pe_rbac 0.1.3 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/exe/pe_rbac +98 -6
- data/lib/pe_rbac/version.rb +1 -1
- data/lib/pe_rbac.rb +36 -26
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e8e46eabe4fa453dae8cef44b5ae0f7371d9a2bb
|
|
4
|
+
data.tar.gz: d89e915974bd3bd5b7edb4bbc45e4736411905c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0033af434edc4f964d0e442e66dca216551052d1e39c424648841d312949bcf3aabb1e82c0c7afbe8e74a15b1cb28a663e87728b5636958d06cc6cd319dad960
|
|
7
|
+
data.tar.gz: 3a13fd98d0dfd3aaac65e6609fb412bc090183d45bb01a145971e42538047f569e4bd7a53a1038bf39d9533cd6077d1809721ca6ac61fd58738f1638f01b6136
|
data/README.md
CHANGED
|
@@ -34,6 +34,15 @@ pe_rbac code_manager --password t0ps3cret
|
|
|
34
34
|
Right now, the command line just provides a means to setup code manager. If you
|
|
35
35
|
want to do more then this, you must use the Ruby API
|
|
36
36
|
|
|
37
|
+
### Generating a token to use for ro/rw access to PuppetDB API
|
|
38
|
+
```
|
|
39
|
+
# read-only access
|
|
40
|
+
pe_rbac puppetdb --password t0ps3cret
|
|
41
|
+
|
|
42
|
+
# read-write access
|
|
43
|
+
pe_rbac puppetdb --allow-write --password t0ps3cret
|
|
44
|
+
```
|
|
45
|
+
|
|
37
46
|
### Ruby API
|
|
38
47
|
An *IN FLUX* Ruby API exists, see code for more info. This WILL change (well it
|
|
39
48
|
will if I do any more development work on this...) - expect module names,
|
data/exe/pe_rbac
CHANGED
|
@@ -13,18 +13,27 @@ Escort::App.create do |app|
|
|
|
13
13
|
command.action do |options, arguments|
|
|
14
14
|
role = 'Code Deployers'
|
|
15
15
|
cmd = :code_manager # FIXME obtain this automatically
|
|
16
|
+
description = options[:global][:commands][cmd][:options][:description]
|
|
16
17
|
lifetime = options[:global][:commands][cmd][:options][:lifetime]
|
|
17
18
|
username = options[:global][:commands][cmd][:options][:username]
|
|
18
19
|
password = options[:global][:commands][cmd][:options][:password]
|
|
19
20
|
email = options[:global][:commands][cmd][:options][:email]
|
|
21
|
+
|
|
20
22
|
role_ids = PeRbac::get_role_ids(role)
|
|
21
23
|
|
|
22
|
-
perms = {
|
|
23
|
-
"
|
|
24
|
-
"action"
|
|
25
|
-
"instance"
|
|
26
|
-
}
|
|
27
|
-
|
|
24
|
+
perms = [{
|
|
25
|
+
"object_type" => "tokens",
|
|
26
|
+
"action" => "override_lifetime",
|
|
27
|
+
"instance" => "*",
|
|
28
|
+
}]
|
|
29
|
+
|
|
30
|
+
# only need to update the role since its built-in
|
|
31
|
+
PeRbac::update_role(
|
|
32
|
+
role,
|
|
33
|
+
nil,
|
|
34
|
+
perms,
|
|
35
|
+
)
|
|
36
|
+
|
|
28
37
|
PeRbac::ensure_user(username, email, username, password, role_ids)
|
|
29
38
|
PeRbac::login(username, password, lifetime)
|
|
30
39
|
end
|
|
@@ -52,4 +61,87 @@ Escort::App.create do |app|
|
|
|
52
61
|
end
|
|
53
62
|
end
|
|
54
63
|
|
|
64
|
+
app.command :puppetdb do |command|
|
|
65
|
+
command.summary "Access to PuppetDB"
|
|
66
|
+
command.description "Create a user and token to access PuppetDB"
|
|
67
|
+
command.action do |options, arguments|
|
|
68
|
+
role = 'PuppetDB Readers'
|
|
69
|
+
cmd = :puppetdb # FIXME obtain this automatically
|
|
70
|
+
description = options[:global][:commands][cmd][:options][:description]
|
|
71
|
+
lifetime = options[:global][:commands][cmd][:options][:lifetime]
|
|
72
|
+
username = options[:global][:commands][cmd][:options][:username]
|
|
73
|
+
password = options[:global][:commands][cmd][:options][:password]
|
|
74
|
+
email = options[:global][:commands][cmd][:options][:email]
|
|
75
|
+
allow_write = options[:global][:commands][cmd][:options][:allow_write]
|
|
76
|
+
perms = [
|
|
77
|
+
{
|
|
78
|
+
"object_type" => "tokens",
|
|
79
|
+
"action" => "override_lifetime",
|
|
80
|
+
"instance" => "*",
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
"object_type" => "nodes",
|
|
84
|
+
"action" => "view_data",
|
|
85
|
+
"instance" => "*",
|
|
86
|
+
}
|
|
87
|
+
]
|
|
88
|
+
if allow_write
|
|
89
|
+
perms.push({
|
|
90
|
+
"object_type" => "nodes",
|
|
91
|
+
"action" => "edit_data",
|
|
92
|
+
"instance" => "*",
|
|
93
|
+
})
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
# create/update the role
|
|
97
|
+
PeRbac::ensure_role(
|
|
98
|
+
role,
|
|
99
|
+
description,
|
|
100
|
+
perms
|
|
101
|
+
)
|
|
102
|
+
|
|
103
|
+
# get the ID of the newly created role
|
|
104
|
+
role_ids = PeRbac::get_role_ids(role)
|
|
105
|
+
|
|
106
|
+
# join a user to the role
|
|
107
|
+
PeRbac::ensure_user(username, email, username, password, role_ids)
|
|
108
|
+
|
|
109
|
+
# Generate and output the token
|
|
110
|
+
token = PeRbac::token(username, password, lifetime)
|
|
111
|
+
Escort::Logger.output.puts token
|
|
112
|
+
end
|
|
113
|
+
command.options do |opts|
|
|
114
|
+
opts.opt(:username,
|
|
115
|
+
'Username for puppetdb user',
|
|
116
|
+
:long => '--username',
|
|
117
|
+
:default => 'puppetdb_read'
|
|
118
|
+
)
|
|
119
|
+
opts.opt(:password,
|
|
120
|
+
'Initial password for deploy user',
|
|
121
|
+
:long => '--password',
|
|
122
|
+
:default => 'changeme'
|
|
123
|
+
)
|
|
124
|
+
opts.opt(:email,
|
|
125
|
+
'Email address',
|
|
126
|
+
:long => '--email',
|
|
127
|
+
:default => 'root@localhost'
|
|
128
|
+
)
|
|
129
|
+
opts.opt(:lifetime,
|
|
130
|
+
'Token validity length',
|
|
131
|
+
:long => '--lifetime',
|
|
132
|
+
:default => '10y'
|
|
133
|
+
)
|
|
134
|
+
opts.opt(:allow_write,
|
|
135
|
+
'Allow WRITING to PuppetDB?',
|
|
136
|
+
:long => '--allow-write',
|
|
137
|
+
:type => :boolean,
|
|
138
|
+
:default => false
|
|
139
|
+
)
|
|
140
|
+
opts.opt(:description,
|
|
141
|
+
'Custommise the role description',
|
|
142
|
+
:long => '--description',
|
|
143
|
+
:default => 'Token access to PuppetDB'
|
|
144
|
+
)
|
|
145
|
+
end
|
|
146
|
+
end
|
|
55
147
|
end
|
data/lib/pe_rbac/version.rb
CHANGED
data/lib/pe_rbac.rb
CHANGED
|
@@ -149,30 +149,33 @@ module PeRbac
|
|
|
149
149
|
ids = []
|
|
150
150
|
display_names.each { |display_name|
|
|
151
151
|
found=get_role_id(display_name)
|
|
152
|
-
if !found
|
|
153
|
-
|
|
152
|
+
#if !found
|
|
153
|
+
# raise("RBAC role '#{display_name}' not found")
|
|
154
|
+
#end
|
|
155
|
+
if found
|
|
156
|
+
ids.push(found)
|
|
154
157
|
end
|
|
155
|
-
ids.push(found)
|
|
156
158
|
}
|
|
157
159
|
ids
|
|
158
160
|
end
|
|
159
161
|
|
|
160
162
|
# CREATE
|
|
161
|
-
def self.ensure_role(display_name, description, permissions=[],
|
|
163
|
+
def self.ensure_role(display_name, description, permissions=[], user_ids=[])
|
|
162
164
|
if get_role_id(display_name)
|
|
163
|
-
update_role(display_name, description, permissions,
|
|
165
|
+
update_role(display_name, description, permissions, user_ids)
|
|
164
166
|
else
|
|
165
|
-
create_role(display_name, description, permissions,
|
|
167
|
+
create_role(display_name, description, permissions, user_ids)
|
|
166
168
|
end
|
|
167
169
|
end
|
|
168
|
-
|
|
169
|
-
|
|
170
|
+
|
|
171
|
+
# https://docs.puppet.com/pe/latest/rbac_roles_v1.html#post-roles
|
|
172
|
+
def self.create_role(display_name, description=display_name, permissions=[], user_ids=[], group_ids=[])
|
|
170
173
|
role = {
|
|
174
|
+
"permissions" => permissions,
|
|
175
|
+
"user_ids" => user_ids,
|
|
176
|
+
"group_ids" => group_ids,
|
|
171
177
|
"display_name" => display_name,
|
|
172
178
|
"description" => description,
|
|
173
|
-
"permissions" => permissions,
|
|
174
|
-
"user_ids" => users,
|
|
175
|
-
"group_ids" => [], # doesn't seem to be used yet
|
|
176
179
|
}
|
|
177
180
|
_request(:post, '/roles', role)
|
|
178
181
|
end
|
|
@@ -181,11 +184,11 @@ module PeRbac
|
|
|
181
184
|
role_id = get_role_id(display_name)
|
|
182
185
|
if role_id
|
|
183
186
|
role = get_role(role_id)
|
|
184
|
-
role['display_name']
|
|
185
|
-
role['description']
|
|
186
|
-
role['permissions']
|
|
187
|
-
role['user_ids']
|
|
188
|
-
role['group_ids']
|
|
187
|
+
role['display_name'] = display_name ? display_name : role['display_name']
|
|
188
|
+
role['description'] = description ? display_name : role['description']
|
|
189
|
+
role['permissions'] = permissions ? permissions : role['permissions']
|
|
190
|
+
role['user_ids'] = user_ids ? user_ids : role['user_ids']
|
|
191
|
+
role['group_ids'] = group_ids ? group_ids : role['group_ids']
|
|
189
192
|
|
|
190
193
|
_request(:put, "/roles/#{role_id}", role)
|
|
191
194
|
else
|
|
@@ -242,16 +245,23 @@ module PeRbac
|
|
|
242
245
|
else
|
|
243
246
|
_payload=nil
|
|
244
247
|
end
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
248
|
+
begin
|
|
249
|
+
RestClient::Request.execute(
|
|
250
|
+
method: method,
|
|
251
|
+
url: url,
|
|
252
|
+
ssl_ca_file: CONF[:cacert],
|
|
253
|
+
ssl_client_cert: OpenSSL::X509::Certificate.new(File.read(CONF[:cert])),
|
|
254
|
+
ssl_client_key: OpenSSL::PKey::RSA.new(File.read(CONF[:key])),
|
|
255
|
+
ssl_version: :TLSv1,
|
|
256
|
+
headers: {:content_type => :json, :accept => :json},
|
|
257
|
+
payload: _payload,
|
|
258
|
+
)
|
|
259
|
+
rescue RestClient::ExceptionWithResponse => e
|
|
260
|
+
Escort::Logger.error.error url
|
|
261
|
+
Escort::Logger.error.error _payload
|
|
262
|
+
Escort::Logger.error.error e.response
|
|
263
|
+
raise "API Error"
|
|
264
|
+
end
|
|
255
265
|
end
|
|
256
266
|
|
|
257
267
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pe_rbac
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Geoff Williams
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-11-
|
|
11
|
+
date: 2016-11-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|