diff --git a/policies/rudder-commons/src/lib.rs b/policies/rudder-commons/src/lib.rs
index 4031f549c59..cd976e13c66 100644
--- a/policies/rudder-commons/src/lib.rs
+++ b/policies/rudder-commons/src/lib.rs
@@ -309,7 +309,7 @@ impl PolicyMode {
String::deserialize(deserializer).and_then(|string| match string.as_ref() {
"enforce" => Ok(Some(PolicyMode::Enforce)),
"audit" => Ok(Some(PolicyMode::Audit)),
- "default" => Ok(None),
+ "none" => Ok(None),
_ => Err(Error::custom(format!(
"Could not parse policy mode '{}'",
string
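Review bot: Any stored technique that still carries the spelling `default` is now rejected at the match on L10-L11 with "Could not parse policy mode", because the old literal is dropped rather than kept as an alias; unless every technique file is rewritten in the same release, a previously valid override becomes a hard load failure. Keeping the legacy spelling as a deprecated alias, `"none" | "default" => Ok(None),` costs nothing, and the error text on L12 would be more actionable as `"Could not parse policy mode '{}' (expected 'enforce', 'audit' or 'none')"`. The enclosing deserializer function starts before this hunk.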
diff --git a/policies/rudderc/docs/src/syntax.md b/policies/rudderc/docs/src/syntax.md
index 7249456618c..c81784d6f40 100644
--- a/policies/rudderc/docs/src/syntax.md
+++ b/policies/rudderc/docs/src/syntax.md
@@ -109,10 +109,10 @@ Blocks contains:
* `tags` (optional): Optional key-value tags.
* `items`: A list of items (block or method call). Cannot be empty.
* `condition` (optional): A condition expression for the whole block. `true` is an always defined (default), `false` is never defined.
-* `policy_mode` (optional):
- * `default`(default): Inherit policy mode from parent container
- * `enforce`: Force the policy mode of all items within the block in enforce mode.
- * `audit`: Force the policy mode of all items within the block in audit mode.
+* `policy_mode_override` (optional):
+ * `none`(default): Use the policy mode from parent container (or directive if no override)
+ * `enforce`: Force the policy mode of all items within the block to enforce mode.
+ * `audit`: Force the policy mode of all items within the block to audit mode.
* `reporting` (optional):
* `mode`
* `weighted` (default)
@@ -122,6 +122,15 @@ Blocks contains:
* `disabled`: No reporting
* `id` (required with `focus` mode): id of the method to focus reporting on.
+
+Setting policy_mode_override
to enforce
will bypass the audit mode, so it must only be used
+for actions that do not modify the system and are required for proper audit mode operation (e.g.
+writing a temporary file to compare its content with the system).
+
+
+Policy mode effective value will always be the most closest override layer, meanning that an overridden policy mode on a method call
+will always prevail over directives and blocks values.
+
```yaml
items:
- name: "Ensure telnet-server absence"
@@ -135,9 +144,6 @@ items:
- ...
```
-Policy mode effective value will always be taken from the latest override layer. Meaning that a forced policy mode on a method call
-will always prevail over directives and blocks ones.
-
## Methods
Methods contains:
@@ -148,8 +154,8 @@ Methods contains:
* `tags` (optional): Optional key-value tags.
* `params`: Key-Value dictionary of parameters for the method.
* `condition` (optional): A condition expression for the method. `true` is an always defined (default), `false` is never defined.
-* `policy_mode` (optional):
- * `default`(default): Inherit policy mode from parent container
+* `policy_mode_override` (optional):
+ * `none` (default): Inherit policy mode from parent container (ore directive if no override)
* `enforce`: Force the policy mode to enforce mode.
* `audit`: Force the policy mode to audit mode.
* `reporting` (optional)
@@ -157,6 +163,12 @@ Methods contains:
* `enabled` (default): Normal reporting
* `disabled`: No reporting
+
+Setting policy_mode_override
to enforce
will bypass the audit mode, so it must only be used
+for actions that do not modify the system and are required for proper audit mode operation (e.g.
+writing a temporary file to compare its content with the system).
+
+
The methods are documented in the next section of this documentation, sorted by category.
Example:
diff --git a/policies/rudderc/src/backends/unix.rs b/policies/rudderc/src/backends/unix.rs
index 43455b380b4..551770af7f9 100644
--- a/policies/rudderc/src/backends/unix.rs
+++ b/policies/rudderc/src/backends/unix.rs
@@ -83,7 +83,7 @@ impl Backend for Unix {
ItemKind::Block(r) => {
let mut calls: Vec<(Promise, Option)> = vec![];
if let Some(x) = dry_run_mode::push_policy_mode(
- r.policy_mode,
+ r.policy_mode_override,
format!("push_policy_mode_for_block_{}", r.id),
) {
calls.push((x, None))
@@ -96,7 +96,7 @@ impl Backend for Unix {
)?);
}
if let Some(x) = dry_run_mode::pop_policy_mode(
- r.policy_mode,
+ r.policy_mode_override,
format!("pop_policy_mode_for_block_{}", r.id),
) {
calls.push((x, None))
diff --git a/policies/rudderc/src/backends/unix/ncf/method_call.rs b/policies/rudderc/src/backends/unix/ncf/method_call.rs
index 4fa3cd4468b..b55e0450c6c 100644
--- a/policies/rudderc/src/backends/unix/ncf/method_call.rs
+++ b/policies/rudderc/src/backends/unix/ncf/method_call.rs
@@ -106,8 +106,8 @@ pub fn method_call(
info.bundle_name
);
- let push_policy_mode = dry_run_mode::push_policy_mode(m.policy_mode, unique.clone());
- let pop_policy_mode = dry_run_mode::pop_policy_mode(m.policy_mode, unique.clone());
+ let push_policy_mode = dry_run_mode::push_policy_mode(m.policy_mode_override, unique.clone());
+ let pop_policy_mode = dry_run_mode::pop_policy_mode(m.policy_mode_override, unique.clone());
let incall_condition = "${method_call_condition}".to_string();
let mut promises = match (&condition, is_supported) {
diff --git a/policies/rudderc/src/backends/windows.rs b/policies/rudderc/src/backends/windows.rs
index eeb5ee0a5d3..6fa99eec993 100644
--- a/policies/rudderc/src/backends/windows.rs
+++ b/policies/rudderc/src/backends/windows.rs
@@ -157,7 +157,7 @@ struct WindowsMethod {
args: Vec<(String, String, Escaping)>,
name: String,
is_supported: bool,
- policy_mode: Option,
+ policy_mode_override: Option,
}
fn method_call(
@@ -211,14 +211,14 @@ fn method_call(
args,
name: filters::dsc_case(&m.info.as_ref().unwrap().bundle_name).unwrap(),
is_supported,
- policy_mode: if let Some(x) = policy_mode_context {
- if m.policy_mode.is_none() {
+ policy_mode_override: if let Some(x) = policy_mode_context {
+ if m.policy_mode_override.is_none() {
Some(x)
} else {
- m.policy_mode
+ m.policy_mode_override
}
} else {
- m.policy_mode
+ m.policy_mode_override
},
})
}
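Review bot: The nested `if let` / `is_none()` on L135-L145 is `Option::or` written out, and what it stores is no longer an override but the mode resolved from the method or its enclosing block, so the `WindowsMethod` field name `policy_mode_override` (L126) now says the opposite of what it holds. Collapsing it to `policy_mode_override: m.policy_mode_override.or(policy_mode_context),` makes the precedence (method override first, block context second) readable at a glance, and naming the field `policy_mode` or `effective_policy_mode` would match what the template emits as `PolicyMode`. Whether nested blocks' overrides compose into `policy_mode_context` is decided in `resolve_module`, outside this hunk, so only one level of inheritance is visible here. `method_call` starts before this hunk.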
@@ -246,7 +246,7 @@ impl Windows {
calls.extend(resolve_module(
inner,
context.and(&r.condition),
- r.policy_mode,
+ r.policy_mode_override,
)?);
}
Ok(calls)
diff --git a/policies/rudderc/src/ir/technique.rs b/policies/rudderc/src/ir/technique.rs
index 800faa2f795..e9e451c5318 100644
--- a/policies/rudderc/src/ir/technique.rs
+++ b/policies/rudderc/src/ir/technique.rs
@@ -325,7 +325,7 @@ pub struct DeserItem {
pub module: Option,
#[serde(deserialize_with = "PolicyMode::from_string")]
#[serde(default)]
- pub policy_mode: Option,
+ pub policy_mode_override: Option,
}
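Review bot: Renaming the serde field on L166 without a `#[serde(alias = "policy_mode")]` means a technique.yml still written with the old `policy_mode:` key is either rejected or, if `DeserItem` is not marked `deny_unknown_fields` (its attributes are outside this hunk), silently ignored; a dropped `policy_mode: audit` on a method inside an enforce directive would turn an audit-only check into a change applied to the node. Adding `#[serde(alias = "policy_mode")]` above the field keeps legacy files loading with the mode their author chose; failing loudly on the legacy key is the other acceptable outcome, silently inheriting the parent mode is not. The struct definition starts before this hunk.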
// Variant of Technique for first level of deserialization
@@ -390,7 +390,7 @@ impl DeserItem {
&self.name, &self.id
))?,
info: None,
- policy_mode: self.policy_mode,
+ policy_mode_override: self.policy_mode_override,
})),
(true, false, _, false) => {
bail!("Method {} ({}) requires params", self.name, self.id)
@@ -406,7 +406,7 @@ impl DeserItem {
"Module {} ({}) has an unexpected reporting mode",
self.name, self.id
))?,
- policy_mode: self.policy_mode,
+ policy_mode_override: self.policy_mode_override,
})),
(false, true, _, false) => {
bail!("Module {} ({}) requires params", self.name, self.id)
@@ -426,7 +426,7 @@ impl DeserItem {
.into_iter()
.map(|i| i.into_kind().unwrap())
.collect(),
- policy_mode: self.policy_mode,
+ policy_mode_override: self.policy_mode_override,
})),
(false, false, false, false) => {
bail!("Block {} ({}) requires items", self.name, self.id)
@@ -473,7 +473,7 @@ pub struct Block {
pub reporting: BlockReporting,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
- pub policy_mode: Option,
+ pub policy_mode_override: Option,
}
#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
@@ -493,7 +493,7 @@ pub struct Module {
pub reporting: LeafReporting,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
- pub policy_mode: Option,
+ pub policy_mode_override: Option,
}
#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
@@ -516,7 +516,7 @@ pub struct Method {
pub info: Option<&'static MethodInfo>,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
- pub policy_mode: Option,
+ pub policy_mode_override: Option,
}
#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
diff --git a/policies/rudderc/src/technique.schema.json b/policies/rudderc/src/technique.schema.json
index a6a6cd63375..6a3c168499e 100644
--- a/policies/rudderc/src/technique.schema.json
+++ b/policies/rudderc/src/technique.schema.json
@@ -281,7 +281,7 @@
"enum": [
"audit",
"enforce",
- "default"
+ "none"
]
},
"methodReportingMode": {
@@ -386,7 +386,7 @@
"title": "method call tags",
"$ref": "#/$defs/tags"
},
- "policy_mode": {
+ "policy_mode_override": {
"title": "method call policy mode override",
"$ref": "#/$defs/policyMode"
},
@@ -455,7 +455,7 @@
"title": "block call tags",
"$ref": "#/$defs/tags"
},
- "policy_mode": {
+ "policy_mode_override": {
"title": "block call policy mode",
"$ref": "#/$defs/policyMode"
},
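Review bot: The two renamed properties carry inconsistent titles: the method call one on L239 reads "method call policy mode override" while the block one on L248 still says "block call policy mode", although both now describe an override with `none` as the inherit value. Aligning it to `"title": "block call policy mode override"` keeps editor tooltips consistent with the docs. The next hunk also strips the file's trailing newline, which is worth restoring to keep the schema diff-friendly.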
@@ -495,4 +495,4 @@
]
}
}
-}
+}
\ No newline at end of file
diff --git a/policies/rudderc/templates/technique.ps1.askama b/policies/rudderc/templates/technique.ps1.askama
index 23ed7a0e656..7f42e9b3aa5 100644
--- a/policies/rudderc/templates/technique.ps1.askama
+++ b/policies/rudderc/templates/technique.ps1.askama
@@ -32,7 +32,7 @@ function {{ id|dsc_case }} {
ClassPrefix = ([Rudder.Condition]::canonify(("{{ m.class_prefix }}_" + $componentKey)))
ComponentKey = $componentKey
ComponentName = "{{ m.component_name|escape_double_quotes }}"
- PolicyMode = {{ m.policy_mode|policy_mode_fmt }}
+ PolicyMode = {{ m.policy_mode_override|policy_mode_fmt }}
ReportId = $reportId
DisableReporting = ${{ m.disable_reporting }}
TechniqueName = $techniqueName
@@ -47,7 +47,7 @@ function {{ id|dsc_case }} {
{{- arg.0 }} = {{ arg|parameter_fmt }}
{% endfor %}
}
- $call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode|policy_mode_fmt }}
+ $call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode_override|policy_mode_fmt }}
$methodContext = Compute-Method-Call @reportParams -MethodCall $call
$localContext.merge($methodContext)
} else {
@@ -59,7 +59,7 @@ function {{ id|dsc_case }} {
{{- arg.0 }} = {{ arg|parameter_fmt }}
{% endfor %}
}
- $call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode|policy_mode_fmt }}
+ $call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode_override|policy_mode_fmt }}
$methodContext = Compute-Method-Call @reportParams -MethodCall $call
$localContext.merge($methodContext)
{% endmatch %}
diff --git a/policies/rudderc/tests/cases/general/policy_mode/technique.yml b/policies/rudderc/tests/cases/general/policy_mode/technique.yml
index 4dfecef189d..0892a951c78 100644
--- a/policies/rudderc/tests/cases/general/policy_mode/technique.yml
+++ b/policies/rudderc/tests/cases/general/policy_mode/technique.yml
@@ -10,7 +10,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: audit
+ policy_mode_override: audit
- id: 1eedce7b-3441-4251-bdd6-706fda3ec7a8
name: 'In omit mode'
method: file_content
@@ -25,7 +25,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: enforce
+ policy_mode_override: enforce
- id: 1d809592-808e-4177-8351-8b7b7769af69
name: 'In default mode'
method: file_content
@@ -33,10 +33,10 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: default
+ policy_mode_override: none
- id: 57f54359-2b2e-49f9-ab61-a77705615302
name: "A block in audit mode"
- policy_mode: audit
+ policy_mode_override: audit
items:
- id: ea274579-40fc-4545-b384-8d5576a7c69b
name: 'Resolve to audit'
@@ -45,7 +45,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: audit
+ policy_mode_override: audit
- id: 85659b7e-968c-458c-b566-c90108c50833
name: 'Resolve to enforce'
method: file_content
@@ -53,7 +53,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: enforce
+ policy_mode_override: enforce
- id: d8def455-cd43-441f-8dba-1ebae3a29389
name: 'Resolve to audit'
method: file_content
@@ -61,10 +61,10 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: default
+ policy_mode_override: none
- id: 1ff82fc2-38fc-4324-92ab-3de5fafcdc14
name: "A block in enforce mode"
- policy_mode: enforce
+ policy_mode_override: enforce
items:
- id: f9417d97-3a18-4db6-85c3-72e28618bff1
name: 'Resolve to audit'
@@ -73,7 +73,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: audit
+ policy_mode_override: audit
- id: c4b4faa1-85e5-4922-b713-c198bf99226e
name: 'Resolve to enforce'
method: file_content
@@ -81,7 +81,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: enforce
+ policy_mode_override: enforce
- id: cce62a59-bd17-4858-ba06-6ae41f39b15a
name: 'Resolve to enforce'
method: file_content
@@ -89,14 +89,14 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: default
+ policy_mode_override: none
- id: 7def389a-78d2-4104-b6fc-19c74f14fe93
name: "An audit block"
- policy_mode: enforce
+ policy_mode_override: enforce
items:
- id: 9fca6ca8-ccaa-4688-a5fc-e2a0d9d60165
name: 'A nested block in audit'
- policy_mode: audit
+ policy_mode_override: audit
items:
- id: 0a4299dd-0902-48b2-85ee-13dfe6fc3af6
name: 'Resolve to audit'
@@ -105,7 +105,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: default
+ policy_mode_override: none
- id: 3b8352df-1329-4956-a019-bb9c072bc830
name: 'Resolve to enforce'
method: file_content
@@ -113,4 +113,4 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
- policy_mode: default
+ policy_mode_override: none
diff --git a/webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/ncf/yaml/YamlTechnique.scala b/webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/ncf/yaml/YamlTechnique.scala
index fdc3e37e92c..af60baeab29 100644
--- a/webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/ncf/yaml/YamlTechnique.scala
+++ b/webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/ncf/yaml/YamlTechnique.scala
@@ -71,17 +71,17 @@ case class Technique(
case class MethodItem(
// Common fields
- id: String,
- name: String,
- reporting: Option[Reporting],
- condition: Option[String],
- tags: Option[Map[String, String]],
+ id: String,
+ name: String,
+ reporting: Option[Reporting],
+ condition: Option[String],
+ tags: Option[Map[String, String]],
// Call specific fields
- method: Option[String],
- params: Option[Map[ParameterId, String]],
+ method: Option[String],
+ params: Option[Map[ParameterId, String]],
// Block specific fields
- items: Option[List[MethodItem]],
- policy_mode: Option[PolicyMode]
+ items: Option[List[MethodItem]],
+ policy_mode_override: Option[PolicyMode]
)
case class Reporting(
@@ -169,7 +169,7 @@ object YamlTechniqueSerializer {
reporting,
item.condition.getOrElse(""),
items,
- item.policy_mode
+ item.policy_mode_override
)
}
case None =>
@@ -184,7 +184,7 @@ object YamlTechniqueSerializer {
item.name,
// boolean for "disableReporting"
item.reporting.map(_.mode == "disabled").getOrElse(false),
- item.policy_mode
+ item.policy_mode_override
)
)
case None => Left(Consistancy("error"))
diff --git a/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_any/1.0/technique.yml b/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_any/1.0/technique.yml
index aaab334f60b..dec7e878430 100644
--- a/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_any/1.0/technique.yml
+++ b/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_any/1.0/technique.yml
@@ -18,4 +18,4 @@ items:
params:
package_name: ${node.properties[apache_package_name]}
package_version: 2.2.11
- policy_mode: audit
+ policy_mode_override: audit
diff --git a/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_by_Rudder/1.0/technique.yml b/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_by_Rudder/1.0/technique.yml
index 1f9fade7025..4fe9a71fa45 100644
--- a/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_by_Rudder/1.0/technique.yml
+++ b/webapp/sources/rudder/rudder-core/src/test/resources/configuration-repository/techniques/ncf_techniques/technique_by_Rudder/1.0/technique.yml
@@ -32,15 +32,15 @@ items:
method: command_execution
params:
command: Write-Host "testing special characters ` è &é 'à é "
- policy_mode: enforce
- policy_mode: audit
+ policy_mode_override: enforce
+ policy_mode_override: audit
- id: id3
name: Customized component
condition: package_install_version_${node.properties[apache_package_name]}_repaired
method: service_start
params:
service_name: ${node.properties[apache_package_name]}
- policy_mode: audit
+ policy_mode_override: audit
- id: id4
name: Package install
condition: redhat
@@ -53,7 +53,7 @@ items:
method: command_execution
params:
command: /bin/echo "testing special characters ` è &é 'à é "\
- policy_mode: audit
+ policy_mode_override: audit
- id: id6
name: Package state windows
condition: dsc
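Review bot: The consecutive `policy_mode_override: enforce` and `policy_mode_override: audit` lines on L473-L474 are a duplicate key in the same mapping, carried over from the old `policy_mode` pair; which one wins (first, last, or a parse error) depends on the YAML library, so the fixture does not pin whether this `command_execution` item runs in enforce or audit mode. If the fixture intends to exercise duplicate-key handling, a comment should say so; otherwise one of the two lines should be dropped so the expected mode is unambiguous.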
diff --git a/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewBlock.elm b/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewBlock.elm
index 99933ec4f9b..68b89aba719 100644
--- a/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewBlock.elm
+++ b/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewBlock.elm
@@ -432,7 +432,7 @@ blockBody model parentId block ui techniqueUi =
Opened -> element "div"
|> addClass ("gm-labels ")
|> appendChild
- ( element "div" |> addClass "gm-label rudder-label gm-label-label" |> appendText "Policy mode:")
+ ( element "div" |> addClass "gm-label rudder-label gm-label-label" |> appendText "Policy mode override:")
|> appendChild
( element "div"
|> addClass "btn-group"
@@ -441,7 +441,7 @@ blockBody model parentId block ui techniqueUi =
|> addClass ("btn dropdown-toggle rudder-label gm-label " ++ policyModeLabel)
|> addAttribute (attribute "data-bs-toggle" "dropdown")
|> appendText (case block.policyMode of
- Nothing -> "Default"
+ Nothing -> "None"
Just Enforce -> " "
Just Audit -> " "
)
@@ -453,7 +453,7 @@ blockBody model parentId block ui techniqueUi =
(element "a"
|> addAction ("click", MethodCallModified (Block parentId {block | policyMode = Nothing }) )
|> addClass "dropdown-item"
- |> appendText "Default"
+ |> appendText "None"
)
, element "li"
|> appendChild
diff --git a/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewMethod.elm b/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewMethod.elm
index 9484c80a79b..2afd13dcba8 100644
--- a/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewMethod.elm
+++ b/webapp/sources/rudder/rudder-web/src/main/elm/sources/Editor/ViewMethod.elm
@@ -546,7 +546,7 @@ callBody model ui techniqueUi call pid =
Opened -> element "div"
|> addClass ("gm-labels " ++ methodNameLabelClass)
|> appendChild
- ( element "div" |> addClass "gm-label rudder-label gm-label-label" |> appendText "Policy mode:")
+ ( element "div" |> addClass "gm-label rudder-label gm-label-label" |> appendText "Policy mode override:")
|> appendChild
( element "div"
|> addClass "btn-group"
@@ -555,7 +555,7 @@ callBody model ui techniqueUi call pid =
|> addClass ("btn dropdown-toggle rudder-label gm-label " ++ policyModeLabel)
|> addAttribute (attribute "data-bs-toggle" "dropdown")
|> appendText (case call.policyMode of
- Nothing -> "Default"
+ Nothing -> "None"
Just Enforce -> " "
Just Audit -> " "
)
@@ -567,7 +567,7 @@ callBody model ui techniqueUi call pid =
(element "a"
|> addAction ("click", MethodCallModified (Call pid {call | policyMode = Nothing }) )
|> addClass "dropdown-item"
- |> appendText "Default"
+ |> appendText "None"
)
, element "li"
|> appendChild