• This repository has been archived on 18/Sep/2019
  • Stars
    star
    103
  • Rank 333,046 (Top 7 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Creating time bound IAM Conditions with ease and flair

👮‍♀ī¸ Gimme 👮‍♂ī¸

screenshot of the Gimme UI


Table of Contents

ℹī¸ About

Gimme's purpose is to allow you to move your organisation to a point where people only have the basic permissions they need to do their job. Using Gimme anyone can then grant others additional access to resources, for example during an incident or to help troubleshoot or debug an issue. Gimme leverages time bound IAM Conditions to ensure people only gain truly temporary extra privileges.

NOTE: In order to be able to use Gimme you'll need to have access to the private beta of the IAM Conditions Framework in Google Cloud Platform. You can sign up for it over here.

Gimme uses OAuth to authenticate users and obtain an access token, which it will then use for any action it takes. As such, the person attempting to grant someone else additional permissions needs to have the necessary rights on the target resource to do so. This normally means they need to be an owner or editor of the resource, or have been granted the capability to modify the IAM policy of the resource.

⚕ī¸ Current state

Gimme is in its very early stages. It currently only supports granting access to users (not groups or service accounts) and only supports a couple of roles it can grant. Additionally, it only supports time bound conditions and only on the project level, not for example on an individual bucket or BQ dataset.

None of these limitations are hard to lift, we just haven't gotten around to it yet.

⚡ Installation

Gimme is a Python 2.7 (b/c App Engine) application. Its dependencies are managed by pipenv. You can generate a requirements.txt with pipenv lock -r.

Though Gimme can be hosted on App Engine it does not rely on the App Engine SDK for Python. As such you can just pipenv install the app locally and don't have to deal with gcloud or the dev_appeserver.py.

  1. Clone the project
  2. pipenv shell --two to create/activate a virtualenv (you only need the --two the first time)
  3. pipenv install to install the app's dependencies (except for AppEngine stuff)

🔧 Configuration

Gimme doesn't have a lot of nobs worth tweaking and those that you can tweak are available as environment variables. It's generally configured to be as paranoid as possible when the production settings are loaded, and is a bit more lax when the development and testing settings are loaded.

  • GIMME_SETTINGS: path to a .py file with contents similar to one of the Config classes from settings.py. This gives you complete control over all settings and circumvents any safeguards we might have built-in when it comes to handling those. Use with caution.

Other important variables are:

  • GIMME_ALLOWED_GSUITE_DOMAINS=space separtaed list of domains: Enforces that the person trying to use the app is logged in with a Google account matching one of the listed domains. If that's not the case, access is denied and all they can do is logout. The domain(s) should be the part after the @ sign in the email address, so example.com for example, or 'example.com example.org'
  • GOOGLE_OAUTH_CLIENT_ID=<client id>
  • GOOGLE_OAUTH_CLIENT_SECRET=<client secret>

You can get those from the API & Services menu in the Google Cloud Console once you've set up an OAuth consent screen. You'll need to go to Credentials > Create Credentials > OAuth Client ID.

And when developing locally:

  • OAUTHLIB_RELAX_TOKEN_SCOPE=1
  • OAUTHLIB_INSECURE_TRANSPORT=1
  • GIMME_DEV=true
  • FLASK_ENV=development
  • FLASK_APP=autoapp.py

It's advisable to have a separate OAuth Client ID for development than you have for production, and configure a separate OAuth consent screen for it.

🚀 Deploying

This largely depends on how you prefer to deploy applications. You can install the code directly on a server and hook it into something like mod_python with Apache, or a uwsgi+nginx combination. You can also pack it up in a container with uwsgi.

Please note that you should absolutely not ever use the Flask provided webserver, which is only suited for development.

App Engine Standard

In order to deploy this app to App Engine you need to be a Google Cloud customer. We recommend creating a separate project for this application so it can live in its own, isolated environment.

First, you'll need to vendor the dependencies by executing:

$ pipenv run pip install -r <(pipenv lock -r) --target lib/

Collecting blinker==1.4 (from -r /dev/fd/63 (line 2))
Collecting certifi==2018.4.16 (from -r /dev/fd/63 (line 3))
  Using cached https://files.pythonhosted.org/packages/7c/e6/92ad559b7192d846975fc916b65f667c7b8c3a32bea7372340bfe9a15fa5/certifi-2018.4.16-py2.py3-none-any.whl
...
Installing collected packages: blinker, certifi, chardet, click, decorator, markupsafe, jinja2, itsdangerous, werkzeug, flask, oauthlib, urllib3, idna, requests, requests-oauthlib, six, lazy, urlobject, flask-dance, wtforms, flask-wtf, validators
Successfully installed blinker-1.4 certifi-2018.4.16 chardet-3.0.4 click-6.7 decorator-4.3.0 flask-1.0.2 flask-dance-1.0.0 flask-wtf-0.14.2 idna-2.7 itsdangerous-0.24 jinja2-2.10 lazy-1.3 markupsafe-1.0 oauthlib-2.1.0 requests-2.19.1 requests-oauthlib-1.0.0 six-1.11.0 urllib3-1.23 urlobject-2.4.3 validators-0.12.2 werkzeug-0.14.1 wtforms-2.2.1

The vendored dependencies in lib/ will automatically get picked up on due to the configuration in appengine_config.py.

Once that's done you can run a gcloud --project=<YOUR PROJECT> app deploy app.yaml to deploy the application. Once that's done a gcloud --project=<YOUR PROJECT> app browse will open up a browser for you present you with your deployed application.

For further information on how to deploy to App Engine, how to use the preview environment, do rolling deploys etc. please review the gcloud app help and documentation.

Container

A sample Dockerfile is included which builds an Alpine based image hosting Gimme on uWSGI. You can check the Dockerfile for the configuration options passed to uWSGI. If they are not to your liking you can inherit from this Dockerfile and override the CMD instruction.

In order to build it a requirements.txt needs to be generated first, and then the image can be built as usual:

$ pipenv lock -r > requirements.txt

$ docker build . -t gimme:<version>
[..]
Step 16/16 : CMD [ "/usr/sbin/uwsgi", ...]
 ---> Running in aaaaaaaaaaa
Removing intermediate container aaaaaaaaaaa
 ---> bbbbbbbbbbbbb
Successfully built bbbbbbbbbbbbb
Successfully tagged gimme:<version>

You can now start the container:

$ docker run -p 5000:5000 -e "GOOGLE_OAUTH_CLIENT_ID=<CLIENT_ID>" -e "GOOGLE_OAUTH_CLIENT_SECRET=<CLIENT_SECRET>" gimme:<version>

*** Starting uWSGI 2.0.17 (64bit) on [Wed Jul  4 11:57:47 2018] ***
[..]
*** Operational MODE: preforking ***
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0x7f03ca146740 pid: 1 (default app)
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 1)
spawned uWSGI worker 1 (pid: 8, cores: 1)
spawned uWSGI worker 2 (pid: 9, cores: 1)
spawned uWSGI worker 3 (pid: 10, cores: 1)
spawned uWSGI worker 4 (pid: 11, cores: 1)
spawned uWSGI http 1 (pid: 12)

At this point trying to access the application will probably give you an error related to the OAuth redirect URL not matching what you've configured.

You'll need to put this behind a load balancer (or at the very least a proxy) and ensure the Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto are passed on correctly. Here's an nginx sample:

server {
  listen 443;
  server_name gimme.example.com;

  ...
  location / {
      proxy_pass         http://<EXTERNAL_CONTAINER_IP>:5000/;
      proxy_redirect     off;

      proxy_set_header   Host                 $host;
      proxy_set_header   X-Real-IP            $remote_addr;
      proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Proto    $scheme;
  }
}

This should ensure Flask will now generate URLs with a base of https://gimme.example.com which you can now properly whitelist.

🚧 Development

Once you've set the necessary configuration variables in your environment as detailed in the Configuration section, you can start the app with:

$ flask run
 * Serving Flask app "autoapp.py" (lazy loading)
 * Environment: development
 * Debug mode: on
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: XXX-YYY-ZZZ

At this point you can open your browser, point it at http://127.0.0.1:5000 and you should be greeted by a Google login screen.

💉 Testing

Gimme comes with a suite of unit tests powered by pytest. We additionally check and enforce a number of things through flake8 and a few of its plugins.

In order to run the tests you can:

$ pytest --verbose -x --flake8 --cov=gimme --cov-report=term tests/

============================ test session starts ============================
[..]
plugins: freezegun-0.2.0, flake8-1.0.1, cov-2.5.1

[..]
---------- coverage: platform linux2, python 2.7.14-final-0 ----------
Name                Stmts   Miss Branch BrPart  Cover
-----------------------------------------------------
gimme/forms.py         10      0      0      0   100%
gimme/helpers.py       67      0     23      0   100%
gimme/settings.py      29      0      2      0   100%
gimme/views.py         20      0      2      0   100%
-----------------------------------------------------
TOTAL                 126      0     27      0   100%



==================== 37 passed, 5 skipped in 1.12 seconds ====================

🤸 Contributing

We will gladly accept contributions. As with all Spotify projects, participation is governed by the Open Code of Conduct and you are expected to honor this code.

For any contributions to the Python parts of the code base tests are required. We will not accept contributions that are not covered by tests or that decrease the current test coverage. If you're unfamiliar with testing, please take a look at the code in the tests/ directory first. Should you need further help feel free to ask for it when you raise a Pull Request.

📝 License

Copyright 2018 Spotify AB.

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,796
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
13,197
star
3

pedalboard

🎛 🔊 A Python library for audio.
C++
5,147
star
4

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,510
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
3,184
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,756
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED – Spotify’s component-driven UI framework for iOS
Objective-C
1,861
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,614
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,431
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,399
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS app’s lifecycle, and this is ours.
Objective-C
1,243
star
18

voyager

🛰ī¸ An approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,242
star
19

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,223
star
20

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,178
star
21

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,130
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,102
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➡ī¸ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
856
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
836
star
28

XCRemoteCache

Swift
830
star
29

ios-sdk

Spotify SDK for iOS
Objective-C
643
star
30

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
630
star
31

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
627
star
32

JniHelpers

Tools for writing great JNI code
C++
593
star
33

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
590
star
34

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
557
star
35

reactochart

📈 React chart component library 📉
JavaScript
552
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
535
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
488
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
467
star
39

android-sdk

Spotify SDK for Android
HTML
457
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
395
star
41

completable-futures

Utilities for working with futures in Java 8
Java
393
star
42

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
383
star
43

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
356
star
44

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
347
star
45

ratatool

A tool for data sampling, data generation, and data diffing
Scala
338
star
46

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
324
star
47

coordinator

A visual interface for turning an SVG into XY coÃļrdinates.
HTML
288
star
48

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
287
star
49

trickle

A small library for composing asynchronous code
Java
285
star
50

pythonflow

🐍 Dataflow programming for python.
Python
285
star
51

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
266
star
52

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
53

confidence

Python
254
star
54

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
243
star
55

ios-style

Guidelines for iOS development in use at Spotify
243
star
56

cassandra-reaper

Software to run automated repairs of cassandra
235
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
220
star
58

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
216
star
59

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
213
star
60

linux

Spotify's Linux kernel for Debian-based systems
C
208
star
61

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
206
star
62

git-test

test your commits
Shell
203
star
63

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
64

spotify-json

Fast and nice to use C++ JSON library.
C++
194
star
65

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
193
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
189
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
185
star
68

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
166
star
69

magnolify

A collection of Magnolia add-on modules
Scala
163
star
70

dataenum

Algebraic data types in Java.
Java
163
star
71

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
72

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
158
star
73

gcp-audit

A tool for auditing security properties of GCP projects.
Python
157
star
74

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
155
star
75

should-up

Remove most of the "should" noise from your tests
JavaScript
153
star
76

folsom

An asynchronous memcache client for Java
Java
147
star
77

missinglink

Build time tool for detecting link problems in java projects
Java
146
star
78

flo

A lightweight workflow definition library
Java
146
star
79

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
144
star
80

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
143
star
81

proto-registry

An implementation of the Protobuf Registry API
TypeScript
141
star
82

futures-extra

Java library for working with Guava futures
Java
138
star
83

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
138
star
84

annoy-java

Approximate nearest neighbors in Java
Java
138
star
85

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
134
star
86

github-java-client

A Java client to Github API
Java
129
star
87

docker-stress

Simple docker stress test and monitoring tools
Python
125
star
88

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
124
star
89

crtauth

a public key backed client/server authentication system
Python
118
star
90

sparkey-java

Java implementation of the Sparkey key value store
Java
118
star
91

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
118
star
92

realbook

Easier audio-based machine learning with TensorFlow.
Python
112
star
93

rspec-dns

Easily test your DNS with RSpec
Ruby
107
star
94

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK ➡ī¸ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
107
star
95

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
105
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

spotify.github.io

Showcase site for hand-picked open-source projects by Spotify
HTML
96
star
98

lighthouse-audit-service

TypeScript
95
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
93
star
100

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star