Class: Conjur::Role
Inherits: RestClient::Resource
  Object
  RestClient::Resource
  Conjur::Role
Defined in: lib/conjur/role.rb
Overview
A Conjur Role represents an actor that can be granted or denied permission to do various things to Conjur Resources. Roles are hierarchical: if role a is a member of role b, a is permitted to do everything b is permitted to do. This relationship is transitive, so if a is a member of b, b is a member of c, and c is a member of d, a has all of d's permissions.
This class represents a Role with a particular identifier. The actual Conjur role may or may not exist!
Instance Method Summary
- #all(options = {}) ⇒ Array<Conjur::Role> (also: #memberships)
  Find all roles of which this role is a member.
- #grant_to(member, options = {})
  Grant this role to another one.
- #identifier ⇒ String (also: #id)
  The unqualified identifier for this role.
- #member_of?(other_role) ⇒ Boolean
  Check to see if this role is a member of another role.
- #members ⇒ Array<Conjur::RoleGrant>
  Fetch the members of this role.
- #permitted?(resource, privilege, options = {}) ⇒ Boolean
  Check to see if this role is allowed to perform privilege on resource.
- #revoke_from(member, options = {})
  Remove (revoke) a member from this role.
- #roleid ⇒ String (also: #role_id)
  The qualified identifier for this role.
Methods included from PathBased
Methods included from Exists
Instance Method Details
#all(options = {}) ⇒ Array<Conjur::Role> Also known as: memberships
Find all roles of which this role is a member. This relationship is recursively expanded, so if a is a member of b, and b is a member of c, a.all will include c.
Permissions
You must be a member of the role to call this method (note that the admin user is a member of every role).
You can restrict the roles returned to one or more role ids with the :filter option. This is mainly useful for checking whether this role is a member of any of a set of roles.
  # File 'lib/conjur/role.rb', line 100
  def all(options = {})
    query_string = "?all"

    # The optional :filter narrows the result to the given role id(s).
    if filter = options.delete(:filter)
      filter = [filter] unless filter.is_a?(Array)
      filter.map!{ |obj| cast(obj, :roleid) }
      (query_string << "&" << filter.to_query("filter")) unless filter.empty?
    end

    # Each id in the response becomes a Role object bound to the same connection options.
    JSON.parse(self[query_string].get(options)).collect do |id|
      Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(id).join('/')]
    end
  end
#grant_to(member, options = {})
This method returns an undefined value.
Grant this role to another one. The role given by the member argument will become a member of this role, and have all of its permissions.
Permissions
You must have admin permissions on this role.
  # File 'lib/conjur/role.rb', line 203
  def grant_to(member, options={})
    member = cast(member, :roleid)
    log do |logger|
      logger << "Granting role #{identifier} to #{member}"
      unless options.blank?
        logger << " with options #{options.to_json}"
      end
    end
    self["?members&member=#{query_escape member}"].put(options)
  end
#identifier ⇒ String Also known as: id
The unqualified identifier for this role.
  # File 'lib/conjur/role.rb', line 43
  def identifier
    # Everything after the account and kind segments of the resource path.
    match_path(3..-1)
  end
#member_of?(other_role) ⇒ Boolean
Check to see if this role is a member of another role. Membership is transitive.
Permissions
You must be logged in as a member of this role in order to call this method. Note that if you pass a role of which you aren't a member to this method, it will return false rather than raising an exception.
  # File 'lib/conjur/role.rb', line 139
  def member_of?(other_role)
    other_role = cast(other_role, :roleid)
    # A filtered #all: non-empty only if other_role is among this role's transitive memberships.
    not all(filter: other_role).empty?
  end
#members ⇒ Array<Conjur::RoleGrant>
Fetch the members of this role. The results are not recursively expanded (in contrast to #memberships).
Permissions
You must be a member of the role to call this method.
  # File 'lib/conjur/role.rb', line 312
  def members
    JSON.parse(self["?members"].get(options)).collect do |json|
      RoleGrant.parse_from_json(json, self.options)
    end
  end
#permitted?(resource, privilege, options = {}) ⇒ Boolean
Check to see if this role is allowed to perform privilege on resource.
Permissions
Any authenticated role may call this method. However, instead of raising a 404 when the resource or role doesn't exist, it returns false, so that this check cannot be used to enumerate which roles and resources exist.
Example:
  web_layer.role.permitted? mysql_uri, 'execute' # => true
  # File 'lib/conjur/role.rb', line 294
  def permitted?(resource, privilege, options = {})
    resource = cast(resource, :resourceid)
    # NOTE: in previous versions there was 'kind' passed separately. Now it is part of id
    self["?check&resource_id=#{query_escape resource}&privilege=#{query_escape privilege}"].get(options)
    true
  rescue RestClient::ResourceNotFound
    # Missing role, missing resource and missing privilege all look the same to the caller.
    false
  end
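The membership and permission semantics described in the Overview, #all, #members, #member_of? and #permitted? above, as an added in-memory model. This is not code from conjur-api-ruby: the Conjur server, RestClient and the ?all, ?members and ?check endpoints are replaced by a plain Ruby object, the class and method names below are assumed for illustration, and the role and resource ids in build_sample_graph are constructed sample data. It shows the transitive expansion of memberships (cycle-safe), the unexpanded direct member list, member_of? as a filtered all, and permitted? answering false rather than raising for an unknown role or resource.

```ruby
# Added example, not code from conjur-api-ruby: an in-memory model of the
# role semantics documented on this page. Role and resource ids are the
# qualified "account:kind:identifier" strings that #roleid describes.
require 'set'

class RoleGraph
  def initialize
    @roles     = Set.new
    @resources = Set.new
    @members   = Hash.new { |h, k| h[k] = Set.new }  # role id => direct member ids
    @acl       = Hash.new { |h, k| h[k] = Set.new }  # [resource id, privilege] => role ids
  end

  def add_role(roleid)
    @roles << roleid
  end

  def add_resource(resourceid)
    @resources << resourceid
  end

  # Like Role#grant_to: member becomes a direct member of roleid.
  def grant_to(roleid, member)
    raise ArgumentError, "unknown role" unless @roles.include?(roleid) && @roles.include?(member)
    @members[roleid] << member
  end

  # Like Role#revoke_from: the inverse of grant_to.
  def revoke_from(roleid, member)
    @members[roleid].delete(member)
  end

  # Like Role#members: direct members only, not recursively expanded.
  def members(roleid)
    @members[roleid].to_a.sort
  end

  # Like Role#all / #memberships: every role of which roleid is a member,
  # following grants transitively. A role counts as a member of itself here
  # (model assumption). The filter keeps only the listed ids, which is what
  # member_of? relies on. The visited set makes grant cycles safe.
  def all(roleid, filter: nil)
    seen  = Set.new
    stack = [roleid]
    until stack.empty?
      role = stack.pop
      next unless seen.add?(role)
      @members.each { |parent, kids| stack << parent if kids.include?(role) }
    end
    result = seen.to_a.sort
    filter ? result & Array(filter) : result
  end

  # Like Role#member_of?: a filtered all(); false, not an error, for unknown roles.
  def member_of?(roleid, other_role)
    !all(roleid, filter: other_role).empty?
  end

  # Give roleid the privilege on resourceid (stands in for a Conjur permit).
  def permit(resourceid, privilege, roleid)
    @acl[[resourceid, privilege]] << roleid
  end

  # Like Role#permitted?: true if roleid, or any role it is transitively a
  # member of, holds the privilege. An unknown role or resource yields false
  # rather than an error, matching the 404-to-false behaviour documented above.
  def permitted?(roleid, resourceid, privilege)
    return false unless @roles.include?(roleid) && @resources.include?(resourceid)
    holders = @acl[[resourceid, privilege]]
    all(roleid).any? { |r| holders.include?(r) }
  end
end

# Constructed sample hierarchy: alice -> web_layer -> ops -> admins, where
# "->" means "is a member of", and only ops may execute mysql_uri.
def build_sample_graph
  g = RoleGraph.new
  %w[acct:user:alice acct:group:web_layer acct:group:ops acct:group:admins].each { |r| g.add_role(r) }
  g.add_resource('acct:variable:mysql_uri')
  g.grant_to('acct:group:web_layer', 'acct:user:alice')
  g.grant_to('acct:group:ops', 'acct:group:web_layer')
  g.grant_to('acct:group:admins', 'acct:group:ops')
  g.permit('acct:variable:mysql_uri', 'execute', 'acct:group:ops')
  g
end

if __FILE__ == $0
  g = build_sample_graph
  puts g.all('acct:user:alice').inspect
  puts g.permitted?('acct:user:alice', 'acct:variable:mysql_uri', 'execute')
end
```

Note the direction of a grant: granting ops to admins makes ops a member of admins, so ops inherits admins' permissions, not the reverse; in the sample, admins cannot execute mysql_uri even though it sits at the top of the chain.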
#revoke_from(member, options = {})
This method returns an undefined value.
Remove (revoke) a member from this role. This operation is the inverse of #grant_to.
Permissions
You must have admin permissions on this role.
  # File 'lib/conjur/role.rb', line 243
  def revoke_from(member, options = {})
    member = cast(member, :roleid)
    log do |logger|
      logger << "Revoking role #{identifier} from #{member}"
      unless options.empty?
        logger << " with options #{options.to_json}"
      end
    end
    self["?members&member=#{query_escape member}"].delete(options)
  end
#roleid ⇒ String Also known as: role_id
The qualified identifier for this role.
  # File 'lib/conjur/role.rb', line 55
  def roleid
    # Fully qualified form: account:kind:identifier
    [ account, kind, identifier ].join(':')
  end