdm.svc.Workflows`. 
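# --- Client (continued) ---
        '''
        self.workflows_history = svc.WorkflowsHistory(channel, self)
        '''
        WorkflowsHistory provides records of all changes to the state of a Workflow.

        See `strongdm.svc.WorkflowsHistory`.
        '''

    def close(self):
        '''Closes this Client and releases all resources held by it.

        Closing the Client will immediately terminate all RPCs active with the
        Client and it is not valid to invoke new RPCs with the Client.

        This method is idempotent.

        Clients produced by snapshot_at() share this channel, so closing
        either one closes both.
        '''
        self.channel.close()

    def get_metadata(self, method_name, req):
        '''Build the per-call gRPC metadata: credentials, request signature, API version, user agent.

        - method_name: porcelain method name (e.g. "ManagedSecrets.Create")
          that the signature binds the request to
        - req: the protobuf request; its serialized bytes are signed, so this
          must be called again after any mutation of the request (see
          _EncryptionInterceptor)
        '''
        return [
            ('x-sdm-authentication', self.api_access_key),
            ('x-sdm-signature', self.sign(method_name,
                                          req.SerializeToString())),
            ('x-sdm-api-version', API_VERSION),
            ('x-sdm-user-agent', USER_AGENT),
        ]

    def sign(self, method_name, request_bytes):
        '''Return the base64-encoded HMAC-SHA256 signature of a request.

        Key derivation: signing_key = HMAC(HMAC(api_secret, utc_date), b'sdm_api_v1'),
        where utc_date is the current UTC date as YYYY-MM-DD, so the derived
        key changes with the UTC day. The signed message is
        SHA-256(method_name, newline, request_bytes).

        Returns bytes (the output of base64.b64encode).
        '''
        def hmac_digest(key, msg_byte_string):
            return hmac.new(key, msg=msg_byte_string,
                            digestmod=hashlib.sha256).digest()

        current_utc_date = datetime.datetime.now(
            datetime.timezone.utc).strftime('%Y-%m-%d')
        signing_key = hmac_digest(self.api_secret, current_utc_date.encode())
        signing_key = hmac_digest(signing_key, b'sdm_api_v1')

        # Named request_digest rather than "hash" so the builtin is not shadowed.
        request_digest = hashlib.sha256()
        request_digest.update(method_name.encode())
        request_digest.update(b'\n')
        request_digest.update(request_bytes)

        return base64.b64encode(
            hmac_digest(signing_key, request_digest.digest()))

    def exponentialBackoff(self, retries, deadline=None):
        '''Return the delay in seconds to wait before the next attempt.

        - retries: attempts already made (0 -> base_retry_delay)
        - deadline: optional absolute time.time() value; the delay is clipped
          so it does not run past it, and 0 is returned once it has passed

        The delay grows by retry_factor per attempt, is capped at
        max_retry_delay and then randomized by +/- retry_jitter.
        '''
        def applyDeadline(delay, deadline):
            if deadline is None:
                return delay
            remaining = deadline - time.time()
            if remaining < 0:
                return 0
            return min(delay, remaining)

        if retries == 0:
            return applyDeadline(self.base_retry_delay, deadline)

        backoff, max_delay = self.base_retry_delay, self.max_retry_delay
        while backoff < max_delay and retries > 0:
            backoff *= self.retry_factor
            retries -= 1

        if backoff > max_delay:
            backoff = max_delay

        # Randomize backoff delays so that if a cluster of requests start at
        # the same time, they won't operate in lockstep.
        backoff *= 1 + self.retry_jitter * (random.random() * 2 - 1)
        if backoff < 0:
            return 0

        return applyDeadline(backoff, deadline)

    def shouldRetry(self, retries, err, deadline=None):
        '''Decide whether a failed RPC should be retried.

        - retries: attempts made so far
        - err: the exception raised by the call; only grpc.RpcError qualifies
        - deadline: optional absolute time.time() value; nothing is retried
          once it has passed

        RESOURCE_EXHAUSTED (rate limiting) is retried regardless of the retry
        count when retry_rate_limit_errors is set; INTERNAL and UNAVAILABLE
        are retried while retries <= 3.
        '''
        # Check if we've passed the deadline
        if deadline is not None and time.time() >= deadline:
            return False

        if not isinstance(err, grpc.RpcError):
            return False

        code = err.code()
        if self.retry_rate_limit_errors and code == grpc.StatusCode.RESOURCE_EXHAUSTED:
            return True

        return retries <= 3 and (code == grpc.StatusCode.INTERNAL
                                 or code == grpc.StatusCode.UNAVAILABLE)

    def snapshot_at(self, snapshot_datetime):
        '''
        Constructs a read-only client that will provide historical data from the provided timestamp.

        See `SnapshotClient`.

        The copy is shallow (copy.copy): it shares the channel and credentials
        with this client and differs only in snapshot_datetime. The
        history-capable service wrappers are re-bound to the copy so that they
        see that timestamp; presumably the svc wrappers read it from the
        client they were constructed with.
        '''
        client = copy.copy(self)
        client.snapshot_datetime = snapshot_datetime
        client.access_requests = svc.AccessRequests(client.channel, client)
        client.account_attachments = svc.AccountAttachments(
            client.channel, client)
        client.account_grants = svc.AccountGrants(client.channel, client)
        client.account_permissions = svc.AccountPermissions(
            client.channel, client)
        client.account_resources = svc.AccountResources(client.channel, client)
        client.accounts = svc.Accounts(client.channel, client)
        client.accounts_groups = svc.AccountsGroups(client.channel, client)
        client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
            client.channel, client)
        client.approval_workflow_steps = svc.ApprovalWorkflowSteps(
            client.channel, client)
        client.approval_workflows = svc.ApprovalWorkflows(
            client.channel, client)
        client.discovery_connectors = svc.DiscoveryConnectors(
            client.channel, client)
        client.granted_account_entitlements = svc.GrantedAccountEntitlements(
            client.channel, client)
        client.granted_resource_entitlements = svc.GrantedResourceEntitlements(
            client.channel, client)
        client.granted_role_entitlements = svc.GrantedRoleEntitlements(
            client.channel, client)
        client.roles = svc.Roles(client.channel, client)
        client.groups = svc.Groups(client.channel, client)
        client.groups_roles = svc.GroupsRoles(client.channel, client)
        client.identity_aliases = svc.IdentityAliases(client.channel, client)
        client.identity_sets = svc.IdentitySets(client.channel, client)
        client.nodes = svc.Nodes(client.channel, client)
        client.policies = svc.Policies(client.channel, client)
        client.proxy_cluster_keys = svc.ProxyClusterKeys(
            client.channel, client)
        client.remote_identities = svc.RemoteIdentities(client.channel, client)
        client.remote_identity_groups = svc.RemoteIdentityGroups(
            client.channel, client)
        client.requestable_account_entitlements = svc.RequestableAccountEntitlements(
            client.channel, client)
        client.requestable_resource_entitlements = svc.RequestableResourceEntitlements(
            client.channel, client)
        client.requestable_role_entitlements = svc.RequestableRoleEntitlements(
            client.channel, client)
        client.resources = svc.Resources(client.channel, client)
        client.role_resources = svc.RoleResources(client.channel, client)
        client.secret_stores = svc.SecretStores(client.channel, client)
        client.workflow_approvers = svc.WorkflowApprovers(
            client.channel, client)
        client.workflow_roles = svc.WorkflowRoles(client.channel, client)
        client.workflows = svc.Workflows(client.channel, client)
        return SnapshotClient(client)


class SnapshotClient:
    '''SnapshotClient exposes methods to query historical records at a provided timestamp.'''
    def __init__(self, client):
        self.access_requests = svc.SnapshotAccessRequests(
            client.access_requests)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.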
833 834 See `strongdm.svc.SnapshotAccessRequests`. 835 ''' 836 self.account_attachments = svc.SnapshotAccountAttachments( 837 client.account_attachments) 838 ''' 839 AccountAttachments assign an account to a role. 840 841 See `strongdm.svc.SnapshotAccountAttachments`. 842 ''' 843 self.account_grants = svc.SnapshotAccountGrants(client.account_grants) 844 ''' 845 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 846 847 See `strongdm.svc.SnapshotAccountGrants`. 848 ''' 849 self.account_permissions = svc.SnapshotAccountPermissions( 850 client.account_permissions) 851 ''' 852 AccountPermissions records the granular permissions accounts have, allowing them to execute 853 relevant commands via StrongDM's APIs. 854 855 See `strongdm.svc.SnapshotAccountPermissions`. 856 ''' 857 self.account_resources = svc.SnapshotAccountResources( 858 client.account_resources) 859 ''' 860 AccountResources enumerates the resources to which accounts have access. 861 The AccountResources service is read-only. 862 863 See `strongdm.svc.SnapshotAccountResources`. 864 ''' 865 self.accounts = svc.SnapshotAccounts(client.accounts) 866 ''' 867 Accounts are users that have access to strongDM. There are two types of accounts: 868 1. **Users:** humans who are authenticated through username and password or SSO. 869 2. **Service Accounts:** machines that are authenticated using a service token. 870 3. **Tokens** are access keys with permissions that can be used for authentication. 871 872 See `strongdm.svc.SnapshotAccounts`. 873 ''' 874 self.accounts_groups = svc.SnapshotAccountsGroups( 875 client.accounts_groups) 876 ''' 877 An AccountGroup links an account and a group. 878 879 See `strongdm.svc.SnapshotAccountsGroups`. 
880 ''' 881 self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers( 882 client.approval_workflow_approvers) 883 ''' 884 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 885 886 See `strongdm.svc.SnapshotApprovalWorkflowApprovers`. 887 ''' 888 self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps( 889 client.approval_workflow_steps) 890 ''' 891 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 892 893 See `strongdm.svc.SnapshotApprovalWorkflowSteps`. 894 ''' 895 self.approval_workflows = svc.SnapshotApprovalWorkflows( 896 client.approval_workflows) 897 ''' 898 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 899 approvers and be approved or denied. 900 901 See `strongdm.svc.SnapshotApprovalWorkflows`. 902 ''' 903 self.discovery_connectors = svc.SnapshotDiscoveryConnectors( 904 client.discovery_connectors) 905 ''' 906 A Discovery Connector is a configuration object for performing Resource 907 Scans in remote systems such as AWS, GCP, Azure, and other systems. 908 909 See `strongdm.svc.SnapshotDiscoveryConnectors`. 910 ''' 911 self.granted_account_entitlements = svc.SnapshotGrantedAccountEntitlements( 912 client.granted_account_entitlements) 913 ''' 914 GrantedAccountEntitlements enumerates the resources to which an account has been granted access. 915 The GrantedAccountEntitlements service is read-only. 916 917 See `strongdm.svc.SnapshotGrantedAccountEntitlements`. 918 ''' 919 self.granted_resource_entitlements = svc.SnapshotGrantedResourceEntitlements( 920 client.granted_resource_entitlements) 921 ''' 922 GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource. 923 The GrantedResourceEntitlements service is read-only. 924 925 See `strongdm.svc.SnapshotGrantedResourceEntitlements`. 
926 ''' 927 self.granted_role_entitlements = svc.SnapshotGrantedRoleEntitlements( 928 client.granted_role_entitlements) 929 ''' 930 GrantedRoleEntitlements enumerates the resources to which a role grants access. 931 The GrantedRoleEntitlements service is read-only. 932 933 See `strongdm.svc.SnapshotGrantedRoleEntitlements`. 934 ''' 935 self.roles = svc.SnapshotRoles(client.roles) 936 ''' 937 A Role has a list of access rules which determine which Resources the members 938 of the Role have access to. An Account can be a member of multiple Roles via 939 AccountAttachments. 940 941 See `strongdm.svc.SnapshotRoles`. 942 ''' 943 self.groups = svc.SnapshotGroups(client.groups) 944 ''' 945 A Group is a set of principals. 946 947 See `strongdm.svc.SnapshotGroups`. 948 ''' 949 self.groups_roles = svc.SnapshotGroupsRoles(client.groups_roles) 950 ''' 951 A GroupRole is an assignment of a Group to a Role. 952 953 See `strongdm.svc.SnapshotGroupsRoles`. 954 ''' 955 self.identity_aliases = svc.SnapshotIdentityAliases( 956 client.identity_aliases) 957 ''' 958 IdentityAliases assign an alias to an account within an IdentitySet. 959 The alias is used as the username when connecting to a identity supported resource. 960 961 See `strongdm.svc.SnapshotIdentityAliases`. 962 ''' 963 self.identity_sets = svc.SnapshotIdentitySets(client.identity_sets) 964 ''' 965 A IdentitySet is a named grouping of Identity Aliases for Accounts. 966 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 967 968 See `strongdm.svc.SnapshotIdentitySets`. 969 ''' 970 self.nodes = svc.SnapshotNodes(client.nodes) 971 ''' 972 Nodes make up the StrongDM network, and allow your users to connect securely to your resources. 973 There are three types of nodes: 974 1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall 975 2. **Gateway:** a relay that also listens for connections from StrongDM clients 976 3. 
**Proxy Cluster:** a cluster of workers that together mediate access from clients to resources 977 978 See `strongdm.svc.SnapshotNodes`. 979 ''' 980 self.policies = svc.SnapshotPolicies(client.policies) 981 ''' 982 Policies are the collection of one or more statements that enforce fine-grained access 983 control for the users of an organization. 984 985 See `strongdm.svc.SnapshotPolicies`. 986 ''' 987 self.proxy_cluster_keys = svc.SnapshotProxyClusterKeys( 988 client.proxy_cluster_keys) 989 ''' 990 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 991 The proxies within a cluster share the same key. One cluster can have 992 multiple keys in order to facilitate key rotation. 993 994 See `strongdm.svc.SnapshotProxyClusterKeys`. 995 ''' 996 self.remote_identities = svc.SnapshotRemoteIdentities( 997 client.remote_identities) 998 ''' 999 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 1000 1001 See `strongdm.svc.SnapshotRemoteIdentities`. 1002 ''' 1003 self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups( 1004 client.remote_identity_groups) 1005 ''' 1006 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 1007 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 1008 1009 See `strongdm.svc.SnapshotRemoteIdentityGroups`. 1010 ''' 1011 self.requestable_account_entitlements = svc.SnapshotRequestableAccountEntitlements( 1012 client.requestable_account_entitlements) 1013 ''' 1014 RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to. 1015 The RequestableAccountEntitlements service is read-only. 1016 1017 See `strongdm.svc.SnapshotRequestableAccountEntitlements`. 
1018 ''' 1019 self.requestable_resource_entitlements = svc.SnapshotRequestableResourceEntitlements( 1020 client.requestable_resource_entitlements) 1021 ''' 1022 RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource. 1023 The RequestableResourceEntitlements service is read-only. 1024 1025 See `strongdm.svc.SnapshotRequestableResourceEntitlements`. 1026 ''' 1027 self.requestable_role_entitlements = svc.SnapshotRequestableRoleEntitlements( 1028 client.requestable_role_entitlements) 1029 ''' 1030 RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to. 1031 The RequestableRoleEntitlements service is read-only. 1032 1033 See `strongdm.svc.SnapshotRequestableRoleEntitlements`. 1034 ''' 1035 self.resources = svc.SnapshotResources(client.resources) 1036 ''' 1037 Resources are databases, servers, clusters, websites, or clouds that strongDM 1038 delegates access to. 1039 1040 See `strongdm.svc.SnapshotResources`. 1041 ''' 1042 self.role_resources = svc.SnapshotRoleResources(client.role_resources) 1043 ''' 1044 RoleResources enumerates the resources to which roles have access. 1045 The RoleResources service is read-only. 1046 1047 See `strongdm.svc.SnapshotRoleResources`. 1048 ''' 1049 self.secret_stores = svc.SnapshotSecretStores(client.secret_stores) 1050 ''' 1051 SecretStores are servers where resource secrets (passwords, keys) are stored. 1052 1053 See `strongdm.svc.SnapshotSecretStores`. 1054 ''' 1055 self.workflow_approvers = svc.SnapshotWorkflowApprovers( 1056 client.workflow_approvers) 1057 ''' 1058 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 1059 1060 See `strongdm.svc.SnapshotWorkflowApprovers`. 1061 ''' 1062 self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles) 1063 ''' 1064 WorkflowRole links a role to a workflow. 
The linked roles indicate which roles a user must be a part of 1065 to request access to a resource via the workflow. 1066 1067 See `strongdm.svc.SnapshotWorkflowRoles`. 1068 ''' 1069 self.workflows = svc.SnapshotWorkflows(client.workflows) 1070 ''' 1071 Workflows are the collection of rules that define the resources to which access can be requested, 1072 the users that can request that access, and the mechanism for approving those requests which can either 1073 be automatic approval or a set of users authorized to approve the requests. 1074 1075 See `strongdm.svc.SnapshotWorkflows`. 1076 '''
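class Client:
    '''
    Client interacts with the strongDM API.

    A Client owns one gRPC channel and signs every request with the API secret
    (see `get_metadata` / `sign`). It can be used as a context manager so the
    channel is closed deterministically:

        with Client(access_key, secret) as client:
            ...
    '''
    def __init__(self,
                 api_access_key,
                 api_secret,
                 host='app.strongdm.com:443',
                 insecure=False,
                 retry_rate_limit_errors=True,
                 page_limit=0):
        '''
        Create a new Client.

        - api_access_key: the access key to authenticate with strongDM
        - api_secret: the secret key to authenticate with strongDM, base64-encoded.
          It is decoded with `base64.b64decode` in its default non-validating
          mode, so characters outside the base64 alphabet are dropped silently;
          a mistyped secret is therefore only detected when the server rejects
          the first signed request.
        - host: "host:port" of the API endpoint.
        - insecure: when True the channel is built with `grpc.insecure_channel`,
          i.e. no TLS and no server authentication. The access key and request
          signature are sent as plaintext gRPC metadata (see `get_metadata`),
          so this must only be used against a local test endpoint. When False
          (default) `grpc.ssl_channel_credentials()` is used with no arguments:
          gRPC's default trust roots, no client certificate and no pinning.
        - retry_rate_limit_errors: when True (default) RESOURCE_EXHAUSTED
          responses are retried without an attempt cap; see `shouldRetry`.
        - page_limit: stored on the client for the service wrappers; its exact
          effect is not defined in this file (presumably a page size, with 0
          meaning the server default -- confirm in `strongdm.svc`).

        Raises the porcelain error produced by `plumbing.convert_error_to_porcelain`
        if the gRPC channel cannot be created.
        '''
        self.api_access_key = api_access_key.strip()
        # Decoded secret bytes; held in memory for the lifetime of the client
        # because every request derives a fresh signing key from it (see `sign`).
        self.api_secret = base64.b64decode(api_secret.strip())
        self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
        self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
        self.retry_factor = DEFAULT_RETRY_FACTOR
        self.retry_jitter = DEFAULT_RETRY_JITTER
        self.retry_rate_limit_errors = retry_rate_limit_errors
        self.snapshot_datetime = None
        self.page_limit = page_limit

        try:
            if insecure:
                channel = grpc.insecure_channel(host)
            else:
                creds = grpc.ssl_channel_credentials()
                channel = grpc.secure_channel(host, creds)
        except Exception as e:
            raise plumbing.convert_error_to_porcelain(e) from e
        # The interceptor transparently encrypts managed-secret values before
        # they leave the process; it holds a back-reference to this client.
        channel = grpc.intercept_channel(channel, _EncryptionInterceptor(self))
        self.channel = channel
        self.access_requests = svc.AccessRequests(channel, self)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.

        See `strongdm.svc.AccessRequests`.
        '''
        self.access_request_events_history = svc.AccessRequestEventsHistory(
            channel, self)
        '''
        AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestEventsHistory`.
        '''
        self.access_requests_history = svc.AccessRequestsHistory(channel, self)
        '''
        AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestsHistory`.
        '''
        self.account_attachments = svc.AccountAttachments(channel, self)
        '''
        AccountAttachments assign an account to a role.

        See `strongdm.svc.AccountAttachments`.
        '''
        self.account_attachments_history = svc.AccountAttachmentsHistory(
            channel, self)
        '''
        AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

        See `strongdm.svc.AccountAttachmentsHistory`.
        '''
        self.account_grants = svc.AccountGrants(channel, self)
        '''
        AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.AccountGrants`.
        '''
        self.account_grants_history = svc.AccountGrantsHistory(channel, self)
        '''
        AccountGrantsHistory records all changes to the state of an AccountGrant.

        See `strongdm.svc.AccountGrantsHistory`.
        '''
        self.account_permissions = svc.AccountPermissions(channel, self)
        '''
        AccountPermissions records the granular permissions accounts have, allowing them to execute
        relevant commands via StrongDM's APIs.

        See `strongdm.svc.AccountPermissions`.
        '''
        self.account_resources = svc.AccountResources(channel, self)
        '''
        AccountResources enumerates the resources to which accounts have access.
        The AccountResources service is read-only.

        See `strongdm.svc.AccountResources`.
        '''
        self.account_resources_history = svc.AccountResourcesHistory(
            channel, self)
        '''
        AccountResourcesHistory records all changes to the state of a AccountResource.

        See `strongdm.svc.AccountResourcesHistory`.
        '''
        self.accounts = svc.Accounts(channel, self)
        '''
        Accounts are users that have access to strongDM. There are two types of accounts:
        1. **Users:** humans who are authenticated through username and password or SSO.
        2. **Service Accounts:** machines that are authenticated using a service token.
        3. **Tokens** are access keys with permissions that can be used for authentication.

        See `strongdm.svc.Accounts`.
        '''
        self.accounts_groups = svc.AccountsGroups(channel, self)
        '''
        An AccountGroup links an account and a group.

        See `strongdm.svc.AccountsGroups`.
        '''
        self.accounts_groups_history = svc.AccountsGroupsHistory(channel, self)
        '''
        AccountsGroupsHistory records all changes to the state of an AccountGroup.

        See `strongdm.svc.AccountsGroupsHistory`.
        '''
        self.accounts_history = svc.AccountsHistory(channel, self)
        '''
        AccountsHistory records all changes to the state of an Account.

        See `strongdm.svc.AccountsHistory`.
        '''
        self.activities = svc.Activities(channel, self)
        '''
        An Activity is a record of an action taken against a strongDM deployment, e.g.
        a user creation, resource deletion, sso configuration change, etc. The Activities
        service is read-only.

        See `strongdm.svc.Activities`.
        '''
        self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
            channel, self)
        '''
        ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep

        See `strongdm.svc.ApprovalWorkflowApprovers`.
        '''
        self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory(
            channel, self)
        '''
        ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.

        See `strongdm.svc.ApprovalWorkflowApproversHistory`.
        '''
        self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self)
        '''
        ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow

        See `strongdm.svc.ApprovalWorkflowSteps`.
        '''
        self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory(
            channel, self)
        '''
        ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.

        See `strongdm.svc.ApprovalWorkflowStepsHistory`.
        '''
        self.approval_workflows = svc.ApprovalWorkflows(channel, self)
        '''
        ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
        approvers and be approved or denied.

        See `strongdm.svc.ApprovalWorkflows`.
        '''
        self.approval_workflows_history = svc.ApprovalWorkflowsHistory(
            channel, self)
        '''
        ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.

        See `strongdm.svc.ApprovalWorkflowsHistory`.
        '''
        self.control_panel = svc.ControlPanel(channel, self)
        '''
        ControlPanel contains all administrative controls.

        See `strongdm.svc.ControlPanel`.
        '''
        self.discovery_connectors = svc.DiscoveryConnectors(channel, self)
        '''
        A Discovery Connector is a configuration object for performing Resource
        Scans in remote systems such as AWS, GCP, Azure, and other systems.

        See `strongdm.svc.DiscoveryConnectors`.
        '''
        self.granted_account_entitlements = svc.GrantedAccountEntitlements(
            channel, self)
        '''
        GrantedAccountEntitlements enumerates the resources to which an account has been granted access.
        The GrantedAccountEntitlements service is read-only.

        See `strongdm.svc.GrantedAccountEntitlements`.
        '''
        self.granted_resource_entitlements = svc.GrantedResourceEntitlements(
            channel, self)
        '''
        GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource.
        The GrantedResourceEntitlements service is read-only.

        See `strongdm.svc.GrantedResourceEntitlements`.
        '''
        self.granted_role_entitlements = svc.GrantedRoleEntitlements(
            channel, self)
        '''
        GrantedRoleEntitlements enumerates the resources to which a role grants access.
        The GrantedRoleEntitlements service is read-only.

        See `strongdm.svc.GrantedRoleEntitlements`.
        '''
        self.roles = svc.Roles(channel, self)
        '''
        A Role has a list of access rules which determine which Resources the members
        of the Role have access to. An Account can be a member of multiple Roles via
        AccountAttachments.

        See `strongdm.svc.Roles`.
        '''
        self.groups = svc.Groups(channel, self)
        '''
        A Group is a set of principals.

        See `strongdm.svc.Groups`.
        '''
        self.groups_history = svc.GroupsHistory(channel, self)
        '''
        GroupsHistory records all changes to the state of a Group.

        See `strongdm.svc.GroupsHistory`.
        '''
        self.groups_roles = svc.GroupsRoles(channel, self)
        '''
        A GroupRole is an assignment of a Group to a Role.

        See `strongdm.svc.GroupsRoles`.
        '''
        self.groups_roles_history = svc.GroupsRolesHistory(channel, self)
        '''
        GroupsRolesHistory records all changes to the state of a GroupRole.

        See `strongdm.svc.GroupsRolesHistory`.
        '''
        self.health_checks = svc.HealthChecks(channel, self)
        '''
        HealthChecks lists the last healthcheck between each node and resource.
        Note the unconventional capitalization here is to prevent having a collision with GRPC

        See `strongdm.svc.HealthChecks`.
        '''
        self.identity_aliases = svc.IdentityAliases(channel, self)
        '''
        IdentityAliases assign an alias to an account within an IdentitySet.
        The alias is used as the username when connecting to a identity supported resource.

        See `strongdm.svc.IdentityAliases`.
        '''
        self.identity_aliases_history = svc.IdentityAliasesHistory(
            channel, self)
        '''
        IdentityAliasesHistory records all changes to the state of a IdentityAlias.

        See `strongdm.svc.IdentityAliasesHistory`.
        '''
        self.identity_sets = svc.IdentitySets(channel, self)
        '''
        A IdentitySet is a named grouping of Identity Aliases for Accounts.
        An Account's relationship to a IdentitySet is defined via IdentityAlias objects.

        See `strongdm.svc.IdentitySets`.
        '''
        self.identity_sets_history = svc.IdentitySetsHistory(channel, self)
        '''
        IdentitySetsHistory records all changes to the state of a IdentitySet.

        See `strongdm.svc.IdentitySetsHistory`.
        '''
        self.managed_secrets = svc.ManagedSecrets(channel, self)
        '''
        ManagedSecret is a private vertical for creating, reading, updating,
        deleting, listing and rotating the managed secrets in the secrets engines as
        an authenticated user.

        See `strongdm.svc.ManagedSecrets`.
        '''
        self.nodes = svc.Nodes(channel, self)
        '''
        Nodes make up the StrongDM network, and allow your users to connect securely to your resources.
        There are three types of nodes:
        1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
        2. **Gateway:** a relay that also listens for connections from StrongDM clients
        3. **Proxy Cluster:** a cluster of workers that together mediate access from clients to resources

        See `strongdm.svc.Nodes`.
        '''
        self.nodes_history = svc.NodesHistory(channel, self)
        '''
        NodesHistory records all changes to the state of a Node.

        See `strongdm.svc.NodesHistory`.
        '''
        self.organization_history = svc.OrganizationHistory(channel, self)
        '''
        OrganizationHistory records all changes to the state of an Organization.

        See `strongdm.svc.OrganizationHistory`.
        '''
        self.peering_group_nodes = svc.PeeringGroupNodes(channel, self)
        '''
        PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.

        See `strongdm.svc.PeeringGroupNodes`.
        '''
        self.peering_group_peers = svc.PeeringGroupPeers(channel, self)
        '''
        PeeringGroupPeers provides the building blocks necessary to link two peering groups.

        See `strongdm.svc.PeeringGroupPeers`.
        '''
        self.peering_group_resources = svc.PeeringGroupResources(channel, self)
        '''
        PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.

        See `strongdm.svc.PeeringGroupResources`.
        '''
        self.peering_groups = svc.PeeringGroups(channel, self)
        '''
        PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.

        See `strongdm.svc.PeeringGroups`.
        '''
        self.policies = svc.Policies(channel, self)
        '''
        Policies are the collection of one or more statements that enforce fine-grained access
        control for the users of an organization.

        See `strongdm.svc.Policies`.
        '''
        self.policies_history = svc.PoliciesHistory(channel, self)
        '''
        PoliciesHistory records all changes to the state of a Policy.

        See `strongdm.svc.PoliciesHistory`.
        '''
        self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self)
        '''
        Proxy Cluster Keys are authentication keys for all proxies within a cluster.
        The proxies within a cluster share the same key. One cluster can have
        multiple keys in order to facilitate key rotation.

        See `strongdm.svc.ProxyClusterKeys`.
        '''
        self.queries = svc.Queries(channel, self)
        '''
        A Query is a record of a single client request to a resource, such as a SQL query.
        Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
        The Queries service is read-only.

        See `strongdm.svc.Queries`.
        '''
        self.remote_identities = svc.RemoteIdentities(channel, self)
        '''
        RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.RemoteIdentities`.
        '''
        self.remote_identities_history = svc.RemoteIdentitiesHistory(
            channel, self)
        '''
        RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

        See `strongdm.svc.RemoteIdentitiesHistory`.
        '''
        self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self)
        '''
        A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
        An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

        See `strongdm.svc.RemoteIdentityGroups`.
        '''
        self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory(
            channel, self)
        '''
        RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

        See `strongdm.svc.RemoteIdentityGroupsHistory`.
        '''
        self.replays = svc.Replays(channel, self)
        '''
        A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session
        (otherwise referred to as a query). The Replays service is read-only.

        See `strongdm.svc.Replays`.
        '''
        self.requestable_account_entitlements = svc.RequestableAccountEntitlements(
            channel, self)
        '''
        RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to.
        The RequestableAccountEntitlements service is read-only.

        See `strongdm.svc.RequestableAccountEntitlements`.
        '''
        self.requestable_resource_entitlements = svc.RequestableResourceEntitlements(
            channel, self)
        '''
        RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource.
        The RequestableResourceEntitlements service is read-only.

        See `strongdm.svc.RequestableResourceEntitlements`.
        '''
        self.requestable_role_entitlements = svc.RequestableRoleEntitlements(
            channel, self)
        '''
        RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to.
        The RequestableRoleEntitlements service is read-only.

        See `strongdm.svc.RequestableRoleEntitlements`.
        '''
        self.resources = svc.Resources(channel, self)
        '''
        Resources are databases, servers, clusters, websites, or clouds that strongDM
        delegates access to.

        See `strongdm.svc.Resources`.
        '''
        self.resources_history = svc.ResourcesHistory(channel, self)
        '''
        ResourcesHistory records all changes to the state of a Resource.

        See `strongdm.svc.ResourcesHistory`.
        '''
        self.role_resources = svc.RoleResources(channel, self)
        '''
        RoleResources enumerates the resources to which roles have access.
        The RoleResources service is read-only.

        See `strongdm.svc.RoleResources`.
        '''
        self.role_resources_history = svc.RoleResourcesHistory(channel, self)
        '''
        RoleResourcesHistory records all changes to the state of a RoleResource.

        See `strongdm.svc.RoleResourcesHistory`.
        '''
        self.roles_history = svc.RolesHistory(channel, self)
        '''
        RolesHistory records all changes to the state of a Role.

        See `strongdm.svc.RolesHistory`.
        '''
        self.secret_stores = svc.SecretStores(channel, self)
        '''
        SecretStores are servers where resource secrets (passwords, keys) are stored.

        See `strongdm.svc.SecretStores`.
        '''
        self.secret_engines = svc.SecretEngines(channel, self)
        '''


        See `strongdm.svc.SecretEngines`.
        '''
        self.secret_store_healths = svc.SecretStoreHealths(channel, self)
        '''
        SecretStoreHealths exposes health states for secret stores.

        See `strongdm.svc.SecretStoreHealths`.
        '''
        self.secret_stores_history = svc.SecretStoresHistory(channel, self)
        '''
        SecretStoresHistory records all changes to the state of a SecretStore.

        See `strongdm.svc.SecretStoresHistory`.
        '''
        self.workflow_approvers = svc.WorkflowApprovers(channel, self)
        '''
        WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.

        See `strongdm.svc.WorkflowApprovers`.
        '''
        self.workflow_approvers_history = svc.WorkflowApproversHistory(
            channel, self)
        '''
        WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.

        See `strongdm.svc.WorkflowApproversHistory`.
        '''
        self.workflow_roles = svc.WorkflowRoles(channel, self)
        '''
        WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
        to request access to a resource via the workflow.

        See `strongdm.svc.WorkflowRoles`.
        '''
        self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self)
        '''
        WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole

        See `strongdm.svc.WorkflowRolesHistory`.
        '''
        self.workflows = svc.Workflows(channel, self)
        '''
        Workflows are the collection of rules that define the resources to which access can be requested,
        the users that can request that access, and the mechanism for approving those requests which can either
        be automatic approval or a set of users authorized to approve the requests.

        See `strongdm.svc.Workflows`.
        '''
        self.workflows_history = svc.WorkflowsHistory(channel, self)
        '''
        WorkflowsHistory provides records of all changes to the state of a Workflow.

        See `strongdm.svc.WorkflowsHistory`.
        '''

    def close(self):
        '''Closes this Client and releases all resources held by it.

        Closing the Client will immediately terminate all RPCs active with the
        Client and it is not valid to invoke new RPCs with the Client.

        This method is idempotent.

        Note: a client obtained through `snapshot_at` is a shallow copy that
        shares this channel, so closing either one closes both.
        '''
        self.channel.close()

    def __enter__(self):
        '''Enter a `with` block; returns this client unchanged.'''
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        '''Close the channel on `with`-block exit. Returns None so exceptions propagate.'''
        self.close()

    def get_metadata(self, method_name, req):
        '''
        Build the per-call gRPC metadata that authenticates `req`.

        - method_name: the gRPC method about to be invoked
        - req: the protobuf request message; `req.SerializeToString()` is the
          byte string that gets signed

        Returns a list of (key, value) pairs: the access key, the signature
        computed by `sign` over the method name and serialized request, the
        API version and the SDK user agent. These are ordinary (non-binary)
        metadata headers; only the TLS channel protects them in transit, so
        `insecure=True` exposes the access key and signature on the wire.
        '''
        return [
            ('x-sdm-authentication', self.api_access_key),
            ('x-sdm-signature', self.sign(method_name,
                                          req.SerializeToString())),
            ('x-sdm-api-version', API_VERSION),
            ('x-sdm-user-agent', USER_AGENT),
        ]

    def sign(self, method_name, request_bytes):
        '''
        Compute the base64-encoded request signature for `x-sdm-signature`.

        - method_name: the gRPC method name, as passed by the service wrappers
        - request_bytes: the serialized protobuf request

        Returns the signature as base64 `bytes`.

        Scheme (all MACs are HMAC-SHA256):
        1. k0 = HMAC(api_secret, current UTC date as "YYYY-MM-DD")
        2. k1 = HMAC(k0, "sdm_api_v1")
        3. signature = HMAC(k1, SHA256(method_name + newline + request_bytes))

        Security notes:
        - Only the method name and the request body are bound by the signature.
          The other metadata values (access key, API version, user agent) are
          not covered.
        - The per-day key means the local clock must be right; around UTC
          midnight a request may be keyed on a different day than the server
          expects. Whether the server tolerates the adjacent day is not
          visible here.
        - No nonce or timestamp enters the signed material, so any replay
          protection within a day has to be provided server-side.
        '''
        def hmac_sha256(key, message):
            return hmac.new(key, msg=message, digestmod=hashlib.sha256).digest()

        current_utc_date = datetime.datetime.now(
            datetime.timezone.utc).strftime('%Y-%m-%d')
        signing_key = hmac_sha256(self.api_secret, current_utc_date.encode())
        signing_key = hmac_sha256(signing_key, b'sdm_api_v1')

        # Named `request_digest` so the `hash` builtin is not shadowed.
        request_digest = hashlib.sha256()
        request_digest.update(method_name.encode())
        request_digest.update(b'\n')
        request_digest.update(request_bytes)

        return base64.b64encode(
            hmac_sha256(signing_key, request_digest.digest()))

    def exponentialBackoff(self, retries, deadline=None):
        '''
        Compute the delay, in seconds, to wait before the next retry.

        - retries: how many retries have already happened (0 for the first)
        - deadline: optional absolute time on the `time.time()` scale; the
          delay is capped so it never runs past it, and is 0 once it has passed

        The delay grows geometrically from `base_retry_delay` by
        `retry_factor` per retry, is clamped to `max_retry_delay`, and is then
        jittered by +/- `retry_jitter` (fraction) so that clients that failed
        together do not retry in lockstep. `random.random()` is fine here:
        the jitter is a scheduling aid, not a security value.
        '''
        def applyDeadline(delay, deadline):
            if deadline is None:
                return delay
            remaining = deadline - time.time()
            if remaining < 0:
                return 0
            return min(delay, remaining)

        if retries == 0:
            return applyDeadline(self.base_retry_delay, deadline)

        backoff, max_delay = self.base_retry_delay, self.max_retry_delay
        while backoff < max_delay and retries > 0:
            backoff *= self.retry_factor
            retries -= 1

        if backoff > max_delay:
            backoff = max_delay

        # Randomize backoff delays so that if a cluster of requests start at
        # the same time, they won't operate in lockstep.
        backoff *= 1 + self.retry_jitter * (random.random() * 2 - 1)
        # Only reachable if retry_jitter were configured >= 1.
        if backoff < 0:
            return 0

        return applyDeadline(backoff, deadline)

    def shouldRetry(self, retries, err, deadline=None):
        '''
        Decide whether a failed RPC should be attempted again.

        - retries: number of retries already performed (0 on the first failure)
        - err: the exception raised by the RPC
        - deadline: optional absolute time on the `time.time()` scale; once it
          has passed nothing is retried

        Only `grpc.RpcError` is ever retried. With `retry_rate_limit_errors`
        set, RESOURCE_EXHAUSTED (rate limiting) is retried with no attempt
        cap, so a caller that passes no deadline can wait for as long as the
        server keeps throttling. INTERNAL and UNAVAILABLE are retried while
        `retries <= 3`, i.e. at most four additional attempts. Whether a given
        RPC is idempotent and therefore safe to repeat is the caller's
        responsibility; this method does not know the method being retried.
        '''
        # Check if we've passed the deadline
        if deadline is not None and time.time() >= deadline:
            return False

        if not isinstance(err, grpc.RpcError):
            return False

        if self.retry_rate_limit_errors and err.code(
        ) == grpc.StatusCode.RESOURCE_EXHAUSTED:
            return True

        return retries <= 3 and (err.code() == grpc.StatusCode.INTERNAL
                                 or err.code() == grpc.StatusCode.UNAVAILABLE)

    def snapshot_at(self, snapshot_datetime):
        '''
        Constructs a read-only client that will provide historical data from the provided timestamp.

        - snapshot_datetime: the point in time the returned client reads at

        The returned `SnapshotClient` wraps a shallow copy of this client: it
        shares the gRPC channel and the credentials, only `snapshot_datetime`
        and the service wrappers are replaced. Closing this client therefore
        also disables the snapshot client.

        See `SnapshotClient`.
        '''
        client = copy.copy(self)
        client.snapshot_datetime = snapshot_datetime
        client.access_requests = svc.AccessRequests(client.channel, client)
        client.account_attachments = svc.AccountAttachments(
            client.channel, client)
        client.account_grants = svc.AccountGrants(client.channel, client)
        client.account_permissions = svc.AccountPermissions(
            client.channel, client)
        client.account_resources = svc.AccountResources(client.channel, client)
        client.accounts = svc.Accounts(client.channel, client)
        client.accounts_groups = svc.AccountsGroups(client.channel, client)
        client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
            client.channel, client)
        client.approval_workflow_steps = svc.ApprovalWorkflowSteps(
            client.channel, client)
        client.approval_workflows = svc.ApprovalWorkflows(
            client.channel, client)
        client.discovery_connectors = svc.DiscoveryConnectors(
            client.channel, client)
        client.granted_account_entitlements = svc.GrantedAccountEntitlements(
            client.channel, client)
        client.granted_resource_entitlements = svc.GrantedResourceEntitlements(
            client.channel, client)
        client.granted_role_entitlements = svc.GrantedRoleEntitlements(
            client.channel, client)
        client.roles = svc.Roles(client.channel, client)
        client.groups = svc.Groups(client.channel, client)
        client.groups_roles = svc.GroupsRoles(client.channel, client)
        client.identity_aliases = svc.IdentityAliases(client.channel, client)
        client.identity_sets = svc.IdentitySets(client.channel, client)
        client.nodes = svc.Nodes(client.channel, client)
        client.policies = svc.Policies(client.channel, client)
        client.proxy_cluster_keys = svc.ProxyClusterKeys(
            client.channel, client)
        client.remote_identities = svc.RemoteIdentities(client.channel, client)
        client.remote_identity_groups = svc.RemoteIdentityGroups(
            client.channel, client)
        client.requestable_account_entitlements = svc.RequestableAccountEntitlements(
            client.channel, client)
        client.requestable_resource_entitlements = svc.RequestableResourceEntitlements(
            client.channel, client)
        client.requestable_role_entitlements = svc.RequestableRoleEntitlements(
            client.channel, client)
        client.resources = svc.Resources(client.channel, client)
        client.role_resources = svc.RoleResources(client.channel, client)
        client.secret_stores = svc.SecretStores(client.channel, client)
        client.workflow_approvers = svc.WorkflowApprovers(
            client.channel, client)
        client.workflow_roles = svc.WorkflowRoles(client.channel, client)
        client.workflows = svc.Workflows(client.channel, client)
        return SnapshotClient(client)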
Client interacts with the strongDM API.
def __init__(self,
             api_access_key,
             api_secret,
             host='app.strongdm.com:443',
             insecure=False,
             retry_rate_limit_errors=True,
             page_limit=0):
    '''
    Create a new Client.

    - api_access_key: the access key to authenticate with strongDM
    - api_secret: the secret key to authenticate with strongDM; given as
      base64 text, it is decoded here and the raw bytes are kept on the
      client as the root key that sign() derives per-request keys from
    - host: gRPC endpoint as host:port
    - insecure: when True the channel is opened with grpc.insecure_channel,
      i.e. without TLS, so the connection has neither transport
      confidentiality nor server authentication; the default opens a TLS
      channel using gRPC's default root certificates
    - retry_rate_limit_errors: when True, RESOURCE_EXHAUSTED (rate limit)
      responses are retried; see shouldRetry
    - page_limit: stored on the client for the service objects to read;
      presumably 0 means "use the server default" - TODO confirm

    Raises the porcelain error produced by plumbing.convert_error_to_porcelain
    if the channel cannot be constructed.
    '''
    # strip() tolerates surrounding whitespace (e.g. a key read from an
    # environment variable); the secret is decoded once and held as bytes.
    self.api_access_key = api_access_key.strip()
    self.api_secret = base64.b64decode(api_secret.strip())
    # Retry tuning is fixed to the module defaults; there is no constructor
    # parameter for it yet (see the module-level comment on the defaults).
    self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
    self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
    self.retry_factor = DEFAULT_RETRY_FACTOR
    self.retry_jitter = DEFAULT_RETRY_JITTER
    self.retry_rate_limit_errors = retry_rate_limit_errors
    # None means "live data"; snapshot_at() sets this on a copy of the client.
    self.snapshot_datetime = None
    self.page_limit = page_limit

    try:
        if insecure:
            channel = grpc.insecure_channel(host)
        else:
            # No arguments: gRPC's default root CA bundle, no client cert.
            creds = grpc.ssl_channel_credentials()
            channel = grpc.secure_channel(host, creds)
    except Exception as e:
        raise plumbing.convert_error_to_porcelain(e) from e
    # The interceptor keeps a reference to this (not yet fully built) client
    # and resolves the services it needs lazily, so the order here is safe.
    channel = grpc.intercept_channel(channel, _EncryptionInterceptor(self))
    self.channel = channel
    self.access_requests = svc.AccessRequests(channel, self)
    '''
    AccessRequests are requests for access to a resource that may match a Workflow.

    See `strongdm.svc.AccessRequests`.
    '''
    self.access_request_events_history = svc.AccessRequestEventsHistory(
        channel, self)
    '''
    AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

    See `strongdm.svc.AccessRequestEventsHistory`.
    '''
    self.access_requests_history = svc.AccessRequestsHistory(channel, self)
    '''
    AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

    See `strongdm.svc.AccessRequestsHistory`.
    '''
    self.account_attachments = svc.AccountAttachments(channel, self)
    '''
    AccountAttachments assign an account to a role.

    See `strongdm.svc.AccountAttachments`.
    '''
    self.account_attachments_history = svc.AccountAttachmentsHistory(
        channel, self)
    '''
    AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

    See `strongdm.svc.AccountAttachmentsHistory`.
    '''
    self.account_grants = svc.AccountGrants(channel, self)
    '''
    AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

    See `strongdm.svc.AccountGrants`.
    '''
    self.account_grants_history = svc.AccountGrantsHistory(channel, self)
    '''
    AccountGrantsHistory records all changes to the state of an AccountGrant.

    See `strongdm.svc.AccountGrantsHistory`.
    '''
    self.account_permissions = svc.AccountPermissions(channel, self)
    '''
    AccountPermissions records the granular permissions accounts have, allowing them to execute
    relevant commands via StrongDM's APIs.

    See `strongdm.svc.AccountPermissions`.
    '''
    self.account_resources = svc.AccountResources(channel, self)
    '''
    AccountResources enumerates the resources to which accounts have access.
    The AccountResources service is read-only.

    See `strongdm.svc.AccountResources`.
    '''
    self.account_resources_history = svc.AccountResourcesHistory(
        channel, self)
    '''
    AccountResourcesHistory records all changes to the state of a AccountResource.

    See `strongdm.svc.AccountResourcesHistory`.
    '''
    self.accounts = svc.Accounts(channel, self)
    '''
    Accounts are users that have access to strongDM. There are two types of accounts:
    1. **Users:** humans who are authenticated through username and password or SSO.
    2. **Service Accounts:** machines that are authenticated using a service token.
    3. **Tokens** are access keys with permissions that can be used for authentication.

    See `strongdm.svc.Accounts`.
    '''
    self.accounts_groups = svc.AccountsGroups(channel, self)
    '''
    An AccountGroup links an account and a group.

    See `strongdm.svc.AccountsGroups`.
    '''
    self.accounts_groups_history = svc.AccountsGroupsHistory(channel, self)
    '''
    AccountsGroupsHistory records all changes to the state of an AccountGroup.

    See `strongdm.svc.AccountsGroupsHistory`.
    '''
    self.accounts_history = svc.AccountsHistory(channel, self)
    '''
    AccountsHistory records all changes to the state of an Account.

    See `strongdm.svc.AccountsHistory`.
    '''
    self.activities = svc.Activities(channel, self)
    '''
    An Activity is a record of an action taken against a strongDM deployment, e.g.
    a user creation, resource deletion, sso configuration change, etc. The Activities
    service is read-only.

    See `strongdm.svc.Activities`.
    '''
    self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
        channel, self)
    '''
    ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep

    See `strongdm.svc.ApprovalWorkflowApprovers`.
    '''
    self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory(
        channel, self)
    '''
    ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.

    See `strongdm.svc.ApprovalWorkflowApproversHistory`.
    '''
    self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self)
    '''
    ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow

    See `strongdm.svc.ApprovalWorkflowSteps`.
    '''
    self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory(
        channel, self)
    '''
    ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.

    See `strongdm.svc.ApprovalWorkflowStepsHistory`.
    '''
    self.approval_workflows = svc.ApprovalWorkflows(channel, self)
    '''
    ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
    approvers and be approved or denied.

    See `strongdm.svc.ApprovalWorkflows`.
    '''
    self.approval_workflows_history = svc.ApprovalWorkflowsHistory(
        channel, self)
    '''
    ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.

    See `strongdm.svc.ApprovalWorkflowsHistory`.
    '''
    self.control_panel = svc.ControlPanel(channel, self)
    '''
    ControlPanel contains all administrative controls.

    See `strongdm.svc.ControlPanel`.
    '''
    self.discovery_connectors = svc.DiscoveryConnectors(channel, self)
    '''
    A Discovery Connector is a configuration object for performing Resource
    Scans in remote systems such as AWS, GCP, Azure, and other systems.

    See `strongdm.svc.DiscoveryConnectors`.
    '''
    self.granted_account_entitlements = svc.GrantedAccountEntitlements(
        channel, self)
    '''
    GrantedAccountEntitlements enumerates the resources to which an account has been granted access.
    The GrantedAccountEntitlements service is read-only.

    See `strongdm.svc.GrantedAccountEntitlements`.
    '''
    self.granted_resource_entitlements = svc.GrantedResourceEntitlements(
        channel, self)
    '''
    GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource.
    The GrantedResourceEntitlements service is read-only.

    See `strongdm.svc.GrantedResourceEntitlements`.
    '''
    self.granted_role_entitlements = svc.GrantedRoleEntitlements(
        channel, self)
    '''
    GrantedRoleEntitlements enumerates the resources to which a role grants access.
    The GrantedRoleEntitlements service is read-only.

    See `strongdm.svc.GrantedRoleEntitlements`.
    '''
    self.roles = svc.Roles(channel, self)
    '''
    A Role has a list of access rules which determine which Resources the members
    of the Role have access to. An Account can be a member of multiple Roles via
    AccountAttachments.

    See `strongdm.svc.Roles`.
    '''
    self.groups = svc.Groups(channel, self)
    '''
    A Group is a set of principals.

    See `strongdm.svc.Groups`.
    '''
    self.groups_history = svc.GroupsHistory(channel, self)
    '''
    GroupsHistory records all changes to the state of a Group.

    See `strongdm.svc.GroupsHistory`.
    '''
    self.groups_roles = svc.GroupsRoles(channel, self)
    '''
    A GroupRole is an assignment of a Group to a Role.

    See `strongdm.svc.GroupsRoles`.
    '''
    self.groups_roles_history = svc.GroupsRolesHistory(channel, self)
    '''
    GroupsRolesHistory records all changes to the state of a GroupRole.

    See `strongdm.svc.GroupsRolesHistory`.
    '''
    self.health_checks = svc.HealthChecks(channel, self)
    '''
    HealthChecks lists the last healthcheck between each node and resource.
    Note the unconventional capitalization here is to prevent having a collision with GRPC

    See `strongdm.svc.HealthChecks`.
    '''
    self.identity_aliases = svc.IdentityAliases(channel, self)
    '''
    IdentityAliases assign an alias to an account within an IdentitySet.
    The alias is used as the username when connecting to a identity supported resource.

    See `strongdm.svc.IdentityAliases`.
    '''
    self.identity_aliases_history = svc.IdentityAliasesHistory(
        channel, self)
    '''
    IdentityAliasesHistory records all changes to the state of a IdentityAlias.

    See `strongdm.svc.IdentityAliasesHistory`.
    '''
    self.identity_sets = svc.IdentitySets(channel, self)
    '''
    A IdentitySet is a named grouping of Identity Aliases for Accounts.
    An Account's relationship to a IdentitySet is defined via IdentityAlias objects.

    See `strongdm.svc.IdentitySets`.
    '''
    self.identity_sets_history = svc.IdentitySetsHistory(channel, self)
    '''
    IdentitySetsHistory records all changes to the state of a IdentitySet.

    See `strongdm.svc.IdentitySetsHistory`.
    '''
    self.managed_secrets = svc.ManagedSecrets(channel, self)
    '''
    ManagedSecret is a private vertical for creating, reading, updating,
    deleting, listing and rotating the managed secrets in the secrets engines as
    an authenticated user.

    See `strongdm.svc.ManagedSecrets`.
    '''
    self.nodes = svc.Nodes(channel, self)
    '''
    Nodes make up the StrongDM network, and allow your users to connect securely to your resources.
    There are three types of nodes:
    1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
    2. **Gateway:** a relay that also listens for connections from StrongDM clients
    3. **Proxy Cluster:** a cluster of workers that together mediate access from clients to resources

    See `strongdm.svc.Nodes`.
    '''
    self.nodes_history = svc.NodesHistory(channel, self)
    '''
    NodesHistory records all changes to the state of a Node.

    See `strongdm.svc.NodesHistory`.
    '''
    self.organization_history = svc.OrganizationHistory(channel, self)
    '''
    OrganizationHistory records all changes to the state of an Organization.

    See `strongdm.svc.OrganizationHistory`.
    '''
    self.peering_group_nodes = svc.PeeringGroupNodes(channel, self)
    '''
    PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.

    See `strongdm.svc.PeeringGroupNodes`.
    '''
    self.peering_group_peers = svc.PeeringGroupPeers(channel, self)
    '''
    PeeringGroupPeers provides the building blocks necessary to link two peering groups.

    See `strongdm.svc.PeeringGroupPeers`.
    '''
    self.peering_group_resources = svc.PeeringGroupResources(channel, self)
    '''
    PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.

    See `strongdm.svc.PeeringGroupResources`.
    '''
    self.peering_groups = svc.PeeringGroups(channel, self)
    '''
    PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.

    See `strongdm.svc.PeeringGroups`.
    '''
    self.policies = svc.Policies(channel, self)
    '''
    Policies are the collection of one or more statements that enforce fine-grained access
    control for the users of an organization.

    See `strongdm.svc.Policies`.
    '''
    self.policies_history = svc.PoliciesHistory(channel, self)
    '''
    PoliciesHistory records all changes to the state of a Policy.

    See `strongdm.svc.PoliciesHistory`.
    '''
    self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self)
    '''
    Proxy Cluster Keys are authentication keys for all proxies within a cluster.
    The proxies within a cluster share the same key. One cluster can have
    multiple keys in order to facilitate key rotation.

    See `strongdm.svc.ProxyClusterKeys`.
    '''
    self.queries = svc.Queries(channel, self)
    '''
    A Query is a record of a single client request to a resource, such as a SQL query.
    Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
    The Queries service is read-only.

    See `strongdm.svc.Queries`.
    '''
    self.remote_identities = svc.RemoteIdentities(channel, self)
    '''
    RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

    See `strongdm.svc.RemoteIdentities`.
    '''
    self.remote_identities_history = svc.RemoteIdentitiesHistory(
        channel, self)
    '''
    RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

    See `strongdm.svc.RemoteIdentitiesHistory`.
    '''
    self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self)
    '''
    A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
    An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

    See `strongdm.svc.RemoteIdentityGroups`.
    '''
    self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory(
        channel, self)
    '''
    RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

    See `strongdm.svc.RemoteIdentityGroupsHistory`.
    '''
    self.replays = svc.Replays(channel, self)
    '''
    A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session
    (otherwise referred to as a query). The Replays service is read-only.

    See `strongdm.svc.Replays`.
    '''
    self.requestable_account_entitlements = svc.RequestableAccountEntitlements(
        channel, self)
    '''
    RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to.
    The RequestableAccountEntitlements service is read-only.

    See `strongdm.svc.RequestableAccountEntitlements`.
    '''
    self.requestable_resource_entitlements = svc.RequestableResourceEntitlements(
        channel, self)
    '''
    RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource.
    The RequestableResourceEntitlements service is read-only.

    See `strongdm.svc.RequestableResourceEntitlements`.
    '''
    self.requestable_role_entitlements = svc.RequestableRoleEntitlements(
        channel, self)
    '''
    RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to.
    The RequestableRoleEntitlements service is read-only.

    See `strongdm.svc.RequestableRoleEntitlements`.
    '''
    self.resources = svc.Resources(channel, self)
    '''
    Resources are databases, servers, clusters, websites, or clouds that strongDM
    delegates access to.

    See `strongdm.svc.Resources`.
    '''
    self.resources_history = svc.ResourcesHistory(channel, self)
    '''
    ResourcesHistory records all changes to the state of a Resource.

    See `strongdm.svc.ResourcesHistory`.
    '''
    self.role_resources = svc.RoleResources(channel, self)
    '''
    RoleResources enumerates the resources to which roles have access.
    The RoleResources service is read-only.

    See `strongdm.svc.RoleResources`.
    '''
    self.role_resources_history = svc.RoleResourcesHistory(channel, self)
    '''
    RoleResourcesHistory records all changes to the state of a RoleResource.

    See `strongdm.svc.RoleResourcesHistory`.
    '''
    self.roles_history = svc.RolesHistory(channel, self)
    '''
    RolesHistory records all changes to the state of a Role.

    See `strongdm.svc.RolesHistory`.
    '''
    self.secret_stores = svc.SecretStores(channel, self)
    '''
    SecretStores are servers where resource secrets (passwords, keys) are stored.

    See `strongdm.svc.SecretStores`.
    '''
    self.secret_engines = svc.SecretEngines(channel, self)
    '''


    See `strongdm.svc.SecretEngines`.
    '''
    self.secret_store_healths = svc.SecretStoreHealths(channel, self)
    '''
    SecretStoreHealths exposes health states for secret stores.

    See `strongdm.svc.SecretStoreHealths`.
    '''
    self.secret_stores_history = svc.SecretStoresHistory(channel, self)
    '''
    SecretStoresHistory records all changes to the state of a SecretStore.

    See `strongdm.svc.SecretStoresHistory`.
    '''
    self.workflow_approvers = svc.WorkflowApprovers(channel, self)
    '''
    WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.

    See `strongdm.svc.WorkflowApprovers`.
    '''
    self.workflow_approvers_history = svc.WorkflowApproversHistory(
        channel, self)
    '''
    WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.

    See `strongdm.svc.WorkflowApproversHistory`.
    '''
    self.workflow_roles = svc.WorkflowRoles(channel, self)
    '''
    WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
    to request access to a resource via the workflow.

    See `strongdm.svc.WorkflowRoles`.
    '''
    self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self)
    '''
    WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole

    See `strongdm.svc.WorkflowRolesHistory`.
    '''
    self.workflows = svc.Workflows(channel, self)
    '''
    Workflows are the collection of rules that define the resources to which access can be requested,
    the users that can request that access, and the mechanism for approving those requests which can either
    be automatic approval or a set of users authorized to approve the requests.

    See `strongdm.svc.Workflows`.
    '''
    self.workflows_history = svc.WorkflowsHistory(channel, self)
    '''
    WorkflowsHistory provides records of all changes to the state of a Workflow.

    See `strongdm.svc.WorkflowsHistory`.
    '''
Create a new Client.
- api_access_key: the access key to authenticate with strongDM
- api_secret: the secret key to authenticate with strongDM
AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.
AccessRequestsHistory provides records of all changes to the state of an AccessRequest.
AccountAttachmentsHistory records all changes to the state of an AccountAttachment.
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
AccountResourcesHistory records all changes to the state of an AccountResource.
Accounts are users that have access to strongDM. There are two types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, SSO configuration change, etc. The Activities service is read-only.
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.
ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.
ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.
A Discovery Connector is a configuration object for performing Resource Scans in remote systems such as AWS, GCP, Azure, and other systems.
GrantedAccountEntitlements enumerates the resources to which an account has been granted access. The GrantedAccountEntitlements service is read-only.
GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource. The GrantedResourceEntitlements service is read-only.
GrantedRoleEntitlements enumerates the resources to which a role grants access. The GrantedRoleEntitlements service is read-only.
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
See strongdm.svc.Roles.
HealthChecks lists the last healthcheck between each node and resource. Note the unconventional capitalization here is to prevent having a collision with GRPC
IdentityAliases assign an alias to an account within an IdentitySet. The alias is used as the username when connecting to an identity-supported resource.
IdentityAliasesHistory records all changes to the state of an IdentityAlias.
An IdentitySet is a named grouping of Identity Aliases for Accounts. An Account's relationship to an IdentitySet is defined via IdentityAlias objects.
ManagedSecret is a private vertical for creating, reading, updating, deleting, listing and rotating the managed secrets in the secrets engines as an authenticated user.
Nodes make up the StrongDM network, and allow your users to connect securely to your resources. There are three types of nodes:
- Relay: creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
- Gateway: a relay that also listens for connections from StrongDM clients
- Proxy Cluster: a cluster of workers that together mediate access from clients to resources
See strongdm.svc.Nodes.
PeeringGroupNodes provides the building blocks necessary to attach a node to a peering group.
PeeringGroupPeers provides the building blocks necessary to link two peering groups.
PeeringGroupResources provides the building blocks necessary to attach a resource to a peering group.
PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.
Policies are the collection of one or more statements that enforce fine-grained access control for the users of an organization.
Proxy Cluster Keys are authentication keys for all proxies within a cluster. The proxies within a cluster share the same key. One cluster can have multiple keys in order to facilitate key rotation.
A Query is a record of a single client request to a resource, such as a SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.
See strongdm.svc.Queries.
RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.
A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.
See strongdm.svc.Replays.
RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to. The RequestableAccountEntitlements service is read-only.
RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource. The RequestableResourceEntitlements service is read-only.
RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to. The RequestableRoleEntitlements service is read-only.
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.
WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.
WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.
WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole.
Workflows are the collection of rules that define the resources to which access can be requested, the users that can request that access, and the mechanism for approving those requests which can either be automatic approval or a set of users authorized to approve the requests.
def close(self):
    '''Shut down the gRPC channel this Client owns.

    Every RPC in flight on the channel is terminated immediately and the
    Client must not be used for new RPCs afterwards. Calling close() more
    than once is harmless.
    '''
    grpc_channel = self.channel
    grpc_channel.close()
Closes this Client and releases all resources held by it.
Closing the Client will immediately terminate all RPCs active with the Client and it is not valid to invoke new RPCs with the Client.
This method is idempotent.
def sign(self, method_name, request_bytes):
    '''Compute the per-request HMAC signature for one RPC.

    Key derivation is a two-step HMAC-SHA256 chain from the raw api_secret
    bytes: first bound to today's UTC date (so the derived key rolls over
    daily), then to the fixed scope b'sdm_api_v1'. The derived key signs
    the SHA-256 digest of ``method_name + "\\n" + request_bytes``.

    - method_name: the gRPC method name (str)
    - request_bytes: the serialized request message (bytes-like)

    Returns the signature as base64-encoded bytes.
    '''
    def derive(key, message):
        return hmac.digest(key, message, hashlib.sha256)

    utc_today = datetime.datetime.now(datetime.timezone.utc)
    date_scope = utc_today.strftime('%Y-%m-%d').encode()
    # Date first, then the API version scope, so neither the raw secret nor
    # the date-bound key is ever used directly on request data.
    daily_key = derive(self.api_secret, date_scope)
    scoped_key = derive(daily_key, b'sdm_api_v1')

    payload = hashlib.sha256(
        b''.join((method_name.encode(), b'\n', request_bytes)))
    return base64.b64encode(derive(scoped_key, payload.digest()))
def exponentialBackoff(self, retries, deadline=None):
    '''Return the delay, in seconds, to wait before the next attempt.

    The delay grows geometrically by retry_factor from base_retry_delay and
    is capped at max_retry_delay, then scaled by a uniform jitter factor in
    [1 - retry_jitter, 1 + retry_jitter]. The very first call
    (retries == 0) returns base_retry_delay without jitter.

    - retries: attempts made so far
    - deadline: optional epoch-seconds deadline; the delay is clamped to
      the time left, and 0 is returned once the deadline has passed
    '''
    def clamp_to_deadline(delay):
        if deadline is None:
            return delay
        time_left = deadline - time.time()
        if time_left < 0:
            return 0
        return min(delay, time_left)

    if retries == 0:
        return clamp_to_deadline(self.base_retry_delay)

    delay = self.base_retry_delay
    ceiling = self.max_retry_delay
    steps_left = retries
    while steps_left > 0 and delay < ceiling:
        delay *= self.retry_factor
        steps_left -= 1
    delay = min(delay, ceiling)

    # Jitter de-synchronizes clients that failed at the same moment so they
    # do not all retry in lockstep.
    jitter_scale = 1 + self.retry_jitter * (random.random() * 2 - 1)
    delay *= jitter_scale
    if delay < 0:
        return 0

    return clamp_to_deadline(delay)
def shouldRetry(self, retries, err, deadline=None):
    '''Decide whether a failed RPC should be attempted again.

    - retries: attempts made so far
    - err: the exception the attempt raised
    - deadline: optional epoch-seconds deadline; nothing is retried once
      it has passed

    Returns True for RESOURCE_EXHAUSTED (rate limiting) whenever
    retry_rate_limit_errors is set, with no attempt cap - a deadline is the
    only bound in that case. INTERNAL and UNAVAILABLE are retried only for
    the first few attempts. Anything that is not a grpc.RpcError is never
    retried.
    '''
    deadline_passed = deadline is not None and time.time() >= deadline
    if deadline_passed or not isinstance(err, grpc.RpcError):
        return False

    status = err.code()
    if self.retry_rate_limit_errors and status == grpc.StatusCode.RESOURCE_EXHAUSTED:
        return True

    if retries > 3:
        return False
    # NOTE(review): a transient failure may arrive after the server applied
    # a write - presumably the service layer accounts for that on
    # non-idempotent RPCs; confirm.
    transient = (grpc.StatusCode.INTERNAL, grpc.StatusCode.UNAVAILABLE)
    return status in transient
def snapshot_at(self, snapshot_datetime):
    '''
    Constructs a read-only client that will provide historical data from the provided timestamp.

    The result wraps a shallow copy of this client: the copy shares this
    client's channel and credentials, carries snapshot_datetime, and gets
    its own instances of the services listed below so that the original
    client's services keep serving live data.

    See `SnapshotClient`.
    '''
    # Shallow copy: channel, api_access_key and api_secret are shared.
    historical = copy.copy(self)
    historical.snapshot_datetime = snapshot_datetime

    # Each service is rebuilt against the copy so it reads the copy's
    # snapshot_datetime instead of the original client's.
    rebound_services = (
        ('access_requests', svc.AccessRequests),
        ('account_attachments', svc.AccountAttachments),
        ('account_grants', svc.AccountGrants),
        ('account_permissions', svc.AccountPermissions),
        ('account_resources', svc.AccountResources),
        ('accounts', svc.Accounts),
        ('accounts_groups', svc.AccountsGroups),
        ('approval_workflow_approvers', svc.ApprovalWorkflowApprovers),
        ('approval_workflow_steps', svc.ApprovalWorkflowSteps),
        ('approval_workflows', svc.ApprovalWorkflows),
        ('discovery_connectors', svc.DiscoveryConnectors),
        ('granted_account_entitlements', svc.GrantedAccountEntitlements),
        ('granted_resource_entitlements', svc.GrantedResourceEntitlements),
        ('granted_role_entitlements', svc.GrantedRoleEntitlements),
        ('roles', svc.Roles),
        ('groups', svc.Groups),
        ('groups_roles', svc.GroupsRoles),
        ('identity_aliases', svc.IdentityAliases),
        ('identity_sets', svc.IdentitySets),
        ('nodes', svc.Nodes),
        ('policies', svc.Policies),
        ('proxy_cluster_keys', svc.ProxyClusterKeys),
        ('remote_identities', svc.RemoteIdentities),
        ('remote_identity_groups', svc.RemoteIdentityGroups),
        ('requestable_account_entitlements',
         svc.RequestableAccountEntitlements),
        ('requestable_resource_entitlements',
         svc.RequestableResourceEntitlements),
        ('requestable_role_entitlements', svc.RequestableRoleEntitlements),
        ('resources', svc.Resources),
        ('role_resources', svc.RoleResources),
        ('secret_stores', svc.SecretStores),
        ('workflow_approvers', svc.WorkflowApprovers),
        ('workflow_roles', svc.WorkflowRoles),
        ('workflows', svc.Workflows),
    )
    for attribute, service_cls in rebound_services:
        setattr(historical, attribute,
                service_cls(historical.channel, historical))
    return SnapshotClient(historical)
Constructs a read-only client that will provide historical data from the provided timestamp.
See SnapshotClient.
class SnapshotClient:
    """Read-only view of the API as it stood at a chosen point in time.

    Each attribute wraps the matching service object of the live ``client``
    in its ``svc.Snapshot*`` counterpart, so callers keep the same query
    surface but receive historical records instead of current state.

    Args:
        client: the live client whose per-service objects are wrapped.
    """

    def __init__(self, client):
        # AccessRequests: requests for access to a resource that may match a Workflow.
        self.access_requests = svc.SnapshotAccessRequests(client.access_requests)
        # AccountAttachments: assign an account to a role.
        self.account_attachments = svc.SnapshotAccountAttachments(client.account_attachments)
        # AccountGrants: assign a resource directly to an account, granting it
        # permission to connect to that resource.
        self.account_grants = svc.SnapshotAccountGrants(client.account_grants)
        # AccountPermissions: the granular permissions accounts hold for
        # executing commands through strongDM's APIs.
        self.account_permissions = svc.SnapshotAccountPermissions(client.account_permissions)
        # AccountResources (read-only): the resources each account can reach.
        self.account_resources = svc.SnapshotAccountResources(client.account_resources)
        # Accounts: principals with access to strongDM -- users (password or
        # SSO), service accounts (service token) and tokens (access keys).
        self.accounts = svc.SnapshotAccounts(client.accounts)
        # AccountsGroups: an AccountGroup links an account and a group.
        self.accounts_groups = svc.SnapshotAccountsGroups(client.accounts_groups)
        # ApprovalWorkflowApprovers: link approvers to an ApprovalWorkflowStep.
        self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers(
            client.approval_workflow_approvers)
        # ApprovalWorkflowSteps: link steps to an ApprovalWorkflow.
        self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps(
            client.approval_workflow_steps)
        # ApprovalWorkflows: how access requests are surfaced to authorized
        # approvers and approved or denied.
        self.approval_workflows = svc.SnapshotApprovalWorkflows(client.approval_workflows)
        # DiscoveryConnectors: configuration for Resource Scans of remote
        # systems such as AWS, GCP or Azure.
        self.discovery_connectors = svc.SnapshotDiscoveryConnectors(client.discovery_connectors)
        # GrantedAccountEntitlements (read-only): resources an account has been granted.
        self.granted_account_entitlements = svc.SnapshotGrantedAccountEntitlements(
            client.granted_account_entitlements)
        # GrantedResourceEntitlements (read-only): accounts granted a given resource.
        self.granted_resource_entitlements = svc.SnapshotGrantedResourceEntitlements(
            client.granted_resource_entitlements)
        # GrantedRoleEntitlements (read-only): resources a role grants access to.
        self.granted_role_entitlements = svc.SnapshotGrantedRoleEntitlements(
            client.granted_role_entitlements)
        # Roles: access rules deciding which Resources members can reach; an
        # Account joins Roles through AccountAttachments.
        self.roles = svc.SnapshotRoles(client.roles)
        # Groups: a Group is a set of principals.
        self.groups = svc.SnapshotGroups(client.groups)
        # GroupsRoles: a GroupRole assigns a Group to a Role.
        self.groups_roles = svc.SnapshotGroupsRoles(client.groups_roles)
        # IdentityAliases: per-IdentitySet alias for an account, used as the
        # username on identity-supported resources.
        self.identity_aliases = svc.SnapshotIdentityAliases(client.identity_aliases)
        # IdentitySets: named groupings of Identity Aliases; membership is
        # expressed through IdentityAlias objects.
        self.identity_sets = svc.SnapshotIdentitySets(client.identity_sets)
        # Nodes: the strongDM network -- relays (egress-only connectivity to
        # datasources), gateways (relays that also accept client connections)
        # and proxy clusters (worker pools mediating client-to-resource access).
        self.nodes = svc.SnapshotNodes(client.nodes)
        # Policies: statements that enforce fine-grained access control.
        self.policies = svc.SnapshotPolicies(client.policies)
        # ProxyClusterKeys: authentication keys shared by the proxies of a
        # cluster; several keys may coexist to allow rotation.
        self.proxy_cluster_keys = svc.SnapshotProxyClusterKeys(client.proxy_cluster_keys)
        # RemoteIdentities: assign a resource directly to an account, granting
        # it permission to connect to that resource.
        self.remote_identities = svc.SnapshotRemoteIdentities(client.remote_identities)
        # RemoteIdentityGroups: named groupings of Remote Identities; membership
        # is expressed through RemoteIdentity objects.
        self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups(
            client.remote_identity_groups)
        # RequestableAccountEntitlements (read-only): resources an account may request.
        self.requestable_account_entitlements = svc.SnapshotRequestableAccountEntitlements(
            client.requestable_account_entitlements)
        # RequestableResourceEntitlements (read-only): accounts allowed to request a resource.
        self.requestable_resource_entitlements = svc.SnapshotRequestableResourceEntitlements(
            client.requestable_resource_entitlements)
        # RequestableRoleEntitlements (read-only): resources a role lets its members request.
        self.requestable_role_entitlements = svc.SnapshotRequestableRoleEntitlements(
            client.requestable_role_entitlements)
        # Resources: databases, servers, clusters, websites or clouds that
        # strongDM delegates access to.
        self.resources = svc.SnapshotResources(client.resources)
        # RoleResources (read-only): resources each role can reach.
        self.role_resources = svc.SnapshotRoleResources(client.role_resources)
        # SecretStores: servers holding resource secrets (passwords, keys).
        self.secret_stores = svc.SnapshotSecretStores(client.secret_stores)
        # WorkflowApprovers: an account or role able to approve requests bound to a workflow.
        self.workflow_approvers = svc.SnapshotWorkflowApprovers(client.workflow_approvers)
        # WorkflowRoles: link a role to a workflow; a user must hold one of the
        # linked roles to request access through it.
        self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles)
        # Workflows: rules defining which resources can be requested, by whom,
        # and whether approval is automatic or by a set of authorized users.
        self.workflows = svc.SnapshotWorkflows(client.workflows)
SnapshotClient exposes methods to query historical records as they existed at a provided timestamp.
def __init__(self, client):
    """Wrap every service of the live ``client`` in its snapshot counterpart.

    Args:
        client: the live client whose per-service objects are wrapped.

    Each entry below becomes an attribute of the same name on this object,
    created in the listed order. The comment on each row summarises the
    records that service exposes.
    """
    # (attribute name, snapshot wrapper class); the wrapper receives the
    # live service found under the same attribute name on ``client``.
    services = (
        # requests for access to a resource that may match a Workflow
        ("access_requests", svc.SnapshotAccessRequests),
        # assign an account to a role
        ("account_attachments", svc.SnapshotAccountAttachments),
        # assign a resource directly to an account (permission to connect)
        ("account_grants", svc.SnapshotAccountGrants),
        # granular permissions for executing commands via strongDM's APIs
        ("account_permissions", svc.SnapshotAccountPermissions),
        # read-only: resources each account can reach
        ("account_resources", svc.SnapshotAccountResources),
        # users (password/SSO), service accounts (service token), tokens (access keys)
        ("accounts", svc.SnapshotAccounts),
        # an AccountGroup links an account and a group
        ("accounts_groups", svc.SnapshotAccountsGroups),
        # link approvers to an ApprovalWorkflowStep
        ("approval_workflow_approvers", svc.SnapshotApprovalWorkflowApprovers),
        # link steps to an ApprovalWorkflow
        ("approval_workflow_steps", svc.SnapshotApprovalWorkflowSteps),
        # how access requests reach authorized approvers for approval or denial
        ("approval_workflows", svc.SnapshotApprovalWorkflows),
        # configuration for Resource Scans of remote systems (AWS, GCP, Azure, ...)
        ("discovery_connectors", svc.SnapshotDiscoveryConnectors),
        # read-only: resources an account has been granted
        ("granted_account_entitlements", svc.SnapshotGrantedAccountEntitlements),
        # read-only: accounts granted a given resource
        ("granted_resource_entitlements", svc.SnapshotGrantedResourceEntitlements),
        # read-only: resources a role grants access to
        ("granted_role_entitlements", svc.SnapshotGrantedRoleEntitlements),
        # access rules deciding which Resources members reach; joined via AccountAttachments
        ("roles", svc.SnapshotRoles),
        # a Group is a set of principals
        ("groups", svc.SnapshotGroups),
        # a GroupRole assigns a Group to a Role
        ("groups_roles", svc.SnapshotGroupsRoles),
        # per-IdentitySet alias used as the username on identity-supported resources
        ("identity_aliases", svc.SnapshotIdentityAliases),
        # named groupings of Identity Aliases, defined via IdentityAlias objects
        ("identity_sets", svc.SnapshotIdentitySets),
        # the strongDM network: relays, gateways and proxy clusters
        ("nodes", svc.SnapshotNodes),
        # statements enforcing fine-grained access control
        ("policies", svc.SnapshotPolicies),
        # authentication keys shared by a cluster's proxies; several allowed for rotation
        ("proxy_cluster_keys", svc.SnapshotProxyClusterKeys),
        # assign a resource directly to an account (permission to connect)
        ("remote_identities", svc.SnapshotRemoteIdentities),
        # named groupings of Remote Identities, defined via RemoteIdentity objects
        ("remote_identity_groups", svc.SnapshotRemoteIdentityGroups),
        # read-only: resources an account may request
        ("requestable_account_entitlements", svc.SnapshotRequestableAccountEntitlements),
        # read-only: accounts allowed to request a given resource
        ("requestable_resource_entitlements", svc.SnapshotRequestableResourceEntitlements),
        # read-only: resources a role lets its members request
        ("requestable_role_entitlements", svc.SnapshotRequestableRoleEntitlements),
        # databases, servers, clusters, websites or clouds strongDM delegates access to
        ("resources", svc.SnapshotResources),
        # read-only: resources each role can reach
        ("role_resources", svc.SnapshotRoleResources),
        # servers holding resource secrets (passwords, keys)
        ("secret_stores", svc.SnapshotSecretStores),
        # an account or role able to approve requests bound to a workflow
        ("workflow_approvers", svc.SnapshotWorkflowApprovers),
        # link a role to a workflow; users need one of the linked roles to request via it
        ("workflow_roles", svc.SnapshotWorkflowRoles),
        # rules defining requestable resources, requesters and the approval mechanism
        ("workflows", svc.SnapshotWorkflows),
    )
    for name, wrapper in services:
        setattr(self, name, wrapper(getattr(client, name)))
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
Accounts are principals that have access to strongDM. The account types are:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
A Discovery Connector is a configuration object for performing Resource Scans in remote systems such as AWS, GCP, Azure, and other systems.
GrantedAccountEntitlements enumerates the resources to which an account has been granted access. The GrantedAccountEntitlements service is read-only.
GrantedResourceEntitlements enumerates the accounts that have been granted access to a given resource. The GrantedResourceEntitlements service is read-only.
GrantedRoleEntitlements enumerates the resources to which a role grants access. The GrantedRoleEntitlements service is read-only.
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
IdentityAliases assign an alias to an account within an IdentitySet. The alias is used as the username when connecting to an identity-supported resource.
An IdentitySet is a named grouping of Identity Aliases for Accounts. An Account's relationship to an IdentitySet is defined via IdentityAlias objects.
Nodes make up the StrongDM network, and allow your users to connect securely to your resources. There are three types of nodes:
- Relay: creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
- Gateway: a relay that also listens for connections from StrongDM clients
- Proxy Cluster: a cluster of workers that together mediate access from clients to resources
Policies are the collection of one or more statements that enforce fine-grained access control for the users of an organization.
Proxy Cluster Keys are authentication keys for all proxies within a cluster. The proxies within a cluster share the same key. One cluster can have multiple keys in order to facilitate key rotation.
RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
RequestableAccountEntitlements enumerates the resources that an account is permitted to request access to. The RequestableAccountEntitlements service is read-only.
RequestableResourceEntitlements enumerates the accounts that are permitted to request access to a given resource. The RequestableResourceEntitlements service is read-only.
RequestableRoleEntitlements enumerates the resources that a role permits its members to request access to. The RequestableRoleEntitlements service is read-only.
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.
A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must belong to in order to request access to a resource via the workflow.