Class: Conjur::Role
- Inherits: RestClient::Resource
  - Object
  - RestClient::Resource
  - Conjur::Role
- Defined in: lib/conjur/role.rb
Overview
A Conjur Role represents an actor that can be granted or denied permission to do various things to Conjur Resources. Roles are hierarchical: if role a is a member of role b, a is permitted to do everything b is permitted to do. This relationship is transitive, so if a is a member of b, b is a member of c, and c is a member of d, a has all of d's permissions.
This class represents a Role with a particular identifier. The actual Conjur role may or may not exist!
Instance Method Summary
- #all(options = {}) ⇒ Array<Conjur::Role> (also: #memberships)
  Find all roles of which this role is a member.
- #grant_to(member, options = {})
  Grant this role to another one.
- #identifier ⇒ String (also: #id)
  The unqualified identifier for this role.
- #member_of?(other_role) ⇒ Boolean
  Check to see if this role is a member of another role.
- #members ⇒ Array<Conjur::RoleGrant>
  Fetch the members of this role.
- #permitted?(resource, privilege, options = {}) ⇒ Boolean
  Check to see if this role is allowed to perform privilege on resource.
- #revoke_from(member, options = {})
  Remove (revoke) a member from this role.
- #roleid ⇒ String (also: #role_id)
  The qualified identifier for this role.
Methods included from PathBased
Methods included from Exists
Instance Method Details
#all(options = {}) ⇒ Array<Conjur::Role> Also known as: memberships
Find all roles of which this role is a member. This relationship is recursively expanded, so if a is a member of b, and b is a member of c, a.all will include c.
Permissions
You must be a member of the role to call this method.
You can restrict the roles returned to one or more role ids. This feature is mainly useful for checking whether this role is a member of any of a set of roles.
# File 'lib/conjur/role.rb', line 99
def all(options = {})
  query_string = "?all"
  # An optional :filter restricts the result to the given role ids.
  if filter = options.delete(:filter)
    filter = [filter] unless filter.is_a?(Array)
    filter.map!{ |obj| cast(obj, :roleid) }
    (query_string << "&" << filter.to_query("filter")) unless filter.empty?
  end
  JSON.parse(self[query_string].get(options)).collect do |id|
    Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(id).join('/')]
  end
end
#grant_to(member, options = {})
This method returns an undefined value.
Grant this role to another one. The role given by the member argument will become a member of this role, and have all of its permissions.
Permissions
You must have admin permissions on this role.
# File 'lib/conjur/role.rb', line 202
def grant_to(member, options={})
  member = cast(member, :roleid)
  log do |logger|
    logger << "Granting role #{identifier} to #{member}"
    unless options.blank?
      logger << " with options #{options.to_json}"
    end
  end
  self["?members&member=#{query_escape member}"].put(options)
end
#identifier ⇒ String Also known as: id
The unqualified identifier for this role.
# File 'lib/conjur/role.rb', line 43
def identifier
  match_path(3..-1)
end
#member_of?(other_role) ⇒ Boolean
Check to see if this role is a member of another role. Membership is transitive.
Permissions
You must be logged in as a member of this role in order to call this method. Note that if you pass a role of which you aren't a member to this method, it will return false rather than raising an exception.
# File 'lib/conjur/role.rb', line 138
def member_of?(other_role)
  other_role = cast(other_role, :roleid)
  not all(filter: other_role).empty?
end
#members ⇒ Array<Conjur::RoleGrant>
Fetch the members of this role. The results are not recursively expanded (in contrast to #memberships).
Permissions
You must be a member of the role to call this method.
# File 'lib/conjur/role.rb', line 311
def members
  JSON.parse(self["?members"].get(options)).collect do |json|
    RoleGrant.parse_from_json(json, self.options)
  end
end
#permitted?(resource, privilege, options = {}) ⇒ Boolean
Check to see if this role is allowed to perform privilege on resource.
Permissions
Any authenticated role may call this method. However, instead of raising a 404 if a resource or role doesn't exist, it will return false. This is to prevent bad guys from finding out which roles and resources exist.
web_layer.role.permitted? mysql_uri, 'execute' # => true
# File 'lib/conjur/role.rb', line 293
def permitted?(resource, privilege, options = {})
  resource = cast(resource, :resourceid)
  # NOTE: in previous versions there was 'kind' passed separately. Now it is part of id
  self["?check&resource_id=#{query_escape resource}&privilege=#{query_escape privilege}"].get(options)
  true
rescue RestClient::ResourceNotFound
  # A missing role or resource is reported as "not permitted", not as an error.
  false
end
#revoke_from(member, options = {})
This method returns an undefined value.
Remove (revoke) a member from this role. This operation is the inverse of #grant_to.
Permissions
You must have admin permissions on this role.
# File 'lib/conjur/role.rb', line 242
def revoke_from(member, options = {})
  member = cast(member, :roleid)
  log do |logger|
    logger << "Revoking role #{identifier} from #{member}"
    unless options.empty?
      logger << " with options #{options.to_json}"
    end
  end
  self["?members&member=#{query_escape member}"].delete(options)
end
#roleid ⇒ String Also known as: role_id
The qualified identifier for this role.
# File 'lib/conjur/role.rb', line 55
def roleid
  [ account, kind, identifier ].join(':')
end
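To make the semantics behind #all, #member_of?, #grant_to, #revoke_from and #permitted? concrete without a Conjur server, here is a constructed in-memory model (added here, not code from the conjur-api gem): transitive membership expansion, the filter used by #member_of?, and the rule that an unknown role or resource yields false rather than an error. It assumes a role is a member of itself; all ids in it are constructed sample values.

```ruby
require 'set'

# Constructed model (not the conjur-api gem's code) of the semantics documented
# above: transitive membership, grant/revoke, and the "false instead of 404" rule.
class RoleModel
  def initialize
    @roles     = Set.new
    @resources = Set.new
    @members   = Hash.new { |h, k| h[k] = Set.new } # role id => direct member ids
    @perms     = Hash.new { |h, k| h[k] = Set.new } # resource id => [role id, privilege]
  end

  # Mirrors #roleid: the qualified id is "account:kind:identifier".
  def self.roleid(account, kind, identifier)
    [account, kind, identifier].join(':')
  end

  def add_role(id);     @roles << id;     end
  def add_resource(id); @resources << id; end
  def permit(resource, role, privilege); @perms[resource] << [role, privilege]; end
  # #grant_to: +member+ becomes a member of +role+ and inherits its permissions.
  def grant_to(role, member); @members[role] << member; end
  # #revoke_from: the inverse of grant_to.
  def revoke_from(role, member); @members[role].delete(member); end

  # #all / #memberships: every role +role+ is a member of, expanded transitively.
  # Assumption of this model: a role counts as a member of itself.
  def all(role, filter: nil)
    seen  = Set[role]
    queue = [role]
    until queue.empty?
      current = queue.shift
      @members.each do |parent, direct|
        queue << parent if direct.include?(current) && seen.add?(parent)
      end
    end
    filter ? seen & Array(filter) : seen
  end

  # #member_of?: implemented, like the gem, as a filtered #all.
  def member_of?(role, other); !all(role, filter: other).empty?; end

  # #permitted?: an unknown role or resource yields false, never an error,
  # so callers cannot probe which ids exist.
  def permitted?(role, resource, privilege)
    return false unless @roles.include?(role) && @resources.include?(resource)
    all(role).any? { |r| @perms[resource].include?([r, privilege]) }
  end
end
```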