ben/mcollective-actionpolicy-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support multiple callerids in policy files

Browse Source 
This patch adds support for multiple callerids in the policy files, just
as the other fields (actions, facts, classes) can. Updated poliicy files
look like this:
```
policy default deny
allow	uid=500 uid=600	*	*		*
```

This is useful because it allows bulk granting of permissions when using
mcollective::actionpolicy::rule from puppetlabs-mcollective:
```
    $admin_users = ['foo','bar']
    mcollective::actionpolicy {
        'default':
            default => 'deny';
        'nrpe':
            default => 'deny';
    }
     mcollective::actionpolicy::rule {
        'admins-allow-all':
            agent    => 'default',
            callerid => join(prefix($admin_users, 'cert='), ' ');
        'admins-allow-all-nrpe':
            agent    => 'nrpe',
            callerid => join(prefix($admin_users, 'cert='), ' ');
        'nrpe-nagios':
            agent    => 'nrpe',
            callerid => 'cert=nagios';
    }
```

This is especially helpful when there are large numbers of admin users being
managed by puppet (say ~10) since any `mcollective::actionpolicy::rule` added
for an agent prevents the default policy being used and so the admins have to
be explicitly re-added for each agent, rapidly bloating the size of the
manifest and causing massive duplication of code.

Backward compatibility change:
* Certificates with spaces in the filename (if even supported) would be
    broken by this change.

This commit also includes tests that verify both positive and negative lookups
in a policy file with multiple callerids.
This commit is contained in:
Ben Roberts
2014-11-09 13:26:20 +00:00
parent 8ea8ed0162
commit 233790ff54
3 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
spec/actionpolicy/actionpolicy_spec.rb
View File

@@ -343,6 +343,20 @@ module MCollective
end
it 'should parse example16 correctly' do
# match uid in the list
request.stubs(:caller).returns('uid=600')
actionpolicy = ActionPolicy.new(request)
actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16')).should be_true
# match uid not in the list
request.stubs(:caller).returns('uid=800')
actionpolicy = ActionPolicy.new(request)
expect{
actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16'))
}.to raise_error RPCAborted
end
end
describe '#check_policy' do

3
spec/actionpolicy/fixtures/example16 Normal file
View File

@@ -0,0 +1,3 @@
policy default deny
allow uid=500 uid=600 uid=700 * * *