|
| 1 | +#!/usr/bin/env python |
| 2 | +# |
| 3 | +# Make sure all users are members of the Secure Operations team. |
| 4 | +# |
| 5 | +# As of when this script was written, there is only one team for |
| 6 | +# all Secure users. Newly-created users that land in the default |
| 7 | +# team for Monitor (such as those created via the API) will |
| 8 | +# therefore not be in the Secure Operations team. If you have an |
| 9 | +# environment where you want all users to have both Monitor and |
| 10 | +# Secure access by default, you could run this script periodically |
| 11 | +# (e.g. as a cron job) to make sure any such users are made part |
| 12 | +# of the Secure Operations team as well. |
| 13 | +# |
| 14 | + |
| 15 | +import os |
| 16 | +import sys |
| 17 | +import json |
| 18 | +import logging |
| 19 | +sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..')) |
| 20 | +from sdcclient import SdcClient |
| 21 | + |
| 22 | +# |
| 23 | +# Parse arguments |
| 24 | +# |
| 25 | +if len(sys.argv) != 2: |
| 26 | + print 'usage: %s <sysdig-token>' % sys.argv[0] |
| 27 | + print 'You can find your token at https://app.sysdigcloud.com/#/settings/user' |
| 28 | + sys.exit(1) |
| 29 | + |
| 30 | +sdc_token = sys.argv[1] |
| 31 | + |
| 32 | +SECURE_TEAM_NAME = 'Secure Operations' |
| 33 | + |
| 34 | +# |
| 35 | +# As of when this script was written, the Secure Operations team does |
| 36 | +# not have the concepts of RBAC roles like "Read User" vs. "Edit User". |
| 37 | +# Rather, all members of the Secure team have full visibility within |
| 38 | +# Secure, which is associated with ROLE_TEAM_EDIT. |
| 39 | +# |
| 40 | +SECURE_TEAM_ROLE = 'ROLE_TEAM_EDIT' |
| 41 | + |
| 42 | +# |
| 43 | +# Instantiate the SDC client |
| 44 | +# |
| 45 | +sdclient = SdcClient(sdc_token, sdc_url='https://app.sysdigcloud.com') |
| 46 | + |
| 47 | +res = sdclient.get_teams(SECURE_TEAM_NAME) |
| 48 | + |
| 49 | +if res[0] == False: |
| 50 | + print 'Unable to get teams: ', res[1] |
| 51 | + sys.exit(1) |
| 52 | +memberships = {} |
| 53 | +for secure_team_user in res[1][0]['userRoles']: |
| 54 | + memberships[secure_team_user['userId']] = secure_team_user['role'] |
| 55 | + |
| 56 | +res = sdclient.get_users() |
| 57 | + |
| 58 | +if res[0] == False: |
| 59 | + print 'Unable to get users: ', res[1] |
| 60 | + sys.exit(1) |
| 61 | +all_users = res[1] |
| 62 | + |
| 63 | +# |
| 64 | +# The memberships passed into edit_team() are based on username |
| 65 | +# rather than ID, so convert the IDs. |
| 66 | +# |
| 67 | +for user in all_users: |
| 68 | + if user['id'] in memberships: |
| 69 | + print 'Will preserve existing membership for: ' + user['username'] |
| 70 | + memberships[user['username']] = memberships.pop(user['id']) |
| 71 | + else: |
| 72 | + print 'Will add new member: ' + user['username'] |
| 73 | + memberships[user['username']] = SECURE_TEAM_ROLE |
| 74 | + |
| 75 | +res = sdclient.edit_team(SECURE_TEAM_NAME, memberships=memberships) |
| 76 | +if res[0] == False: |
| 77 | + print 'Could not edit team:', res[1], '. Exiting.' |
| 78 | + sys.exit(1) |
| 79 | +else: |
| 80 | + print 'Finished syncing memberships of "' + SECURE_TEAM_NAME + '" team' |
| 81 | + |
| 82 | +sys.exit(0) |
0 commit comments