-
-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider a mechanism for running commands as a different user #38
Comments
Yes, I think we need some way to manage credentials that commands can run under. One question is should plugin commands be able to access a global collection of credentials or should PoshBot separate them by plugin and only allow commands to access credentials associated with that plugin? The latter is more secure but potentially more cumbersome to manage. You may have multiple plugins that you've authored for your company and if you want to use the same credentials across plugins, you'd have to specify it in the configuration multiple times. |
Hmm - good question it might make sense to allow both, similar to statefuldata commands? e.g.
For example:
|
oh! if this is up for grabs, would be happy to help! some quick thoughts: I see two general workflows:
Might be over the top, just thinking off the top of my head
Down the line, this could be used with data about a remote node to execute on, but IMHO it makes sense to keep that separate and let folks mix and match creds/remote details as needed. Or it could be combined. I see benefits / caveats to both... Cheers! |
We may be able to reuse (with some tweaks) the existing functionality in PoshBot that allows plugin authors to specify that a command parameter by dynamically resolved from the bot configuration. The existing logic could probably be extended for plugin authors to declare that a command be run (as a job) with specific credentials that are stored under the The way it currently worksPoshBot's PoshBot.psd1@{
###
# other bot properties omitted
###
PluginConfiguration = @{
MyModule = @{
Credential = (PSCredential "joeuser" "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000060ae863578849c4680a57d65f2994eff00000000020000000000106600000001000020000000cd8c90628fc9f7fd332869a0e30eec41cbje8c531618375f22bfa84a2a53e132000000000e80000000020000200000003b7027c1f5577bd36f7f9c87db7bb427f4808466758eb9a579e36be9bc49b3481000000092223e3261d78e6547ed0f799f5462eb400000008hpddfa3619fcc7b56bb2571b8cc9405740bf266e1fd8fc79b9nj1203ad9058d19a73eb75f5d977ef4478dc9f207f21e19c95affd1d44eca0b405f879e3c98nu")
}
}
} MyModule.psm1function Get-Foo {
[cmdletbinding()]
param(
[PoshBot.FromConfig()]
[parameter(mandatory)]
[string]$Credential
)
# Do something useful with $Credential
} How it could workThis would be a breaking change to how plugin configuration is currently stored but we could modify the structure to resemble: PoshBot.psd1
You would then reference these variables in your plugin command by using the function Get-Foo {
# Run this command as a job using the 'SharedCred2' value from
# the global plugin configuration scope
[PoshBot.BotCommand(
CommandName = 'foo',
RunAs = 'SharedCred2',
Scope = 'Global'
)]
[cmdletbinding()]
param(
# Go get the 'Credential1` value from the plugin scope of the bot configuration
# 'Scope = 'Plugin' would be implicit
[PoshBot.FromConfig('Credential1')]
[pscredential]$Credential
# Go get the 'SharedCred1' value from the global plugin configuration scope
[PoshBot.FromConfig(
'SharedCred1',
Scope = 'Global'
)]
[pscredential]$SharedCredential
)
} I like the idea of given the bot admin the ability to specify the credentials a command will run under without mucking with the plugin itself. PoshBot.psd1
Sorry for the super long response. I'm totally open to storing this data outside the main bot configuration if that makes sense as well. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Consider a mechanism for running commands as a different user
It may be helpful to include a mechansim to simplify running as a different user.
Currently, if you need to do something with privilege XYZ, there are a few common methods:
Potential alternative:
Provide some convention or handling for credentials, including an option to use them when starting a job.
Hypothetical, poorly-thought-out example:
Ahead of time, as the account running PoshBot:
Plugins and/or individual commands could be decorated to specify a credential to run with:
The last part is tricky. Depending on how PoshBot executes commands (iirc the plan was to use jobs for now?), PoshBot could check the command or plugin config, and if a credential is specified, read the poshbot configuration, deserialize the credential, and use it to launch a job.
Whew!
Does something like this make sense? I don't see it needed in the short term, I'm currently just relying on deserializing credentials with the poshbot plugin / commands themselves, biggest concern is that this makes it a bit tough to share them, and that not all commands offer an easy way to specify credentials (in which case I would need to spawn a job, use a JEA endpoint, or some other workaround)
Cheers!
The text was updated successfully, but these errors were encountered: