Support multiple callerids in policy files
This patch adds support for multiple callerids in the policy files, just
as the other fields (actions, facts, classes) can. Updated poliicy files
look like this:
```
policy default deny
allow uid=500 uid=600 * * *
```
This is useful because it allows bulk granting of permissions when using
mcollective::actionpolicy::rule from puppetlabs-mcollective:
```
$admin_users = ['foo','bar']
mcollective::actionpolicy {
'default':
default => 'deny';
'nrpe':
default => 'deny';
}
mcollective::actionpolicy::rule {
'admins-allow-all':
agent => 'default',
callerid => join(prefix($admin_users, 'cert='), ' ');
'admins-allow-all-nrpe':
agent => 'nrpe',
callerid => join(prefix($admin_users, 'cert='), ' ');
'nrpe-nagios':
agent => 'nrpe',
callerid => 'cert=nagios';
}
```
This is especially helpful when there are large numbers of admin users being
managed by puppet (say ~10) since any `mcollective::actionpolicy::rule` added
for an agent prevents the default policy being used and so the admins have to
be explicitly re-added for each agent, rapidly bloating the size of the
manifest and causing massive duplication of code.
Backward compatibility change:
* Certificates with spaces in the filename (if even supported) would be
broken by this change.
This commit also includes tests that verify both positive and negative lookups
in a policy file with multiple callerids.
This commit is contained in:
@@ -67,7 +67,7 @@ module MCollective
|
||||
def check_policy(rpccaller, actions, facts, classes)
|
||||
# If we have a wildcard caller or the caller matches our policy line
|
||||
# then continue else skip this policy line\
|
||||
if (rpccaller != '*') && (rpccaller != @caller)
|
||||
if (rpccaller != '*') && (! rpccaller || ! rpccaller.split.include?(@caller))
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
Reference in New Issue
Block a user