Open ripienaar opened 7 years ago
Updated link to above mentioned PR: https://github.com/choria-legacy/mcollective-actionpolicy-auth/pull/15
It looks to me like the group feature was actually merged and it's also present in the action-policy plugin here: https://github.com/choria-plugins/action-policy
Would you be interested in a PR regarding the configuration of this feature in this module?
At present the action-policy in Ruby is just dead bytes. It's not called in the real execution paths anymore.
The current parallel implementation is https://github.com/choria-io/go-choria/blob/main/providers/agent/mcorpc/authz_actionpolicy.go and tbh you should probably rather use Open Policy Agent if you want this kind of stuff.
However it seems I do support groups in that new Go one? Looks like it. In that case, sure, a contribution to make Puppet aware of it would be great.
> However it seems I do support groups in that new go one?
I think so, I am using it :smile:, it is convenient for tiny organizations. Here is the code I am using right now in my control-repo:
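```puppet
class profile::choria::server {
  # [...]
  # Group definitions file read by the action policy authorizer:
  # one group per line, group name followed by its member caller IDs.
  file { "${mcollective::configdir}/policies/groups":
    ensure  => file,
    content => @(POLICY),
      group1 choria=user1.mcollective choria=user2.mcollective
      group2 choria=user3.mcollective
      group3 choria=user4.mcollective
      group4 choria=user3.mcollective choria=user4.mcollective
      | POLICY
    # Restart the Choria service when the groups file changes
    notify  => Class['Choria::Service'],
  }
}
```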
I guess a defined type for a group with the group name as namevar and an array of members would be great! @ZeroPointEnergy feel free to ping me when you open a PR!
Could have landed group support without improving the action policy plugin but decided on the https://github.com/puppetlabs/mcollective-actionpolicy-auth/pull/15 route instead. Once this is released, make sure it's supported.