```bash
export PATH="$HOME/.local/bin:$HOME/Projects/go/bin:$PATH"
export HISTSIZE=25000
# ignoreboth = skip duplicate entries and commands that start with a space
export HISTCONTROL=ignoreboth
export CLICOLOR=1
export LSCOLORS=exfxcxdxbxexexabagacad
# append each command to the history file as soon as the prompt returns
export PROMPT_COMMAND='history -a'
export GOPATH=$HOME/Projects/go
alias ls='ls -G'
alias ll='ls -lahG'
```
```python
import json
from googleapiclient import discovery

# Fetch most up to date role list and role descriptions from API
iam = discovery.build('iam', 'v1')
raw_role_data = {}

# Build initial request; view='FULL' is needed for includedPermissions
request = iam.roles().list(view='FULL')
while request is not None:
    response = request.execute()
    for role in response.get('roles', []):
        raw_role_data[role['name']] = role
    request = iam.roles().list_next(request, response)
```
```json
{
  "roles/accessapproval.approver": {
    "name": "roles/accessapproval.approver",
    "title": "Access Approval Approver",
    "description": "Ability to view or act...",
    "includedPermissions": [
      "accessapproval.requests.approve",
      "accessapproval.requests.dismiss",
      "accessapproval.requests.get",
      "accessapproval.requests.list",
```
```python
import collections

roles_to_perms = collections.defaultdict(set)
perms_to_roles = collections.defaultdict(set)
perms_counts = collections.defaultdict(int)
unique_perms = set()

for role_name, role_data in raw_role_data.items():
    for perm in role_data.get('includedPermissions', tuple()):
        roles_to_perms[role_name].add(perm)
        # reverse index, per-role permission count and the overall
        # permission set, all read by the later steps
        perms_to_roles[perm].add(role_name)
        perms_counts[role_name] += 1
        unique_perms.add(perm)
```
```python
roles_sorted_by_perms_asc = sorted(perms_counts.items(),
                                   key=lambda x: x[1])
```
```python
# Roles whose permissions are fully contained in some other role
subset_roles = set()
for this_role, _ in roles_sorted_by_perms_asc:
    for other_role, other_perms in roles_to_perms.items():
        if this_role == other_role:
            continue
        this_perms = roles_to_perms[this_role]
        if this_perms.issubset(other_perms):
            subset_roles.add(this_role)
```
```python
role_with_most_perms = roles_sorted_by_perms_asc[-1][0]
```
```python
selected_roles = {role_with_most_perms,}
```
```python
remaining = unique_perms - roles_to_perms['roles/owner']
```
```python
while remaining:
    for perm in remaining:
        # get set of roles which contain permission
        satisfy = perms_to_roles[perm]
        # sort roles by the number of permissions they contain, select role
        # with the most
        sorted_roles = sorted(((role, perms_counts[role])
                               for role in satisfy),
                              key=lambda x: x[1])
        selected = sorted_roles[-1][0]
        selected_roles.add(selected)
        # drop everything the selected role covers, then restart the scan
        # over the reduced set
        remaining = remaining - roles_to_perms[selected]
        break
```