Class: Conjur::Layer

Inherits:
RestClient::Resource
  • Object
Includes:
ActsAsAsset, ActsAsRole
Defined in:
lib/conjur/layer.rb

Overview

A Conjur Layer represents a collection of Conjur Hosts that share the same permissions on other Conjur resources. Permissions are granted to the layer's role once, and every host whose role is a member of the layer's role inherits them.

Examples:

Allow hosts in the layer dev/database to access a dev/database_uri secret

# Create the layer and add a couple of EC2 hosts
layer = api.create_layer 'dev/database'
hosts = ['ec2-iac5ed', 'ec2-iadc31'].map{ |hostid| api.create_host id: hostid }
hosts.each{ |host| layer.add_host host }

# A Variable representing the database uri secret
database_uri  = api.variable 'dev/database_uri'

# Currently none of the hosts can access it:
hosts.any?{ |host| host.role.permitted? database_uri, 'execute' } # => false

# Grant permission on the layer
database_uri.resource.permit 'execute', layer

# Now all hosts in the layer have the execute permission on the secret through the layer
hosts.all?{ |host| host.role.permitted? database_uri, 'execute' } # => true

Instance Method Summary

Methods included from ActsAsRole

#can, #cannot, #role, #role_kind, #roleid

Methods included from ActsAsAsset

#add_member, #remove_member

Methods included from HasAttributes

#attributes, #invalidate, #refresh, #save, #to_json

Methods included from ActsAsResource

#deny, #permit, #resource, #resource_kind, #resourceid

Methods included from HasOwner

#ownerid, #userid

Methods included from Exists

#exists?

Methods included from HasId

#id

Instance Method Details

#add_host(hostid)

This method returns an undefined value.

Add a host to this layer. The host's role will become a member of the layer's role, and have all privileges of the layer.

Parameters:

  • hostid (String, Conjur::Host)

    A qualified Conjur id for the host, or a Host instance.



# File 'lib/conjur/layer.rb', line 35

def add_host(hostid)
  hostid = cast(hostid, :roleid)
  log do |logger|
    logger << "Adding host #{hostid} to layer #{id}"
  end
  invalidate do
    RestClient::Resource.new(self['hosts'].url, options).post(hostid: hostid) 
  end
end

#hosts ⇒ Array<Conjur::Host>

Return all hosts in the layer.

Returns:

  • (Array<Conjur::Host>)

    The hosts currently in the layer, as Conjur::Host instances built from the qualified ids in the layer's hosts attribute.


# File 'lib/conjur/layer.rb', line 78

def hosts
  self.attributes['hosts'].collect do |id|
    Conjur::Host.new(Conjur::API.core_asset_host, options)["hosts/#{fully_escape id.split(':', 3)[-1]}"]
  end
end

#hosts_members(role_name) ⇒ Array<Conjur::RoleGrant>

Lists the roles that have been granted membership in one of the layer's owned roles.

role_name can be either admin_host or use_host. This method corresponds to ActsAsAsset#add_member in that members added with that method will be returned by this method.

Parameters:

  • role_name (String)

    Either use_host or admin_host

Returns:

  • (Array<Conjur::RoleGrant>)

    The grants of the layer's owned role role_name, one per member role.

See Also:

  • ActsAsAsset#add_member


# File 'lib/conjur/layer.rb', line 70

def hosts_members(role_name)
  owned_role(role_name).members
end

#remove_host(hostid)

This method returns an undefined value.

Remove a host from this layer. The host will lose all privileges it had through this layer.

Parameters:

  • hostid (String, Conjur::Host)

    A qualified Conjur id for the host, or a Host instance.



# File 'lib/conjur/layer.rb', line 50

def remove_host(hostid)
  hostid = cast(hostid, :roleid)
  log do |logger|
    logger << "Removing host #{hostid} from layer #{id}"
  end
  invalidate do
    RestClient::Resource.new(self["hosts/#{fully_escape hostid}"].url, options).delete
  end
end
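
The overview example, add_host and remove_host all rest on one fact: a layer is a role, and a host's role becomes a member of it. The following is an added example, not code from the conjur-api gem and not talking to any Conjur server. It is an in-memory model of that role graph with a transitive permitted? check, so the overview scenario can be stepped through offline and the effect of remove_host seen directly. The account name "demo", the ROLES registry, and the Resource#permit taking a Role (rather than the layer object, as the real API does) are assumptions made for the model.

```ruby
require 'set'

# Added example (not the conjur-api gem, talks to no server): an in-memory
# model of the role graph behind Conjur::Layer. Ids follow the qualified
# "account:kind:id" form used by Conjur; the account name "demo" is made up.

ROLES = {} # roleid => Role; stands in for the server's role store

class Role
  attr_reader :roleid, :memberships, :privileges

  def initialize(roleid)
    @roleid = roleid
    @memberships = Set.new                           # roles this role is a direct member of
    @privileges = Hash.new { |h, k| h[k] = Set.new } # resourceid => privileges granted here
    ROLES[roleid] = self
  end

  # Every role reachable through membership edges, including self.
  # The visited set makes cyclic or diamond-shaped grants terminate.
  def all_roles
    seen = Set.new
    stack = [self]
    until stack.empty?
      role = stack.pop
      next unless seen.add?(role)
      stack.concat(role.memberships.to_a)
    end
    seen
  end

  # A privilege held by any role in the closure is held by this role.
  def permitted?(resourceid, privilege)
    all_roles.any? { |r| r.privileges[resourceid].include?(privilege) }
  end
end

class Resource
  attr_reader :resourceid

  def initialize(resourceid)
    @resourceid = resourceid
  end

  # Grant is recorded on the role, so members inherit it transitively.
  def permit(privilege, role)
    role.privileges[resourceid] << privilege
  end

  def deny(privilege, role)
    role.privileges[resourceid].delete(privilege)
  end
end

class Host
  attr_reader :id, :role

  def initialize(account, id)
    @id = id
    @role = Role.new("#{account}:host:#{id}")
  end
end

class Layer
  attr_reader :id, :role

  def initialize(account, id)
    @id = id
    @role = Role.new("#{account}:layer:#{id}")
  end

  # Like cast(hostid, :roleid): accept a Host instance or a qualified role id.
  def host_role(hostid)
    roleid = hostid.is_a?(Host) ? hostid.role.roleid : hostid.to_s
    ROLES.fetch(roleid) { raise ArgumentError, "unknown host role #{roleid}" }
  end

  # The host's role becomes a member of the layer's role.
  def add_host(hostid)
    host_role(hostid).memberships << role
  end

  # Membership is dropped, and with it every privilege that came via the layer.
  def remove_host(hostid)
    host_role(hostid).memberships.delete(role)
  end
end

# Walks through the overview scenario and records what each step changes.
def layer_demo
  account = 'demo'
  layer = Layer.new(account, 'dev/database')
  hosts = %w[ec2-iac5ed ec2-iadc31].map { |hid| Host.new(account, hid) }
  database_uri = Resource.new("#{account}:variable:dev/database_uri")
  can_execute = ->(h) { h.role.permitted?(database_uri.resourceid, 'execute') }

  hosts.each { |h| layer.add_host(h) }
  before = hosts.any?(&can_execute)                 # nothing granted yet

  database_uri.permit('execute', layer.role)        # grant on the layer, not on each host
  via_layer = hosts.all?(&can_execute)

  layer.remove_host("#{account}:host:ec2-iadc31")   # a qualified id string works too
  after_remove = hosts.map(&can_execute)            # only the remaining member keeps it

  { before: before, via_layer: via_layer, after_remove: after_remove }
end
```

layer_demo returns { before: false, via_layer: true, after_remove: [true, false] }: no host can execute the variable until the layer is permitted, then both can, and removing one host revokes its access without touching the grant on the layer. The point for operators is that add_host and remove_host are the only levers needed; permissions live on the layer's role and never have to be repeated per host.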