
action-policy's People

Contributors

binford2k, melissa, mikaelsmith, nfagerlund, nicklewis, optiz0r, ploubser, richardc, ripienaar, smortex, traylenator

Forkers

smortex

action-policy's Issues

'allow_unconfigured' defaults to 1

The action-policy plugin sets up various configuration settings in the MCollective server, one of them being allow_unconfigured, which defaults to 1 (enabled).

When this setting is enabled, actions on agents which do not have a corresponding policy file are accepted unconditionally.

However, the Choria documentation practically says the opposite:

Choria sets up the popular Action Policy based authorization and does so in a default deny mode which means by default, no-one can make any requests

This only affects agents without a policy file, and most (probably all) agents available ship with some policy. This problem was discovered while writing a site-specific custom agent, and failing to provide such a policy file.

Auth policy should support regex/glob for caller ids

Summary

Currently, the action policy framework only supports two kinds of caller ids: match anything (*) and exact matches (e.g. choria=rip.mcollective).

This is described in the Policy File Format section of action-policy which states:

Caller ID --- must be either * (always matches) or a space-separated list of caller ID strings (see below)

It would be very useful to be able to define more fine-grained wild cards to make it easier to define policies - for example glob or regex matches.

Reasoning

For example, when using the choria AAA service, users must be defined in the AAA service and given explicit access to resources using action policy, which adds overhead and makes the solution more fragile.
If action policy could match on caller id patterns, then usernames could be made to follow a pattern (say username.aaasvc) and the policies could match on the .aaasvc suffix, which would eliminate the need to update policies as users are added / removed from AAA.

Proposal

Note that both of the changes below are potentially breaking as far as I understand: they both entail interpreting caller ids that previously would have simply been string compared as something else.

Minimal option

In the interest of making a minimal change, the matching logic could be changed to allow for glob patterns using File.fnmatch (ruby docs).

A policy might thus look like this (using | instead of tabs for illustration only, tabs are hard to type ...):

policy default deny
allow | choria=ginkgo.mcollective| * | * | *
allow | up=puppetadmin.aaasvc | * | * | *
allow | *.admin.aaasvc | status enable disable | * | *
allow | *.staging.aaasvc *.dev.aaasvc | status | * | *

which would:

  • allow ginkgo.mcollective and up=puppetadmin.aaasvc all actions with any class & fact,
  • allow any .admin.aaasvc caller id the status, enable & disable actions
  • allow any .staging.aaasvc or .dev.aaasvc caller id the status action only

More fully featured

Using a regular expression match would make the wildcarding even more flexible at the cost of making the syntax a bit more complex.

Perhaps something like this:

policy default deny
allow | choria=ginkgo.mcollective| * | * | *
allow | up=puppetadmin.aaasvc | * | * | *
allow | /admin\.aaasvc$/ | status enable disable | * | *
allow | /staging\.aaasvc$/ /dev\.aaasvc$/ | status | * | *

which would have the same meaning as above.
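To make the two proposals concrete, here is an added Ruby sketch of how a policy evaluator could match caller ids under both the glob (File.fnmatch) and the regex (/.../) options, with default deny applied when no rule matches. This is illustration written for this page, not code from the action-policy plugin; the `|` field separator, the `Rule` struct and the function names are assumptions, and class/fact columns are accepted as `*` only.

```ruby
# Added illustration, not action-policy's own code. Fields are "|"-separated
# purely for readability, as in the issue text; the real plugin uses tabs.
Rule = Struct.new(:effect, :callers, :actions)

# Match one caller id pattern against a caller id:
#   "*"           matches anything
#   "/.../"       is treated as a Ruby regular expression (fully featured option);
#                 an unanchored regex widens the match, so anchor it as the issue does
#   anything else is a glob matched with File.fnmatch (minimal option); a pattern
#                 without glob metacharacters degrades to an exact string compare
def caller_matches?(pattern, caller_id)
  return true if pattern == "*"
  if pattern.length > 1 && pattern.start_with?("/") && pattern.end_with?("/")
    return Regexp.new(pattern[1..-2]).match?(caller_id)
  end
  File.fnmatch(pattern, caller_id)
end

# Parse "policy default allow|deny" plus "allow|deny | callers | actions | classes | facts"
def parse_policy(text)
  default = :deny # assume deny unless the policy says otherwise
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\Apolicy default (allow|deny)\z/))
      default = m[1].to_sym
      next
    end
    effect, callers, actions, _classes, _facts = line.split("|").map(&:strip)
    rules << Rule.new(effect.to_sym, callers.split, actions.split)
  end
  [default, rules]
end

# First rule whose caller and action columns match decides; otherwise the default.
def authorized?(policy_text, caller_id, action)
  default, rules = parse_policy(policy_text)
  rules.each do |rule|
    next unless rule.callers.any? { |p| caller_matches?(p, caller_id) }
    next unless rule.actions == ["*"] || rule.actions.include?(action)
    return rule.effect == :allow
  end
  default == :allow
end

# Constructed sample policy, copied from the issue's "minimal option" example.
SAMPLE_POLICY = <<~POLICY
  policy default deny
  allow | choria=ginkgo.mcollective | * | * | *
  allow | up=puppetadmin.aaasvc | * | * | *
  allow | *.admin.aaasvc | status enable disable | * | *
  allow | *.staging.aaasvc *.dev.aaasvc | status | * | *
POLICY
```

Running `authorized?(SAMPLE_POLICY, "bob.admin.aaasvc", "enable")` returns true while the same caller asking for `restart` falls through to the default deny.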
