Open gchappel opened 2 weeks ago
Bump.
I see now from the release notes that this is a new feature in the 8.0.16 version of the CLI tool - does this need a particular release on the server side? I just accidentally loaded a policy over another policy because I had temporarily forgotten that dry-run isn't working so I thought I'd check in.
Summary
We control Conjur via Git repositories. I'm looking to build a pre-commit style check to make sure what you're about to push to a PR for review is in fact a valid policy. We have issues sometimes where reviewing a policy looks good, but when it is merged there may be an issue in the policy which then blocks the policy from being loaded. My intention is that these issues can be caught earlier by using --dry-run to validate the intended Conjur policy, but without actually loading it to Conjur. This flag is documented as:
When testing this, I've found that even though I have --dry-run on my command line, my policy in Conjur is being affected and replaced.
Steps to Reproduce
cyberark/tools/conjur-cli)
conjur policy replace --dry-run --file policy.yml --branch policy:my/namespace/gchappel-testing/dry-run-load
Expected Results
Since --dry-run was used, the policy should NOT be changed.
Actual Results
The policy was entirely overridden with the file provided on the command line
Reproducible
Version/Tag number
Conjur CLI version 8.0.16-6f9eefb
Environment setup
13.3.2 (from curl https://conjur.company.com/info | jq -r '.release')
Additional Information
Original policy:
Before screenshot:
New policy:
After screenshot:
CLI demonstration: