strongdm.client
```python
# Copyright 2020 StrongDM Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Code generated by protogen. DO NOT EDIT.

import base64
import copy
import datetime
import grpc
import hashlib
import hmac
import random
import time
from . import errors
from . import plumbing
from . import svc

# These defaults are taken from AWS. Customization of these values
# is a future step in the API.
DEFAULT_MAX_RETRIES = 3
DEFAULT_BASE_RETRY_DELAY = 0.030  # 30 ms
DEFAULT_MAX_RETRY_DELAY = 300  # 300 seconds
API_VERSION = '2024-03-28'
USER_AGENT = 'strongdm-sdk-python/8.1.0'


class Client:
    '''Client interacts with the strongDM API.'''
    def __init__(self,
                 api_access_key,
                 api_secret,
                 host='api.strongdm.com:443',
                 insecure=False,
                 retry_rate_limit_errors=True,
                 page_limit=50):
        '''
        Create a new Client.

        - api_access_key: the access key to authenticate with strongDM
        - api_secret: the secret key to authenticate with strongDM
        '''
        self.api_access_key = api_access_key.strip()
        # The secret is supplied base64-encoded; the raw bytes are the HMAC root key.
        self.api_secret = base64.b64decode(api_secret.strip())
        self.max_retries = DEFAULT_MAX_RETRIES
        self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
        self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
        self.expose_rate_limit_errors = (not retry_rate_limit_errors)
        self.snapshot_datetime = None
        self.page_limit = page_limit

        try:
            if insecure:
                channel = grpc.insecure_channel(host)
            else:
                creds = grpc.ssl_channel_credentials()
                channel = grpc.secure_channel(host, creds)
        except Exception as e:
            raise plumbing.convert_error_to_porcelain(e) from e
        self.channel = channel
        self.access_requests = svc.AccessRequests(channel, self)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.

        See `strongdm.svc.AccessRequests`.
        '''
        self.access_request_events_history = svc.AccessRequestEventsHistory(
            channel, self)
        '''
        AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestEventsHistory`.
        '''
        self.access_requests_history = svc.AccessRequestsHistory(channel, self)
        '''
        AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestsHistory`.
        '''
        self.account_attachments = svc.AccountAttachments(channel, self)
        '''
        AccountAttachments assign an account to a role.

        See `strongdm.svc.AccountAttachments`.
        '''
        self.account_attachments_history = svc.AccountAttachmentsHistory(
            channel, self)
        '''
        AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

        See `strongdm.svc.AccountAttachmentsHistory`.
        '''
        self.account_grants = svc.AccountGrants(channel, self)
        '''
        AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.AccountGrants`.
        '''
        self.account_grants_history = svc.AccountGrantsHistory(channel, self)
        '''
        AccountGrantsHistory records all changes to the state of an AccountGrant.

        See `strongdm.svc.AccountGrantsHistory`.
        '''
        self.account_permissions = svc.AccountPermissions(channel, self)
        '''
        AccountPermissions records the granular permissions accounts have, allowing them to execute
        relevant commands via StrongDM's APIs.

        See `strongdm.svc.AccountPermissions`.
        '''
        self.account_resources = svc.AccountResources(channel, self)
        '''
        AccountResources enumerates the resources to which accounts have access.
        The AccountResources service is read-only.

        See `strongdm.svc.AccountResources`.
        '''
        self.account_resources_history = svc.AccountResourcesHistory(
            channel, self)
        '''
        AccountResourcesHistory records all changes to the state of an AccountResource.

        See `strongdm.svc.AccountResourcesHistory`.
        '''
        self.accounts = svc.Accounts(channel, self)
        '''
        Accounts are users that have access to strongDM. There are two types of accounts:
        1. **Users:** humans who are authenticated through username and password or SSO.
        2. **Service Accounts:** machines that are authenticated using a service token.
        3. **Tokens** are access keys with permissions that can be used for authentication.

        See `strongdm.svc.Accounts`.
        '''
        self.accounts_history = svc.AccountsHistory(channel, self)
        '''
        AccountsHistory records all changes to the state of an Account.

        See `strongdm.svc.AccountsHistory`.
        '''
        self.activities = svc.Activities(channel, self)
        '''
        An Activity is a record of an action taken against a strongDM deployment, e.g.
        a user creation, resource deletion, SSO configuration change, etc. The Activities
        service is read-only.

        See `strongdm.svc.Activities`.
        '''
        self.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
            channel, self)
        '''
        ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.

        See `strongdm.svc.ApprovalWorkflowApprovers`.
        '''
        self.approval_workflow_approvers_history = svc.ApprovalWorkflowApproversHistory(
            channel, self)
        '''
        ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.

        See `strongdm.svc.ApprovalWorkflowApproversHistory`.
        '''
        self.approval_workflow_steps = svc.ApprovalWorkflowSteps(channel, self)
        '''
        ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow.

        See `strongdm.svc.ApprovalWorkflowSteps`.
        '''
        self.approval_workflow_steps_history = svc.ApprovalWorkflowStepsHistory(
            channel, self)
        '''
        ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.

        See `strongdm.svc.ApprovalWorkflowStepsHistory`.
        '''
        self.approval_workflows = svc.ApprovalWorkflows(channel, self)
        '''
        ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
        approvers and be approved or denied.

        See `strongdm.svc.ApprovalWorkflows`.
        '''
        self.approval_workflows_history = svc.ApprovalWorkflowsHistory(
            channel, self)
        '''
        ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.

        See `strongdm.svc.ApprovalWorkflowsHistory`.
        '''
        self.control_panel = svc.ControlPanel(channel, self)
        '''
        ControlPanel contains all administrative controls.

        See `strongdm.svc.ControlPanel`.
        '''
        self.nodes = svc.Nodes(channel, self)
        '''
        Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
        - **Gateways** are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
        - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

        See `strongdm.svc.Nodes`.
        '''
        self.nodes_history = svc.NodesHistory(channel, self)
        '''
        NodesHistory records all changes to the state of a Node.

        See `strongdm.svc.NodesHistory`.
        '''
        self.organization_history = svc.OrganizationHistory(channel, self)
        '''
        OrganizationHistory records all changes to the state of an Organization.

        See `strongdm.svc.OrganizationHistory`.
        '''
        self.peering_group_nodes = svc.PeeringGroupNodes(channel, self)
        '''
        PeeringGroupNodes provides the building blocks necessary to attach a node to a peering group.

        See `strongdm.svc.PeeringGroupNodes`.
        '''
        self.peering_group_peers = svc.PeeringGroupPeers(channel, self)
        '''
        PeeringGroupPeers provides the building blocks necessary to link two peering groups.

        See `strongdm.svc.PeeringGroupPeers`.
        '''
        self.peering_group_resources = svc.PeeringGroupResources(channel, self)
        '''
        PeeringGroupResources provides the building blocks necessary to attach a resource to a peering group.

        See `strongdm.svc.PeeringGroupResources`.
        '''
        self.peering_groups = svc.PeeringGroups(channel, self)
        '''
        PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.

        See `strongdm.svc.PeeringGroups`.
        '''
        self.queries = svc.Queries(channel, self)
        '''
        A Query is a record of a single client request to a resource, such as a SQL query.
        Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
        The Queries service is read-only.

        See `strongdm.svc.Queries`.
        '''
        self.remote_identities = svc.RemoteIdentities(channel, self)
        '''
        RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.RemoteIdentities`.
        '''
        self.remote_identities_history = svc.RemoteIdentitiesHistory(
            channel, self)
        '''
        RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

        See `strongdm.svc.RemoteIdentitiesHistory`.
        '''
        self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self)
        '''
        A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
        An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

        See `strongdm.svc.RemoteIdentityGroups`.
        '''
        self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory(
            channel, self)
        '''
        RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

        See `strongdm.svc.RemoteIdentityGroupsHistory`.
        '''
        self.replays = svc.Replays(channel, self)
        '''
        A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session
        (otherwise referred to as a query). The Replays service is read-only.

        See `strongdm.svc.Replays`.
        '''
        self.resources = svc.Resources(channel, self)
        '''
        Resources are databases, servers, clusters, websites, or clouds that strongDM
        delegates access to.

        See `strongdm.svc.Resources`.
        '''
        self.resources_history = svc.ResourcesHistory(channel, self)
        '''
        ResourcesHistory records all changes to the state of a Resource.

        See `strongdm.svc.ResourcesHistory`.
        '''
        self.role_resources = svc.RoleResources(channel, self)
        '''
        RoleResources enumerates the resources to which roles have access.
        The RoleResources service is read-only.

        See `strongdm.svc.RoleResources`.
        '''
        self.role_resources_history = svc.RoleResourcesHistory(channel, self)
        '''
        RoleResourcesHistory records all changes to the state of a RoleResource.

        See `strongdm.svc.RoleResourcesHistory`.
        '''
        self.roles = svc.Roles(channel, self)
        '''
        A Role has a list of access rules which determine which Resources the members
        of the Role have access to. An Account can be a member of multiple Roles via
        AccountAttachments.

        See `strongdm.svc.Roles`.
        '''
        self.roles_history = svc.RolesHistory(channel, self)
        '''
        RolesHistory records all changes to the state of a Role.

        See `strongdm.svc.RolesHistory`.
        '''
        self.secret_store_healths = svc.SecretStoreHealths(channel, self)
        '''
        SecretStoreHealths exposes health states for secret stores.

        See `strongdm.svc.SecretStoreHealths`.
        '''
        self.secret_stores = svc.SecretStores(channel, self)
        '''
        SecretStores are servers where resource secrets (passwords, keys) are stored.

        See `strongdm.svc.SecretStores`.
        '''
        self.secret_stores_history = svc.SecretStoresHistory(channel, self)
        '''
        SecretStoresHistory records all changes to the state of a SecretStore.

        See `strongdm.svc.SecretStoresHistory`.
        '''
        self.workflow_approvers = svc.WorkflowApprovers(channel, self)
        '''
        A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.

        See `strongdm.svc.WorkflowApprovers`.
        '''
        self.workflow_approvers_history = svc.WorkflowApproversHistory(
            channel, self)
        '''
        WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.

        See `strongdm.svc.WorkflowApproversHistory`.
        '''
        self.workflow_assignments = svc.WorkflowAssignments(channel, self)
        '''
        WorkflowAssignments link a Resource to a Workflow. The assigned resources are those that a user can request
        access to via the workflow.

        See `strongdm.svc.WorkflowAssignments`.
        '''
        self.workflow_assignments_history = svc.WorkflowAssignmentsHistory(
            channel, self)
        '''
        WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.

        See `strongdm.svc.WorkflowAssignmentsHistory`.
        '''
        self.workflow_roles = svc.WorkflowRoles(channel, self)
        '''
        A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
        to request access to a resource via the workflow.

        See `strongdm.svc.WorkflowRoles`.
        '''
        self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self)
        '''
        WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole.

        See `strongdm.svc.WorkflowRolesHistory`.
        '''
        self.workflows = svc.Workflows(channel, self)
        '''
        Workflows are the collection of rules that define the resources to which access can be requested,
        the users that can request that access, and the mechanism for approving those requests, which can either
        be automatic approval or a set of users authorized to approve the requests.

        See `strongdm.svc.Workflows`.
        '''
        self.workflows_history = svc.WorkflowsHistory(channel, self)
        '''
        WorkflowsHistory provides records of all changes to the state of a Workflow.

        See `strongdm.svc.WorkflowsHistory`.
        '''

    def close(self):
        '''Closes this Client and releases all resources held by it.

        Closing the Client will immediately terminate all RPCs active with the
        Client and it is not valid to invoke new RPCs with the Client.

        This method is idempotent.
        '''
        self.channel.close()

    def get_metadata(self, method_name, req):
        # Per-call gRPC metadata: access key identifies the caller, the
        # signature authenticates this method name plus serialized request.
        return [
            ('x-sdm-authentication', self.api_access_key),
            ('x-sdm-signature', self.sign(method_name,
                                          req.SerializeToString())),
            ('x-sdm-api-version', API_VERSION),
            ('x-sdm-user-agent', USER_AGENT),
        ]

    def sign(self, method_name, request_bytes):
        def hmac_digest(key, msg_byte_string):
            return hmac.new(key, msg=msg_byte_string,
                            digestmod=hashlib.sha256).digest()

        # Derive a key scoped to the current UTC day, then to the API
        # version label; the raw secret never MACs a request directly.
        current_utc_date = datetime.datetime.now(
            datetime.timezone.utc).strftime('%Y-%m-%d')
        signing_key = hmac_digest(self.api_secret, current_utc_date.encode())
        signing_key = hmac_digest(signing_key, b'sdm_api_v1')

        # The MAC covers SHA-256(method name, newline, serialized request).
        hash = hashlib.sha256()

        hash.update(method_name.encode())
        hash.update(b'\n')
        hash.update(request_bytes)

        return base64.b64encode(hmac_digest(signing_key, hash.digest()))

    def jitterSleep(self, iter):
        # Full-jitter exponential backoff, capped at max_retry_delay.
        dur_max = self.base_retry_delay * 2**iter
        if (dur_max > self.max_retry_delay):
            dur_max = self.max_retry_delay
        # get a value between 0 and max
        dur = random.random() * dur_max
        time.sleep(dur)

    def shouldRetry(self, iter, err):
        if (iter >= self.max_retries - 1):
            return False
        if not isinstance(err, grpc.RpcError):
            return True
        porcelain_err = plumbing.convert_error_to_porcelain(err)
        if (not self.expose_rate_limit_errors) and isinstance(
                porcelain_err, errors.RateLimitError):
            wait_until = porcelain_err.rate_limit.reset_at
            now = datetime.datetime.now(datetime.timezone.utc)
            sleep_for = (wait_until - now).total_seconds()
            # If timezones or clock drift causes this calculation to fail,
            # wait at most one minute.
            if sleep_for < 0 or sleep_for > 60:
                sleep_for = 60
            time.sleep(sleep_for)
            return True
        # Only transient server-side failures are retried.
        return err.code() in (grpc.StatusCode.INTERNAL,
                              grpc.StatusCode.UNAVAILABLE)

    def snapshot_at(self, snapshot_datetime):
        '''
        Constructs a read-only client that will provide historical data from the provided timestamp.

        See `SnapshotClient`.
        '''
        client = copy.copy(self)
        client.snapshot_datetime = snapshot_datetime
        client.access_requests = svc.AccessRequests(client.channel, client)
        client.account_attachments = svc.AccountAttachments(
            client.channel, client)
        client.account_grants = svc.AccountGrants(client.channel, client)
        client.account_permissions = svc.AccountPermissions(
            client.channel, client)
        client.account_resources = svc.AccountResources(client.channel, client)
        client.accounts = svc.Accounts(client.channel, client)
        client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers(
            client.channel, client)
        client.approval_workflow_steps = svc.ApprovalWorkflowSteps(
            client.channel, client)
        client.approval_workflows = svc.ApprovalWorkflows(
            client.channel, client)
        client.nodes = svc.Nodes(client.channel, client)
        client.remote_identities = svc.RemoteIdentities(client.channel, client)
        client.remote_identity_groups = svc.RemoteIdentityGroups(
            client.channel, client)
        client.resources = svc.Resources(client.channel, client)
        client.role_resources = svc.RoleResources(client.channel, client)
        client.roles = svc.Roles(client.channel, client)
        client.secret_stores = svc.SecretStores(client.channel, client)
        client.workflow_approvers = svc.WorkflowApprovers(
            client.channel, client)
        client.workflow_assignments = svc.WorkflowAssignments(
            client.channel, client)
        client.workflow_roles = svc.WorkflowRoles(client.channel, client)
        client.workflows = svc.Workflows(client.channel, client)
        return SnapshotClient(client)


class SnapshotClient:
    '''SnapshotClient exposes methods to query historical records at a provided timestamp.'''
    def __init__(self, client):
        self.access_requests = svc.SnapshotAccessRequests(
            client.access_requests)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.

        See `strongdm.svc.SnapshotAccessRequests`.
        '''
        self.account_attachments = svc.SnapshotAccountAttachments(
            client.account_attachments)
        '''
        AccountAttachments assign an account to a role.

        See `strongdm.svc.SnapshotAccountAttachments`.
        '''
        self.account_grants = svc.SnapshotAccountGrants(client.account_grants)
        '''
        AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.SnapshotAccountGrants`.
        '''
        self.account_permissions = svc.SnapshotAccountPermissions(
            client.account_permissions)
        '''
        AccountPermissions records the granular permissions accounts have, allowing them to execute
        relevant commands via StrongDM's APIs.

        See `strongdm.svc.SnapshotAccountPermissions`.
        '''
        self.account_resources = svc.SnapshotAccountResources(
            client.account_resources)
        '''
        AccountResources enumerates the resources to which accounts have access.
        The AccountResources service is read-only.

        See `strongdm.svc.SnapshotAccountResources`.
        '''
        self.accounts = svc.SnapshotAccounts(client.accounts)
        '''
        Accounts are users that have access to strongDM. There are two types of accounts:
        1. **Users:** humans who are authenticated through username and password or SSO.
        2. **Service Accounts:** machines that are authenticated using a service token.
        3. **Tokens** are access keys with permissions that can be used for authentication.

        See `strongdm.svc.SnapshotAccounts`.
        '''
        self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers(
            client.approval_workflow_approvers)
        '''
        ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.

        See `strongdm.svc.SnapshotApprovalWorkflowApprovers`.
        '''
        self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps(
            client.approval_workflow_steps)
        '''
        ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow.

        See `strongdm.svc.SnapshotApprovalWorkflowSteps`.
        '''
        self.approval_workflows = svc.SnapshotApprovalWorkflows(
            client.approval_workflows)
        '''
        ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
        approvers and be approved or denied.

        See `strongdm.svc.SnapshotApprovalWorkflows`.
        '''
        self.nodes = svc.SnapshotNodes(client.nodes)
        '''
        Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
        - **Gateways** are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
        - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

        See `strongdm.svc.SnapshotNodes`.
        '''
        self.remote_identities = svc.SnapshotRemoteIdentities(
            client.remote_identities)
        '''
        RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.SnapshotRemoteIdentities`.
        '''
        self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups(
            client.remote_identity_groups)
        '''
        A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
        An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

        See `strongdm.svc.SnapshotRemoteIdentityGroups`.
        '''
        self.resources = svc.SnapshotResources(client.resources)
        '''
        Resources are databases, servers, clusters, websites, or clouds that strongDM
        delegates access to.

        See `strongdm.svc.SnapshotResources`.
        '''
        self.role_resources = svc.SnapshotRoleResources(client.role_resources)
        '''
        RoleResources enumerates the resources to which roles have access.
        The RoleResources service is read-only.

        See `strongdm.svc.SnapshotRoleResources`.
        '''
        self.roles = svc.SnapshotRoles(client.roles)
        '''
        A Role has a list of access rules which determine which Resources the members
        of the Role have access to. An Account can be a member of multiple Roles via
        AccountAttachments.

        See `strongdm.svc.SnapshotRoles`.
        '''
        self.secret_stores = svc.SnapshotSecretStores(client.secret_stores)
        '''
        SecretStores are servers where resource secrets (passwords, keys) are stored.

        See `strongdm.svc.SnapshotSecretStores`.
        '''
        self.workflow_approvers = svc.SnapshotWorkflowApprovers(
            client.workflow_approvers)
        '''
        A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.

        See `strongdm.svc.SnapshotWorkflowApprovers`.
        '''
        self.workflow_assignments = svc.SnapshotWorkflowAssignments(
            client.workflow_assignments)
        '''
        WorkflowAssignments link a Resource to a Workflow. The assigned resources are those that a user can request
        access to via the workflow.

        See `strongdm.svc.SnapshotWorkflowAssignments`.
        '''
        self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles)
        '''
        A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
        to request access to a resource via the workflow.

        See `strongdm.svc.SnapshotWorkflowRoles`.
        '''
        self.workflows = svc.SnapshotWorkflows(client.workflows)
        '''
        Workflows are the collection of rules that define the resources to which access can be requested,
        the users that can request that access, and the mechanism for approving those requests, which can either
        be automatic approval or a set of users authorized to approve the requests.

        See `strongdm.svc.SnapshotWorkflows`.
        '''
```
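The request-signing scheme in `Client.sign` and `Client.get_metadata`, reworked as an added, stand-alone example (not SDK code) with a verifier side that the page does not show: the base64 secret is decoded, a key is derived per UTC day and per the `sdm_api_v1` label, and the MAC covers the method name and the serialized request together. The secret, the method name `/v1.Resources/List`, the request bytes and the `verify_signature` function are all constructed for the example; the date is injectable so the day-binding can be checked offline.

```python
import base64
import datetime
import hashlib
import hmac

# Constructed example secret (32 bytes of 0x01, base64-encoded), not a real key.
EXAMPLE_SECRET_B64 = base64.b64encode(b'\x01' * 32).decode('ascii')
# Assumed gRPC full-method name; the real names live in strongdm.svc.
EXAMPLE_METHOD = '/v1.Resources/List'


def _hmac_sha256(key, msg):
    return hmac.new(key, msg=msg, digestmod=hashlib.sha256).digest()


def derive_signing_key(api_secret, utc_date):
    """Two-step derivation as in Client.sign: the raw secret never MACs a
    request directly. It first yields a key bound to the UTC calendar day,
    which is then bound to the protocol label 'sdm_api_v1'."""
    day_key = _hmac_sha256(api_secret, utc_date.encode())
    return _hmac_sha256(day_key, b'sdm_api_v1')


def request_digest(method_name, request_bytes):
    """SHA-256 over method name, newline, serialized request, so the
    signature covers which RPC is called as well as its payload."""
    h = hashlib.sha256()
    h.update(method_name.encode())
    h.update(b'\n')
    h.update(request_bytes)
    return h.digest()


def sign_request(api_secret_b64, method_name, request_bytes, utc_date=None):
    """Same computation as Client.sign; utc_date is injectable for testing
    (the SDK always uses today's UTC date). Returns base64 text."""
    api_secret = base64.b64decode(api_secret_b64.strip())
    if utc_date is None:
        utc_date = datetime.datetime.now(
            datetime.timezone.utc).strftime('%Y-%m-%d')
    key = derive_signing_key(api_secret, utc_date)
    mac = _hmac_sha256(key, request_digest(method_name, request_bytes))
    return base64.b64encode(mac).decode('ascii')


def verify_signature(api_secret_b64, method_name, request_bytes,
                     signature_b64, utc_date):
    """Assumed verifier side (the server's code is not on the page):
    recompute the MAC for the claimed day and compare in constant time."""
    expected = sign_request(api_secret_b64, method_name, request_bytes,
                            utc_date)
    return hmac.compare_digest(expected.encode(), signature_b64.encode())


def demo():
    """Show what the signature binds: body, method name and UTC day."""
    body = b'\x0a\x08env:prod'  # constructed stand-in for a serialized request
    day = '2024-03-28'
    sig = sign_request(EXAMPLE_SECRET_B64, EXAMPLE_METHOD, body, day)
    return {
        'valid': verify_signature(
            EXAMPLE_SECRET_B64, EXAMPLE_METHOD, body, sig, day),
        'tampered_body': verify_signature(
            EXAMPLE_SECRET_B64, EXAMPLE_METHOD, body + b'!', sig, day),
        'wrong_method': verify_signature(
            EXAMPLE_SECRET_B64, '/v1.Resources/Delete', body, sig, day),
        'next_day': verify_signature(
            EXAMPLE_SECRET_B64, EXAMPLE_METHOD, body, sig, '2024-03-29'),
    }


if __name__ == '__main__':
    print(demo())
```

Because the key changes at the UTC day boundary, a client whose clock is on the wrong day produces signatures the server rejects; that is the same clock dependency `shouldRetry` guards against on the rate-limit path.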
351 ''' 352 self.workflow_approvers = svc.WorkflowApprovers(channel, self) 353 ''' 354 WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow. 355 356 See `strongdm.svc.WorkflowApprovers`. 357 ''' 358 self.workflow_approvers_history = svc.WorkflowApproversHistory( 359 channel, self) 360 ''' 361 WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover. 362 363 See `strongdm.svc.WorkflowApproversHistory`. 364 ''' 365 self.workflow_assignments = svc.WorkflowAssignments(channel, self) 366 ''' 367 WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request 368 access to via the workflow. 369 370 See `strongdm.svc.WorkflowAssignments`. 371 ''' 372 self.workflow_assignments_history = svc.WorkflowAssignmentsHistory( 373 channel, self) 374 ''' 375 WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment. 376 377 See `strongdm.svc.WorkflowAssignmentsHistory`. 378 ''' 379 self.workflow_roles = svc.WorkflowRoles(channel, self) 380 ''' 381 WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of 382 to request access to a resource via the workflow. 383 384 See `strongdm.svc.WorkflowRoles`. 385 ''' 386 self.workflow_roles_history = svc.WorkflowRolesHistory(channel, self) 387 ''' 388 WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole 389 390 See `strongdm.svc.WorkflowRolesHistory`. 391 ''' 392 self.workflows = svc.Workflows(channel, self) 393 ''' 394 Workflows are the collection of rules that define the resources to which access can be requested, 395 the users that can request that access, and the mechanism for approving those requests which can either 396 be automatic approval or a set of users authorized to approve the requests. 397 398 See `strongdm.svc.Workflows`. 
399 ''' 400 self.workflows_history = svc.WorkflowsHistory(channel, self) 401 ''' 402 WorkflowsHistory provides records of all changes to the state of a Workflow. 403 404 See `strongdm.svc.WorkflowsHistory`. 405 ''' 406 407 def close(self): 408 '''Closes this Client and releases all resources held by it. 409 410 Closing the Client will immediately terminate all RPCs active with the 411 Client and it is not valid to invoke new RPCs with the Client. 412 413 This method is idempotent. 414 ''' 415 self.channel.close() 416 417 def get_metadata(self, method_name, req): 418 return [ 419 ('x-sdm-authentication', self.api_access_key), 420 ('x-sdm-signature', self.sign(method_name, 421 req.SerializeToString())), 422 ('x-sdm-api-version', API_VERSION), 423 ('x-sdm-user-agent', USER_AGENT), 424 ] 425 426 def sign(self, method_name, request_bytes): 427 def hmac_digest(key, msg_byte_string): 428 return hmac.new(key, msg=msg_byte_string, 429 digestmod=hashlib.sha256).digest() 430 431 current_utc_date = datetime.datetime.now( 432 datetime.timezone.utc).strftime('%Y-%m-%d') 433 signing_key = hmac_digest(self.api_secret, current_utc_date.encode()) 434 signing_key = hmac_digest(signing_key, b'sdm_api_v1') 435 436 hash = hashlib.sha256() 437 438 hash.update(method_name.encode()) 439 hash.update(b'\n') 440 hash.update(request_bytes) 441 442 return base64.b64encode(hmac_digest(signing_key, hash.digest())) 443 444 def jitterSleep(self, iter): 445 dur_max = self.base_retry_delay * 2**iter 446 if (dur_max > self.max_retry_delay): 447 dur_max = self.max_retry_delay 448 # get a value between 0 and max 449 dur = random.random() * dur_max 450 time.sleep(dur) 451 452 def shouldRetry(self, iter, err): 453 if (iter >= self.max_retries - 1): 454 return False 455 if not isinstance(err, grpc.RpcError): 456 return True 457 porcelain_err = plumbing.convert_error_to_porcelain(err) 458 if (not self.expose_rate_limit_errors) and isinstance( 459 porcelain_err, errors.RateLimitError): 460 wait_until = 
porcelain_err.rate_limit.reset_at 461 now = datetime.datetime.now(datetime.timezone.utc) 462 sleep_for = (wait_until - now).total_seconds() 463 # If timezones or clock drift causes this calculation to fail, 464 # wait at most one minute. 465 if sleep_for < 0 or sleep_for > 60: 466 sleep_for = 60 467 time.sleep(sleep_for) 468 return True 469 return err.code() == grpc.StatusCode.INTERNAL or err.code( 470 ) == grpc.StatusCode.UNAVAILABLE 471 472 def snapshot_at(self, snapshot_datetime): 473 ''' 474 Constructs a read-only client that will provide historical data from the provided timestamp. 475 476 See `SnapshotClient`. 477 ''' 478 client = copy.copy(self) 479 client.snapshot_datetime = snapshot_datetime 480 client.access_requests = svc.AccessRequests(client.channel, client) 481 client.account_attachments = svc.AccountAttachments( 482 client.channel, client) 483 client.account_grants = svc.AccountGrants(client.channel, client) 484 client.account_permissions = svc.AccountPermissions( 485 client.channel, client) 486 client.account_resources = svc.AccountResources(client.channel, client) 487 client.accounts = svc.Accounts(client.channel, client) 488 client.approval_workflow_approvers = svc.ApprovalWorkflowApprovers( 489 client.channel, client) 490 client.approval_workflow_steps = svc.ApprovalWorkflowSteps( 491 client.channel, client) 492 client.approval_workflows = svc.ApprovalWorkflows( 493 client.channel, client) 494 client.nodes = svc.Nodes(client.channel, client) 495 client.remote_identities = svc.RemoteIdentities(client.channel, client) 496 client.remote_identity_groups = svc.RemoteIdentityGroups( 497 client.channel, client) 498 client.resources = svc.Resources(client.channel, client) 499 client.role_resources = svc.RoleResources(client.channel, client) 500 client.roles = svc.Roles(client.channel, client) 501 client.secret_stores = svc.SecretStores(client.channel, client) 502 client.workflow_approvers = svc.WorkflowApprovers( 503 client.channel, client) 504 
client.workflow_assignments = svc.WorkflowAssignments( 505 client.channel, client) 506 client.workflow_roles = svc.WorkflowRoles(client.channel, client) 507 client.workflows = svc.Workflows(client.channel, client) 508 return SnapshotClient(client)
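Client.sign above derives a key for the current UTC day, HMAC(HMAC(secret, 'YYYY-MM-DD'), 'sdm_api_v1'), and uses it to HMAC the SHA-256 of `method_name + '\n' + request_bytes`. The block below is an added example, not code from the SDK or from strongDM's service: it reimplements that derivation as standalone functions with an injectable date so the output is reproducible, and adds a hypothetical receiver-side verifier that compares in constant time and tolerates the UTC-midnight rollover. The verifier, the one-day skew window, the method name `Accounts.List`, the request bytes and the secret are all assumptions constructed for illustration.

```python
import base64
import datetime
import hashlib
import hmac
from typing import Optional

# Constant from Client.sign on this page; everything else in this block is illustrative.
SDM_API_KEY_SALT = b'sdm_api_v1'

# Constructed test secret: the 32 bytes 0x00..0x1f, base64-encoded the way the
# SDK expects api_secret to be supplied (Client.__init__ base64-decodes it).
CONSTRUCTED_API_SECRET_B64 = 'AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8='


def utc_date_today() -> str:
    return datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d')


def derive_signing_key(api_secret: bytes, utc_date: str) -> bytes:
    """Daily key, as Client.sign computes it: HMAC-SHA256 keyed with the raw secret
    over the date string, then HMAC-SHA256 keyed with that result over the salt."""
    day_key = hmac.new(api_secret, utc_date.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, SDM_API_KEY_SALT, hashlib.sha256).digest()


def sign_request(api_secret: bytes, method_name: str, request_bytes: bytes,
                 utc_date: Optional[str] = None) -> str:
    """Mirror of Client.sign with the date injectable. Returns the base64 text
    that the SDK sends as the x-sdm-signature metadata value."""
    if utc_date is None:
        utc_date = utc_date_today()
    signing_key = derive_signing_key(api_secret, utc_date)
    # The signed material is SHA-256(method_name || '\n' || request_bytes).
    message_digest = hashlib.sha256(method_name.encode() + b'\n' + request_bytes).digest()
    mac = hmac.new(signing_key, message_digest, hashlib.sha256).digest()
    return base64.b64encode(mac).decode('ascii')


def verify_request(api_secret: bytes, method_name: str, request_bytes: bytes,
                   signature: str, utc_date: Optional[str] = None,
                   skew_days: int = 1) -> bool:
    """Hypothetical receiver-side check (not strongDM's server code). Recomputes the
    signature for the current UTC date and up to `skew_days` earlier dates, so a
    request signed just before midnight UTC still verifies after the day rolls
    over; hmac.compare_digest keeps the comparison constant-time."""
    if utc_date is None:
        utc_date = utc_date_today()
    today = datetime.date.fromisoformat(utc_date)
    for back in range(skew_days + 1):
        candidate = (today - datetime.timedelta(days=back)).isoformat()
        expected = sign_request(api_secret, method_name, request_bytes, candidate)
        if hmac.compare_digest(expected, signature):
            return True
    return False


def demo() -> dict:
    """Signs one constructed request and exercises the verifier's accept/reject cases."""
    secret = base64.b64decode(CONSTRUCTED_API_SECRET_B64)
    method = 'Accounts.List'      # illustrative method name, not taken from the SDK
    body = b'\x0a\x05limit'       # constructed stand-in for req.SerializeToString()
    sig = sign_request(secret, method, body, '2024-03-28')
    return {
        'signature': sig,
        'verifies_same_day': verify_request(secret, method, body, sig, '2024-03-28'),
        'verifies_next_day': verify_request(secret, method, body, sig, '2024-03-29'),
        'verifies_two_days_later': verify_request(secret, method, body, sig, '2024-03-30'),
        'tampered_body_verifies': verify_request(secret, method, body + b'!', sig, '2024-03-28'),
        'other_method_same_sig': sign_request(secret, 'Accounts.Get', body, '2024-03-28') == sig,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Two properties of the scheme are worth keeping in mind when integrating. The signature binds the method name and the serialized request body, and the key changes with the UTC date, but the signed material carries no timestamp or nonce finer than the day, so the same method and body produce the same signature for the whole day; confidentiality and replay protection rest on the TLS channel that the Client opens by default, which is why the `insecure=True` option deserves a deliberate decision rather than a convenience flag. And because the SDK takes the date from the local clock, a client whose clock is a few minutes off around 00:00 UTC will sign with the neighbouring day's key, which is the case the skew window in the verifier above exists for.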
Client interacts with the strongDM API.
    def __init__(self,
                 api_access_key,
                 api_secret,
                 host='api.strongdm.com:443',
                 insecure=False,
                 retry_rate_limit_errors=True,
                 page_limit=50):
        '''
        Create a new Client.

        - api_access_key: the access key to authenticate with strongDM
        - api_secret: the secret key to authenticate with strongDM
        '''
        self.api_access_key = api_access_key.strip()
        self.api_secret = base64.b64decode(api_secret.strip())
        self.max_retries = DEFAULT_MAX_RETRIES
        self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
        self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
        self.expose_rate_limit_errors = (not retry_rate_limit_errors)
        self.snapshot_datetime = None
        self.page_limit = page_limit

        try:
            if insecure:
                channel = grpc.insecure_channel(host)
            else:
                creds = grpc.ssl_channel_credentials()
                channel = grpc.secure_channel(host, creds)
        except Exception as e:
            raise plumbing.convert_error_to_porcelain(e) from e
        self.channel = channel
        self.access_requests = svc.AccessRequests(channel, self)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.

        See `strongdm.svc.AccessRequests`.
        '''
        self.access_request_events_history = svc.AccessRequestEventsHistory(
            channel, self)
        '''
        AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestEventsHistory`.
        '''
        self.access_requests_history = svc.AccessRequestsHistory(channel, self)
        '''
        AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

        See `strongdm.svc.AccessRequestsHistory`.
        '''
        self.account_attachments = svc.AccountAttachments(channel, self)
        '''
        AccountAttachments assign an account to a role.

        See `strongdm.svc.AccountAttachments`.
        '''
        self.account_attachments_history = svc.AccountAttachmentsHistory(
            channel, self)
        '''
        AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

        See `strongdm.svc.AccountAttachmentsHistory`.
        '''
        self.account_grants = svc.AccountGrants(channel, self)
        '''
        AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.AccountGrants`.
        '''
        self.account_grants_history = svc.AccountGrantsHistory(channel, self)
        '''
        AccountGrantsHistory records all changes to the state of an AccountGrant.

        See `strongdm.svc.AccountGrantsHistory`.
        '''
        self.account_permissions = svc.AccountPermissions(channel, self)
        '''
        AccountPermissions records the granular permissions accounts have, allowing them to execute
        relevant commands via StrongDM's APIs.

        See `strongdm.svc.AccountPermissions`.
        '''
        self.account_resources = svc.AccountResources(channel, self)
        '''
        AccountResources enumerates the resources to which accounts have access.
        The AccountResources service is read-only.

        See `strongdm.svc.AccountResources`.
        '''
        self.account_resources_history = svc.AccountResourcesHistory(
            channel, self)
        '''
        AccountResourcesHistory records all changes to the state of an AccountResource.

        See `strongdm.svc.AccountResourcesHistory`.
        '''
        self.accounts = svc.Accounts(channel, self)
        '''
        Accounts are users that have access to strongDM. There are three types of accounts:
        1. **Users:** humans who are authenticated through username and password or SSO.
        2. **Service Accounts:** machines that are authenticated using a service token.
        3. **Tokens** are access keys with permissions that can be used for authentication.

        See `strongdm.svc.Accounts`.
        '''
Create a new Client.
- api_access_key: the access key to authenticate with strongDM
- api_secret: the secret key to authenticate with strongDM
AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.
AccessRequestsHistory provides records of all changes to the state of an AccessRequest.
AccountAttachmentsHistory records all changes to the state of an AccountAttachment.
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
AccountResourcesHistory records all changes to the state of an AccountResource.
Accounts are users that have access to strongDM. There are three types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, SSO configuration change, etc. The Activities service is read-only.
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.
ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.
ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.
Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
- Gateways are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
- Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
See `strongdm.svc.Nodes`.
PeeringGroupNodes provides the building blocks necessary to attach a node to a peering group.
PeeringGroupPeers provides the building blocks necessary to link two peering groups.
PeeringGroupResources provides the building blocks necessary to attach a resource to a peering group.
PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.
A Query is a record of a single client request to a resource, such as a SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.
See `strongdm.svc.Queries`.
RemoteIdentities define an Account's relationship to a RemoteIdentityGroup: the account username the account uses when connecting to resources in that group.
RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.
A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.
See `strongdm.svc.Replays`.
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
See `strongdm.svc.Roles`.
A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.
WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.
A WorkflowAssignment links a Resource to a Workflow. The assigned resources are those that a user can request access to via the workflow.
WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.
A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.
WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole.
Workflows are the collection of rules that define the resources to which access can be requested, the users that can request that access, and the mechanism for approving those requests which can either be automatic approval or a set of users authorized to approve the requests.
Closes this Client and releases all resources held by it.
Closing the Client will immediately terminate all RPCs active with the Client and it is not valid to invoke new RPCs with the Client.
This method is idempotent.
```python
class SnapshotClient:
    '''SnapshotClient exposes methods to query historical records at a provided timestamp.'''
    def __init__(self, client):
        self.access_requests = svc.SnapshotAccessRequests(
            client.access_requests)
        '''
        AccessRequests are requests for access to a resource that may match a Workflow.

        See `strongdm.svc.SnapshotAccessRequests`.
        '''
        self.account_attachments = svc.SnapshotAccountAttachments(
            client.account_attachments)
        '''
        AccountAttachments assign an account to a role.

        See `strongdm.svc.SnapshotAccountAttachments`.
        '''
        self.account_grants = svc.SnapshotAccountGrants(client.account_grants)
        '''
        AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.SnapshotAccountGrants`.
        '''
        self.account_permissions = svc.SnapshotAccountPermissions(
            client.account_permissions)
        '''
        AccountPermissions records the granular permissions accounts have, allowing them to execute
        relevant commands via StrongDM's APIs.

        See `strongdm.svc.SnapshotAccountPermissions`.
        '''
        self.account_resources = svc.SnapshotAccountResources(
            client.account_resources)
        '''
        AccountResources enumerates the resources to which accounts have access.
        The AccountResources service is read-only.

        See `strongdm.svc.SnapshotAccountResources`.
        '''
        self.accounts = svc.SnapshotAccounts(client.accounts)
        '''
        Accounts are users that have access to strongDM. There are two types of accounts:
        1. **Users:** humans who are authenticated through username and password or SSO.
        2. **Service Accounts:** machines that are authenticated using a service token.
        3. **Tokens** are access keys with permissions that can be used for authentication.

        See `strongdm.svc.SnapshotAccounts`.
        '''
        self.approval_workflow_approvers = svc.SnapshotApprovalWorkflowApprovers(
            client.approval_workflow_approvers)
        '''
        ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.

        See `strongdm.svc.SnapshotApprovalWorkflowApprovers`.
        '''
        self.approval_workflow_steps = svc.SnapshotApprovalWorkflowSteps(
            client.approval_workflow_steps)
        '''
        ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow.

        See `strongdm.svc.SnapshotApprovalWorkflowSteps`.
        '''
        self.approval_workflows = svc.SnapshotApprovalWorkflows(
            client.approval_workflows)
        '''
        ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized
        approvers and be approved or denied.

        See `strongdm.svc.SnapshotApprovalWorkflows`.
        '''
        self.nodes = svc.SnapshotNodes(client.nodes)
        '''
        Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
        - **Gateways** are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
        - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

        See `strongdm.svc.SnapshotNodes`.
        '''
        self.remote_identities = svc.SnapshotRemoteIdentities(
            client.remote_identities)
        '''
        RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

        See `strongdm.svc.SnapshotRemoteIdentities`.
        '''
        self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups(
            client.remote_identity_groups)
        '''
        A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
        An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

        See `strongdm.svc.SnapshotRemoteIdentityGroups`.
        '''
        self.resources = svc.SnapshotResources(client.resources)
        '''
        Resources are databases, servers, clusters, websites, or clouds that strongDM
        delegates access to.

        See `strongdm.svc.SnapshotResources`.
        '''
        self.role_resources = svc.SnapshotRoleResources(client.role_resources)
        '''
        RoleResources enumerates the resources to which roles have access.
        The RoleResources service is read-only.

        See `strongdm.svc.SnapshotRoleResources`.
        '''
        self.roles = svc.SnapshotRoles(client.roles)
        '''
        A Role has a list of access rules which determine which Resources the members
        of the Role have access to. An Account can be a member of multiple Roles via
        AccountAttachments.

        See `strongdm.svc.SnapshotRoles`.
        '''
        self.secret_stores = svc.SnapshotSecretStores(client.secret_stores)
        '''
        SecretStores are servers where resource secrets (passwords, keys) are stored.

        See `strongdm.svc.SnapshotSecretStores`.
        '''
        self.workflow_approvers = svc.SnapshotWorkflowApprovers(
            client.workflow_approvers)
        '''
        A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.

        See `strongdm.svc.SnapshotWorkflowApprovers`.
        '''
        self.workflow_assignments = svc.SnapshotWorkflowAssignments(
            client.workflow_assignments)
        '''
        A WorkflowAssignment links a Resource to a Workflow. The assigned resources are those that a user can request
        access to via the workflow.

        See `strongdm.svc.SnapshotWorkflowAssignments`.
        '''
        self.workflow_roles = svc.SnapshotWorkflowRoles(client.workflow_roles)
        '''
        A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of
        to request access to a resource via the workflow.

        See `strongdm.svc.SnapshotWorkflowRoles`.
        '''
        self.workflows = svc.SnapshotWorkflows(client.workflows)
        '''
        Workflows are the collection of rules that define the resources to which access can be requested,
        the users that can request that access, and the mechanism for approving those requests, which can either
        be automatic approval or a set of users authorized to approve the requests.

        See `strongdm.svc.SnapshotWorkflows`.
        '''
```
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.
AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.
Accounts are users that have access to strongDM. There are two types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.
- Tokens are access keys with permissions that can be used for authentication.
ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep.
ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.
Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
- Gateways are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
- Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.
RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.
A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.
A WorkflowApprover is an account or a role with the ability to approve requests bound to a workflow.
A WorkflowAssignment links a Resource to a Workflow. The assigned resources are those that a user can request access to via the workflow.
A WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.