2 Commits

Author SHA1 Message Date
e2e7fea992 Update documentation to reference multiple callerids
Removes comments about only a single callerid being supported and adds
explicit mention that multiple space-separated Caller IDs are permitted.
2014-11-09 13:26:40 +00:00
233790ff54 Support multiple callerids in policy files
This patch adds support for multiple callerids in the policy files, just
as the other fields (actions, facts, classes) can. Updated policy files
look like this:
```
policy default deny
allow	uid=500 uid=600	*	*		*
```

This is useful because it allows bulk granting of permissions when using
mcollective::actionpolicy::rule from puppetlabs-mcollective:
```
    $admin_users = ['foo','bar']
    mcollective::actionpolicy {
        'default':
            default => 'deny';
        'nrpe':
            default => 'deny';
    }
     mcollective::actionpolicy::rule {
        'admins-allow-all':
            agent    => 'default',
            callerid => join(prefix($admin_users, 'cert='), ' ');
        'admins-allow-all-nrpe':
            agent    => 'nrpe',
            callerid => join(prefix($admin_users, 'cert='), ' ');
        'nrpe-nagios':
            agent    => 'nrpe',
            callerid => 'cert=nagios';
    }
```

This is especially helpful when there are large numbers of admin users being
managed by puppet (say ~10) since any `mcollective::actionpolicy::rule` added
for an agent prevents the default policy being used and so the admins have to
be explicitly re-added for each agent, rapidly bloating the size of the
manifest and causing massive duplication of code.

Backward compatibility change:
* Certificates with spaces in the filename (if even supported) would be
    broken by this change.

This commit also includes tests that verify both positive and negative lookups
in a policy file with multiple callerids.
2014-11-09 13:26:20 +00:00
4 changed files with 20 additions and 3 deletions

@@ -73,7 +73,7 @@ Policy files must have the following format:
* A single `policy default deny` or `policy default allow` line is permitted; it can go anywhere in the file. This default policy will apply to any commands that don't match a specific rule. If you don't specify a default policy, the value of the `plugin.actionpolicy.allow_unconfigured` setting will be used as the default.
* Any number of _policy lines_ are permitted. These must be **tab delimited** lines with either four or five fields (the final field is optional) in the following order:
1. `allow` or `deny`
2. Caller ID --- must be either `*` (always matches) or **one** caller ID string (see below)
2. Caller ID --- must be either `*` (always matches) or a space-separated list of caller ID strings (see below)
3. Actions --- must be either `*` (always matches) or a space-separated list of actions
4. Facts --- may be either `*` (always matches), a space-separated list of `fact=value` pairs (matches if _every_ listed fact matches), or any valid [compound filter string][compound]
5. Classes --- may be completely absent (always matches), `*` (always matches), a space-separated list of class names (matches if _every_ listed class is present), or any valid [compound filter string][compound]
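
Review bot: The new wording for field 2 does not say how a list is matched, while fields 4 and 5 just below spell out that every listed item must match. A request has a single caller, so a caller ID list can only mean any-of; say so explicitly, e.g. `a space-separated list of caller ID strings (matches if the caller is any one of them)`, so readers do not carry the all-of semantics over from the facts and classes fields.
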
@@ -89,7 +89,7 @@ Policy files must have the following format:
### Caller ID
Caller ID strings are always of the form `<kind>=<value>`, but both the kind and the value of the ID will depend on your security plugin. See your security plugin's documentation or code for details.
Caller ID strings are always of the form `<kind>=<value>`, but both the kind and the value of the ID will depend on your security plugin. See your security plugin's documentation or code for details. Multiple Caller IDs separated by spaces are supported to allow grouping similar callers together.
* The recommended SSL security plugin sets caller IDs of `cert=<NAME>`, where `<NAME>` is the filename of the client's public key file (minus the `.pem` extension). So a request validated with the `puppet-admins.pem` public key file would be given a caller ID of `cert=puppet-admins`. This kind of caller ID is cryptographically authenticated.
* The PSK security plugin defaults to caller IDs of `uid=<UID>`, where `<UID>` is the local UID of the client process. [There are several other options available](https://github.com/puppetlabs/marionette-collective/blob/master/plugins/mcollective/security/psk.rb#L79), which can be configured with the `plugin.psk.callertype` setting. **None of PSK's caller IDs are authenticated,** and you should generally not be relying on authorization at all if you are using the PSK security plugin.
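
Review bot: The sentence added to the Caller ID section permits space-separated lists but does not state the constraint that follows from it: a single caller ID can no longer contain a space. The next bullet derives `cert=<NAME>` from the public key filename, so a key file with a space in its name yields an ID that cannot be written in a policy line. State that restriction here, since the commit message lists it as a backward-compatibility change but the documentation does not.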

@@ -343,6 +343,20 @@ module MCollective
end
it 'should parse example16 correctly' do
# match uid in the list
request.stubs(:caller).returns('uid=600')
actionpolicy = ActionPolicy.new(request)
actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16')).should be_true
# match uid not in the list
request.stubs(:caller).returns('uid=800')
actionpolicy = ActionPolicy.new(request)
expect{
actionpolicy.parse_policy_file(File.join(@fixtures_dir, 'example16'))
}.to raise_error RPCAborted
end
end
describe '#check_policy' do
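
Review bot: The example16 spec probes only `uid=600`, the middle entry of the three-ID fixture, and only against an `allow` line. Add assertions for the first and last entries (`uid=500`, `uid=700`), for a caller that is a prefix of a listed ID such as `uid=50` so that exact-token matching is pinned down and a later switch to substring matching would fail the suite, and for a `deny` line that carries a list. The comment `# match uid not in the list` also reads as if a match were expected; something like `# uid not in the list is rejected` fits the `raise_error RPCAborted` expectation better.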

@@ -0,0 +1,3 @@
policy default deny
allow uid=500 uid=600 uid=700 * * *

@@ -67,7 +67,7 @@ module MCollective
def check_policy(rpccaller, actions, facts, classes)
# If we have a wildcard caller or the caller matches our policy line
# then continue else skip this policy line\
if (rpccaller != '*') && (rpccaller != @caller)
if (rpccaller != '*') && (! rpccaller || ! rpccaller.split.include?(@caller))
return false
end