{"id":1405,"date":"2010-04-11T12:11:12","date_gmt":"2010-04-11T11:11:12","guid":{"rendered":"http:\/\/www.devco.net\/?p=1405"},"modified":"2010-08-17T12:10:54","modified_gmt":"2010-08-17T11:10:54","slug":"authorization_plugins_for_mcollective_simplerpc","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2010\/04\/11\/authorization_plugins_for_mcollective_simplerpc.php","title":{"rendered":"Authorization plugins for MCollective SimpleRPC"},"content":{"rendered":"<p>Till now <a href=\"http:\/\/marionette-collective.org\/\">The Marionette Collective<\/a> has relied on your middleware to provide all authorization and authentication for requests.  You&#8217;re able to <a href=\"http:\/\/marionette-collective.org\/reference\/integration\/activemq_security.html\">restrict certain middleware users from certain agents<\/a>, but nothing more fine grained.  <\/p>\n<p>In many cases you want to provide much finer grain control over who can do what, some cases could be:<\/p>\n<ul>\n<li>A certain user can only request service restarts on machines with a fact <i>customer=acme<\/i><\/li>\n<li>A user can do any service restart but only on machines that has a certain configuration management class<\/li>\n<li>You want to deny all users except root from being able to stop services, others can still restart and start them<\/li>\n<\/ul>\n<p>This kind of thing is required for large infrastructures with lots of admins all working in their own group of machines but perhaps a central NOC need to be able to work on all the machines, you need fine grain control over who can do what and we did not have this will now.  It would also be needed if you wanted to give clients control over their own servers but not others.<\/p>\n<p>Version 0.4.5 will have support for this kind of scheme for SimpleRPC agents.  We wont provide a authorization plugin out of the box with the core distribution but I&#8217;ve made one which will be available as a plugin.<\/p>\n<p>So how would you write an auth plugin, first a typical agent would be:<\/p>\n<p><code><\/p>\n<pre lang=\"ruby\">\r\nmodule MCollective\r\n    module Agent\r\n         class Service<RPC::Agent\r\n             authorized_by :action_policy\r\n         \r\n             # ....\r\n         end\r\n    end\r\nend\r\n<\/pre>\n<p><\/code><\/p>\n<p>The new <i>authorized_by<\/i> keyword tells MCollective to use the class <i>MCollective::Util::ActionPolicy<\/i> to do any authorization on this agent.<\/p>\n<p>The ActionPolicy class can be pretty simple, if it raises any kind of exception the action will be denied.<\/p>\n<p><code><\/p>\n<pre lang=\"ruby\">\r\nmodule MCollective\r\n    module Util\r\n         class ActionPolicy\r\n              def self.authorize(request)\r\n                  unless request.caller == \"uid=500\"\r\n                      raise(\"You are not allow access to #{request.agent}::#{request.action}\")\r\n                  end\r\n              end\r\n         end\r\n    end\r\nend\r\n<\/pre>\n<p><\/code><\/p>\n<p>This simple check will deny all requests from anyone but Unix user id 500.<\/p>\n<p>It's pretty simple to come up with your own schemes, <a href=\"http:\/\/code.google.com\/p\/mcollective-plugins\/wiki\/ActionPolicy\">I wrote one<\/a> that allows you to make policy files like the one below for the <i>service<\/i> agent:<\/p>\n<p><code><\/p>\n<pre lang=\"text\">\r\npolicy default deny\r\nallow   uid=500 *                    *                *\r\nallow   uid=502 status               *                *\r\nallow   uid=600 *                    customer=acme    acme::devserver\r\n<\/pre>\n<p><\/code><\/p>\n<p>This will allow user 500 to do everything with the service agent.  User 502 can get the status of any service on any node.  User 600 will be able to do any actions on machines with the fact <i>customer=acme<\/i> that also has the configuration management class <i>acme::devserver<\/i> on them.  Everything else will be denied.<\/p>\n<p>You can do multiple facts and multiple classes in a simple space separated list.  The entire plugin to implement such policy controls was only <a href=\"http:\/\/code.google.com\/p\/mcollective-plugins\/source\/browse\/trunk\/simplerpc_authorization\/action_policy\/actionpolicy.rb\">120 - heavy commented - lines of code<\/a>.  <\/p>\n<p>I think this is a elegant and easy to use layer that provides a lot of functionality.  We might in future pass more information about the caller to the nodes.  There's some limitations, specifically about the source of the caller information being essentially user provided so you need to keep that mind.<\/p>\n<p>As mentioned this will be in MCollective 0.4.5.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Till now The Marionette Collective has relied on your middleware to provide all authorization and authentication for requests. You&#8217;re able to restrict certain middleware users from certain agents, but nothing more fine grained. In many cases you want to provide much finer grain control over who can do what, some cases could be: A certain [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[7],"tags":[121,85,78,13],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1405"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=1405"}],"version-history":[{"count":15,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1405\/revisions"}],"predecessor-version":[{"id":1700,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1405\/revisions\/1700"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=1405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=1405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=1405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}