Module: Conjur::ActsAsRole

Included in:
ActsAsUser, Group, Layer
Defined in:
lib/conjur/acts_as_role.rb

Overview

This module provides methods for things that have an associated Role.

All high level Conjur assets (groups and users, for example) are composed of both a role and a resource. This allows these assets to have permissions on other assets, and for other assets to have permission on them.

The ActsAsRole module itself should be considered private, but its methods are public when included in a Conjur asset class.

Instance Method Summary

Instance Method Details

#can(privilege, resource, options = {})

This method returns an undefined value.

Permit the asset to perform privilege on resource. You can also use this method to control whether the role is able to grant the privilege on the resource to other roles by passing a :grant_option option.

This method is primarily intended for use in the Conjur Policy DSL, and simply delegates to Resource#permit. For code clarity, you might consider using that method instead.

Permissions

To call this method, you must own the resource, or have the privilege on it with grant option set to true.

Parameters:

  • privilege (String)

    the privilege to allow this role to perform, e.g. 'execute' or 'update'

  • resource (Conjur::Resource, #resource_id, String)

    the resource to grant privilege on.

  • options (Hash) (defaults to: {})

    Options to pass through to RestClient::Resource#post

Options Hash (options):

  • :grant_option (Boolean)

    whether this role will be able to grant the privilege to other roles.


# File 'lib/conjur/acts_as_role.rb', line 77

def can(privilege, resource, options = {})
  require 'conjur/resource'
  # Resolve the resource under the authz service and delegate to Resource#permit,
  # granting `privilege` to this asset's role; :grant_option travels in `options`.
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')]
    .permit privilege, self.roleid, options
end

#cannot(privilege, resource, options = {}) ⇒ Object

Deny the asset's role the ability to perform privilege on resource. This operation is the inverse of #can.

This method is primarily intended for use in the Conjur Policy DSL, and simply delegates to Resource#permit. For code clarity, you might consider using that method instead.

See Also:

  • #can

# File 'lib/conjur/acts_as_role.rb', line 92

def cannot(privilege, resource, options = {})
  require 'conjur/resource'
  # Delegate to Resource#deny for this asset's role. `options` is accepted for
  # symmetry with #can but is not forwarded to the deny call.
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')]
    .deny privilege, self.roleid
end
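The authorization rule stated under #can and #cannot (you must own the resource, or hold the privilege on it with grant option) can be made concrete with a small in-memory model. This is an added example, not code from conjur-api-ruby; AuthzModel and Denied are hypothetical names, and the role and resource ids used in the comments are constructed.

```ruby
# Added example, not conjur-api-ruby code: an in-memory model of the rule
# documented for #can and #cannot. A caller may permit or deny a privilege
# on a resource only if it owns the resource or already holds that
# privilege with grant_option. AuthzModel and Denied are hypothetical names.
class Denied < StandardError; end

class AuthzModel
  def initialize
    # resource_id => { owner: roleid, perms: { [roleid, privilege] => grant_option } }
    @resources = {}
  end

  def add_resource(resource_id, owner:)
    @resources[resource_id] = { owner: owner, perms: {} }
  end

  # Counterpart of ActsAsRole#can: grant privilege to grantee, optionally
  # letting grantee pass it on (grant_option, as in the :grant_option key).
  def permit(caller, privilege, resource_id, grantee, grant_option: false)
    res = authorize!(caller, privilege, resource_id)
    res[:perms][[grantee, privilege]] = grant_option
    true
  end

  # Counterpart of ActsAsRole#cannot: same precondition, removes the grant.
  def deny(caller, privilege, resource_id, grantee)
    res = authorize!(caller, privilege, resource_id)
    res[:perms].delete([grantee, privilege])
    true
  end

  # Owners implicitly hold every privilege on what they own.
  def permitted?(roleid, privilege, resource_id)
    res = fetch(resource_id)
    res[:owner] == roleid || res[:perms].key?([roleid, privilege])
  end

  private
  def fetch(resource_id)
    @resources.fetch(resource_id) { raise KeyError, "unknown resource #{resource_id}" }
  end

  # The documented precondition: owner, or holder of the privilege with grant option.
  def authorize!(caller, privilege, resource_id)
    res = fetch(resource_id)
    return res if res[:owner] == caller || res[:perms][[caller, privilege]] == true
    raise Denied, "#{caller} may not grant or revoke #{privilege} on #{resource_id}"
  end
end
```

Note that a role holding a privilege without grant option can use it but cannot delegate it, and a grant-option holder for 'execute' still cannot hand out 'update'.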

#role ⇒ Object

Get a Role instance corresponding to the role associated with this asset.


# File 'lib/conjur/acts_as_role.rb', line 54

def role
  require 'conjur/role'
  # Look up the Role under the authz service by its parsed account/kind/id path.
  Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(self.roleid).join('/')]
end

#role_kind ⇒ String

The kind of a role. This may be any value, but standard ones correspond to various high level Conjur assets, for example, 'user', 'group', or 'variable'.

Note that this method derives the role kind from the asset's class name.

Returns:

  • (String)

    the role kind


# File 'lib/conjur/acts_as_role.rb', line 49

def role_kind
  # Last segment of the class name, snake_cased via ActiveSupport's
  # String#underscore: Conjur::Group -> 'group', Conjur::User -> 'user'.
  self.class.name.split('::')[-1].underscore
end

#roleid ⇒ String Also known as: role_id

The qualified identifier for the role associated with this asset. A qualified identifier prepends the asset's account and kind; for example, a User with login 'bob' in a system with organizational account 'conjur' would have a roleid of 'conjur:user:bob'.

Returns:

  • (String)

    the qualified role id


# File 'lib/conjur/acts_as_role.rb', line 38

def roleid
  # account:kind:id, with the account taken from the core API configuration
  # (Conjur::Core::API.conjur_account), e.g. 'conjur:user:bob'.
  [ Conjur::Core::API.conjur_account, role_kind, id ].join(':')
end