Module: Conjur::ActsAsAsset

Includes:
ActsAsResource, Exists, HasAttributes, HasId, HasOwner
Included in:
Group, HostFactory, Layer, User, Variable
Defined in:
lib/conjur/acts_as_asset.rb

Overview

A mixin used by Conjur asset classes such as User and Group.

Instance Method Summary

Methods included from HasAttributes

#attributes, #invalidate, #refresh, #save, #to_json

Methods included from ActsAsResource

#deny, #permit, #resource, #resource_kind, #resourceid

Methods included from HasOwner

#ownerid, #userid

Methods included from Exists

#exists?

Methods included from HasId

#id

Instance Method Details

#add_member(role_name, member, options = {})

This method returns an undefined value.

Add an internal grant on this asset's resource. This method lets you grant permissions on all members of a container asset (for example, all hosts in a layer) to the given role. Currently it is only useful for layer assets, and corresponds to the 'hosts permit' CLI command. In particular, to permit 'update' on all hosts in a layer, role_name should be 'admin_host'; to permit 'execute', it should be 'use_host'.

Examples:

Allow group 'ops' to admin hosts in the 'dev/database' layer

ops = api.create_group 'ops'
dev_database = api.create_layer 'dev/database'

# Create a host and add it to the 'dev/database' layer
host = api.create_host 'ec2/i-123ab23f'
dev_database.add_host host

# Before the grant, group 'ops' can't update the host
host.resource.permitted? 'update', acting_as: 'conjur:group:ops'
# => false

# Allow group 'ops' to admin all hosts in the layer
dev_database.add_member 'admin_host', ops

# Now group 'ops' is allowed to 'update' the host
host.resource.permitted? 'update', acting_as: 'conjur:group:ops'
# => true

Parameters:

  • role_name (String)

    name of the internal role to grant (for layers, it must be 'use_host' or 'admin_host')

  • member (String, #roleid)

    the role to receive the grant

  • options (Hash) (defaults to: {})

    Unused, included for backwards compatibility



# File 'lib/conjur/acts_as_asset.rb', line 60

def add_member(role_name, member, options = {})
  owned_role(role_name).grant_to member, options
end

#remove_member(role_name, member)

This method returns an undefined value.

Remove a grant created with #add_member. When an internal grant has been created on this asset's resource with #add_member, you can remove it with this method.

Parameters:

  • role_name (String)

    name of the internal grant role (for layers, it must be 'use_host' or 'admin_host').

  • member (String, #roleid)

    the role to remove

See Also:

  • #add_member

# File 'lib/conjur/acts_as_asset.rb', line 71

def remove_member(role_name, member)
  owned_role(role_name).revoke_from member
end
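As an added illustration of the grant semantics documented for #add_member and #remove_member above (this is constructed example code, not code from the conjur-api gem or from this page), the following offline Ruby model stands in for Conjur's server-side policy evaluation: the internal layer roles 'admin_host' and 'use_host' confer 'update' and 'execute' on every host in the layer, and remove_member revokes the grant again. The module, class and method names, the `demo` driver and the role id 'conjur:group:ops' are assumptions for the example.

```ruby
# Constructed, offline model of the layer-grant semantics this page documents.
# Stand-in for Conjur's policy evaluation, not the conjur-api gem.
module LayerGrantModel
  # Internal layer roles and the host privilege each confers (from the docs).
  INTERNAL_ROLES = { 'admin_host' => 'update', 'use_host' => 'execute' }.freeze
  class Host
    attr_reader :layers
    def initialize; @layers = []; end
    # A role holds a privilege on this host if any layer containing the host
    # has granted the matching internal role to that role.
    def permitted?(privilege, acting_as:)
      @layers.any? { |layer| layer.internal_privilege?(privilege, acting_as) }
    end
  end

  class Layer
    # role_name => member role ids
    def initialize; @grants = Hash.new { |h, k| h[k] = [] }; end
    def add_host(host)
      host.layers << self
    end
    # Mirrors add_member: grant the internal role to the member role id.
    def add_member(role_name, member)
      raise ArgumentError, "unknown internal role #{role_name}" unless INTERNAL_ROLES.key?(role_name)
      @grants[role_name] |= [member]
    end
    # Mirrors remove_member: revoke that grant again.
    def remove_member(role_name, member)
      @grants[role_name].delete(member)
    end
    def internal_privilege?(privilege, role_id)
      @grants.any? { |name, members| INTERNAL_ROLES[name] == privilege && members.include?(role_id) }
    end
  end

  # The page's scenario followed by revocation; returns each permitted? result.
  def self.demo
    layer = Layer.new
    host = Host.new
    layer.add_host host
    before = host.permitted?('update', acting_as: 'conjur:group:ops')
    layer.add_member 'admin_host', 'conjur:group:ops'
    granted = host.permitted?('update', acting_as: 'conjur:group:ops')
    execute = host.permitted?('execute', acting_as: 'conjur:group:ops') # admin_host alone does not confer execute
    layer.remove_member 'admin_host', 'conjur:group:ops'
    revoked = host.permitted?('update', acting_as: 'conjur:group:ops')
    { before: before, granted: granted, execute: execute, revoked: revoked }
  end
end
```

Note that 'admin_host' alone confers only 'update': a role that also needs 'execute' on the layer's hosts must be granted 'use_host' separately, which keeps each grant scoped to the privilege it is meant to carry.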