adding initial RBAC management

StackStorm · Sep 25, 2015 · b9f2a12 · b9f2a12
1 parent 045ade3
commit b9f2a12
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.9.8 (Sept 25, 2015)
+* Add ability to manage StackStorm RBAC roles (*improvement*)
+
 ## 0.9.7 (Sept 22, 2015)
 * Restart mistral on init script update
 

diff --git a/manifests/rbac.pp b/manifests/rbac.pp
@@ -0,0 +1,49 @@
+# Definition: st2::rbac
+#
+# This defined type creates RBAC resources for users
+# This is an enterprise feature, and requires a license
+# to be used.
+#
+define st2::rbac (
+  $ensure      = 'present',
+  $user        = $name,
+  $description = "Created and managed by Puppet",
+  $roles       = [],
+) {
+  $_rbac_dir = '/opt/stackstorm/rbac'
+
+  ensure_resource('file', $_rbac_dir, {
+    'ensure'  => 'directory',
+    'owner'   => 'root',
+    'group'   => 'root',
+    'mode'    => '0755',
+    'require' => Class['::st2::profile::server'],
+  })
+  ensure_resource('file', "${_rbac_dir}/assignments", {
+    'ensure'  => 'directory',
+    'owner'   => 'root',
+    'group'   => 'root',
+    'mode'    => '0755',
+    'require' => Class['::st2::profile::server'],
+  })
+  ensure_resource('file', "${_rbac_dir}/assignments", {
+    'ensure'  => 'directory',
+    'owner'   => 'root',
+    'group'   => 'root',
+    'mode'    => '0755',
+    'require' => Class['::st2::profile::server'],
+  })
+  ensure_resource('exec', 'reload st2 rbac definitions', {
+    'cmd'         => 'st2-apply-rbac-definitions',
+    'refreshonly' => 'true',
+    'path'        => '/usr/sbin:/usr/bin:/sbin:/bin',
+  })
+  file { "${_rbac_dir}/assignments/${user}.yaml":
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('st2/rbac/assignments/user.yaml.erb'),
+    notify  => Exec['reload st2 rbac definitions'],
+  }
+}
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "stackstorm-st2",
-  "version": "0.9.7",
+  "version": "0.9.8",
   "author": "stackstorm",
   "summary": "Puppet module to manage/configure StackStorm",
   "license": "Apache 2.0",

diff --git a/templates/rbac/assignments/user.yaml.erb b/templates/rbac/assignments/user.yaml.erb
@@ -0,0 +1,8 @@
+---
+    username: "<%= @user %>"
+    description: "<%= @description %>"
+    enabled: <%= @_enabled_state %>
+    roles:
+<%- @roles.each do |role| -%>
+        - "<%= role %>"
+<%- end -%>