knife-acl 0.0.12 → 1.0.0.beta.1
- checksums.yaml +7 -0
- data/README.md +318 -115
- data/lib/chef/knife/acl_add.rb +16 -27
- data/lib/chef/knife/acl_base.rb +104 -21
- data/lib/chef/knife/acl_bulk_add.rb +73 -0
- data/lib/chef/knife/acl_bulk_remove.rb +78 -0
- data/lib/chef/knife/acl_remove.rb +22 -28
- data/lib/chef/knife/acl_show.rb +1 -1
- data/lib/chef/knife/group_add.rb +51 -0
- data/lib/chef/knife/group_create.rb +14 -9
- data/lib/chef/knife/group_destroy.rb +17 -7
- data/lib/chef/knife/group_list.rb +8 -10
- data/lib/chef/knife/group_remove.rb +51 -0
- data/lib/chef/knife/group_show.rb +13 -25
- data/lib/chef/knife/user_list.rb +3 -3
- data/lib/knife-acl/version.rb +1 -1
- metadata +17 -17
- data/lib/chef/knife/actor_map.rb +0 -57
- data/lib/chef/knife/group_add_actor.rb +0 -89
- data/lib/chef/knife/group_remove_actor.rb +0 -86
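--- a/data/lib/chef/knife/acl_base.rb
+++ b/data/lib/chef/knife/acl_base.rb
@@ -1,6 +1,7 @@
 #
 # Author:: Steven Danna (steve@opscode.com)
-#
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,8 +21,8 @@ module OpscodeAcl
 module AclBase
 
 PERM_TYPES = %w(create read update delete grant)
-
-OBJECT_TYPES = %w(clients
+MEMBER_TYPES = %w(client group user)
+OBJECT_TYPES = %w(clients containers cookbooks data environments groups nodes roles)
 OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/
 
 def validate_object_type!(type)
@@ -38,35 +39,41 @@ module OpscodeAcl
 end
 end
 
-def
-if !
-ui.fatal "Unknown
+def validate_member_type!(type)
+if ! MEMBER_TYPES.include?(type)
+ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(', ')}"
 exit 1
 end
 end
 
-def
-# Same rules apply to
+def validate_member_name!(name)
+# Same rules apply to objects and members
 validate_object_name!(name)
 end
 
-def validate_perm_type!(
-
-
-
+def validate_perm_type!(perms)
+perms.split(',').each do |perm|
+if ! PERM_TYPES.include?(perm)
+ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(',')}"
+exit 1
+end
 end
+end
 
+def validate_member_exists!(member_type, member_name)
+begin
+true if rest.get_rest("#{member_type}s/#{member_name}")
+rescue NameError
+# ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
+true
+rescue
+ui.fatal "#{member_type} '#{member_name}' does not exist"
+exit 1
+end
 end
 
-def
-
-# This assumes including class has the necessary accessors
-# We the validation to ensure we can give the user more helpful error messages.
-validate_perm_type!(perm)
-validate_actor_type!(actor_type)
-validate_actor_name!(actor_name)
-validate_object_name!(object_name)
-validate_object_type!(object_type)
+def is_usag?(gname)
+gname.length == 32 && gname =~ /^[0-9a-f]+$/
 end
 
 def get_acl(object_type, object_name)
@@ -77,9 +84,85 @@ module OpscodeAcl
 get_acl(object_type, object_name)[perm]
 end
 
+def add_to_acl!(member_type, member_name, object_type, object_name, perms)
+acl = get_acl(object_type, object_name)
+perms.split(',').each do |perm|
+ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
+ace = acl[perm]
+
+case member_type
+when "client", "user"
+next if ace['actors'].include?(member_name)
+ace['actors'] << member_name
+when "group"
+next if ace['groups'].include?(member_name)
+ace['groups'] << member_name
+end
+
+update_ace!(object_type, object_name, perm, ace)
+end
+end
+
+def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
+acl = get_acl(object_type, object_name)
+perms.split(',').each do |perm|
+ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
+ace = acl[perm]
+
+case member_type
+when "client", "user"
+next unless ace['actors'].include?(member_name)
+ace['actors'].delete(member_name)
+when "group"
+next unless ace['groups'].include?(member_name)
+ace['groups'].delete(member_name)
+end
+
+update_ace!(object_type, object_name, perm, ace)
+end
+end
+
 def update_ace!(object_type, object_name, ace_type, ace)
 rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace)
 end
 
+def add_to_group!(member_type, member_name, group_name)
+validate_member_exists!(member_type, member_name)
+existing_group = rest.get_rest("groups/#{group_name}")
+ui.msg "Adding '#{member_name}' to '#{group_name}' group"
+if !existing_group["#{member_type}s"].include?(member_name)
+existing_group["#{member_type}s"] << member_name
+new_group = {
+"groupname" => existing_group["groupname"],
+"orgname" => existing_group["orgname"],
+"actors" => {
+"users" => existing_group["users"],
+"clients" => existing_group["clients"],
+"groups" => existing_group["groups"]
+}
+}
+rest.put_rest("groups/#{group_name}", new_group)
+end
+end
+
+def remove_from_group!(member_type, member_name, group_name)
+validate_member_exists!(member_type, member_name)
+existing_group = rest.get_rest("groups/#{group_name}")
+ui.msg "Removing '#{member_name}' from '#{group_name}' group"
+if existing_group["#{member_type}s"].include?(member_name)
+existing_group["#{member_type}s"].delete(member_name)
+new_group = {
+"groupname" => existing_group["groupname"],
+"orgname" => existing_group["orgname"],
+"actors" => {
+"users" => existing_group["users"],
+"clients" => existing_group["clients"],
+"groups" => existing_group["groups"]
+}
+}
+rest.put_rest("groups/#{group_name}", new_group)
+end
+end
+
 end
 end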
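Review bot: `validate_member_exists!` in the third hunk reports every failure as non-existence: the bare `rescue` catches any StandardError, so an expired key, a 403 or a connection error all print `does not exist`, while the `rescue NameError` branch returns true without the lookup having succeeded, so a mistyped client name is accepted and then written into a group or ACE by `add_to_group!`/`add_to_acl!`. I would rescue the HTTP exception the REST client raises and treat only a 404 as absence, re-raising everything else, and fix the `Chef::ApiClient` NameError by requiring `chef/api_client` in `deps` instead of swallowing it (the exact exception class depends on the Chef version this gem targets — verify). Separately, `validate_member_name!` delegates to `OBJECT_NAME_SPEC`, which is anchored with `^`/`$`; in Ruby those match at line boundaries, so a name containing a newline passes and is interpolated into the request path by `rest.get_rest("#{member_type}s/#{member_name}")` — `OBJECT_NAME_SPEC = /\A[\-[:alnum:]_\.]+\z/` closes that. The enclosing `AclBase` module begins and ends outside this hunk.
```ruby
def validate_member_exists!(member_type, member_name)
  rest.get_rest("#{member_type}s/#{member_name}")
  true
rescue Net::HTTPServerException => e
  # Only a 404 proves absence; auth failures and server errors must surface as-is.
  raise unless e.response.code == "404"
  ui.fatal "#{member_type} '#{member_name}' does not exist"
  exit 1
end
```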
@@ -0,0 +1,73 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Jeremiah Snapp (jeremiah@chef.io)
|
3
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
module OpscodeAcl
|
20
|
+
class AclBulkAdd < Chef::Knife
|
21
|
+
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
|
+
banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
|
23
|
+
|
24
|
+
deps do
|
25
|
+
include OpscodeAcl::AclBase
|
26
|
+
end
|
27
|
+
|
28
|
+
def run
|
29
|
+
member_type, member_name, object_type, regex, perms = name_args
|
30
|
+
object_name_matcher = /#{regex}/
|
31
|
+
|
32
|
+
if name_args.length != 5
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify the member type [group], member name, object type, object name REGEX and perms"
|
35
|
+
exit 1
|
36
|
+
end
|
37
|
+
|
38
|
+
unless member_type == 'group'
|
39
|
+
ui.fatal "ERROR: To enforce best practice, knife-acl can only add a group to an ACL."
|
40
|
+
ui.fatal " See the knife-acl README for more information."
|
41
|
+
exit 1
|
42
|
+
end
|
43
|
+
validate_perm_type!(perms)
|
44
|
+
validate_member_name!(member_name)
|
45
|
+
validate_object_type!(object_type)
|
46
|
+
validate_member_exists!(member_type, member_name)
|
47
|
+
|
48
|
+
if %w(containers groups).include?(object_type)
|
49
|
+
ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
|
50
|
+
exit 1
|
51
|
+
end
|
52
|
+
|
53
|
+
objects_to_modify = []
|
54
|
+
all_objects = rest.get_rest(object_type)
|
55
|
+
objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher }
|
56
|
+
|
57
|
+
if objects_to_modify.empty?
|
58
|
+
ui.info "No #{object_type} match the expression /#{regex}/"
|
59
|
+
exit 0
|
60
|
+
end
|
61
|
+
|
62
|
+
ui.msg("The ACL of the following #{object_type} will be modified:")
|
63
|
+
ui.msg("")
|
64
|
+
ui.msg(ui.list(objects_to_modify.sort, :columns_down))
|
65
|
+
ui.msg("")
|
66
|
+
ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")
|
67
|
+
|
68
|
+
objects_to_modify.each do |object_name|
|
69
|
+
add_to_acl!(member_type, member_name, object_type, object_name, perms)
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
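Review bot: `object_name_matcher = /#{regex}/` is compiled from the user's argument before the argument-count check and without a rescue, so a malformed pattern raises `RegexpError` with a backtrace instead of the usage message; and because the match is unanchored, a `REGEX` of `web` also selects `dev-webproxy` and every other name containing it, which for a bulk `grant` is the wrong direction to err. Move the compile after the count check, wrap it in `rescue RegexpError`, and say in the banner or README that the expression matches anywhere in the name (or anchor it yourself). The confirmation list is the only thing that catches an over-broad match, and I believe `ui.confirm` is skipped when `--yes` is passed.
```ruby
# … unchanged: name_args destructuring and usage check …
begin
  object_name_matcher = Regexp.new(regex)
rescue RegexpError => e
  ui.fatal "Invalid object name REGEX '#{regex}': #{e.message}"
  exit 1
end
```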
@@ -0,0 +1,78 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Jeremiah Snapp (jeremiah@chef.io)
|
3
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
module OpscodeAcl
|
20
|
+
class AclBulkRemove < Chef::Knife
|
21
|
+
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
|
+
banner "knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
|
23
|
+
|
24
|
+
deps do
|
25
|
+
include OpscodeAcl::AclBase
|
26
|
+
end
|
27
|
+
|
28
|
+
def run
|
29
|
+
member_type, member_name, object_type, regex, perms = name_args
|
30
|
+
object_name_matcher = /#{regex}/
|
31
|
+
|
32
|
+
if name_args.length != 5
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify the member type [client|group|user], member name, object type, object name REGEX and perms"
|
35
|
+
exit 1
|
36
|
+
end
|
37
|
+
|
38
|
+
if member_name == 'pivotal' && %w(client user).include?(member_type)
|
39
|
+
ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
|
40
|
+
exit 1
|
41
|
+
end
|
42
|
+
if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
|
43
|
+
ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
|
44
|
+
ui.fatal " Removal could prevent future attempts to modify permissions."
|
45
|
+
exit 1
|
46
|
+
end
|
47
|
+
validate_perm_type!(perms)
|
48
|
+
validate_member_type!(member_type)
|
49
|
+
validate_member_name!(member_name)
|
50
|
+
validate_object_type!(object_type)
|
51
|
+
validate_member_exists!(member_type, member_name)
|
52
|
+
|
53
|
+
if %w(containers groups).include?(object_type)
|
54
|
+
ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
|
55
|
+
exit 1
|
56
|
+
end
|
57
|
+
|
58
|
+
objects_to_modify = []
|
59
|
+
all_objects = rest.get_rest(object_type)
|
60
|
+
objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher }
|
61
|
+
|
62
|
+
if objects_to_modify.empty?
|
63
|
+
ui.info "No #{object_type} match the expression /#{regex}/"
|
64
|
+
exit 0
|
65
|
+
end
|
66
|
+
|
67
|
+
ui.msg("The ACL of the following #{object_type} will be modified:")
|
68
|
+
ui.msg("")
|
69
|
+
ui.msg(ui.list(objects_to_modify.sort, :columns_down))
|
70
|
+
ui.msg("")
|
71
|
+
ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")
|
72
|
+
|
73
|
+
objects_to_modify.each do |object_name|
|
74
|
+
remove_from_acl!(member_type, member_name, object_type, object_name, perms)
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
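Review bot: `validate_member_exists!(member_type, member_name)` at line 51 runs before the removal, so a client or user that has already been deleted can no longer be stripped from the ACEs it is still listed in — exactly the cleanup a bulk remove is most useful for. If the server leaves such dangling actor names in place (I can't confirm that from here), the remove path should skip the existence check or downgrade it to `ui.warn`; `remove_from_acl!` only needs the name. The same compile-before-usage-check and unanchored-match concerns as in `acl bulk add` apply to `/#{regex}/` here.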
@@ -1,6 +1,7 @@
|
|
1
1
|
#
|
2
2
|
# Author:: Steven Danna (steve@opscode.com)
|
3
|
-
#
|
3
|
+
# Author:: Jeremiah Snapp (jeremiah@chef.io)
|
4
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
4
5
|
# License:: Apache License, Version 2.0
|
5
6
|
#
|
6
7
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
@@ -19,45 +20,38 @@
|
|
19
20
|
module OpscodeAcl
|
20
21
|
class AclRemove < Chef::Knife
|
21
22
|
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
|
-
banner "knife acl remove OBJECT_TYPE OBJECT_NAME
|
23
|
-
|
24
|
-
attr_reader :object_type, :object_name, :perm, :actor_type, :actor_name
|
23
|
+
banner "knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"
|
25
24
|
|
26
25
|
deps do
|
27
26
|
include OpscodeAcl::AclBase
|
28
27
|
end
|
29
28
|
|
30
29
|
def run
|
31
|
-
|
30
|
+
member_type, member_name, object_type, object_name, perms = name_args
|
32
31
|
|
33
|
-
if name_args.length
|
32
|
+
if name_args.length != 5
|
34
33
|
show_usage
|
35
|
-
ui.fatal "You must specify the
|
34
|
+
ui.fatal "You must specify the member type [client|group|user], member name, object type, object name and perms"
|
36
35
|
exit 1
|
37
36
|
end
|
38
37
|
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
case actor_type
|
43
|
-
when "client"
|
44
|
-
remove_actor_from_ace!(actor_name, ace)
|
45
|
-
when "group"
|
46
|
-
remove_group_from_ace!(actor_name, ace)
|
47
|
-
when "users"
|
48
|
-
# Not Implemented yet, we shouldn't get here.
|
38
|
+
if member_name == 'pivotal' && %w(client user).include?(member_type)
|
39
|
+
ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
|
40
|
+
exit 1
|
49
41
|
end
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
42
|
+
if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
|
43
|
+
ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
|
44
|
+
ui.fatal " Removal could prevent future attempts to modify permissions."
|
45
|
+
exit 1
|
46
|
+
end
|
47
|
+
validate_perm_type!(perms)
|
48
|
+
validate_member_type!(member_type)
|
49
|
+
validate_member_name!(member_name)
|
50
|
+
validate_object_name!(object_name)
|
51
|
+
validate_object_type!(object_type)
|
52
|
+
validate_member_exists!(member_type, member_name)
|
53
|
+
|
54
|
+
remove_from_acl!(member_type, member_name, object_type, object_name, perms)
|
60
55
|
end
|
61
|
-
|
62
56
|
end
|
63
57
|
end
|
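Review bot: the 'pivotal' and 'admins'/'grant' guards at lines 38–46 are copied verbatim from `acl bulk remove`; two copies of a safety rule drift, and any rule added later has to be remembered in both places. Extract them into `AclBase` as `validate_removal_allowed!(member_type, member_name, perms)` and call it from both commands ahead of `validate_perm_type!`, so the protective logic has one owner. A one-line comment above the guard explaining why `grant` in particular is protected would also help the next maintainer.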
data/lib/chef/knife/group_add.rb
CHANGED
@@ -0,0 +1,51 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Seth Falcon (<seth@chef.io>)
|
3
|
+
# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
|
4
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
5
|
+
# License:: Apache License, Version 2.0
|
6
|
+
#
|
7
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
8
|
+
# you may not use this file except in compliance with the License.
|
9
|
+
# You may obtain a copy of the License at
|
10
|
+
#
|
11
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
12
|
+
#
|
13
|
+
# Unless required by applicable law or agreed to in writing, software
|
14
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
15
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
16
|
+
# See the License for the specific language governing permissions and
|
17
|
+
# limitations under the License.
|
18
|
+
#
|
19
|
+
|
20
|
+
module OpscodeAcl
|
21
|
+
class GroupAdd < Chef::Knife
|
22
|
+
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
23
|
+
banner "knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME"
|
24
|
+
|
25
|
+
deps do
|
26
|
+
include OpscodeAcl::AclBase
|
27
|
+
end
|
28
|
+
|
29
|
+
def run
|
30
|
+
member_type, member_name, group_name = name_args
|
31
|
+
|
32
|
+
if name_args.length != 3
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify member type [client|group|user], member name and group name"
|
35
|
+
exit 1
|
36
|
+
end
|
37
|
+
|
38
|
+
validate_member_name!(group_name)
|
39
|
+
validate_member_type!(member_type)
|
40
|
+
validate_member_name!(member_name)
|
41
|
+
|
42
|
+
if group_name.downcase == "users"
|
43
|
+
ui.fatal "knife-acl can not manage members of the Users group"
|
44
|
+
ui.fatal "please read knife-acl's README.md for more information"
|
45
|
+
exit 1
|
46
|
+
end
|
47
|
+
|
48
|
+
add_to_group!(member_type, member_name, group_name)
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
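Review bot: nothing stops `knife group add group X X` from adding a group to itself; `add_to_group!` just appends the name and PUTs the group back, and whether the server rejects self-membership or nested cycles I can't tell from here. A local guard `if member_type == 'group' && member_name == group_name` with `ui.fatal "a group cannot be a member of itself"` and `exit 1` is cheap. The README should also state that `validate_member_name!(group_name)` is only a character-set check — the group's existence is discovered late, via the exception from `rest.get_rest("groups/#{group_name}")`.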
@@ -1,6 +1,7 @@
|
|
1
1
|
#
|
2
2
|
# Author:: Seth Falcon (<seth@opscode.com>)
|
3
|
-
#
|
3
|
+
# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
|
4
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
4
5
|
# License:: Apache License, Version 2.0
|
5
6
|
#
|
6
7
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
@@ -19,21 +20,25 @@
|
|
19
20
|
module OpscodeAcl
|
20
21
|
class GroupCreate < Chef::Knife
|
21
22
|
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
|
-
banner "knife group create
|
23
|
-
|
23
|
+
banner "knife group create GROUP_NAME"
|
24
|
+
|
24
25
|
deps do
|
25
|
-
|
26
|
+
include OpscodeAcl::AclBase
|
26
27
|
end
|
27
28
|
|
28
29
|
def run
|
29
30
|
group_name = name_args[0]
|
30
|
-
|
31
|
-
|
31
|
+
|
32
|
+
if name_args.length != 1
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify group name"
|
32
35
|
exit 1
|
33
36
|
end
|
34
|
-
|
35
|
-
|
37
|
+
|
38
|
+
validate_member_name!(group_name)
|
39
|
+
|
40
|
+
ui.msg "Creating '#{group_name}' group"
|
41
|
+
rest.post_rest("groups", {:groupname => group_name})
|
36
42
|
end
|
37
43
|
end
|
38
44
|
end
|
39
|
-
|
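Review bot: `validate_member_name!(group_name)` accepts a 32-character lowercase hex string, which `is_usag?` (moved into `AclBase` in this release) treats as a user-specific access group and `knife group list` hides; a group created with such a name would carry permissions while being invisible to this tool's own listing. Add `if is_usag?(group_name)` → `ui.fatal "'#{group_name}' looks like a user-specific access group name; choose another"` + `exit 1` before the POST. The POST has no duplicate check; whether the server answers 409 for an existing group I can't confirm here, so that exception would surface raw.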
@@ -1,6 +1,7 @@
|
|
1
1
|
#
|
2
2
|
# Author:: Christopher Maier (<cm@opscode.com>)
|
3
|
-
#
|
3
|
+
# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
|
4
|
+
# Copyright:: Copyright 2015 Opscode, Inc.
|
4
5
|
# License:: Apache License, Version 2.0
|
5
6
|
#
|
6
7
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
@@ -19,20 +20,29 @@
|
|
19
20
|
module OpscodeAcl
|
20
21
|
class GroupDestroy < Chef::Knife
|
21
22
|
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
|
-
banner "knife group destroy
|
23
|
+
banner "knife group destroy GROUP_NAME"
|
23
24
|
|
24
25
|
deps do
|
25
|
-
|
26
|
+
include OpscodeAcl::AclBase
|
26
27
|
end
|
27
28
|
|
28
29
|
def run
|
29
30
|
group_name = name_args[0]
|
30
|
-
|
31
|
-
|
31
|
+
|
32
|
+
if name_args.length != 1
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify group name"
|
35
|
+
exit 1
|
36
|
+
end
|
37
|
+
|
38
|
+
validate_member_name!(group_name)
|
39
|
+
|
40
|
+
if %w(admins billing-admins clients users).include?(group_name.downcase)
|
41
|
+
ui.fatal "the '#{group_name}' group is a special group that should not be destroyed"
|
32
42
|
exit 1
|
33
43
|
end
|
34
|
-
|
35
|
-
|
44
|
+
ui.msg "Destroying '#{group_name}' group"
|
45
|
+
rest.delete_rest("groups/#{group_name}")
|
36
46
|
end
|
37
47
|
end
|
38
48
|
end
|
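Review bot: destroy deletes the group with no confirmation, whereas the bulk ACL commands in this same release prompt with `ui.confirm`; removing a group silently drops it from every ACE that references it, which is an irreversible permission change. Add `ui.confirm("Do you really want to destroy the '#{group_name}' group")` before `rest.delete_rest("groups/#{group_name}")`. A short comment on the special-group list saying why those four are protected would help too.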
@@ -1,6 +1,7 @@
|
|
1
1
|
#
|
2
2
|
# Author:: Seth Falcon (<seth@opscode.com>)
|
3
|
-
#
|
3
|
+
# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
|
4
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
4
5
|
# License:: Apache License, Version 2.0
|
5
6
|
#
|
6
7
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
@@ -20,21 +21,18 @@ module OpscodeAcl
|
|
20
21
|
class GroupList < Chef::Knife
|
21
22
|
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
22
23
|
banner "knife group list"
|
23
|
-
|
24
|
+
|
25
|
+
deps do
|
26
|
+
include OpscodeAcl::AclBase
|
27
|
+
end
|
28
|
+
|
24
29
|
def run
|
25
|
-
|
26
|
-
groups = chef_rest.get_rest("groups").keys.sort
|
27
|
-
|
30
|
+
groups = rest.get_rest("groups").keys.sort
|
28
31
|
ui.output(remove_usags(groups))
|
29
32
|
end
|
30
33
|
|
31
34
|
def remove_usags(groups)
|
32
35
|
groups.select { |gname| !is_usag?(gname) }
|
33
36
|
end
|
34
|
-
|
35
|
-
def is_usag?(gname)
|
36
|
-
gname.length == 32 && gname =~ /^[0-9a-f]+$/
|
37
|
-
end
|
38
37
|
end
|
39
38
|
end
|
40
|
-
|
@@ -0,0 +1,51 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Seth Falcon (<seth@chef.io>)
|
3
|
+
# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
|
4
|
+
# Copyright:: Copyright 2011--2015 Chef Software, Inc.
|
5
|
+
# License:: Apache License, Version 2.0
|
6
|
+
#
|
7
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
8
|
+
# you may not use this file except in compliance with the License.
|
9
|
+
# You may obtain a copy of the License at
|
10
|
+
#
|
11
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
12
|
+
#
|
13
|
+
# Unless required by applicable law or agreed to in writing, software
|
14
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
15
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
16
|
+
# See the License for the specific language governing permissions and
|
17
|
+
# limitations under the License.
|
18
|
+
#
|
19
|
+
|
20
|
+
module OpscodeAcl
|
21
|
+
class GroupRemove < Chef::Knife
|
22
|
+
category "OPSCODE HOSTED CHEF ACCESS CONTROL"
|
23
|
+
banner "knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME"
|
24
|
+
|
25
|
+
deps do
|
26
|
+
include OpscodeAcl::AclBase
|
27
|
+
end
|
28
|
+
|
29
|
+
def run
|
30
|
+
member_type, member_name, group_name = name_args
|
31
|
+
|
32
|
+
if name_args.length != 3
|
33
|
+
show_usage
|
34
|
+
ui.fatal "You must specify member type [client|group|user], member name and group name"
|
35
|
+
exit 1
|
36
|
+
end
|
37
|
+
|
38
|
+
validate_member_name!(group_name)
|
39
|
+
validate_member_type!(member_type)
|
40
|
+
validate_member_name!(member_name)
|
41
|
+
|
42
|
+
if group_name.downcase == "users"
|
43
|
+
ui.fatal "knife-acl can not manage members of the Users group"
|
44
|
+
ui.fatal "please read knife-acl's README.md for more information"
|
45
|
+
exit 1
|
46
|
+
end
|
47
|
+
|
48
|
+
remove_from_group!(member_type, member_name, group_name)
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
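Review bot: `remove_from_group!` has no safeguard comparable to the 'admins'/'grant' guard in `acl remove`: `knife group remove user <me> admins` removes the last administrator without a prompt, and whether the server refuses to empty `admins` I can't tell from here. At minimum confirm when `group_name.downcase == 'admins'`, and consider refusing when the removal would leave both `existing_group['users']` and `existing_group['clients']` empty — that check belongs in `remove_from_group!`, where the current membership is already fetched.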