Home Explore Help
Sign In
LiuFan
/
PrivacyScanData
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: bea9142d64
Branches Tags
PrivacyScanD...
/
Azure
/
validate_azure_dladmin_identity.py

validate_azure_dladmin_identity.py 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469 
  1. #!/usr/bin/env python3
    2. 

  2. ###
    3. 

  3. # CLOUDERA CDP Control (cdpctl)
    4. 

  4. #
    5. 

  5. # (C) Cloudera, Inc. 2021-2021
    6. 

  6. # All rights reserved.
    7. 

  7. #
    8. 

  8. # Applicable Open Source License: GNU AFFERO GENERAL PUBLIC LICENSE
    9. 

  9. #
    10. 

  10. # NOTE: Cloudera open source products are modular software products
    11. 

  11. # made up of hundreds of individual components, each of which was
    12. 

  12. # individually copyrighted.  Each Cloudera open source product is a
    13. 

  13. # collective work under U.S. Copyright Law. Your license to use the
    14. 

  14. # collective work is as provided in your written agreement with
    15. 

  15. # Cloudera.  Used apart from the collective work, this file is
    16. 

  16. # licensed for your use pursuant to the open source license
    17. 

  17. # identified above.
    18. 

  18. #
    19. 

  19. # This code is provided to you pursuant a written agreement with
    20. 

  20. # (i) Cloudera, Inc. or (ii) a third-party authorized to distribute
    21. 

  21. # this code. If you do not have a written agreement with Cloudera nor
    22. 

  22. # with an authorized and properly licensed third party, you do not
    23. 

  23. # have any rights to access nor to use this code.
    24. 

  24. #
    25. 

  25. # Absent a written agreement with Cloudera, Inc. (“Cloudera”) to the
    26. 

  26. # contrary, A) CLOUDERA PROVIDES THIS CODE TO YOU WITHOUT WARRANTIES OF ANY
    27. 

  27. # KIND; (B) CLOUDERA DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED
    28. 

  28. # WARRANTIES WITH RESPECT TO THIS CODE, INCLUDING BUT NOT LIMITED TO
    29. 

  29. # IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND
    30. 

  30. # FITNESS FOR A PARTICULAR PURPOSE; (C) CLOUDERA IS NOT LIABLE TO YOU,
    31. 

  31. # AND WILL NOT DEFEND, INDEMNIFY, NOR HOLD YOU HARMLESS FOR ANY CLAIMS
    32. 

  32. # ARISING FROM OR RELATED TO THE CODE; AND (D)WITH RESPECT TO YOUR EXERCISE
    33. 

  33. # OF ANY RIGHTS GRANTED TO YOU FOR THE CODE, CLOUDERA IS NOT LIABLE FOR ANY
    34. 

  34. # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR
    35. 

  35. # CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO, DAMAGES
    36. 

  36. # RELATED TO LOST REVENUE, LOST PROFITS, LOSS OF INCOME, LOSS OF
    37. 

  37. # BUSINESS ADVANTAGE OR UNAVAILABILITY, OR LOSS OR CORRUPTION OF
    38. 

  38. # DATA.
    39. 

  39. #
    40. 

  40. # Source File Name:  validate_azure_dladmin_identity.py
    41. 

  41. ###
    42. 

  42. """Validation of Azure Datalake Admin Identity."""
    43. 

  43. from typing import Any, Dict, List
    44. 

  44. 

  45. import pytest
    46. 

  46. from azure.mgmt.authorization import AuthorizationManagementClient
    47. 

  47. from azure.mgmt.resource import ResourceManagementClient
    48. 

  48. 

  49. from cdpctl.validation import fail, get_config_value
    50. 

  50. from cdpctl.validation.azure_utils import (
    51. 

  51.     check_for_actions,
    52. 

  52.     get_client,
    53. 

  53.     get_role_assignments,
    54. 

  54.     get_storage_container_scope,
    55. 

  55.     parse_adls_path,
    56. 

  56. )
    57. 

  57. from cdpctl.validation.infra.issues import (
    58. 

  58.     AZURE_IDENTITY_MISSING_ACTIONS_FOR_LOCATION,
    59. 

  59.     AZURE_IDENTITY_MISSING_DATA_ACTIONS_FOR_LOCATION,
    60. 

  60. )
    61. 

  61. 

  62. 

  63. @pytest.fixture(autouse=True, name="resource_client")
    64. 

  64. def resource_client_fixture(config: Dict[str, Any]) -> ResourceManagementClient:
    65. 

  65.     """Return an Azure Resource Client."""
    66. 

  66.     return get_client("resource", config)
    67. 

  67. 

  68. 

  69. @pytest.fixture(autouse=True, name="auth_client")
    70. 

  70. def auth_client_fixture(config: Dict[str, Any]) -> AuthorizationManagementClient:
    71. 

  71.     """Return an Azure Auth Client."""
    72. 

  72.     return get_client("auth", config)
    73. 

  73. 

  74. 

  75. @pytest.mark.azure
    76. 

  76. @pytest.mark.infra
    77. 

  77. def azure_dladmin_actions_for_logs_storage_validation(
    78. 

  78.     config: Dict[str, Any],
    79. 

  79.     auth_client: AuthorizationManagementClient,
    80. 

  80.     resource_client: ResourceManagementClient,
    81. 

  81.     azure_data_required_actions,
    82. 

  82. ) -> None:  # pragma: no cover
    83. 

  83.     """Datalake Admin Identity has required Actions on logs storage location."""  # noqa: D401,E501
    84. 

  84.     _azure_dladmin_logs_storage_actions_check(
    85. 

  85.         config=config,
    86. 

  86.         auth_client=auth_client,
    87. 

  87.         resource_client=resource_client,
    88. 

  88.         azure_data_required_actions=azure_data_required_actions,
    89. 

  89.     )
    90. 

  90. 

  91. 

  92. def _azure_dladmin_logs_storage_actions_check(
    93. 

  93.     config: Dict[str, Any],
    94. 

  94.     auth_client: AuthorizationManagementClient,
    95. 

  95.     resource_client: ResourceManagementClient,
    96. 

  96.     azure_data_required_actions: List[str],
    97. 

  97. ) -> None:  # pragma: no cover
    98. 

  98.     # noqa: D401,E501
    99. 

  99.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    100. 

  100.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    101. 

  101.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    102. 

  102.     log_path: str = get_config_value(config=config, key="env:azure:storage:path:logs")
    103. 

  103.     datalake_admin: str = get_config_value(
    104. 

  104.         config=config, key="env:azure:role:name:datalake_admin"
    105. 

  105.     )
    106. 

  106. 

  107.     parsed_logger_path = parse_adls_path(log_path)
    108. 

  108.     container_name = parsed_logger_path[1]
    109. 

  109. 

  110.     role_assignments = get_role_assignments(
    111. 

  111.         auth_client=auth_client,
    112. 

  112.         resource_client=resource_client,
    113. 

  113.         identity_name=datalake_admin,
    114. 

  114.         subscription_id=sub_id,
    115. 

  115.         resource_group=rg_name,
    116. 

  116.     )
    117. 

  117. 

  118.     proper_scope = get_storage_container_scope(
    119. 

  119.         sub_id, rg_name, storage_name, container_name
    120. 

  120.     )
    121. 

  121. 

  122.     missing_actions, _ = check_for_actions(
    123. 

  123.         auth_client=auth_client,
    124. 

  124.         role_assigments=role_assignments,
    125. 

  125.         proper_scope=proper_scope,
    126. 

  126.         required_actions=azure_data_required_actions,
    127. 

  127.         required_data_actions=[],
    128. 

  128.     )
    129. 

  129. 

  130.     if missing_actions:
    131. 

  131.         fail(
    132. 

  132.             AZURE_IDENTITY_MISSING_ACTIONS_FOR_LOCATION,
    133. 

  133.             subjects=[
    134. 

  134.                 datalake_admin,
    135. 

  135.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    136. 

  136.             ],
    137. 

  137.             resources=missing_actions,
    138. 

  138.         )
    139. 

  139. 

  140. 

  141. @pytest.mark.azure
    142. 

  142. @pytest.mark.infra
    143. 

  143. def azure_dladmin_data_actions_for_logs_storage_validation(
    144. 

  144.     config: Dict[str, Any],
    145. 

  145.     auth_client: AuthorizationManagementClient,
    146. 

  146.     resource_client: ResourceManagementClient,
    147. 

  147.     azure_data_required_data_actions,
    148. 

  148. ) -> None:  # pragma: no cover
    149. 

  149.     """Datalake Admin Identity has required Data Actions on logs storage location."""  # noqa: D401,E501
    150. 

  150.     _azure_dladmin_logs_storage_data_actions_check(
    151. 

  151.         config=config,
    152. 

  152.         auth_client=auth_client,
    153. 

  153.         resource_client=resource_client,
    154. 

  154.         azure_data_required_data_actions=azure_data_required_data_actions,
    155. 

  155.     )
    156. 

  156. 

  157. 

  158. def _azure_dladmin_logs_storage_data_actions_check(
    159. 

  159.     config: Dict[str, Any],
    160. 

  160.     auth_client: AuthorizationManagementClient,
    161. 

  161.     resource_client: ResourceManagementClient,
    162. 

  162.     azure_data_required_data_actions: List[str],
    163. 

  163. ) -> None:  # pragma: no cover
    164. 

  164.     # noqa: D401,E501
    165. 

  165.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    166. 

  166.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    167. 

  167.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    168. 

  168.     log_path: str = get_config_value(config=config, key="env:azure:storage:path:logs")
    169. 

  169.     datalake_admin: str = get_config_value(
    170. 

  170.         config=config, key="env:azure:role:name:datalake_admin"
    171. 

  171.     )
    172. 

  172. 

  173.     parsed_logger_path = parse_adls_path(log_path)
    174. 

  174.     container_name = parsed_logger_path[1]
    175. 

  175. 

  176.     role_assignments = get_role_assignments(
    177. 

  177.         auth_client=auth_client,
    178. 

  178.         resource_client=resource_client,
    179. 

  179.         identity_name=datalake_admin,
    180. 

  180.         subscription_id=sub_id,
    181. 

  181.         resource_group=rg_name,
    182. 

  182.     )
    183. 

  183. 

  184.     proper_scope = get_storage_container_scope(
    185. 

  185.         sub_id, rg_name, storage_name, container_name
    186. 

  186.     )
    187. 

  187. 

  188.     _, missing_data_actions = check_for_actions(
    189. 

  189.         auth_client=auth_client,
    190. 

  190.         role_assigments=role_assignments,
    191. 

  191.         proper_scope=proper_scope,
    192. 

  192.         required_actions=[],
    193. 

  193.         required_data_actions=azure_data_required_data_actions,
    194. 

  194.     )
    195. 

  195.     if missing_data_actions:
    196. 

  196.         fail(
    197. 

  197.             AZURE_IDENTITY_MISSING_DATA_ACTIONS_FOR_LOCATION,
    198. 

  198.             subjects=[
    199. 

  199.                 datalake_admin,
    200. 

  200.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    201. 

  201.             ],
    202. 

  202.             resources=missing_data_actions,
    203. 

  203.         )
    204. 

  204. 

  205. 

  206. @pytest.mark.azure
    207. 

  207. @pytest.mark.infra
    208. 

  208. def azure_dladmin_actions_for_data_storage_validation(
    209. 

  209.     config: Dict[str, Any],
    210. 

  210.     auth_client: AuthorizationManagementClient,
    211. 

  211.     resource_client: ResourceManagementClient,
    212. 

  212.     azure_data_required_actions,
    213. 

  213. ) -> None:  # pragma: no cover
    214. 

  214.     """Datalake Admin Identity has required Actions on data storage location."""  # noqa: D401,E501
    215. 

  215.     _azure_dladmin_data_storage_actions_check(
    216. 

  216.         config=config,
    217. 

  217.         auth_client=auth_client,
    218. 

  218.         resource_client=resource_client,
    219. 

  219.         azure_data_required_actions=azure_data_required_actions,
    220. 

  220.     )
    221. 

  221. 

  222. 

  223. def _azure_dladmin_data_storage_actions_check(
    224. 

  224.     config: Dict[str, Any],
    225. 

  225.     auth_client: AuthorizationManagementClient,
    226. 

  226.     resource_client: ResourceManagementClient,
    227. 

  227.     azure_data_required_actions: List[str],
    228. 

  228. ) -> None:  # pragma: no cover
    229. 

  229.     # noqa: D401,E501
    230. 

  230.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    231. 

  231.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    232. 

  232.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    233. 

  233.     data_path: str = get_config_value(config=config, key="env:azure:storage:path:data")
    234. 

  234.     datalake_admin: str = get_config_value(
    235. 

  235.         config=config, key="env:azure:role:name:datalake_admin"
    236. 

  236.     )
    237. 

  237. 

  238.     parsed_data_path = parse_adls_path(data_path)
    239. 

  239.     container_name = parsed_data_path[1]
    240. 

  240. 

  241.     role_assignments = get_role_assignments(
    242. 

  242.         auth_client=auth_client,
    243. 

  243.         resource_client=resource_client,
    244. 

  244.         identity_name=datalake_admin,
    245. 

  245.         subscription_id=sub_id,
    246. 

  246.         resource_group=rg_name,
    247. 

  247.     )
    248. 

  248. 

  249.     proper_scope = get_storage_container_scope(
    250. 

  250.         sub_id, rg_name, storage_name, container_name
    251. 

  251.     )
    252. 

  252. 

  253.     missing_actions, _ = check_for_actions(
    254. 

  254.         auth_client=auth_client,
    255. 

  255.         role_assigments=role_assignments,
    256. 

  256.         proper_scope=proper_scope,
    257. 

  257.         required_actions=azure_data_required_actions,
    258. 

  258.         required_data_actions=[],
    259. 

  259.     )
    260. 

  260. 

  261.     if missing_actions:
    262. 

  262.         fail(
    263. 

  263.             AZURE_IDENTITY_MISSING_ACTIONS_FOR_LOCATION,
    264. 

  264.             subjects=[
    265. 

  265.                 datalake_admin,
    266. 

  266.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    267. 

  267.             ],
    268. 

  268.             resources=missing_actions,
    269. 

  269.         )
    270. 

  270. 

  271. 

  272. @pytest.mark.azure
    273. 

  273. @pytest.mark.infra
    274. 

  274. def azure_dladmin_data_actions_for_data_storage_validation(
    275. 

  275.     config: Dict[str, Any],
    276. 

  276.     auth_client: AuthorizationManagementClient,
    277. 

  277.     resource_client: ResourceManagementClient,
    278. 

  278.     azure_data_required_data_actions,
    279. 

  279. ) -> None:  # pragma: no cover
    280. 

  280.     """Datalake Admin Identity has required Data Actions on data storage location."""  # noqa: D401,E501
    281. 

  281.     _azure_dladmin_data_storage_data_actions_check(
    282. 

  282.         config=config,
    283. 

  283.         auth_client=auth_client,
    284. 

  284.         resource_client=resource_client,
    285. 

  285.         azure_data_required_data_actions=azure_data_required_data_actions,
    286. 

  286.     )
    287. 

  287. 

  288. 

  289. def _azure_dladmin_data_storage_data_actions_check(
    290. 

  290.     config: Dict[str, Any],
    291. 

  291.     auth_client: AuthorizationManagementClient,
    292. 

  292.     resource_client: ResourceManagementClient,
    293. 

  293.     azure_data_required_data_actions: List[str],
    294. 

  294. ) -> None:  # pragma: no cover
    295. 

  295.     # noqa: D401,E501
    296. 

  296.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    297. 

  297.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    298. 

  298.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    299. 

  299.     data_path: str = get_config_value(config=config, key="env:azure:storage:path:data")
    300. 

  300.     datalake_admin: str = get_config_value(
    301. 

  301.         config=config, key="env:azure:role:name:datalake_admin"
    302. 

  302.     )
    303. 

  303. 

  304.     parsed_data_path = parse_adls_path(data_path)
    305. 

  305.     container_name = parsed_data_path[1]
    306. 

  306. 

  307.     role_assignments = get_role_assignments(
    308. 

  308.         auth_client=auth_client,
    309. 

  309.         resource_client=resource_client,
    310. 

  310.         identity_name=datalake_admin,
    311. 

  311.         subscription_id=sub_id,
    312. 

  312.         resource_group=rg_name,
    313. 

  313.     )
    314. 

  314. 

  315.     proper_scope = get_storage_container_scope(
    316. 

  316.         sub_id, rg_name, storage_name, container_name
    317. 

  317.     )
    318. 

  318. 

  319.     _, missing_data_actions = check_for_actions(
    320. 

  320.         auth_client=auth_client,
    321. 

  321.         role_assigments=role_assignments,
    322. 

  322.         proper_scope=proper_scope,
    323. 

  323.         required_actions=[],
    324. 

  324.         required_data_actions=azure_data_required_data_actions,
    325. 

  325.     )
    326. 

  326.     if missing_data_actions:
    327. 

  327.         fail(
    328. 

  328.             AZURE_IDENTITY_MISSING_DATA_ACTIONS_FOR_LOCATION,
    329. 

  329.             subjects=[
    330. 

  330.                 datalake_admin,
    331. 

  331.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    332. 

  332.             ],
    333. 

  333.             resources=missing_data_actions,
    334. 

  334.         )
    335. 

  335. 

  336. 

  337. @pytest.mark.azure
    338. 

  338. @pytest.mark.infra
    339. 

  339. def azure_dladmin_actions_for_backup_storage_validation(
    340. 

  340.     config: Dict[str, Any],
    341. 

  341.     auth_client: AuthorizationManagementClient,
    342. 

  342.     resource_client: ResourceManagementClient,
    343. 

  343.     azure_data_required_actions,
    344. 

  344. ) -> None:  # pragma: no cover
    345. 

  345.     """Datalake Admin Identity has required Actions on backup storage location."""  # noqa: D401,E501
    346. 

  346.     _azure_dladmin_backup_storage_actions_check(
    347. 

  347.         config=config,
    348. 

  348.         auth_client=auth_client,
    349. 

  349.         resource_client=resource_client,
    350. 

  350.         azure_data_required_actions=azure_data_required_actions,
    351. 

  351.     )
    352. 

  352. 

  353. 

  354. def _azure_dladmin_backup_storage_actions_check(
    355. 

  355.     config: Dict[str, Any],
    356. 

  356.     auth_client: AuthorizationManagementClient,
    357. 

  357.     resource_client: ResourceManagementClient,
    358. 

  358.     azure_data_required_actions: List[str],
    359. 

  359. ) -> None:  # pragma: no cover
    360. 

  360.     # noqa: D401,E501
    361. 

  361.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    362. 

  362.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    363. 

  363.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    364. 

  364.     backup_path: str = get_config_value(
    365. 

  365.         config=config, key="env:azure:storage:path:backup"
    366. 

  366.     )
    367. 

  367.     datalake_admin: str = get_config_value(
    368. 

  368.         config=config, key="env:azure:role:name:datalake_admin"
    369. 

  369.     )
    370. 

  370. 

  371.     parsed_logger_path = parse_adls_path(backup_path)
    372. 

  372.     container_name = parsed_logger_path[1]
    373. 

  373. 

  374.     role_assignments = get_role_assignments(
    375. 

  375.         auth_client=auth_client,
    376. 

  376.         resource_client=resource_client,
    377. 

  377.         identity_name=datalake_admin,
    378. 

  378.         subscription_id=sub_id,
    379. 

  379.         resource_group=rg_name,
    380. 

  380.     )
    381. 

  381. 

  382.     proper_scope = get_storage_container_scope(
    383. 

  383.         sub_id, rg_name, storage_name, container_name
    384. 

  384.     )
    385. 

  385. 

  386.     missing_actions, _ = check_for_actions(
    387. 

  387.         auth_client=auth_client,
    388. 

  388.         role_assigments=role_assignments,
    389. 

  389.         proper_scope=proper_scope,
    390. 

  390.         required_actions=azure_data_required_actions,
    391. 

  391.         required_data_actions=[],
    392. 

  392.     )
    393. 

  393. 

  394.     if missing_actions:
    395. 

  395.         fail(
    396. 

  396.             AZURE_IDENTITY_MISSING_ACTIONS_FOR_LOCATION,
    397. 

  397.             subjects=[
    398. 

  398.                 datalake_admin,
    399. 

  399.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    400. 

  400.             ],
    401. 

  401.             resources=missing_actions,
    402. 

  402.         )
    403. 

  403. 

  404. 

  405. @pytest.mark.azure
    406. 

  406. @pytest.mark.infra
    407. 

  407. def azure_dladmin_data_actions_for_backup_storage_validation(
    408. 

  408.     config: Dict[str, Any],
    409. 

  409.     auth_client: AuthorizationManagementClient,
    410. 

  410.     resource_client: ResourceManagementClient,
    411. 

  411.     azure_data_required_data_actions,
    412. 

  412. ) -> None:  # pragma: no cover
    413. 

  413.     """Datalake Admin Identity has required Data Actions on backup storage location."""  # noqa: D401,E501
    414. 

  414.     _azure_dladmin_backup_storage_data_actions_check(
    415. 

  415.         config=config,
    416. 

  416.         auth_client=auth_client,
    417. 

  417.         resource_client=resource_client,
    418. 

  418.         azure_data_required_data_actions=azure_data_required_data_actions,
    419. 

  419.     )
    420. 

  420. 

  421. 

  422. def _azure_dladmin_backup_storage_data_actions_check(
    423. 

  423.     config: Dict[str, Any],
    424. 

  424.     auth_client: AuthorizationManagementClient,
    425. 

  425.     resource_client: ResourceManagementClient,
    426. 

  426.     azure_data_required_data_actions: List[str],
    427. 

  427. ) -> None:  # pragma: no cover
    428. 

  428.     # noqa: D401,E501
    429. 

  429.     sub_id: str = get_config_value(config=config, key="infra:azure:subscription_id")
    430. 

  430.     rg_name: str = get_config_value(config=config, key="infra:azure:metagroup:name")
    431. 

  431.     storage_name: str = get_config_value(config=config, key="env:azure:storage:name")
    432. 

  432.     backup_path: str = get_config_value(
    433. 

  433.         config=config, key="env:azure:storage:path:backup"
    434. 

  434.     )
    435. 

  435.     datalake_admin: str = get_config_value(
    436. 

  436.         config=config, key="env:azure:role:name:datalake_admin"
    437. 

  437.     )
    438. 

  438. 

  439.     parsed_logger_path = parse_adls_path(backup_path)
    440. 

  440.     container_name = parsed_logger_path[1]
    441. 

  441. 

  442.     role_assignments = get_role_assignments(
    443. 

  443.         auth_client=auth_client,
    444. 

  444.         resource_client=resource_client,
    445. 

  445.         identity_name=datalake_admin,
    446. 

  446.         subscription_id=sub_id,
    447. 

  447.         resource_group=rg_name,
    448. 

  448.     )
    449. 

  449. 

  450.     proper_scope = get_storage_container_scope(
    451. 

  451.         sub_id, rg_name, storage_name, container_name
    452. 

  452.     )
    453. 

  453. 

  454.     _, missing_data_actions = check_for_actions(
    455. 

  455.         auth_client=auth_client,
    456. 

  456.         role_assigments=role_assignments,
    457. 

  457.         proper_scope=proper_scope,
    458. 

  458.         required_actions=[],
    459. 

  459.         required_data_actions=azure_data_required_data_actions,
    460. 

  460.     )
    461. 

  461.     if missing_data_actions:
    462. 

  462.         fail(
    463. 

  463.             AZURE_IDENTITY_MISSING_DATA_ACTIONS_FOR_LOCATION,
    464. 

  464.             subjects=[
    465. 

  465.                 datalake_admin,
    466. 

  466.                 f"storageAccounts/{storage_name}/blobServices/default/containers/{container_name}",  # noqa: E501
    467. 

  467.             ],
    468. 

  468.             resources=missing_data_actions,
    469. 

  469.         )
    470.