Module: Conjur::ActsAsRole
Included in: ActsAsUser, Group, Layer
Defined in: lib/conjur/acts_as_role.rb
Overview
This module provides methods for things that have an associated Role.
All high level Conjur assets (groups and users, for example) are composed of both a role and a resource. This allows these assets to have permissions on other assets, and for other assets to have permission on them.
The ActsAsRole module itself should be considered private, but its methods are public when added to a Conjur asset class.
Instance Method Summary
- #can(privilege, resource, options = {})
  Permit the asset to perform privilege on resource.
- #cannot(privilege, resource, options = {}) ⇒ Object
  Deny the asset's role the ability to perform privilege on resource.
- #role ⇒ Object
  Get a Role instance corresponding to the role associated with this asset.
- #role_kind ⇒ String
  The kind of a role.
- #roleid ⇒ String (also: #role_id)
  The qualified identifier for the role associated with this asset.
Instance Method Details
#can(privilege, resource, options = {})
This method returns an undefined value.
Permit the asset to perform privilege on resource. You can also use this method to control whether the role is able to grant the privilege on the resource to other roles by passing a :grant_option option.
This method is primarily intended for use in the Conjur Policy DSL, and simply delegates to Resource#permit. For code clarity, you might consider using that method instead.
Permissions
To call this method, you must own the resource, or have the privilege on it with grant option set to true.
```ruby
# File 'lib/conjur/acts_as_role.rb', line 77
def can(privilege, resource, options = {})
  require 'conjur/resource'
  # Delegates to Resource#permit; `options` (including :grant_option) is passed through,
  # and `self.options` carries the API client's connection settings and credentials.
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].permit privilege, self.roleid, options
end
```
#cannot(privilege, resource, options = {}) ⇒ Object
Deny the asset's role the ability to perform privilege on resource. This operation is the inverse of #can.
This method is primarily intended for use in the Conjur Policy DSL, and simply delegates to Resource#deny (see the source below). For code clarity, you might consider using that method instead.
```ruby
# File 'lib/conjur/acts_as_role.rb', line 92
def cannot(privilege, resource, options = {})
  require 'conjur/resource'
  # Delegates to Resource#deny; note that `options` is accepted but not forwarded.
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].deny privilege, self.roleid
end
```
#role ⇒ Object
Get a Role instance corresponding to the role associated with this asset.
```ruby
# File 'lib/conjur/acts_as_role.rb', line 54
def role
  require 'conjur/role'
  # Builds a Role client for this asset's qualified role id using the same connection options as the asset.
  Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(self.roleid).join('/')]
end
```
#role_kind ⇒ String
The kind of a role. This may be any value, but standard ones correspond to various high level Conjur assets, for example, 'user', 'group', or 'variable'.
Note that this method derives the role kind from the asset's class name.
```ruby
# File 'lib/conjur/acts_as_role.rb', line 49
def role_kind
  # Last segment of the class name, snake-cased (ActiveSupport's String#underscore).
  self.class.name.split('::')[-1].underscore
end
```
#roleid ⇒ String Also known as: role_id
The qualified identifier for the role associated with this asset. A qualified identifier prepends the asset's account and kind, for example, a User with login 'bob' in a system with organizational account 'conjur' would have a roleid of 'conjur:user:bob'.
```ruby
# File 'lib/conjur/acts_as_role.rb', line 38
def roleid
  # account:kind:id, e.g. 'conjur:user:bob'
  [ core_conjur_account, role_kind, id ].join(':')
end
```