Skip to content
This repository has been archived by the owner on Jul 16, 2019. It is now read-only.

conjurdemos/enterprise-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

248 Commits
admin
admin
 
 
bin
bin
 
 
demos/ansible
demos/ansible
 
 
docker-ldap
docker-ldap
 
 
ldap
ldap
 
 
policy
policy
 
 
.gitignore
.gitignore
 
 
.project
.project
 
 
Dockerfile.admin
Dockerfile.admin
 
 
Dockerfile.cli
Dockerfile.cli
 
 
README.demo.md
README.demo.md
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
jenkins.sh
jenkins.sh
 
 
populate.sh
populate.sh
 
 
secrets.ci.yml
secrets.ci.yml
 
 
secrets.dev.yml
secrets.dev.yml
 
 

Repository files navigation

Enterprise Example Demo

This repository models an example enterprise using Conjur. It includes user groups for development, operations, QA, research, HR, etc, along with the related infrastructure systems such as Jenkins.

YouTube video walkthrough (5 minutes):

Video Walkthrough (YouTube)

Loading the demo policies

To run the demo, clone this repository and load the data using the populate script.

$ git clone https://github.com/conjurdemos/enterprise-example.git
$ cd enterprise-example
$ ./populate.sh

This assumes you have the Conjur CLI installed on your machine, and you've already run conjur init -h $HOSTNAME to point the CLI to your Conjur server. The script will also prompt to create a new security admin in which all demo records will be owned by.

System Components

Global organization

The organization groups are loaded from policy/groups.yml.

Some example groups:

  • employees a group of which every user is a member
  • operations-admin a group of HR administrators
  • operations a group of HR employees, which is administered by the hr-admin group.

The rest of the groups follow the same pattern, e.g. developers and developers-admin. The members of the "admin" group correspond to the team managers. They can add and remove members of the managed group.

Policies

The policy folder contains sub-folders, for example ci, prod. Each of these folders contains Conjur policies that are applied to the corresponding environment.

For example, the policy/ci folder contains policies which govern a Jenkins-based CI system.

Entitlements

The entitlements YAML assigns membership in application policy roles to groups from the global organization.

For example, each Layer automatically defines SSH roles admin_host and use_host. An "entitlement" grants membership in one of these roles to a group (or user) from the global organization.

LDAP (WIP)

The global organization groups and users can be provided by an LDAP directory. Conjur can be configured to sync this directory into Conjur Users and Groups. Conjur can also be configured to authenticate users via LDAP password. The combination of these two features makes Conjur an extension of the enterprise IAM system into infrastructure management.

References:

$ ruby policy/ldif.rb policy/users.yml docker-ldap/ldif/users.ldif
$ docker build -t enterprise-example-ldap docker-ldap
$ docker run --name ldap --rm -i -P enterprise-example-ldap
$ $port=$(docker port ldap 3897 | tail -c 6)
$ ldapsearch -h $DOCKER_HOST -p $port -x -b dc=example,dc=com
...
prints out lots of LDIF
...

About

An example enterprise application protected with Conjur

Resources

Readme
Activity
Custom properties

Stars

5 stars

Watchers

18 watching

Forks

8 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 11

Languages