Support groups in policies #73

Open
ripienaar opened this issue Jan 12, 2017 · 4 comments

Comments

@ripienaar
Member

Could have landed group support without improving the action policy plugin but decided on the https://github.com/puppetlabs/mcollective-actionpolicy-auth/pull/15 route instead. Once this is released, make sure it's supported.

@ZeroPointEnergy

Updated link to above mentioned PR: choria-legacy/mcollective-actionpolicy-auth#15

It looks to me like the group feature was actually merged and it's also present in the action-policy plugin here: https://github.com/choria-plugins/action-policy

Would you be interested in a PR regarding the configuration of this feature in this module?

@ripienaar
Member Author

At present the action-policy in ruby is just dead bytes. It's not called in the real execution paths anymore.

The current parallel implementation is https://github.com/choria-io/go-choria/blob/main/providers/agent/mcorpc/authz_actionpolicy.go and tbh you should probably rather use Open Policy Agent if you want this kind of stuff

@ripienaar
Member Author

However it seems I do support groups in that new go one? Looks like it, in that case sure a contribution to make Puppet aware of it would be great

@smortex
Member

smortex commented Jan 30, 2023

> However it seems I do support groups in that new go one?

I think so, I am using it 😄, it is convenient for tiny organizations. Here is the code I am using right now in my control-repo:

class profile::choria::server {

  # [...]

  # Groups file: one group per line, the group name followed by its members
  file { "${mcollective::configdir}/policies/groups":
    ensure  => file,
    content => @(POLICY),
      group1 choria=user1.mcollective choria=user2.mcollective
      group2 choria=user3.mcollective
      group3 choria=user4.mcollective
      group4 choria=user3.mcollective choria=user4.mcollective
      | POLICY
    notify  => Class['Choria::Service'],
  }
}

I guess a defined type for a group with the group name as namevar and an array of members would be great! @ZeroPointEnergy feel free to ping me when you open a PR!
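One way the defined type suggested above could look, as an added example that is not code from this thread or from the choria module: the names `profile::choria::policy_group` and `profile::choria::groups` are hypothetical, and it assumes the puppetlabs-concat module is installed. The parameter types reject whitespace in group names and members, so a single value cannot introduce an extra member or an extra line in the groups file.

```puppet
# Added example; hypothetical names, not part of the choria module.
# Assumes puppetlabs-concat. In a real module each definition lives in its own file.
define profile::choria::policy_group (
  # Members exactly as written in the groups file, e.g. 'choria=user1.mcollective'.
  # Whitespace is rejected: a space or newline inside a value would silently
  # add another member or start another group line.
  Array[Pattern[/\A[^\s#]+\z/], 1] $members,
  # Group name defaults to the resource title (namevar).
  Pattern[/\A[\w.\-]+\z/]          $group  = $title,
  String[1]                        $target = "${mcollective::configdir}/policies/groups",
) {
  # De-duplicate and sort so the rendered line is stable between runs.
  $member_list = $members.unique.sort.join(' ')

  concat::fragment { "choria policy group ${group}":
    target  => $target,
    content => "${group} ${member_list}\n",
  }
}

class profile::choria::groups {
  # The groups file is assembled from one fragment per group.
  concat { "${mcollective::configdir}/policies/groups":
    ensure => present,
    notify => Class['Choria::Service'],
  }

  # Same membership as group1 and group4 in the heredoc above.
  profile::choria::policy_group { 'group1':
    members => ['choria=user1.mcollective', 'choria=user2.mcollective'],
  }

  profile::choria::policy_group { 'group4':
    members => ['choria=user3.mcollective', 'choria=user4.mcollective'],
  }
}
```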
