This patch adds support for multiple callerids in the policy files, just
as the other fields (actions, facts, classes) can. Updated policy files
look like this:
```
policy default deny
allow uid=500 uid=600 * * *
```
This is useful because it allows bulk granting of permissions when using
mcollective::actionpolicy::rule from puppetlabs-mcollective:
```
$admin_users = ['foo','bar']
mcollective::actionpolicy {
  'default':
    default => 'deny';
  'nrpe':
    default => 'deny';
}
mcollective::actionpolicy::rule {
  'admins-allow-all':
    agent    => 'default',
    callerid => join(prefix($admin_users, 'cert='), ' ');
  'admins-allow-all-nrpe':
    agent    => 'nrpe',
    callerid => join(prefix($admin_users, 'cert='), ' ');
  'nrpe-nagios':
    agent    => 'nrpe',
    callerid => 'cert=nagios';
}
```
This is especially helpful when there are large numbers of admin users being
managed by puppet (say ~10) since any `mcollective::actionpolicy::rule` added
for an agent prevents the default policy being used and so the admins have to
be explicitly re-added for each agent, rapidly bloating the size of the
manifest and causing massive duplication of code.
Backward compatibility change:
* Certificates with spaces in the filename (if even supported) would be
broken by this change.
This commit also includes tests that verify both positive and negative lookups
in a policy file with multiple callerids.
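Added example, not part of the commit or the plugin's own code: a Ruby sketch of how a space-separated callerid field can be evaluated, including the backward-compatibility case of an id that contains a space. It assumes tab-separated fields and first-match-wins ordering, ignores the facts and classes fields, and the names `parse_policy`, `authorize` and `SAMPLE_POLICY` are hypothetical.

```ruby
# Added sketch, not the plugin's code. Assumptions: fields are TAB-separated,
# the callerid and action fields hold space-separated values, '*' matches
# anything, and the facts/classes fields are ignored here.
Rule = Struct.new(:verdict, :callerids, :actions)

def parse_policy(text)
  default = :deny # fail closed if the file names no default
  rules = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.start_with?('#')
    if (m = line.match(/\Apolicy\s+default\s+(allow|deny)\s*\z/))
      default = m[1].to_sym
      next
    end
    verdict, callers, actions, _facts, _classes = line.split("\t")
    next unless %w[allow deny].include?(verdict) && callers && actions
    # Splitting on spaces is what permits several callerids per rule.
    rules << Rule.new(verdict.to_sym, callers.split(' '), actions.split(' '))
  end
  [default, rules]
end

def field_matches?(values, wanted)
  values.include?('*') || values.include?(wanted)
end

# First matching rule decides; otherwise the file's default policy applies.
def authorize(policy_text, callerid, action)
  default, rules = parse_policy(policy_text)
  hit = rules.find do |r|
    field_matches?(r.callerids, callerid) && field_matches?(r.actions, action)
  end
  hit ? hit.verdict : default
end

# Constructed sample policy; the last rule uses an id containing a space.
SAMPLE_POLICY = <<~POLICY
  policy default deny
  allow\tuid=500 uid=600\t*\t*\t*
  allow\tcert=ops team\tstatus\t*\t*
POLICY
```

In this sketch the id `cert=ops team` no longer matches its own rule, and the fragments `cert=ops` and `team` are each treated as a separate callerid, so existing policy files are worth auditing for spaces in callerid values before upgrading.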