Use separate credentials for controller and invoker.
Showing
10 changed files
with
133 additions
and
8 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one or more contributor | ||
# license agreements; and to You under the Apache License, Version 2.0. | ||
--- | ||
# Create all required users in _users-database | ||
# http://docs.couchdb.org/en/2.0.0/intro/security.html#users-documents | ||
|
||
- name: create required users | ||
uri: | ||
url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/_users/org.couchdb.user:{{ item.value.user }}" | ||
method: PUT | ||
status_code: 201,409 | ||
body_format: json | ||
body: | | ||
{ | ||
"name": "{{ item.value.user }}", | ||
"password": "{{ item.value.pass }}", | ||
"roles": [], | ||
"type": "user" | ||
} | ||
user: "{{ db.credentials.admin.user }}" | ||
password: "{{ db.credentials.admin.pass }}" | ||
force_basic_auth: yes | ||
with_dict: "{{ db.credentials }}" | ||
# Don't create the admin user again, if a component is using admin access. | ||
when: item.value.user != db.credentials.admin.user |
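Review bot: The `create required users` task loops over `db.credentials` with `with_dict`, so Ansible prints each loop item, including `item.value.pass`, in its normal task output, and the request body carries the same password. Add `no_log: true` to the task, or at least `loop_control: { label: "{{ item.key }}" }` to keep the secret out of the item label. The JSON body is built by string interpolation, so a password containing `"` or `\` would yield a malformed or altered document; `"password": {{ item.value.pass | to_json }}` (and the same for `name`) avoids that. Accepting 409 in `status_code` also means an existing user keeps its old password when the configured one changes, which deserves a comment next to that line.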
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one or more contributor | ||
# license agreements; and to You under the Apache License, Version 2.0. | ||
--- | ||
# Grant the specified users permissions to the specified database. | ||
# dbName - name of the database | ||
# admins - all users with admin access | ||
# readers - all users that have read access on the database | ||
# writers - all users that have write access on the database | ||
|
||
# If a component uses admin credentials, the admin user will not be added to the list (as it already has all access rights). | ||
- set_fact: | ||
readerList: "{{ readers | default([]) | difference([db.credentials.admin.user]) }}" | ||
writerList: "{{ writers | default([]) | difference([db.credentials.admin.user]) }}" | ||
adminList: "{{ admins | default([]) | difference([db.credentials.admin.user]) }}" | ||
|
||
# http://docs.couchdb.org/en/2.0.0/api/database/security.html | ||
- name: grant permissions for CouchDB | ||
uri: | ||
url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security" | ||
method: PUT | ||
status_code: 200 | ||
body_format: json | ||
body: | | ||
{ | ||
"admins": { | ||
"names": [ {{ adminList | join('", "') }} ], | ||
"roles": [] | ||
}, | ||
"members": { | ||
"names": [ "{{ readerList | union(writerList) | join('", "') }}" ], | ||
"roles": [] | ||
} | ||
} | ||
user: "{{ db.credentials.admin.user }}" | ||
password: "{{ db.credentials.admin.pass }}" | ||
force_basic_auth: yes | ||
when: db.provider == 'CouchDB' | ||
|
||
# https://console.bluemix.net/docs/services/Cloudant/api/authorization.html#authorization | ||
- name: grant permissions for Cloudant | ||
uri: | ||
url: "{{ db.protocol }}://{{ db.host }}:{{ db.port }}/{{ dbName }}/_security" | ||
method: PUT | ||
status_code: 200 | ||
body_format: json | ||
body: | | ||
{ | ||
"cloudant": { | ||
{% for item in readerList | union(writerList) | union(adminList) %}"{{ item }}": [ {% if item in readerList %}"_reader"{% if item in writerList %}, "_writer"{% if item in adminList %}, "_admin"{% endif %}{% endif %}{% endif %} ], {% endfor %} | ||
} | ||
} | ||
user: "{{ db.credentials.admin.user }}" | ||
password: "{{ db.credentials.admin.pass }}" | ||
force_basic_auth: yes | ||
when: db.provider == 'Cloudant' |
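Review bot: In the CouchDB task the admins line `"names": [ {{ adminList | join('", "') }} ]` lacks the surrounding quotes that the members line has, so a non-empty `adminList` does not render as a list of JSON strings, while the members line renders `[ "" ]` when both lists are empty. Rendering the lists with a filter, `"names": {{ adminList | to_json }}` and `"names": {{ readerList | union(writerList) | to_json }}`, fixes the quoting and escapes the names. Since CouchDB treats a database with no member names or roles as public, an empty readers/writers set should then be rejected explicitly (for example with an `assert` task) rather than masked by the empty-string entry. In the Cloudant task the `{% if %}` blocks are nested, so a user listed only in `writers` or `admins` receives an empty role array, and every entry ends with a trailing comma; the three role checks should be independent and the separator emitted only when `not loop.last`.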