strongdm.client
1# Copyright 2020 StrongDM Inc 2# 3# Licensed under the Apache License, Version 2.0 (the "License"); 4# you may not use this file except in compliance with the License. 5# You may obtain a copy of the License at 6# 7# http://www.apache.org/licenses/LICENSE-2.0 8# 9# Unless required by applicable law or agreed to in writing, software 10# distributed under the License is distributed on an "AS IS" BASIS, 11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12# See the License for the specific language governing permissions and 13# limitations under the License. 14# 15 16# Code generated by protogen. DO NOT EDIT. 17 18import base64 19import copy 20import datetime 21import grpc 22import hashlib 23import hmac 24import random 25import time 26from . import errors 27from . import plumbing 28from . import svc 29 30# These defaults are taken from AWS. Customization of these values 31# is a future step in the API. 32DEFAULT_MAX_RETRIES = 3 33DEFAULT_BASE_RETRY_DELAY = 0.0030 # 30 ms 34DEFAULT_MAX_RETRY_DELAY = 300 # 300 seconds 35API_VERSION = '2024-03-28' 36USER_AGENT = 'strongdm-sdk-python/11.20.0' 37 38 39class Client: 40 '''Client interacts with the strongDM API.''' 41 def __init__(self, 42 api_access_key, 43 api_secret, 44 host='api.strongdm.com:443', 45 insecure=False, 46 retry_rate_limit_errors=True, 47 page_limit=50): 48 ''' 49 Create a new Client. 50 51 - api_access_key: the access key to authenticate with strongDM 52 - api_secret: the secret key to authenticate with strongDM 53 ''' 54 self.api_access_key = api_access_key.strip() 55 self.api_secret = base64.b64decode(api_secret.strip()) 56 self.max_retries = DEFAULT_MAX_RETRIES 57 self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY 58 self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY 59 self.expose_rate_limit_errors = (not retry_rate_limit_errors) 60 self.snapshot_datetime = None 61 self.page_limit = page_limit 62 63 try: 64 if insecure: 65 channel = grpc.insecure_channel(host) 66 else: 67 creds = grpc.ssl_channel_credentials() 68 channel = grpc.secure_channel(host, creds) 69 except Exception as e: 70 raise plumbing.convert_error_to_porcelain(e) from e 71 self.channel = channel 72 self.access_requests = svc.AccessRequests(channel, self) 73 ''' 74 AccessRequests are requests for access to a resource that may match a Workflow. 75 76 See `strongdm.svc.AccessRequests`. 77 ''' 78 self.access_request_events_history = svc.AccessRequestEventsHistory( 79 channel, self) 80 ''' 81 AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest. 82 83 See `strongdm.svc.AccessRequestEventsHistory`. 84 ''' 85 self.access_requests_history = svc.AccessRequestsHistory(channel, self) 86 ''' 87 AccessRequestsHistory provides records of all changes to the state of an AccessRequest. 88 89 See `strongdm.svc.AccessRequestsHistory`. 90 ''' 91 self.account_attachments = svc.AccountAttachments(channel, self) 92 ''' 93 AccountAttachments assign an account to a role. 94 95 See `strongdm.svc.AccountAttachments`. 96 ''' 97 self.account_attachments_history = svc.AccountAttachmentsHistory( 98 channel, self) 99 ''' 100 AccountAttachmentsHistory records all changes to the state of an AccountAttachment. 101 102 See `strongdm.svc.AccountAttachmentsHistory`. 103 ''' 104 self.account_grants = svc.AccountGrants(channel, self) 105 ''' 106 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 107 108 See `strongdm.svc.AccountGrants`. 109 ''' 110 self.account_grants_history = svc.AccountGrantsHistory(channel, self) 111 ''' 112 AccountGrantsHistory records all changes to the state of an AccountGrant. 113 114 See `strongdm.svc.AccountGrantsHistory`. 115 ''' 116 self.account_permissions = svc.AccountPermissions(channel, self) 117 ''' 118 AccountPermissions records the granular permissions accounts have, allowing them to execute 119 relevant commands via StrongDM's APIs. 120 121 See `strongdm.svc.AccountPermissions`. 122 ''' 123 self.account_resources = svc.AccountResources(channel, self) 124 ''' 125 AccountResources enumerates the resources to which accounts have access. 126 The AccountResources service is read-only. 127 128 See `strongdm.svc.AccountResources`. 129 ''' 130 self.account_resources_history = svc.AccountResourcesHistory( 131 channel, self) 132 ''' 133 AccountResourcesHistory records all changes to the state of a AccountResource. 134 135 See `strongdm.svc.AccountResourcesHistory`. 136 ''' 137 self.accounts = svc.Accounts(channel, self) 138 ''' 139 Accounts are users that have access to strongDM. There are two types of accounts: 140 1. **Users:** humans who are authenticated through username and password or SSO. 141 2. **Service Accounts:** machines that are authenticated using a service token. 142 3. **Tokens** are access keys with permissions that can be used for authentication. 143 144 See `strongdm.svc.Accounts`. 145 ''' 146 self.accounts_history = svc.AccountsHistory(channel, self) 147 ''' 148 AccountsHistory records all changes to the state of an Account. 149 150 See `strongdm.svc.AccountsHistory`. 151 ''' 152 self.activities = svc.Activities(channel, self) 153 ''' 154 An Activity is a record of an action taken against a strongDM deployment, e.g. 155 a user creation, resource deletion, sso configuration change, etc. The Activities 156 service is read-only. 157 158 See `strongdm.svc.Activities`. 159 ''' 160 self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 161 channel, self) 162 ''' 163 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 164 165 See `strongdm.svc.ApprovalWorkflowApprovers`. 166 ''' 167 self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory( 168 channel, self) 169 ''' 170 ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover. 171 172 See `strongdm.svc.ApprovalWorkflowApproversHistory`. 173 ''' 174 self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self) 175 ''' 176 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 177 178 See `strongdm.svc.ApprovalWorkflowSteps`. 179 ''' 180 self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory( 181 channel, self) 182 ''' 183 ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep. 184 185 See `strongdm.svc.ApprovalWorkflowStepsHistory`. 186 ''' 187 self.approval_workflows = svc.ApprovalWorkflows(channel, self) 188 ''' 189 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 190 approvers and be approved or denied. 191 192 See `strongdm.svc.ApprovalWorkflows`. 193 ''' 194 self.approval_workflows_history = svc.ApprovalWorkflowsHistory( 195 channel, self) 196 ''' 197 ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow. 198 199 See `strongdm.svc.ApprovalWorkflowsHistory`. 200 ''' 201 self.control_panel = svc.ControlPanel(channel, self) 202 ''' 203 ControlPanel contains all administrative controls. 204 205 See `strongdm.svc.ControlPanel`. 206 ''' 207 self.health_checks = svc.HealthChecks(channel, self) 208 ''' 209 HealthChecks lists the last healthcheck between each node and resource. 210 Note the unconventional capitalization here is to prevent having a collision with GRPC 211 212 See `strongdm.svc.HealthChecks`. 213 ''' 214 self.identity_aliases = svc.IdentityAliases(channel, self) 215 ''' 216 IdentityAliases assign an alias to an account within an IdentitySet. 217 The alias is used as the username when connecting to a identity supported resource. 218 219 See `strongdm.svc.IdentityAliases`. 220 ''' 221 self.identity_aliases_history = svc.IdentityAliasesHistory( 222 channel, self) 223 ''' 224 IdentityAliasesHistory records all changes to the state of a IdentityAlias. 225 226 See `strongdm.svc.IdentityAliasesHistory`. 227 ''' 228 self.identity_sets = svc.IdentitySets(channel, self) 229 ''' 230 A IdentitySet is a named grouping of Identity Aliases for Accounts. 231 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 232 233 See `strongdm.svc.IdentitySets`. 234 ''' 235 self.identity_sets_history = svc.IdentitySetsHistory(channel, self) 236 ''' 237 IdentitySetsHistory records all changes to the state of a IdentitySet. 238 239 See `strongdm.svc.IdentitySetsHistory`. 240 ''' 241 self.nodes = svc.Nodes(channel, self) 242 ''' 243 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 244 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 245 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 246 247 See `strongdm.svc.Nodes`. 248 ''' 249 self.nodes_history = svc.NodesHistory(channel, self) 250 ''' 251 NodesHistory records all changes to the state of a Node. 252 253 See `strongdm.svc.NodesHistory`. 254 ''' 255 self.organization_history = svc.OrganizationHistory(channel, self) 256 ''' 257 OrganizationHistory records all changes to the state of an Organization. 258 259 See `strongdm.svc.OrganizationHistory`. 260 ''' 261 self.peering_group_nodes = svc.PeeringGroupNodes(channel, self) 262 ''' 263 PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group. 264 265 See `strongdm.svc.PeeringGroupNodes`. 266 ''' 267 self.peering_group_peers = svc.PeeringGroupPeers(channel, self) 268 ''' 269 PeeringGroupPeers provides the building blocks necessary to link two peering groups. 270 271 See `strongdm.svc.PeeringGroupPeers`. 272 ''' 273 self.peering_group_resources = svc.PeeringGroupResources(channel, self) 274 ''' 275 PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group. 276 277 See `strongdm.svc.PeeringGroupResources`. 278 ''' 279 self.peering_groups = svc.PeeringGroups(channel, self) 280 ''' 281 PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing. 282 283 See `strongdm.svc.PeeringGroups`. 284 ''' 285 self.policies = svc.Policies(channel, self) 286 ''' 287 Policies are the collection of one or more statements that enforce fine-grained access 288 control for the users of an organization. 289 290 See `strongdm.svc.Policies`. 291 ''' 292 self.policies_history = svc.PoliciesHistory(channel, self) 293 ''' 294 PoliciesHistory records all changes to the state of a Policy. 295 296 See `strongdm.svc.PoliciesHistory`. 297 ''' 298 self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self) 299 ''' 300 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 301 The proxies within a cluster share the same key. One cluster can have 302 multiple keys in order to facilitate key rotation. 303 304 See `strongdm.svc.ProxyClusterKeys`. 305 ''' 306 self.queries = svc.Queries(channel, self) 307 ''' 308 A Query is a record of a single client request to a resource, such as a SQL query. 309 Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. 310 The Queries service is read-only. 311 312 See `strongdm.svc.Queries`. 313 ''' 314 self.remote_identities = svc.RemoteIdentities(channel, self) 315 ''' 316 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 317 318 See `strongdm.svc.RemoteIdentities`. 319 ''' 320 self.remote_identities_history = svc.RemoteIdentitiesHistory( 321 channel, self) 322 ''' 323 RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity. 324 325 See `strongdm.svc.RemoteIdentitiesHistory`. 326 ''' 327 self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self) 328 ''' 329 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 330 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 331 332 See `strongdm.svc.RemoteIdentityGroups`. 333 ''' 334 self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory( 335 channel, self) 336 ''' 337 RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup. 338 339 See `strongdm.svc.RemoteIdentityGroupsHistory`. 340 ''' 341 self.replays = svc.Replays(channel, self) 342 ''' 343 A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session 344 (otherwise referred to as a query). The Replays service is read-only. 345 346 See `strongdm.svc.Replays`. 347 ''' 348 self.resources = svc.Resources(channel, self) 349 ''' 350 Resources are databases, servers, clusters, websites, or clouds that strongDM 351 delegates access to. 352 353 See `strongdm.svc.Resources`. 354 ''' 355 self.resources_history = svc.ResourcesHistory(channel, self) 356 ''' 357 ResourcesHistory records all changes to the state of a Resource. 358 359 See `strongdm.svc.ResourcesHistory`. 360 ''' 361 self.role_resources = svc.RoleResources(channel, self) 362 ''' 363 RoleResources enumerates the resources to which roles have access. 364 The RoleResources service is read-only. 365 366 See `strongdm.svc.RoleResources`. 367 ''' 368 self.role_resources_history = svc.RoleResourcesHistory(channel, self) 369 ''' 370 RoleResourcesHistory records all changes to the state of a RoleResource. 371 372 See `strongdm.svc.RoleResourcesHistory`. 373 ''' 374 self.roles = svc.Roles(channel, self) 375 ''' 376 A Role has a list of access rules which determine which Resources the members 377 of the Role have access to. An Account can be a member of multiple Roles via 378 AccountAttachments. 379 380 See `strongdm.svc.Roles`. 381 ''' 382 self.roles_history = svc.RolesHistory(channel, self) 383 ''' 384 RolesHistory records all changes to the state of a Role. 385 386 See `strongdm.svc.RolesHistory`. 387 ''' 388 self.secret_stores = svc.SecretStores(channel, self) 389 ''' 390 SecretStores are servers where resource secrets (passwords, keys) are stored. 391 392 See `strongdm.svc.SecretStores`. 393 ''' 394 self.secret_store_healths = svc.SecretStoreHealths(channel, self) 395 ''' 396 SecretStoreHealths exposes health states for secret stores. 397 398 See `strongdm.svc.SecretStoreHealths`. 399 ''' 400 self.secret_stores_history = svc.SecretStoresHistory(channel, self) 401 ''' 402 SecretStoresHistory records all changes to the state of a SecretStore. 403 404 See `strongdm.svc.SecretStoresHistory`. 405 ''' 406 self.workflow_approvers = svc.WorkflowApprovers(channel, self) 407 ''' 408 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 409 410 See `strongdm.svc.WorkflowApprovers`. 411 ''' 412 self.workflow_approvers_history = svc.WorkflowApproversHistory( 413 channel, self) 414 ''' 415 WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover. 416 417 See `strongdm.svc.WorkflowApproversHistory`. 418 ''' 419 self.workflow_assignments = svc.WorkflowAssignments(channel, self) 420 ''' 421 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 422 access to via the workflow. 423 424 See `strongdm.svc.WorkflowAssignments`. 425 ''' 426 self.workflow_assignments_history = svc.WorkflowAssignmentsHistory( 427 channel, self) 428 ''' 429 WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment. 430 431 See `strongdm.svc.WorkflowAssignmentsHistory`. 432 ''' 433 self.workflow_roles = svc.WorkflowRoles(channel, self) 434 ''' 435 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 436 to request access to a resource via the workflow. 437 438 See `strongdm.svc.WorkflowRoles`. 439 ''' 440 self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self) 441 ''' 442 WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole 443 444 See `strongdm.svc.WorkflowRolesHistory`. 445 ''' 446 self.workflows = svc.Workflows(channel, self) 447 ''' 448 Workflows are the collection of rules that define the resources to which access can be requested, 449 the users that can request that access, and the mechanism for approving those requests which can either 450 be automatic approval or a set of users authorized to approve the requests. 451 452 See `strongdm.svc.Workflows`. 453 ''' 454 self.workflows_history = svc.WorkflowsHistory(channel, self) 455 ''' 456 WorkflowsHistory provides records of all changes to the state of a Workflow. 457 458 See `strongdm.svc.WorkflowsHistory`. 459 ''' 460 461 def close(self): 462 '''Closes this Client and releases all resources held by it. 463 464 Closing the Client will immediately terminate all RPCs active with the 465 Client and it is not valid to invoke new RPCs with the Client. 466 467 This method is idempotent. 468 ''' 469 self.channel.close() 470 471 def get_metadata(self, method_name, req): 472 return [ 473 ('x-sdm-authentication', self.api_access_key), 474 ('x-sdm-signature', self.sign(method_name, 475 req.SerializeToString())), 476 ('x-sdm-api-version', API_VERSION), 477 ('x-sdm-user-agent', USER_AGENT), 478 ] 479 480 def sign(self, method_name, request_bytes): 481 def hmac_digest(key, msg_byte_string): 482 return hmac.new(key, msg=msg_byte_string, 483 digestmod=hashlib.sha256).digest() 484 485 current_utc_date = datetime.datetime.now( 486 datetime.timezone.utc).strftime('%Y-%m-%d') 487 signing_key = hmac_digest(self.api_secret, current_utc_date.encode()) 488 signing_key = hmac_digest(signing_key, b'sdm_api_v1') 489 490 hash = hashlib.sha256() 491 492 hash.update(method_name.encode()) 493 hash.update(b'\n') 494 hash.update(request_bytes) 495 496 return base64.b64encode(hmac_digest(signing_key, hash.digest())) 497 498 def jitterSleep(self, iter): 499 dur_max = self.base_retry_delay * 2**iter 500 if (dur_max > self.max_retry_delay): 501 dur_max = self.max_retry_delay 502 # get a value between 0 and max 503 dur = random.random() * dur_max 504 time.sleep(dur) 505 506 def shouldRetry(self, iter, err): 507 if (iter >= self.max_retries - 1): 508 return False 509 if not isinstance(err, grpc.RpcError): 510 return True 511 porcelain_err = plumbing.convert_error_to_porcelain(err) 512 if (not self.expose_rate_limit_errors) and isinstance( 513 porcelain_err, errors.RateLimitError): 514 wait_until = porcelain_err.rate_limit.reset_at 515 now = datetime.datetime.now(datetime.timezone.utc) 516 sleep_for = (wait_until - now).total_seconds() 517 # If timezones or clock drift causes this calculation to fail, 518 # wait at most one minute. 519 if sleep_for < 0 or sleep_for > 60: 520 sleep_for = 60 521 time.sleep(sleep_for) 522 return True 523 return err.code() == grpc.StatusCode.INTERNAL or err.code( 524 ) == grpc.StatusCode.UNAVAILABLE 525 526 def snapshot_at(self, snapshot_datetime): 527 ''' 528 Constructs a read-only client that will provide historical data from the provided timestamp. 529 530 See `SnapshotClient`. 531 ''' 532 client = copy.copy(self) 533 client.snapshot_datetime = snapshot_datetime 534 client.access_requests = svc.AccessRequests(client.channel, client) 535 client.account_attachments = svc.AccountAttachments( 536 client.channel, client) 537 client.account_grants = svc.AccountGrants(client.channel, client) 538 client.account_permissions = svc.AccountPermissions( 539 client.channel, client) 540 client.account_resources = svc.AccountResources(client.channel, client) 541 client.accounts = svc.Accounts(client.channel, client) 542 client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 543 client.channel, client) 544 client.approval_workflow_steps = svc.ApprovalWorkflowSteps( 545 client.channel, client) 546 client.approval_workflows = svc.ApprovalWorkflows( 547 client.channel, client) 548 client.identity_aliases = svc.IdentityAliases(client.channel, client) 549 client.identity_sets = svc.IdentitySets(client.channel, client) 550 client.nodes = svc.Nodes(client.channel, client) 551 client.policies = svc.Policies(client.channel, client) 552 client.proxy_cluster_keys = svc.ProxyClusterKeys( 553 client.channel, client) 554 client.remote_identities = svc.RemoteIdentities(client.channel, client) 555 client.remote_identity_groups = svc.RemoteIdentityGroups( 556 client.channel, client) 557 client.resources = svc.Resources(client.channel, client) 558 client.role_resources = svc.RoleResources(client.channel, client) 559 client.roles = svc.Roles(client.channel, client) 560 client.secret_stores = svc.SecretStores(client.channel, client) 561 client.workflow_approvers = svc.WorkflowApprovers( 562 client.channel, client) 563 client.workflow_assignments = svc.WorkflowAssignments( 564 client.channel, client) 565 client.workflow_roles = svc.WorkflowRoles(client.channel, client) 566 client.workflows = svc.Workflows(client.channel, client) 567 return SnapshotClient(client) 568 569 570class SnapshotClient: 571 '''SnapshotClient exposes methods to query historical records at a provided timestamp.''' 572 def __init__(self, client): 573 self.access_requests = svc.SnapshotAccessRequests( 574 client.access_requests) 575 ''' 576 AccessRequests are requests for access to a resource that may match a Workflow. 577 578 See `strongdm.svc.SnapshotAccessRequests`. 579 ''' 580 self.account_attachments = svc.SnapshotAccountAttachments( 581 client.account_attachments) 582 ''' 583 AccountAttachments assign an account to a role. 584 585 See `strongdm.svc.SnapshotAccountAttachments`. 586 ''' 587 self.account_grants = svc.SnapshotAccountGrants(client.account_grants) 588 ''' 589 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 590 591 See `strongdm.svc.SnapshotAccountGrants`. 592 ''' 593 self.account_permissions = svc.SnapshotAccountPermissions( 594 client.account_permissions) 595 ''' 596 AccountPermissions records the granular permissions accounts have, allowing them to execute 597 relevant commands via StrongDM's APIs. 598 599 See `strongdm.svc.SnapshotAccountPermissions`. 600 ''' 601 self.account_resources = svc.SnapshotAccountResources( 602 client.account_resources) 603 ''' 604 AccountResources enumerates the resources to which accounts have access. 605 The AccountResources service is read-only. 606 607 See `strongdm.svc.SnapshotAccountResources`. 608 ''' 609 self.accounts = svc.SnapshotAccounts(client.accounts) 610 ''' 611 Accounts are users that have access to strongDM. There are two types of accounts: 612 1. **Users:** humans who are authenticated through username and password or SSO. 613 2. **Service Accounts:** machines that are authenticated using a service token. 614 3. **Tokens** are access keys with permissions that can be used for authentication. 615 616 See `strongdm.svc.SnapshotAccounts`. 617 ''' 618 self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers( 619 client.approval_workflow_approvers) 620 ''' 621 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 622 623 See `strongdm.svc.SnapshotApprovalWorkflowApprovers`. 624 ''' 625 self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps( 626 client.approval_workflow_steps) 627 ''' 628 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 629 630 See `strongdm.svc.SnapshotApprovalWorkflowSteps`. 631 ''' 632 self.approval_workflows = svc.SnapshotApprovalWorkflows( 633 client.approval_workflows) 634 ''' 635 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 636 approvers and be approved or denied. 637 638 See `strongdm.svc.SnapshotApprovalWorkflows`. 639 ''' 640 self.identity_aliases = svc.SnapshotIdentityAliases( 641 client.identity_aliases) 642 ''' 643 IdentityAliases assign an alias to an account within an IdentitySet. 644 The alias is used as the username when connecting to a identity supported resource. 645 646 See `strongdm.svc.SnapshotIdentityAliases`. 647 ''' 648 self.identity_sets = svc.SnapshotIdentitySets(client.identity_sets) 649 ''' 650 A IdentitySet is a named grouping of Identity Aliases for Accounts. 651 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 652 653 See `strongdm.svc.SnapshotIdentitySets`. 654 ''' 655 self.nodes = svc.SnapshotNodes(client.nodes) 656 ''' 657 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 658 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 659 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 660 661 See `strongdm.svc.SnapshotNodes`. 662 ''' 663 self.policies = svc.SnapshotPolicies(client.policies) 664 ''' 665 Policies are the collection of one or more statements that enforce fine-grained access 666 control for the users of an organization. 667 668 See `strongdm.svc.SnapshotPolicies`. 669 ''' 670 self.proxy_cluster_keys = svc.SnapshotProxyClusterKeys( 671 client.proxy_cluster_keys) 672 ''' 673 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 674 The proxies within a cluster share the same key. One cluster can have 675 multiple keys in order to facilitate key rotation. 676 677 See `strongdm.svc.SnapshotProxyClusterKeys`. 678 ''' 679 self.remote_identities = svc.SnapshotRemoteIdentities( 680 client.remote_identities) 681 ''' 682 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 683 684 See `strongdm.svc.SnapshotRemoteIdentities`. 685 ''' 686 self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups( 687 client.remote_identity_groups) 688 ''' 689 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 690 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 691 692 See `strongdm.svc.SnapshotRemoteIdentityGroups`. 693 ''' 694 self.resources = svc.SnapshotResources(client.resources) 695 ''' 696 Resources are databases, servers, clusters, websites, or clouds that strongDM 697 delegates access to. 698 699 See `strongdm.svc.SnapshotResources`. 700 ''' 701 self.role_resources = svc.SnapshotRoleResources(client.role_resources) 702 ''' 703 RoleResources enumerates the resources to which roles have access. 704 The RoleResources service is read-only. 705 706 See `strongdm.svc.SnapshotRoleResources`. 707 ''' 708 self.roles = svc.SnapshotRoles(client.roles) 709 ''' 710 A Role has a list of access rules which determine which Resources the members 711 of the Role have access to. An Account can be a member of multiple Roles via 712 AccountAttachments. 713 714 See `strongdm.svc.SnapshotRoles`. 715 ''' 716 self.secret_stores = svc.SnapshotSecretStores(client.secret_stores) 717 ''' 718 SecretStores are servers where resource secrets (passwords, keys) are stored. 719 720 See `strongdm.svc.SnapshotSecretStores`. 721 ''' 722 self.workflow_approvers = svc.SnapshotWorkflowApprovers( 723 client.workflow_approvers) 724 ''' 725 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 726 727 See `strongdm.svc.SnapshotWorkflowApprovers`. 728 ''' 729 self.workflow_assignments = svc.SnapshotWorkflowAssignments( 730 client.workflow_assignments) 731 ''' 732 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 733 access to via the workflow. 734 735 See `strongdm.svc.SnapshotWorkflowAssignments`. 736 ''' 737 self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles) 738 ''' 739 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 740 to request access to a resource via the workflow. 741 742 See `strongdm.svc.SnapshotWorkflowRoles`. 743 ''' 744 self.workflows = svc.SnapshotWorkflows(client.workflows) 745 ''' 746 Workflows are the collection of rules that define the resources to which access can be requested, 747 the users that can request that access, and the mechanism for approving those requests which can either 748 be automatic approval or a set of users authorized to approve the requests. 749 750 See `strongdm.svc.SnapshotWorkflows`. 751 '''
class
Client:
40class Client: 41 '''Client interacts with the strongDM API.''' 42 def __init__(self, 43 api_access_key, 44 api_secret, 45 host='api.strongdm.com:443', 46 insecure=False, 47 retry_rate_limit_errors=True, 48 page_limit=50): 49 ''' 50 Create a new Client. 51 52 - api_access_key: the access key to authenticate with strongDM 53 - api_secret: the secret key to authenticate with strongDM 54 ''' 55 self.api_access_key = api_access_key.strip() 56 self.api_secret = base64.b64decode(api_secret.strip()) 57 self.max_retries = DEFAULT_MAX_RETRIES 58 self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY 59 self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY 60 self.expose_rate_limit_errors = (not retry_rate_limit_errors) 61 self.snapshot_datetime = None 62 self.page_limit = page_limit 63 64 try: 65 if insecure: 66 channel = grpc.insecure_channel(host) 67 else: 68 creds = grpc.ssl_channel_credentials() 69 channel = grpc.secure_channel(host, creds) 70 except Exception as e: 71 raise plumbing.convert_error_to_porcelain(e) from e 72 self.channel = channel 73 self.access_requests = svc.AccessRequests(channel, self) 74 ''' 75 AccessRequests are requests for access to a resource that may match a Workflow. 76 77 See `strongdm.svc.AccessRequests`. 78 ''' 79 self.access_request_events_history = svc.AccessRequestEventsHistory( 80 channel, self) 81 ''' 82 AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest. 83 84 See `strongdm.svc.AccessRequestEventsHistory`. 85 ''' 86 self.access_requests_history = svc.AccessRequestsHistory(channel, self) 87 ''' 88 AccessRequestsHistory provides records of all changes to the state of an AccessRequest. 89 90 See `strongdm.svc.AccessRequestsHistory`. 91 ''' 92 self.account_attachments = svc.AccountAttachments(channel, self) 93 ''' 94 AccountAttachments assign an account to a role. 95 96 See `strongdm.svc.AccountAttachments`. 97 ''' 98 self.account_attachments_history = svc.AccountAttachmentsHistory( 99 channel, self) 100 ''' 101 AccountAttachmentsHistory records all changes to the state of an AccountAttachment. 102 103 See `strongdm.svc.AccountAttachmentsHistory`. 104 ''' 105 self.account_grants = svc.AccountGrants(channel, self) 106 ''' 107 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 108 109 See `strongdm.svc.AccountGrants`. 110 ''' 111 self.account_grants_history = svc.AccountGrantsHistory(channel, self) 112 ''' 113 AccountGrantsHistory records all changes to the state of an AccountGrant. 114 115 See `strongdm.svc.AccountGrantsHistory`. 116 ''' 117 self.account_permissions = svc.AccountPermissions(channel, self) 118 ''' 119 AccountPermissions records the granular permissions accounts have, allowing them to execute 120 relevant commands via StrongDM's APIs. 121 122 See `strongdm.svc.AccountPermissions`. 123 ''' 124 self.account_resources = svc.AccountResources(channel, self) 125 ''' 126 AccountResources enumerates the resources to which accounts have access. 127 The AccountResources service is read-only. 128 129 See `strongdm.svc.AccountResources`. 130 ''' 131 self.account_resources_history = svc.AccountResourcesHistory( 132 channel, self) 133 ''' 134 AccountResourcesHistory records all changes to the state of a AccountResource. 135 136 See `strongdm.svc.AccountResourcesHistory`. 137 ''' 138 self.accounts = svc.Accounts(channel, self) 139 ''' 140 Accounts are users that have access to strongDM. There are two types of accounts: 141 1. **Users:** humans who are authenticated through username and password or SSO. 142 2. **Service Accounts:** machines that are authenticated using a service token. 143 3. **Tokens** are access keys with permissions that can be used for authentication. 144 145 See `strongdm.svc.Accounts`. 146 ''' 147 self.accounts_history = svc.AccountsHistory(channel, self) 148 ''' 149 AccountsHistory records all changes to the state of an Account. 150 151 See `strongdm.svc.AccountsHistory`. 152 ''' 153 self.activities = svc.Activities(channel, self) 154 ''' 155 An Activity is a record of an action taken against a strongDM deployment, e.g. 156 a user creation, resource deletion, sso configuration change, etc. The Activities 157 service is read-only. 158 159 See `strongdm.svc.Activities`. 160 ''' 161 self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 162 channel, self) 163 ''' 164 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 165 166 See `strongdm.svc.ApprovalWorkflowApprovers`. 167 ''' 168 self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory( 169 channel, self) 170 ''' 171 ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover. 172 173 See `strongdm.svc.ApprovalWorkflowApproversHistory`. 174 ''' 175 self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self) 176 ''' 177 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 178 179 See `strongdm.svc.ApprovalWorkflowSteps`. 180 ''' 181 self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory( 182 channel, self) 183 ''' 184 ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep. 185 186 See `strongdm.svc.ApprovalWorkflowStepsHistory`. 187 ''' 188 self.approval_workflows = svc.ApprovalWorkflows(channel, self) 189 ''' 190 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 191 approvers and be approved or denied. 192 193 See `strongdm.svc.ApprovalWorkflows`. 194 ''' 195 self.approval_workflows_history = svc.ApprovalWorkflowsHistory( 196 channel, self) 197 ''' 198 ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow. 199 200 See `strongdm.svc.ApprovalWorkflowsHistory`. 201 ''' 202 self.control_panel = svc.ControlPanel(channel, self) 203 ''' 204 ControlPanel contains all administrative controls. 205 206 See `strongdm.svc.ControlPanel`. 207 ''' 208 self.health_checks = svc.HealthChecks(channel, self) 209 ''' 210 HealthChecks lists the last healthcheck between each node and resource. 211 Note the unconventional capitalization here is to prevent having a collision with GRPC 212 213 See `strongdm.svc.HealthChecks`. 214 ''' 215 self.identity_aliases = svc.IdentityAliases(channel, self) 216 ''' 217 IdentityAliases assign an alias to an account within an IdentitySet. 218 The alias is used as the username when connecting to a identity supported resource. 219 220 See `strongdm.svc.IdentityAliases`. 221 ''' 222 self.identity_aliases_history = svc.IdentityAliasesHistory( 223 channel, self) 224 ''' 225 IdentityAliasesHistory records all changes to the state of a IdentityAlias. 226 227 See `strongdm.svc.IdentityAliasesHistory`. 228 ''' 229 self.identity_sets = svc.IdentitySets(channel, self) 230 ''' 231 A IdentitySet is a named grouping of Identity Aliases for Accounts. 232 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 233 234 See `strongdm.svc.IdentitySets`. 235 ''' 236 self.identity_sets_history = svc.IdentitySetsHistory(channel, self) 237 ''' 238 IdentitySetsHistory records all changes to the state of a IdentitySet. 239 240 See `strongdm.svc.IdentitySetsHistory`. 241 ''' 242 self.nodes = svc.Nodes(channel, self) 243 ''' 244 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 245 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 246 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 247 248 See `strongdm.svc.Nodes`. 249 ''' 250 self.nodes_history = svc.NodesHistory(channel, self) 251 ''' 252 NodesHistory records all changes to the state of a Node. 253 254 See `strongdm.svc.NodesHistory`. 255 ''' 256 self.organization_history = svc.OrganizationHistory(channel, self) 257 ''' 258 OrganizationHistory records all changes to the state of an Organization. 259 260 See `strongdm.svc.OrganizationHistory`. 261 ''' 262 self.peering_group_nodes = svc.PeeringGroupNodes(channel, self) 263 ''' 264 PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group. 265 266 See `strongdm.svc.PeeringGroupNodes`. 267 ''' 268 self.peering_group_peers = svc.PeeringGroupPeers(channel, self) 269 ''' 270 PeeringGroupPeers provides the building blocks necessary to link two peering groups. 271 272 See `strongdm.svc.PeeringGroupPeers`. 273 ''' 274 self.peering_group_resources = svc.PeeringGroupResources(channel, self) 275 ''' 276 PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group. 277 278 See `strongdm.svc.PeeringGroupResources`. 279 ''' 280 self.peering_groups = svc.PeeringGroups(channel, self) 281 ''' 282 PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing. 283 284 See `strongdm.svc.PeeringGroups`. 285 ''' 286 self.policies = svc.Policies(channel, self) 287 ''' 288 Policies are the collection of one or more statements that enforce fine-grained access 289 control for the users of an organization. 290 291 See `strongdm.svc.Policies`. 292 ''' 293 self.policies_history = svc.PoliciesHistory(channel, self) 294 ''' 295 PoliciesHistory records all changes to the state of a Policy. 296 297 See `strongdm.svc.PoliciesHistory`. 298 ''' 299 self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self) 300 ''' 301 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 302 The proxies within a cluster share the same key. One cluster can have 303 multiple keys in order to facilitate key rotation. 304 305 See `strongdm.svc.ProxyClusterKeys`. 306 ''' 307 self.queries = svc.Queries(channel, self) 308 ''' 309 A Query is a record of a single client request to a resource, such as a SQL query. 310 Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. 311 The Queries service is read-only. 312 313 See `strongdm.svc.Queries`. 314 ''' 315 self.remote_identities = svc.RemoteIdentities(channel, self) 316 ''' 317 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 318 319 See `strongdm.svc.RemoteIdentities`. 320 ''' 321 self.remote_identities_history = svc.RemoteIdentitiesHistory( 322 channel, self) 323 ''' 324 RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity. 325 326 See `strongdm.svc.RemoteIdentitiesHistory`. 327 ''' 328 self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self) 329 ''' 330 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 331 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 332 333 See `strongdm.svc.RemoteIdentityGroups`. 334 ''' 335 self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory( 336 channel, self) 337 ''' 338 RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup. 339 340 See `strongdm.svc.RemoteIdentityGroupsHistory`. 341 ''' 342 self.replays = svc.Replays(channel, self) 343 ''' 344 A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session 345 (otherwise referred to as a query). The Replays service is read-only. 346 347 See `strongdm.svc.Replays`. 348 ''' 349 self.resources = svc.Resources(channel, self) 350 ''' 351 Resources are databases, servers, clusters, websites, or clouds that strongDM 352 delegates access to. 353 354 See `strongdm.svc.Resources`. 355 ''' 356 self.resources_history = svc.ResourcesHistory(channel, self) 357 ''' 358 ResourcesHistory records all changes to the state of a Resource. 359 360 See `strongdm.svc.ResourcesHistory`. 361 ''' 362 self.role_resources = svc.RoleResources(channel, self) 363 ''' 364 RoleResources enumerates the resources to which roles have access. 365 The RoleResources service is read-only. 366 367 See `strongdm.svc.RoleResources`. 368 ''' 369 self.role_resources_history = svc.RoleResourcesHistory(channel, self) 370 ''' 371 RoleResourcesHistory records all changes to the state of a RoleResource. 372 373 See `strongdm.svc.RoleResourcesHistory`. 374 ''' 375 self.roles = svc.Roles(channel, self) 376 ''' 377 A Role has a list of access rules which determine which Resources the members 378 of the Role have access to. An Account can be a member of multiple Roles via 379 AccountAttachments. 380 381 See `strongdm.svc.Roles`. 382 ''' 383 self.roles_history = svc.RolesHistory(channel, self) 384 ''' 385 RolesHistory records all changes to the state of a Role. 386 387 See `strongdm.svc.RolesHistory`. 388 ''' 389 self.secret_stores = svc.SecretStores(channel, self) 390 ''' 391 SecretStores are servers where resource secrets (passwords, keys) are stored. 392 393 See `strongdm.svc.SecretStores`. 394 ''' 395 self.secret_store_healths = svc.SecretStoreHealths(channel, self) 396 ''' 397 SecretStoreHealths exposes health states for secret stores. 398 399 See `strongdm.svc.SecretStoreHealths`. 400 ''' 401 self.secret_stores_history = svc.SecretStoresHistory(channel, self) 402 ''' 403 SecretStoresHistory records all changes to the state of a SecretStore. 404 405 See `strongdm.svc.SecretStoresHistory`. 406 ''' 407 self.workflow_approvers = svc.WorkflowApprovers(channel, self) 408 ''' 409 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 410 411 See `strongdm.svc.WorkflowApprovers`. 412 ''' 413 self.workflow_approvers_history = svc.WorkflowApproversHistory( 414 channel, self) 415 ''' 416 WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover. 417 418 See `strongdm.svc.WorkflowApproversHistory`. 419 ''' 420 self.workflow_assignments = svc.WorkflowAssignments(channel, self) 421 ''' 422 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 423 access to via the workflow. 424 425 See `strongdm.svc.WorkflowAssignments`. 426 ''' 427 self.workflow_assignments_history = svc.WorkflowAssignmentsHistory( 428 channel, self) 429 ''' 430 WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment. 431 432 See `strongdm.svc.WorkflowAssignmentsHistory`. 433 ''' 434 self.workflow_roles = svc.WorkflowRoles(channel, self) 435 ''' 436 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 437 to request access to a resource via the workflow. 438 439 See `strongdm.svc.WorkflowRoles`. 440 ''' 441 self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self) 442 ''' 443 WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole 444 445 See `strongdm.svc.WorkflowRolesHistory`. 446 ''' 447 self.workflows = svc.Workflows(channel, self) 448 ''' 449 Workflows are the collection of rules that define the resources to which access can be requested, 450 the users that can request that access, and the mechanism for approving those requests which can either 451 be automatic approval or a set of users authorized to approve the requests. 452 453 See `strongdm.svc.Workflows`. 454 ''' 455 self.workflows_history = svc.WorkflowsHistory(channel, self) 456 ''' 457 WorkflowsHistory provides records of all changes to the state of a Workflow. 458 459 See `strongdm.svc.WorkflowsHistory`. 460 ''' 461 462 def close(self): 463 '''Closes this Client and releases all resources held by it. 464 465 Closing the Client will immediately terminate all RPCs active with the 466 Client and it is not valid to invoke new RPCs with the Client. 467 468 This method is idempotent. 469 ''' 470 self.channel.close() 471 472 def get_metadata(self, method_name, req): 473 return [ 474 ('x-sdm-authentication', self.api_access_key), 475 ('x-sdm-signature', self.sign(method_name, 476 req.SerializeToString())), 477 ('x-sdm-api-version', API_VERSION), 478 ('x-sdm-user-agent', USER_AGENT), 479 ] 480 481 def sign(self, method_name, request_bytes): 482 def hmac_digest(key, msg_byte_string): 483 return hmac.new(key, msg=msg_byte_string, 484 digestmod=hashlib.sha256).digest() 485 486 current_utc_date = datetime.datetime.now( 487 datetime.timezone.utc).strftime('%Y-%m-%d') 488 signing_key = hmac_digest(self.api_secret, current_utc_date.encode()) 489 signing_key = hmac_digest(signing_key, b'sdm_api_v1') 490 491 hash = hashlib.sha256() 492 493 hash.update(method_name.encode()) 494 hash.update(b'\n') 495 hash.update(request_bytes) 496 497 return base64.b64encode(hmac_digest(signing_key, hash.digest())) 498 499 def jitterSleep(self, iter): 500 dur_max = self.base_retry_delay * 2**iter 501 if (dur_max > self.max_retry_delay): 502 dur_max = self.max_retry_delay 503 # get a value between 0 and max 504 dur = random.random() * dur_max 505 time.sleep(dur) 506 507 def shouldRetry(self, iter, err): 508 if (iter >= self.max_retries - 1): 509 return False 510 if not isinstance(err, grpc.RpcError): 511 return True 512 porcelain_err = plumbing.convert_error_to_porcelain(err) 513 if (not self.expose_rate_limit_errors) and isinstance( 514 porcelain_err, errors.RateLimitError): 515 wait_until = porcelain_err.rate_limit.reset_at 516 now = datetime.datetime.now(datetime.timezone.utc) 517 sleep_for = (wait_until - now).total_seconds() 518 # If timezones or clock drift causes this calculation to fail, 519 # wait at most one minute. 520 if sleep_for < 0 or sleep_for > 60: 521 sleep_for = 60 522 time.sleep(sleep_for) 523 return True 524 return err.code() == grpc.StatusCode.INTERNAL or err.code( 525 ) == grpc.StatusCode.UNAVAILABLE 526 527 def snapshot_at(self, snapshot_datetime): 528 ''' 529 Constructs a read-only client that will provide historical data from the provided timestamp. 530 531 See `SnapshotClient`. 532 ''' 533 client = copy.copy(self) 534 client.snapshot_datetime = snapshot_datetime 535 client.access_requests = svc.AccessRequests(client.channel, client) 536 client.account_attachments = svc.AccountAttachments( 537 client.channel, client) 538 client.account_grants = svc.AccountGrants(client.channel, client) 539 client.account_permissions = svc.AccountPermissions( 540 client.channel, client) 541 client.account_resources = svc.AccountResources(client.channel, client) 542 client.accounts = svc.Accounts(client.channel, client) 543 client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 544 client.channel, client) 545 client.approval_workflow_steps = svc.ApprovalWorkflowSteps( 546 client.channel, client) 547 client.approval_workflows = svc.ApprovalWorkflows( 548 client.channel, client) 549 client.identity_aliases = svc.IdentityAliases(client.channel, client) 550 client.identity_sets = svc.IdentitySets(client.channel, client) 551 client.nodes = svc.Nodes(client.channel, client) 552 client.policies = svc.Policies(client.channel, client) 553 client.proxy_cluster_keys = svc.ProxyClusterKeys( 554 client.channel, client) 555 client.remote_identities = svc.RemoteIdentities(client.channel, client) 556 client.remote_identity_groups = svc.RemoteIdentityGroups( 557 client.channel, client) 558 client.resources = svc.Resources(client.channel, client) 559 client.role_resources = svc.RoleResources(client.channel, client) 560 client.roles = svc.Roles(client.channel, client) 561 client.secret_stores = svc.SecretStores(client.channel, client) 562 client.workflow_approvers = svc.WorkflowApprovers( 563 client.channel, client) 564 client.workflow_assignments = svc.WorkflowAssignments( 565 client.channel, client) 566 client.workflow_roles = svc.WorkflowRoles(client.channel, client) 567 client.workflows = svc.Workflows(client.channel, client) 568 return SnapshotClient(client)
Client interacts with the strongDM API.
Client( api_access_key, api_secret, host='api.strongdm.com:443', insecure=False, retry_rate_limit_errors=True, page_limit=50)
42 def __init__(self, 43 api_access_key, 44 api_secret, 45 host='api.strongdm.com:443', 46 insecure=False, 47 retry_rate_limit_errors=True, 48 page_limit=50): 49 ''' 50 Create a new Client. 51 52 - api_access_key: the access key to authenticate with strongDM 53 - api_secret: the secret key to authenticate with strongDM 54 ''' 55 self.api_access_key = api_access_key.strip() 56 self.api_secret = base64.b64decode(api_secret.strip()) 57 self.max_retries = DEFAULT_MAX_RETRIES 58 self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY 59 self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY 60 self.expose_rate_limit_errors = (not retry_rate_limit_errors) 61 self.snapshot_datetime = None 62 self.page_limit = page_limit 63 64 try: 65 if insecure: 66 channel = grpc.insecure_channel(host) 67 else: 68 creds = grpc.ssl_channel_credentials() 69 channel = grpc.secure_channel(host, creds) 70 except Exception as e: 71 raise plumbing.convert_error_to_porcelain(e) from e 72 self.channel = channel 73 self.access_requests = svc.AccessRequests(channel, self) 74 ''' 75 AccessRequests are requests for access to a resource that may match a Workflow. 76 77 See `strongdm.svc.AccessRequests`. 78 ''' 79 self.access_request_events_history = svc.AccessRequestEventsHistory( 80 channel, self) 81 ''' 82 AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest. 83 84 See `strongdm.svc.AccessRequestEventsHistory`. 85 ''' 86 self.access_requests_history = svc.AccessRequestsHistory(channel, self) 87 ''' 88 AccessRequestsHistory provides records of all changes to the state of an AccessRequest. 89 90 See `strongdm.svc.AccessRequestsHistory`. 91 ''' 92 self.account_attachments = svc.AccountAttachments(channel, self) 93 ''' 94 AccountAttachments assign an account to a role. 95 96 See `strongdm.svc.AccountAttachments`. 97 ''' 98 self.account_attachments_history = svc.AccountAttachmentsHistory( 99 channel, self) 100 ''' 101 AccountAttachmentsHistory records all changes to the state of an AccountAttachment. 102 103 See `strongdm.svc.AccountAttachmentsHistory`. 104 ''' 105 self.account_grants = svc.AccountGrants(channel, self) 106 ''' 107 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 108 109 See `strongdm.svc.AccountGrants`. 110 ''' 111 self.account_grants_history = svc.AccountGrantsHistory(channel, self) 112 ''' 113 AccountGrantsHistory records all changes to the state of an AccountGrant. 114 115 See `strongdm.svc.AccountGrantsHistory`. 116 ''' 117 self.account_permissions = svc.AccountPermissions(channel, self) 118 ''' 119 AccountPermissions records the granular permissions accounts have, allowing them to execute 120 relevant commands via StrongDM's APIs. 121 122 See `strongdm.svc.AccountPermissions`. 123 ''' 124 self.account_resources = svc.AccountResources(channel, self) 125 ''' 126 AccountResources enumerates the resources to which accounts have access. 127 The AccountResources service is read-only. 128 129 See `strongdm.svc.AccountResources`. 130 ''' 131 self.account_resources_history = svc.AccountResourcesHistory( 132 channel, self) 133 ''' 134 AccountResourcesHistory records all changes to the state of a AccountResource. 135 136 See `strongdm.svc.AccountResourcesHistory`. 137 ''' 138 self.accounts = svc.Accounts(channel, self) 139 ''' 140 Accounts are users that have access to strongDM. There are two types of accounts: 141 1. **Users:** humans who are authenticated through username and password or SSO. 142 2. **Service Accounts:** machines that are authenticated using a service token. 143 3. **Tokens** are access keys with permissions that can be used for authentication. 144 145 See `strongdm.svc.Accounts`. 146 ''' 147 self.accounts_history = svc.AccountsHistory(channel, self) 148 ''' 149 AccountsHistory records all changes to the state of an Account. 150 151 See `strongdm.svc.AccountsHistory`. 152 ''' 153 self.activities = svc.Activities(channel, self) 154 ''' 155 An Activity is a record of an action taken against a strongDM deployment, e.g. 156 a user creation, resource deletion, sso configuration change, etc. The Activities 157 service is read-only. 158 159 See `strongdm.svc.Activities`. 160 ''' 161 self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 162 channel, self) 163 ''' 164 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 165 166 See `strongdm.svc.ApprovalWorkflowApprovers`. 167 ''' 168 self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory( 169 channel, self) 170 ''' 171 ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover. 172 173 See `strongdm.svc.ApprovalWorkflowApproversHistory`. 174 ''' 175 self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self) 176 ''' 177 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 178 179 See `strongdm.svc.ApprovalWorkflowSteps`. 180 ''' 181 self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory( 182 channel, self) 183 ''' 184 ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep. 185 186 See `strongdm.svc.ApprovalWorkflowStepsHistory`. 187 ''' 188 self.approval_workflows = svc.ApprovalWorkflows(channel, self) 189 ''' 190 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 191 approvers and be approved or denied. 192 193 See `strongdm.svc.ApprovalWorkflows`. 194 ''' 195 self.approval_workflows_history = svc.ApprovalWorkflowsHistory( 196 channel, self) 197 ''' 198 ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow. 199 200 See `strongdm.svc.ApprovalWorkflowsHistory`. 201 ''' 202 self.control_panel = svc.ControlPanel(channel, self) 203 ''' 204 ControlPanel contains all administrative controls. 205 206 See `strongdm.svc.ControlPanel`. 207 ''' 208 self.health_checks = svc.HealthChecks(channel, self) 209 ''' 210 HealthChecks lists the last healthcheck between each node and resource. 211 Note the unconventional capitalization here is to prevent having a collision with GRPC 212 213 See `strongdm.svc.HealthChecks`. 214 ''' 215 self.identity_aliases = svc.IdentityAliases(channel, self) 216 ''' 217 IdentityAliases assign an alias to an account within an IdentitySet. 218 The alias is used as the username when connecting to a identity supported resource. 219 220 See `strongdm.svc.IdentityAliases`. 221 ''' 222 self.identity_aliases_history = svc.IdentityAliasesHistory( 223 channel, self) 224 ''' 225 IdentityAliasesHistory records all changes to the state of a IdentityAlias. 226 227 See `strongdm.svc.IdentityAliasesHistory`. 228 ''' 229 self.identity_sets = svc.IdentitySets(channel, self) 230 ''' 231 A IdentitySet is a named grouping of Identity Aliases for Accounts. 232 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 233 234 See `strongdm.svc.IdentitySets`. 235 ''' 236 self.identity_sets_history = svc.IdentitySetsHistory(channel, self) 237 ''' 238 IdentitySetsHistory records all changes to the state of a IdentitySet. 239 240 See `strongdm.svc.IdentitySetsHistory`. 241 ''' 242 self.nodes = svc.Nodes(channel, self) 243 ''' 244 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 245 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 246 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 247 248 See `strongdm.svc.Nodes`. 249 ''' 250 self.nodes_history = svc.NodesHistory(channel, self) 251 ''' 252 NodesHistory records all changes to the state of a Node. 253 254 See `strongdm.svc.NodesHistory`. 255 ''' 256 self.organization_history = svc.OrganizationHistory(channel, self) 257 ''' 258 OrganizationHistory records all changes to the state of an Organization. 259 260 See `strongdm.svc.OrganizationHistory`. 261 ''' 262 self.peering_group_nodes = svc.PeeringGroupNodes(channel, self) 263 ''' 264 PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group. 265 266 See `strongdm.svc.PeeringGroupNodes`. 267 ''' 268 self.peering_group_peers = svc.PeeringGroupPeers(channel, self) 269 ''' 270 PeeringGroupPeers provides the building blocks necessary to link two peering groups. 271 272 See `strongdm.svc.PeeringGroupPeers`. 273 ''' 274 self.peering_group_resources = svc.PeeringGroupResources(channel, self) 275 ''' 276 PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group. 277 278 See `strongdm.svc.PeeringGroupResources`. 279 ''' 280 self.peering_groups = svc.PeeringGroups(channel, self) 281 ''' 282 PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing. 283 284 See `strongdm.svc.PeeringGroups`. 285 ''' 286 self.policies = svc.Policies(channel, self) 287 ''' 288 Policies are the collection of one or more statements that enforce fine-grained access 289 control for the users of an organization. 290 291 See `strongdm.svc.Policies`. 292 ''' 293 self.policies_history = svc.PoliciesHistory(channel, self) 294 ''' 295 PoliciesHistory records all changes to the state of a Policy. 296 297 See `strongdm.svc.PoliciesHistory`. 298 ''' 299 self.proxy_cluster_keys = svc.ProxyClusterKeys(channel, self) 300 ''' 301 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 302 The proxies within a cluster share the same key. One cluster can have 303 multiple keys in order to facilitate key rotation. 304 305 See `strongdm.svc.ProxyClusterKeys`. 306 ''' 307 self.queries = svc.Queries(channel, self) 308 ''' 309 A Query is a record of a single client request to a resource, such as a SQL query. 310 Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. 311 The Queries service is read-only. 312 313 See `strongdm.svc.Queries`. 314 ''' 315 self.remote_identities = svc.RemoteIdentities(channel, self) 316 ''' 317 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 318 319 See `strongdm.svc.RemoteIdentities`. 320 ''' 321 self.remote_identities_history = svc.RemoteIdentitiesHistory( 322 channel, self) 323 ''' 324 RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity. 325 326 See `strongdm.svc.RemoteIdentitiesHistory`. 327 ''' 328 self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self) 329 ''' 330 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 331 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 332 333 See `strongdm.svc.RemoteIdentityGroups`. 334 ''' 335 self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory( 336 channel, self) 337 ''' 338 RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup. 339 340 See `strongdm.svc.RemoteIdentityGroupsHistory`. 341 ''' 342 self.replays = svc.Replays(channel, self) 343 ''' 344 A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session 345 (otherwise referred to as a query). The Replays service is read-only. 346 347 See `strongdm.svc.Replays`. 348 ''' 349 self.resources = svc.Resources(channel, self) 350 ''' 351 Resources are databases, servers, clusters, websites, or clouds that strongDM 352 delegates access to. 353 354 See `strongdm.svc.Resources`. 355 ''' 356 self.resources_history = svc.ResourcesHistory(channel, self) 357 ''' 358 ResourcesHistory records all changes to the state of a Resource. 359 360 See `strongdm.svc.ResourcesHistory`. 361 ''' 362 self.role_resources = svc.RoleResources(channel, self) 363 ''' 364 RoleResources enumerates the resources to which roles have access. 365 The RoleResources service is read-only. 366 367 See `strongdm.svc.RoleResources`. 368 ''' 369 self.role_resources_history = svc.RoleResourcesHistory(channel, self) 370 ''' 371 RoleResourcesHistory records all changes to the state of a RoleResource. 372 373 See `strongdm.svc.RoleResourcesHistory`. 374 ''' 375 self.roles = svc.Roles(channel, self) 376 ''' 377 A Role has a list of access rules which determine which Resources the members 378 of the Role have access to. An Account can be a member of multiple Roles via 379 AccountAttachments. 380 381 See `strongdm.svc.Roles`. 382 ''' 383 self.roles_history = svc.RolesHistory(channel, self) 384 ''' 385 RolesHistory records all changes to the state of a Role. 386 387 See `strongdm.svc.RolesHistory`. 388 ''' 389 self.secret_stores = svc.SecretStores(channel, self) 390 ''' 391 SecretStores are servers where resource secrets (passwords, keys) are stored. 392 393 See `strongdm.svc.SecretStores`. 394 ''' 395 self.secret_store_healths = svc.SecretStoreHealths(channel, self) 396 ''' 397 SecretStoreHealths exposes health states for secret stores. 398 399 See `strongdm.svc.SecretStoreHealths`. 400 ''' 401 self.secret_stores_history = svc.SecretStoresHistory(channel, self) 402 ''' 403 SecretStoresHistory records all changes to the state of a SecretStore. 404 405 See `strongdm.svc.SecretStoresHistory`. 406 ''' 407 self.workflow_approvers = svc.WorkflowApprovers(channel, self) 408 ''' 409 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 410 411 See `strongdm.svc.WorkflowApprovers`. 412 ''' 413 self.workflow_approvers_history = svc.WorkflowApproversHistory( 414 channel, self) 415 ''' 416 WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover. 417 418 See `strongdm.svc.WorkflowApproversHistory`. 419 ''' 420 self.workflow_assignments = svc.WorkflowAssignments(channel, self) 421 ''' 422 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 423 access to via the workflow. 424 425 See `strongdm.svc.WorkflowAssignments`. 426 ''' 427 self.workflow_assignments_history = svc.WorkflowAssignmentsHistory( 428 channel, self) 429 ''' 430 WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment. 431 432 See `strongdm.svc.WorkflowAssignmentsHistory`. 433 ''' 434 self.workflow_roles = svc.WorkflowRoles(channel, self) 435 ''' 436 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 437 to request access to a resource via the workflow. 438 439 See `strongdm.svc.WorkflowRoles`. 440 ''' 441 self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self) 442 ''' 443 WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole 444 445 See `strongdm.svc.WorkflowRolesHistory`. 446 ''' 447 self.workflows = svc.Workflows(channel, self) 448 ''' 449 Workflows are the collection of rules that define the resources to which access can be requested, 450 the users that can request that access, and the mechanism for approving those requests which can either 451 be automatic approval or a set of users authorized to approve the requests. 452 453 See `strongdm.svc.Workflows`. 454 ''' 455 self.workflows_history = svc.WorkflowsHistory(channel, self) 456 ''' 457 WorkflowsHistory provides records of all changes to the state of a Workflow. 458 459 See `strongdm.svc.WorkflowsHistory`. 460 '''
Create a new Client.
- api_access_key: the access key to authenticate with strongDM
- api_secret: the secret key to authenticate with strongDM
access_request_events_history
AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.
access_requests_history
AccessRequestsHistory provides records of all changes to the state of an AccessRequest.
account_attachments_history
AccountAttachmentsHistory records all changes to the state of an AccountAttachment.
account_grants
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
account_permissions
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
account_resources
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
account_resources_history
AccountResourcesHistory records all changes to the state of a AccountResource.
accounts
Accounts are users that have access to strongDM. There are two types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
activities
An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, sso configuration change, etc. The Activities service is read-only.
approval_workflow_approvers
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep
approval_workflow_approvers_history
ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.
approval_workflow_steps_history
ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.
approval_workflows
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
approval_workflows_history
ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.
health_checks
HealthChecks lists the last healthcheck between each node and resource. Note the unconventional capitalization here is to prevent having a collision with GRPC
identity_aliases
IdentityAliases assign an alias to an account within an IdentitySet. The alias is used as the username when connecting to a identity supported resource.
identity_aliases_history
IdentityAliasesHistory records all changes to the state of a IdentityAlias.
identity_sets
A IdentitySet is a named grouping of Identity Aliases for Accounts. An Account's relationship to a IdentitySet is defined via IdentityAlias objects.
nodes
Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
- Gateways are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
- Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
See strongdm.svc.Nodes.
peering_group_nodes
PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.
peering_group_peers
PeeringGroupPeers provides the building blocks necessary to link two peering groups.
peering_group_resources
PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.
peering_groups
PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.
policies
Policies are the collection of one or more statements that enforce fine-grained access control for the users of an organization.
proxy_cluster_keys
Proxy Cluster Keys are authentication keys for all proxies within a cluster. The proxies within a cluster share the same key. One cluster can have multiple keys in order to facilitate key rotation.
queries
A Query is a record of a single client request to a resource, such as a SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.
See strongdm.svc.Queries.
remote_identities
RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
remote_identities_history
RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.
remote_identity_groups
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
remote_identity_groups_history
RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.
replays
A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.
See strongdm.svc.Replays.
resources
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
role_resources
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
roles
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
See strongdm.svc.Roles.
workflow_approvers
WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.
workflow_approvers_history
WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.
workflow_assignments
WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request access to via the workflow.
workflow_assignments_history
WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.
workflow_roles
WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.
workflow_roles_history
WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole
workflows
Workflows are the collection of rules that define the resources to which access can be requested, the users that can request that access, and the mechanism for approving those requests which can either be automatic approval or a set of users authorized to approve the requests.
def
close(self)
462 def close(self): 463 '''Closes this Client and releases all resources held by it. 464 465 Closing the Client will immediately terminate all RPCs active with the 466 Client and it is not valid to invoke new RPCs with the Client. 467 468 This method is idempotent. 469 ''' 470 self.channel.close()
Closes this Client and releases all resources held by it.
Closing the Client will immediately terminate all RPCs active with the Client and it is not valid to invoke new RPCs with the Client.
This method is idempotent.
def
sign(self, method_name, request_bytes)
481 def sign(self, method_name, request_bytes): 482 def hmac_digest(key, msg_byte_string): 483 return hmac.new(key, msg=msg_byte_string, 484 digestmod=hashlib.sha256).digest() 485 486 current_utc_date = datetime.datetime.now( 487 datetime.timezone.utc).strftime('%Y-%m-%d') 488 signing_key = hmac_digest(self.api_secret, current_utc_date.encode()) 489 signing_key = hmac_digest(signing_key, b'sdm_api_v1') 490 491 hash = hashlib.sha256() 492 493 hash.update(method_name.encode()) 494 hash.update(b'\n') 495 hash.update(request_bytes) 496 497 return base64.b64encode(hmac_digest(signing_key, hash.digest()))
def
shouldRetry(self, iter, err)
507 def shouldRetry(self, iter, err): 508 if (iter >= self.max_retries - 1): 509 return False 510 if not isinstance(err, grpc.RpcError): 511 return True 512 porcelain_err = plumbing.convert_error_to_porcelain(err) 513 if (not self.expose_rate_limit_errors) and isinstance( 514 porcelain_err, errors.RateLimitError): 515 wait_until = porcelain_err.rate_limit.reset_at 516 now = datetime.datetime.now(datetime.timezone.utc) 517 sleep_for = (wait_until - now).total_seconds() 518 # If timezones or clock drift causes this calculation to fail, 519 # wait at most one minute. 520 if sleep_for < 0 or sleep_for > 60: 521 sleep_for = 60 522 time.sleep(sleep_for) 523 return True 524 return err.code() == grpc.StatusCode.INTERNAL or err.code( 525 ) == grpc.StatusCode.UNAVAILABLE
def
snapshot_at(self, snapshot_datetime)
527 def snapshot_at(self, snapshot_datetime): 528 ''' 529 Constructs a read-only client that will provide historical data from the provided timestamp. 530 531 See `SnapshotClient`. 532 ''' 533 client = copy.copy(self) 534 client.snapshot_datetime = snapshot_datetime 535 client.access_requests = svc.AccessRequests(client.channel, client) 536 client.account_attachments = svc.AccountAttachments( 537 client.channel, client) 538 client.account_grants = svc.AccountGrants(client.channel, client) 539 client.account_permissions = svc.AccountPermissions( 540 client.channel, client) 541 client.account_resources = svc.AccountResources(client.channel, client) 542 client.accounts = svc.Accounts(client.channel, client) 543 client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 544 client.channel, client) 545 client.approval_workflow_steps = svc.ApprovalWorkflowSteps( 546 client.channel, client) 547 client.approval_workflows = svc.ApprovalWorkflows( 548 client.channel, client) 549 client.identity_aliases = svc.IdentityAliases(client.channel, client) 550 client.identity_sets = svc.IdentitySets(client.channel, client) 551 client.nodes = svc.Nodes(client.channel, client) 552 client.policies = svc.Policies(client.channel, client) 553 client.proxy_cluster_keys = svc.ProxyClusterKeys( 554 client.channel, client) 555 client.remote_identities = svc.RemoteIdentities(client.channel, client) 556 client.remote_identity_groups = svc.RemoteIdentityGroups( 557 client.channel, client) 558 client.resources = svc.Resources(client.channel, client) 559 client.role_resources = svc.RoleResources(client.channel, client) 560 client.roles = svc.Roles(client.channel, client) 561 client.secret_stores = svc.SecretStores(client.channel, client) 562 client.workflow_approvers = svc.WorkflowApprovers( 563 client.channel, client) 564 client.workflow_assignments = svc.WorkflowAssignments( 565 client.channel, client) 566 client.workflow_roles = svc.WorkflowRoles(client.channel, client) 567 client.workflows = svc.Workflows(client.channel, client) 568 return SnapshotClient(client)
Constructs a read-only client that will provide historical data from the provided timestamp.
See SnapshotClient.
class
SnapshotClient:
571class SnapshotClient: 572 '''SnapshotClient exposes methods to query historical records at a provided timestamp.''' 573 def __init__(self, client): 574 self.access_requests = svc.SnapshotAccessRequests( 575 client.access_requests) 576 ''' 577 AccessRequests are requests for access to a resource that may match a Workflow. 578 579 See `strongdm.svc.SnapshotAccessRequests`. 580 ''' 581 self.account_attachments = svc.SnapshotAccountAttachments( 582 client.account_attachments) 583 ''' 584 AccountAttachments assign an account to a role. 585 586 See `strongdm.svc.SnapshotAccountAttachments`. 587 ''' 588 self.account_grants = svc.SnapshotAccountGrants(client.account_grants) 589 ''' 590 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 591 592 See `strongdm.svc.SnapshotAccountGrants`. 593 ''' 594 self.account_permissions = svc.SnapshotAccountPermissions( 595 client.account_permissions) 596 ''' 597 AccountPermissions records the granular permissions accounts have, allowing them to execute 598 relevant commands via StrongDM's APIs. 599 600 See `strongdm.svc.SnapshotAccountPermissions`. 601 ''' 602 self.account_resources = svc.SnapshotAccountResources( 603 client.account_resources) 604 ''' 605 AccountResources enumerates the resources to which accounts have access. 606 The AccountResources service is read-only. 607 608 See `strongdm.svc.SnapshotAccountResources`. 609 ''' 610 self.accounts = svc.SnapshotAccounts(client.accounts) 611 ''' 612 Accounts are users that have access to strongDM. There are two types of accounts: 613 1. **Users:** humans who are authenticated through username and password or SSO. 614 2. **Service Accounts:** machines that are authenticated using a service token. 615 3. **Tokens** are access keys with permissions that can be used for authentication. 616 617 See `strongdm.svc.SnapshotAccounts`. 618 ''' 619 self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers( 620 client.approval_workflow_approvers) 621 ''' 622 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 623 624 See `strongdm.svc.SnapshotApprovalWorkflowApprovers`. 625 ''' 626 self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps( 627 client.approval_workflow_steps) 628 ''' 629 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 630 631 See `strongdm.svc.SnapshotApprovalWorkflowSteps`. 632 ''' 633 self.approval_workflows = svc.SnapshotApprovalWorkflows( 634 client.approval_workflows) 635 ''' 636 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 637 approvers and be approved or denied. 638 639 See `strongdm.svc.SnapshotApprovalWorkflows`. 640 ''' 641 self.identity_aliases = svc.SnapshotIdentityAliases( 642 client.identity_aliases) 643 ''' 644 IdentityAliases assign an alias to an account within an IdentitySet. 645 The alias is used as the username when connecting to a identity supported resource. 646 647 See `strongdm.svc.SnapshotIdentityAliases`. 648 ''' 649 self.identity_sets = svc.SnapshotIdentitySets(client.identity_sets) 650 ''' 651 A IdentitySet is a named grouping of Identity Aliases for Accounts. 652 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 653 654 See `strongdm.svc.SnapshotIdentitySets`. 655 ''' 656 self.nodes = svc.SnapshotNodes(client.nodes) 657 ''' 658 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 659 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 660 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 661 662 See `strongdm.svc.SnapshotNodes`. 663 ''' 664 self.policies = svc.SnapshotPolicies(client.policies) 665 ''' 666 Policies are the collection of one or more statements that enforce fine-grained access 667 control for the users of an organization. 668 669 See `strongdm.svc.SnapshotPolicies`. 670 ''' 671 self.proxy_cluster_keys = svc.SnapshotProxyClusterKeys( 672 client.proxy_cluster_keys) 673 ''' 674 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 675 The proxies within a cluster share the same key. One cluster can have 676 multiple keys in order to facilitate key rotation. 677 678 See `strongdm.svc.SnapshotProxyClusterKeys`. 679 ''' 680 self.remote_identities = svc.SnapshotRemoteIdentities( 681 client.remote_identities) 682 ''' 683 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 684 685 See `strongdm.svc.SnapshotRemoteIdentities`. 686 ''' 687 self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups( 688 client.remote_identity_groups) 689 ''' 690 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 691 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 692 693 See `strongdm.svc.SnapshotRemoteIdentityGroups`. 694 ''' 695 self.resources = svc.SnapshotResources(client.resources) 696 ''' 697 Resources are databases, servers, clusters, websites, or clouds that strongDM 698 delegates access to. 699 700 See `strongdm.svc.SnapshotResources`. 701 ''' 702 self.role_resources = svc.SnapshotRoleResources(client.role_resources) 703 ''' 704 RoleResources enumerates the resources to which roles have access. 705 The RoleResources service is read-only. 706 707 See `strongdm.svc.SnapshotRoleResources`. 708 ''' 709 self.roles = svc.SnapshotRoles(client.roles) 710 ''' 711 A Role has a list of access rules which determine which Resources the members 712 of the Role have access to. An Account can be a member of multiple Roles via 713 AccountAttachments. 714 715 See `strongdm.svc.SnapshotRoles`. 716 ''' 717 self.secret_stores = svc.SnapshotSecretStores(client.secret_stores) 718 ''' 719 SecretStores are servers where resource secrets (passwords, keys) are stored. 720 721 See `strongdm.svc.SnapshotSecretStores`. 722 ''' 723 self.workflow_approvers = svc.SnapshotWorkflowApprovers( 724 client.workflow_approvers) 725 ''' 726 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 727 728 See `strongdm.svc.SnapshotWorkflowApprovers`. 729 ''' 730 self.workflow_assignments = svc.SnapshotWorkflowAssignments( 731 client.workflow_assignments) 732 ''' 733 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 734 access to via the workflow. 735 736 See `strongdm.svc.SnapshotWorkflowAssignments`. 737 ''' 738 self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles) 739 ''' 740 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 741 to request access to a resource via the workflow. 742 743 See `strongdm.svc.SnapshotWorkflowRoles`. 744 ''' 745 self.workflows = svc.SnapshotWorkflows(client.workflows) 746 ''' 747 Workflows are the collection of rules that define the resources to which access can be requested, 748 the users that can request that access, and the mechanism for approving those requests which can either 749 be automatic approval or a set of users authorized to approve the requests. 750 751 See `strongdm.svc.SnapshotWorkflows`. 752 '''
SnapshotClient exposes methods to query historical records at a provided timestamp.
SnapshotClient(client)
573 def __init__(self, client): 574 self.access_requests = svc.SnapshotAccessRequests( 575 client.access_requests) 576 ''' 577 AccessRequests are requests for access to a resource that may match a Workflow. 578 579 See `strongdm.svc.SnapshotAccessRequests`. 580 ''' 581 self.account_attachments = svc.SnapshotAccountAttachments( 582 client.account_attachments) 583 ''' 584 AccountAttachments assign an account to a role. 585 586 See `strongdm.svc.SnapshotAccountAttachments`. 587 ''' 588 self.account_grants = svc.SnapshotAccountGrants(client.account_grants) 589 ''' 590 AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource. 591 592 See `strongdm.svc.SnapshotAccountGrants`. 593 ''' 594 self.account_permissions = svc.SnapshotAccountPermissions( 595 client.account_permissions) 596 ''' 597 AccountPermissions records the granular permissions accounts have, allowing them to execute 598 relevant commands via StrongDM's APIs. 599 600 See `strongdm.svc.SnapshotAccountPermissions`. 601 ''' 602 self.account_resources = svc.SnapshotAccountResources( 603 client.account_resources) 604 ''' 605 AccountResources enumerates the resources to which accounts have access. 606 The AccountResources service is read-only. 607 608 See `strongdm.svc.SnapshotAccountResources`. 609 ''' 610 self.accounts = svc.SnapshotAccounts(client.accounts) 611 ''' 612 Accounts are users that have access to strongDM. There are two types of accounts: 613 1. **Users:** humans who are authenticated through username and password or SSO. 614 2. **Service Accounts:** machines that are authenticated using a service token. 615 3. **Tokens** are access keys with permissions that can be used for authentication. 616 617 See `strongdm.svc.SnapshotAccounts`. 618 ''' 619 self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers( 620 client.approval_workflow_approvers) 621 ''' 622 ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep 623 624 See `strongdm.svc.SnapshotApprovalWorkflowApprovers`. 625 ''' 626 self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps( 627 client.approval_workflow_steps) 628 ''' 629 ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow 630 631 See `strongdm.svc.SnapshotApprovalWorkflowSteps`. 632 ''' 633 self.approval_workflows = svc.SnapshotApprovalWorkflows( 634 client.approval_workflows) 635 ''' 636 ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized 637 approvers and be approved or denied. 638 639 See `strongdm.svc.SnapshotApprovalWorkflows`. 640 ''' 641 self.identity_aliases = svc.SnapshotIdentityAliases( 642 client.identity_aliases) 643 ''' 644 IdentityAliases assign an alias to an account within an IdentitySet. 645 The alias is used as the username when connecting to a identity supported resource. 646 647 See `strongdm.svc.SnapshotIdentityAliases`. 648 ''' 649 self.identity_sets = svc.SnapshotIdentitySets(client.identity_sets) 650 ''' 651 A IdentitySet is a named grouping of Identity Aliases for Accounts. 652 An Account's relationship to a IdentitySet is defined via IdentityAlias objects. 653 654 See `strongdm.svc.SnapshotIdentitySets`. 655 ''' 656 self.nodes = svc.SnapshotNodes(client.nodes) 657 ''' 658 Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes: 659 - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers. 660 - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. 661 662 See `strongdm.svc.SnapshotNodes`. 663 ''' 664 self.policies = svc.SnapshotPolicies(client.policies) 665 ''' 666 Policies are the collection of one or more statements that enforce fine-grained access 667 control for the users of an organization. 668 669 See `strongdm.svc.SnapshotPolicies`. 670 ''' 671 self.proxy_cluster_keys = svc.SnapshotProxyClusterKeys( 672 client.proxy_cluster_keys) 673 ''' 674 Proxy Cluster Keys are authentication keys for all proxies within a cluster. 675 The proxies within a cluster share the same key. One cluster can have 676 multiple keys in order to facilitate key rotation. 677 678 See `strongdm.svc.SnapshotProxyClusterKeys`. 679 ''' 680 self.remote_identities = svc.SnapshotRemoteIdentities( 681 client.remote_identities) 682 ''' 683 RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource. 684 685 See `strongdm.svc.SnapshotRemoteIdentities`. 686 ''' 687 self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups( 688 client.remote_identity_groups) 689 ''' 690 A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. 691 An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects. 692 693 See `strongdm.svc.SnapshotRemoteIdentityGroups`. 694 ''' 695 self.resources = svc.SnapshotResources(client.resources) 696 ''' 697 Resources are databases, servers, clusters, websites, or clouds that strongDM 698 delegates access to. 699 700 See `strongdm.svc.SnapshotResources`. 701 ''' 702 self.role_resources = svc.SnapshotRoleResources(client.role_resources) 703 ''' 704 RoleResources enumerates the resources to which roles have access. 705 The RoleResources service is read-only. 706 707 See `strongdm.svc.SnapshotRoleResources`. 708 ''' 709 self.roles = svc.SnapshotRoles(client.roles) 710 ''' 711 A Role has a list of access rules which determine which Resources the members 712 of the Role have access to. An Account can be a member of multiple Roles via 713 AccountAttachments. 714 715 See `strongdm.svc.SnapshotRoles`. 716 ''' 717 self.secret_stores = svc.SnapshotSecretStores(client.secret_stores) 718 ''' 719 SecretStores are servers where resource secrets (passwords, keys) are stored. 720 721 See `strongdm.svc.SnapshotSecretStores`. 722 ''' 723 self.workflow_approvers = svc.SnapshotWorkflowApprovers( 724 client.workflow_approvers) 725 ''' 726 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 727 728 See `strongdm.svc.SnapshotWorkflowApprovers`. 729 ''' 730 self.workflow_assignments = svc.SnapshotWorkflowAssignments( 731 client.workflow_assignments) 732 ''' 733 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 734 access to via the workflow. 735 736 See `strongdm.svc.SnapshotWorkflowAssignments`. 737 ''' 738 self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles) 739 ''' 740 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 741 to request access to a resource via the workflow. 742 743 See `strongdm.svc.SnapshotWorkflowRoles`. 744 ''' 745 self.workflows = svc.SnapshotWorkflows(client.workflows) 746 ''' 747 Workflows are the collection of rules that define the resources to which access can be requested, 748 the users that can request that access, and the mechanism for approving those requests which can either 749 be automatic approval or a set of users authorized to approve the requests. 750 751 See `strongdm.svc.SnapshotWorkflows`. 752 '''
account_grants
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
account_permissions
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
account_resources
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
accounts
Accounts are users that have access to strongDM. There are two types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
approval_workflow_approvers
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep
approval_workflows
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
identity_aliases
IdentityAliases assign an alias to an account within an IdentitySet. The alias is used as the username when connecting to a identity supported resource.
identity_sets
A IdentitySet is a named grouping of Identity Aliases for Accounts. An Account's relationship to a IdentitySet is defined via IdentityAlias objects.
nodes
Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
- Gateways are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
- Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
policies
Policies are the collection of one or more statements that enforce fine-grained access control for the users of an organization.
proxy_cluster_keys
Proxy Cluster Keys are authentication keys for all proxies within a cluster. The proxies within a cluster share the same key. One cluster can have multiple keys in order to facilitate key rotation.
remote_identities
RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
remote_identity_groups
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
resources
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
role_resources
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
roles
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
workflow_approvers
WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.
workflow_assignments
WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request access to via the workflow.
workflow_roles
WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.