choria-plugins / action-policy
Authorization Plugin for the Choria Orchestrator
Home Page: https://choria.io
License: Apache License 2.0
The action-policy plugin sets up various configuration settings in the MCollective server, one of them being allow_unconfigured, which defaults to 1 (enabled).
When this setting is enabled, actions on agents which do not have a corresponding policy file are accepted unconditionally.
However, the Choria documentation practically says the opposite:
This only affects agents without a policy file, and most (probably all) agents available ship with some policy. This problem was discovered while writing a site-specific custom agent, and failing to provide such a policy file.
Currently, the action policy framework only supports two kinds of caller ids: match anything (*) and exact matches (e.g. choria=rip.mcollective).
This is described in the Policy File Format section of action-policy, which states:
Caller ID --- must be either * (always matches) or a space-separated list of caller ID strings (see below)
It would be very useful to be able to define more fine-grained wild cards to make it easier to define policies - for example glob or regex matches.
For example, when using the choria AAA service, users must be defined in the AAA service and given explicit access to resources using action policy, which adds overhead and makes the solution more fragile.
If action policy could match on caller id patterns, then usernames could be made to follow a pattern (say username.aaasvc) and the policies could match on the .aaasvc suffix, which would eliminate the need to update policies as users are added / removed from AAA.
Note that both of the changes below are potentially breaking as far as I understand: they both entail interpreting caller ids that previously would have simply been string compared as something else.
In the interest of making a minimal change, the matching logic could be changed to allow for glob patterns using File.fnmatch (ruby docs).
A policy might thus look like this (using | instead of tabs for illustration only, tabs are hard to type ...):
policy default deny
allow | choria=ginkgo.mcollective| * | * | *
allow | up=puppetadmin.aaasvc | * | * | *
allow | *.admin.aaasvc | status enable disable | * | *
allow | *.staging.aaasvc *.dev.aaasvc | status | * | *
which would:
- allow ginkgo.mcollective and up=puppetadmin.aaasvc all actions with any class & fact,
- allow any .admin.aaasvc caller id the status, enable & disable actions,
- allow any .staging.aaasvc or .dev.aaasvc caller id the status action only.
Using a regular expression match would make the wildcarding even more flexible at the cost of making the syntax a bit more complex.
Perhaps something like this:
policy default deny
allow | choria=ginkgo.mcollective| * | * | *
allow | up=puppetadmin.aaasvc | * | * | *
allow | /admin\.aaasvc$/ | status enable disable | * | *
allow | /staging\.aaasvc$/ /dev\.aaasvc$/ | status | * | *
which would have the same meaning as above.
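To make the two proposals concrete, here is an added Ruby example (it is not code from the action-policy plugin, and it is not part of either issue) that evaluates a policy in the format shown above with the proposed caller id matching: * matches any caller, a pattern written as /.../ is treated as a regular expression, a pattern containing glob metacharacters is matched with File.fnmatch, and anything else is compared exactly, which is the current behaviour. It also models the allow_unconfigured setting from the first issue, so the effect of leaving it at its default can be seen next to a default-deny policy. The field separator (tabs or | for readability), the top-down first-match rule order, and the class/fact semantics are assumptions made for this example, not guaranteed to be the plugin's.

```ruby
# Added example (not code from the action-policy plugin): a small policy
# evaluator that implements the caller id matching proposed above and the
# allow_unconfigured behaviour from the first issue.
# Assumptions (mine, not the plugin's): fields are separated by tabs or by "|",
# rules are evaluated top-down and the first matching rule wins, "/.../" is a
# regular expression, and a caller pattern containing glob metacharacters is
# matched with File.fnmatch; any other caller pattern is compared exactly.

Rule   = Struct.new(:effect, :callers, :actions, :classes, :facts)
Policy = Struct.new(:default, :rules)

# Parse policy text into a Policy; "policy default allow|deny" sets the fallback.
def parse_policy(text)
  policy = Policy.new(:deny, [])
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\Apolicy default (allow|deny)\z/))
      policy.default = m[1].to_sym
      next
    end
    fields = line.split(/\t+|\s*\|\s*/).map(&:strip)
    raise ArgumentError, "malformed rule: #{line}" unless fields.size == 5
    effect, callers, actions, classes, facts = fields
    unless %w[allow deny].include?(effect)
      raise ArgumentError, "unknown effect #{effect.inspect} in: #{line}"
    end
    policy.rules << Rule.new(effect.to_sym, callers.split, actions.split,
                             classes.split, facts.split)
  end
  policy
end

GLOB_CHARS = /[*?\[]/

# "*" matches any caller, "/re/" is a regex, glob metacharacters use
# File.fnmatch, everything else must match exactly (the current behaviour).
def caller_matches?(pattern, caller_id)
  return true if pattern == "*"
  if pattern.length > 2 && pattern.start_with?("/") && pattern.end_with?("/")
    return Regexp.new(pattern[1..-2]).match?(caller_id)
  end
  return File.fnmatch(pattern, caller_id) if pattern.match?(GLOB_CHARS)
  pattern == caller_id
end

def action_matches?(patterns, action)
  patterns.include?("*") || patterns.include?(action)
end

# Every listed class must be present on the node ("*" means no requirement).
def classes_match?(required, node_classes)
  required == ["*"] || required.all? { |c| node_classes.include?(c) }
end

# Every "name=value" fact must match the node's facts ("*" means no requirement).
def facts_match?(required, node_facts)
  return true if required == ["*"]
  required.all? do |kv|
    name, value = kv.split("=", 2)
    node_facts[name].to_s == value.to_s
  end
end

def policy_allows?(policy, caller_id, action, node_classes: [], node_facts: {})
  policy.rules.each do |rule|
    next unless rule.callers.any? { |p| caller_matches?(p, caller_id) }
    next unless action_matches?(rule.actions, action)
    next unless classes_match?(rule.classes, node_classes)
    next unless facts_match?(rule.facts, node_facts)
    return rule.effect == :allow
  end
  policy.default == :allow
end

# allow_unconfigured as described in the first issue: an agent with no policy
# file is allowed unconditionally when the setting is enabled (its default),
# and denied when it is disabled.
def authorized?(policies_by_agent, agent, caller_id, action,
                allow_unconfigured: true, node_classes: [], node_facts: {})
  policy = policies_by_agent[agent]
  return allow_unconfigured if policy.nil?
  policy_allows?(policy, caller_id, action,
                 node_classes: node_classes, node_facts: node_facts)
end

# Constructed sample: the glob and regex forms from the proposal, in one policy.
SAMPLE_POLICY = parse_policy(<<~'POLICY')
  policy default deny
  allow | choria=ginkgo.mcollective | * | * | *
  allow | up=puppetadmin.aaasvc | * | * | *
  allow | *.admin.aaasvc | status enable disable | * | *
  allow | /staging\.aaasvc$/ /dev\.aaasvc$/ | status | * | *
POLICY

if __FILE__ == $PROGRAM_NAME
  [["choria=ginkgo.mcollective", "restart"], ["up=bob.admin.aaasvc", "enable"],
   ["up=bob.admin.aaasvc", "restart"], ["up=eve.dev.aaasvc", "status"]].each do |c, a|
    puts "#{c} #{a}: #{policy_allows?(SAMPLE_POLICY, c, a) ? 'allow' : 'deny'}"
  end
end
```

Two points worth noticing when running it: a glob such as *.admin.aaasvc matches the whole caller id including the scheme prefix (up=bob.admin.aaasvc), so the pattern alone decides which identities are covered, and a caller like up=mallory.aaasvc.evil is denied by every rule because the regex forms are anchored with $. The authorized? helper shows the first issue directly: with no policy for an agent and allow_unconfigured left at its default, any caller gets any action, while allow_unconfigured: false falls back to deny.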