
使用 Python 脚本的 AWS Lake Formation 数据权限

如何解决:使用 Python 脚本的 AWS Lake Formation 数据权限

我正在使用 Excel 文件添加一些数据,用于授予和撤销 Lake Formation 的权限。此函数将根据参数撤销或授予权限。

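def apply_lake_formation_permissions(profile="default",_database=None):
    """Grant or revoke Lake Formation permissions listed in an Excel sheet.

    Every spreadsheet row describes one permission change. Columns named
    ``<ResourceType>_<Field>`` (for example ``Table_DatabaseName``) are folded
    into the ``Resource`` structure of the request; the ``Principal``,
    ``Permissions``, ``PermissionsWithGrantOption`` and ``Action`` columns
    supply the rest of the entry.

    The workbook path and the AWS account id are read from the module-level
    names ``File`` and ``account_number``.

    Args:
        profile: Name of the AWS profile used to create the boto3 session.
        _database: Not used by this function.

    Returns:
        None. The outcome of every row is printed.
    """
    lake_formation = boto3.session.Session(profile_name=profile).client('lakeformation')
    df = pd.read_excel(File, engine='openpyxl')
    # Empty cells become "" so they can be compared against "" below.
    df.fillna("", inplace=True)

    for index, _df in df.iterrows():
        _Resource = {}
        # NOTE(review): `z` collects the fields of every resource column in the
        # row, so a row that fills in more than one resource type ends up with
        # the same merged dict under each key. Confirm rows use one type only.
        z = {}
        for column_name in _df.keys():
            if "_" in column_name and _df[column_name] != "":
                column_name_split_list = column_name.split("_")
                resource_type = column_name_split_list[0].lower()
                z[column_name_split_list[1]] = str(_df[column_name])
                if "TableWithColumns" in column_name:
                    if z.get('Name') == "ALL_TABLES":
                        # ALL_TABLES is rewritten to a name pattern and a
                        # table-wildcard resource is added for the database.
                        z['Name'] = "ALL_TABLES.*"
                        _Resource['Table'] = {
                            "DatabaseName": _df["TableWithColumns_DatabaseName"],
                            'TableWildcard': {},
                        }
                    z['ColumnWildcard'] = {}
                    _Resource['TableWithColumns'] = z
                elif resource_type == "table":
                    if z.get('Name') == "ALL_TABLES":
                        # A wildcard replaces the explicit table name.
                        del z['Name']
                        z['TableWildcard'] = {}
                    _Resource['Table'] = z
                elif resource_type == "database":
                    _Resource['Database'] = z

        # No resource columns filled in: the entry targets the catalog itself.
        if not _Resource:
            _Resource['Catalog'] = {}

        if _df['Principal'] != 'IAM_ALLOWED_PRINCIPALS':
            # The cell value is appended verbatim after the account id.
            # NOTE(review): it is not validated here; presumably it has the
            # form "role/<name>" or "user/<name>" - confirm against the sheet.
            _Principal = {"DataLakePrincipalIdentifier": "arn:aws:iam::" + account_number + ":" + _df['Principal']}
        else:
            _Principal = {"DataLakePrincipalIdentifier": _df['Principal']}

        _Permissions = _split_permissions(_df['Permissions'])

        if _df['PermissionsWithGrantOption'] == "" or 'TableWildcard' in z:
            _PermissionsWithGrantOption = []
        else:
            _PermissionsWithGrantOption = _split_permissions(_df['PermissionsWithGrantOption'])

        # Grant and revoke take the same entry shape. An entry that carries
        # only 'Id' and 'PermissionsWithGrantOption' names no principal,
        # resource or permission, so there is nothing for the call to change.
        entry = {
            'Id': str(uuid.uuid4()),
            'Principal': _Principal,
            'Resource': _Resource,
            'Permissions': _Permissions,
            'PermissionsWithGrantOption': _PermissionsWithGrantOption,
        }

        action = str(_df['Action']).strip().lower()
        if action == "revoke":
            print(f"Revoking.. {_Principal},{_Resource},{_Permissions},{_PermissionsWithGrantOption}")
            print(_Principal.get('DataLakePrincipalIdentifier'))
            response = lake_formation.batch_revoke_permissions(Entries=[entry])
            # The batch call itself can succeed (HTTP 200) while the entry is
            # rejected; the per-entry result is only visible in 'Failures'.
            # Reporting success without this check leaves access in place
            # that the operator believes was removed.
            failures = response.get('Failures')
            if failures:
                cprint(f"Revoke FAILED for row {index}: {failures}", "red")
            else:
                print(f"Access Revoked {response}")
        elif action == "grant":
            cprint(f"Granting... {_Principal},{_PermissionsWithGrantOption}", "green")
            response = lake_formation.batch_grant_permissions(Entries=[entry])
            failures = response.get('Failures')
            if failures:
                cprint(f"Grant FAILED for row {index}: {failures}", "red")
            else:
                cprint(f"Access Granted {response}", "blue")
        else:
            # Surface rows that were skipped instead of dropping them silently.
            cprint(f"Row {index} skipped: unrecognised Action {_df['Action']!r}", "red")


def _split_permissions(cell):
    """Split a comma-separated permissions cell into a list of clean names."""
    # Whitespace around names and empty items would be sent to the API as
    # invalid permission values, so both are dropped.
    return [name.strip() for name in str(cell).split(',') if name.strip()]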

以下是一个请求参数的示例:

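# Example request with placeholder values. 'Permissions' and
# 'PermissionsWithGrantOption' are keys of the entry itself, next to
# 'Resource', not members of the 'Resource' structure.
response = lake_formation.batch_revoke_permissions(
    Entries=[
        {
            'Id': str(uuid.uuid4()),
            'Principal': {'DataLakePrincipalIdentifier': 'xxxxxxxxx'},
            'Resource': {
                'Table': {
                    'CatalogId': 'xxxxxxxxxxx',
                    'DatabaseName': 'xxxxxxx',
                    'Name': 'xxxxxxxxx',
                },
            },
            'Permissions': ['ALL'],
            'PermissionsWithGrantOption': [],
        }
    ]
)
# The per-entry outcome is in response['Failures']; an empty list means the
# entry was applied.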

对于上述请求,我收到以下错误(响应的 HTTP 状态码是 200,但该条目出现在 Failures 中,说明权限实际上并未被撤销):

Access Revoked {'Failures': [{'RequestEntry': {'Id': 'xxxxxxxxxxxxxx','Principal': {'DataLakePrincipalIdentifier': 'xxxxxxxxxx'},'Resource': {'Table': {'CatalogId': 'xxxxxxxxxx','DatabaseName': 'xxxxxxxxxx','Name': 'xxxxxxxxxxxxxxx'}},'PermissionsWithGrantOption': []},'Error': {'ErrorCode': 'AccessDeniedException','ErrorMessage': 'Insufficient glue permissions to access table xxxxxxxxxxxx'}}],'ResponseMetadata': {'RequestId': 'xxxxxxxxxxx','HTTPStatusCode': 200,'HTTPHeaders': {'date': 'Tue,29 Dec 2020 13:36:35 GMT','content-type': 'application/x-amz-json-1.1','content-length': '494','connection': 'keep-alive','x-amzn-requestid': 'xxxxxxxxxxxxxxx','cache-control': 'no-cache'},'RetryAttempts': 0}}
