ActionPolicy  
SimpleRPC Policy Authorization Plugin
authorization, SimpleRPC
Updated May 21, 2010 by r...@devco.net

Introduction

This requires MCollective 0.4.5 or newer

From version 0.4.5 of MCollective, SimpleRPC will support authorization plugins. This is a sample plugin that provides fine-grained, action-level authorization for agents.

Details

Policies are defined in files like <configdir>/policies/<agent>.policy. Here's a sample for the AgentPuppetd agent:

policy default deny
allow   uid=500     *                       *                *
allow   uid=600     *                       customer=acme    acme::devserver
allow   uid=600     enable disable status   customer=acme    *

The above policy can be described as:

  • allow unix user id 500 to do all actions on all servers.
  • allow unix user id 600 to do all actions on machines with the fact customer=acme and the config class acme::devserver
  • allow unix user id 600 to do enable, disable and status on all other machines with fact customer=acme
  • Everything else gets denied

As with actions, you can space-separate facts and config classes too.
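
The following Ruby example is added here for illustration and is not the plugin's own code: it parses the sample policy above and evaluates requests against it. The names parse_policy, authorized?, Rule and SAMPLE_POLICY are hypothetical, and it assumes that columns are separated by a tab or at least two spaces, that * matches anything, that a rule needs one of its listed actions and all of its listed facts and classes, and that the first matching line decides.

```ruby
# Added illustration, not the plugin's source; all names here are hypothetical.
# Assumed semantics: columns are separated by a tab or 2+ spaces, "*" matches
# anything, the caller needs one of the listed actions, the node needs every
# listed fact and class, and the first matching line decides.
SAMPLE_POLICY = <<~POLICY
  policy default deny
  allow   uid=500     *                       *                *
  allow   uid=600     *                       customer=acme    acme::devserver
  allow   uid=600     enable disable status   customer=acme    *
POLICY

Rule = Struct.new(:verdict, :caller, :actions, :facts, :classes)

def parse_policy(text)
  default = 'deny' # fail closed when no default line is present (assumption)
  rules = []
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    if line =~ /\Apolicy\s+default\s+(\S+)\z/
      default = Regexp.last_match(1)
      next
    end
    cols = line.split(/\s{2,}|\t/)
    next unless cols.size == 5 # skip malformed lines instead of guessing
    rules << Rule.new(cols[0], cols[1], *cols[2..4].map(&:split))
  end
  [default, rules]
end

# True when the column is the lone wildcard or the block accepts the list.
def wildcard_or(list)
  list == ['*'] || yield(list)
end

# facts: Hash of fact name => value; classes: Array of config class names.
def authorized?(policy_text, caller_id:, action:, facts:, classes:)
  default, rules = parse_policy(policy_text)
  fact_ok = ->(kv) { k, v = kv.split('=', 2); facts[k] == v }
  hit = rules.find do |r|
    [caller_id, '*'].include?(r.caller) &&
      wildcard_or(r.actions) { |a| a.include?(action) } &&
      wildcard_or(r.facts) { |f| f.all?(&fact_ok) } &&
      wildcard_or(r.classes) { |c| (c - classes).empty? }
  end
  # Anything other than an explicit "allow" verdict is treated as a denial.
  (hit ? hit.verdict : default) == 'allow'
end
```

A request that matches no line, such as uid=600 asking for an action outside enable, disable and status on a customer=acme machine without the acme::devserver class, falls through to the default and is denied.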

Installation

Get the source from GitHub and place the actionpolicy.rb file in your libdir as libdir/mcollective/util/actionpolicy.rb.

You can now activate it in your agents:

module MCollective::Agent
    class Service < RPC::Agent
        # Check every request to this agent against its policy file
        authorized_by :action_policy

        # ...
    end
end
