From 04bcef0b83f77db94325529b24608df2e32d16ee Mon Sep 17 00:00:00 2001 From: gautier Date: Tue, 17 Nov 2020 15:01:01 +0100 Subject: [PATCH] [HOPSWORKS.AI-DOC] add permission restriction for Azure --- .../aws/restrictive_permissions.md | 4 +- docs/hopsworksai/azure/getting_started.md | 2 +- .../azure/restrictive_permissions.md | 62 +++++++++++++++++++ mkdocs.yml | 4 +- 4 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 docs/hopsworksai/azure/restrictive_permissions.md diff --git a/docs/hopsworksai/aws/restrictive_permissions.md b/docs/hopsworksai/aws/restrictive_permissions.md index 5382f1d4da..554518a0f8 100644 --- a/docs/hopsworksai/aws/restrictive_permissions.md +++ b/docs/hopsworksai/aws/restrictive_permissions.md @@ -4,7 +4,7 @@ Hopsworks.ai requires a set of permissions to be able to manage resources in the By default, these permissions are set to easily allow a wide range of different configurations and allow us to automate as many steps as possible. While we ensure to never access resources we shouldn’t, we do understand that this might not be enough for your organization or security policy. -This guide explains how to lock down AWS permissions following the IT security policy principal of least privilege allowing +This guide explains how to lock down AWS permissions following the IT security policy principle of least privilege allowing Hopsworks.ai to only access resources in a specific VPC. ## Step 1: Create a VPC 
@@ -29,7 +29,7 @@ Take note of the ARN of the role you just created. ## Step 3: Set permissions of the cross-account role During the account setup for Hopsworks.ai, you were asked to create and provide a cross-account role. -If you don’t remember which role you used then you can find it Settings/Account Settings in Hopsworks.ai. +If you don’t remember which role you used then you can find it in Settings/Account Settings in Hopsworks.ai. Edit this role in the AWS Management Console and overwrite the existing inline policy with the following policy. Note that you have to replace `[INSTANCE_PROFILE_NAME]` and `[VPC_ID]` for multiple occurrences in the given policy. diff --git a/docs/hopsworksai/azure/getting_started.md b/docs/hopsworksai/azure/getting_started.md index 23eb99cb0c..b7415c31dd 100644 --- a/docs/hopsworksai/azure/getting_started.md +++ b/docs/hopsworksai/azure/getting_started.md @@ -272,7 +272,7 @@ Click on *Create*, name your storage account, select the Location you want to us ### Step 2.3: Give the Managed Identity access to the storage Proceed to the Storage Account you just created and click on *Access Control (IAM)* (1). Click on *Add* (2), then click on *Add role assignment* (3). -In *Role* select *Storage Blob Data Owner* (4). In *Assign access to* select *User assigned managed identity* (5). Select the identity you created in step 2.1 (6). +In *Role* select *Storage Blob Data Contributor* (4). In *Assign access to* select *User assigned managed identity* (5). Select the identity you created in step 2.1 (6). Click on *Save* (7).

diff --git a/docs/hopsworksai/azure/restrictive_permissions.md b/docs/hopsworksai/azure/restrictive_permissions.md new file mode 100644 index 0000000000..1ab4096ee9 --- /dev/null +++ b/docs/hopsworksai/azure/restrictive_permissions.md 
@@ -0,0 +1,62 @@ +# Limiting Azure permissions + +Hopsworks.ai requires a set of permissions to be able to manage resources in the user’s Azure resource group. +By default, these permissions are set to easily allow a wide range of different configurations and allow +us to automate as many steps as possible. While we ensure to never access resources we shouldn’t, +we do understand that this might not be enough for your organization or security policy. +This guide explains how to lock down access permissions following the IT security policy principle of least privilege. + +## Step 1: Create a virtual network and subnet + +To restrict Hopsworks.ai from having write and delete access on virtual networks and subnet you need to create them manually. +This can be achieved in the Azure portal following this guide: [Create a virtual network](https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal). +Make sure to use the resource group and location in which you intend to deploy your Hopsworks cluster. For the remaining of the configuration, the default options proposed by the portal should work out of the box. +Note the names of the virtual network and subnet you want to use for the following steps. + +## Step 2: Create a network security group + +To restrict Hopsworks.ai from having write and delete access on network security groups you need to create it manually. +This can be achieved in the Azure portal following this guide: [Create a network security group](https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#create-a-network-security-group). +Make sure to use the resource group and location in which you intend to deploy your Hopsworks cluster. + +For Hopsworks.ai to create the SSL certificates the network security group needs to allow inbound traffic on port 80. +For this, you need to add an inbound security rule to your network security group. 
+This can be achieved in the Azure portal following this guide: [Create a security rule](https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#create-a-security-rule>). +Setting the destination port ranges to 80 and letting the default values for the other fields should work out of the box. + +!!! note + If you intend to use the managed users option on your Hopsworks cluster you should also add a rule to open port 443. + +## Step 3: Set permissions of the cross-account role +During the account setup for Hopsworks.ai, you were asked to create create a custom role for your resource group. +Edit this role in the Azure portal by going to your resource group, clicking on *Access control (IAM)*, opening the tab *Roles*, searching for the role you created, clicking on the three dots at the end of the role line and clicking on edit. +You can then navigate to the JSON tab and overwrite the "action" field with the following: + +```json +"actions": [ + "Microsoft.Compute/virtualMachines/*", + "Microsoft.Compute/disks/write", + "Microsoft.Compute/disks/delete", + "Microsoft.Network/locations/*", + "Microsoft.Network/networkInterfaces/*", + "Microsoft.Network/networkSecurityGroups/read", + "Microsoft.Network/networkSecurityGroups/join/action", + "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", + "Microsoft.Network/networkSecurityGroups/securityRules/read", + "Microsoft.Network/publicIPAddresses/join/action", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/publicIPAddresses/write", + "Microsoft.Network/publicIPAddresses/delete", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Compute/sshPublicKeys/read", + "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", + "Microsoft.ManagedIdentity/userAssignedIdentities/read" + ] 
+``` + +## Step 4: Create your Hopsworks instance + +You can now create a new Hopsworks instance in Hopsworks.ai by selecting the virtual network, subnet, and network security group during the instance configuration. diff --git a/mkdocs.yml b/mkdocs.yml index a23ee425f0..a481e4d5dd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,9 @@ nav: - Getting Started: - AWS: hopsworksai/aws/getting_started.md - Azure: hopsworksai/azure/getting_started.md - - Limiting AWS Permissions: hopsworksai/aws/restrictive_permissions.md + - Limiting Permissions: + - AWS: hopsworksai/aws/restrictive_permissions.md + - Azure: hopsworksai/azure/restrictive_permissions.md # - Databricks Quickstart: # - AWS: hopsworksai/aws/databricks_quickstart.md # - Azure: hopsworksai/azure/databricks_quickstart.md
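Review bot: the *Storage Blob Data Owner* to *Storage Blob Data Contributor* change in the `### Step 2.3` hunk of `docs/hopsworksai/azure/getting_started.md` narrows the identity to blob read/write/delete and drops the right to manage POSIX ACLs on a storage account with hierarchical namespace enabled, which is the correct least-privilege direction; the step should say in one sentence that the cluster only needs blob data access so readers understand the narrower role is sufficient, and it is worth checking that no other page still tells readers to assign *Storage Blob Data Owner* to this managed identity.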
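Review bot: several wording and consistency problems in the new `docs/hopsworksai/azure/restrictive_permissions.md` hunk should be fixed before merge. The security-rule link `[Create a security rule](https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#create-a-security-rule>)` has a stray `>` inside the URL and will render as a broken link. Step 3 contains the duplicated words `create create a custom role`, and its heading `## Step 3: Set permissions of the cross-account role` is carried over from the AWS guide while the text describes a custom role on the resource group, so it should be renamed to match. The sentence `overwrite the "action" field with the following:` names the wrong key: the JSON that follows uses `"actions"`. `For the remaining of the configuration` should read `For the remainder of the configuration`. In the permission list, `Microsoft.Compute/disks/write` and `Microsoft.Compute/disks/delete` appear without `Microsoft.Compute/disks/read`; please confirm that omission is intentional, and since this is a least-privilege guide, add a sentence explaining why the wildcard entries `Microsoft.Compute/virtualMachines/*` and `Microsoft.Network/locations/*` cannot be narrowed further. Finally, the Step 2 rule that opens inbound port 80 is only justified with `For Hopsworks.ai to create the SSL certificates`; the page should state which certificate issuance mechanism needs it, that the default rule admits any source, and whether the rule has to remain in place after the cluster is up or can be removed once the certificates exist.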