{"id":1405,"date":"2010-04-11T12:11:12","date_gmt":"2010-04-11T11:11:12","guid":{"rendered":"http:\/\/www.devco.net\/?p=1405"},"modified":"2010-08-17T12:10:54","modified_gmt":"2010-08-17T11:10:54","slug":"authorization_plugins_for_mcollective_simplerpc","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2010\/04\/11\/authorization_plugins_for_mcollective_simplerpc.php","title":{"rendered":"Authorization plugins for MCollective SimpleRPC"},"content":{"rendered":"
Till now The Marionette Collective has relied on your middleware to provide all authorization and authentication for requests. You're able to restrict certain middleware users from certain agents, but nothing more fine grained.

In many cases you want to provide much finer grained control over who can do what; some cases could be:

This kind of thing is required for large infrastructures with lots of admins all working in their own group of machines, but where perhaps a central NOC needs to be able to work on all the machines: you need fine grained control over who can do what, and we did not have this till now. It would also be needed if you wanted to give clients control over their own servers but not others.

Version 0.4.5 will have support for this kind of scheme for SimpleRPC agents. We won't provide an authorization plugin out of the box with the core distribution, but I've made one which will be available as a plugin.

So how would you write an auth plugin? First, a typical agent would be:

<pre>
module MCollective
  module Agent
    class Service<RPC::Agent
      # Hand authorization of every action on this agent to
      # MCollective::Util::ActionPolicy; the rest of the agent body is not shown.
      authorized_by :action_policy
    end
  end
end
</pre>

The new authorized_by keyword tells MCollective to use the class MCollective::Util::ActionPolicy to do any authorization on this agent.

The ActionPolicy class can be pretty simple; if it raises any kind of exception the action will be denied.

<pre>
module MCollective
  module Util
    class ActionPolicy
      # Called by MCollective before an action runs; raising any exception
      # denies the request, so the default outcome on error is "deny".
      def self.authorize(request)
        # request.caller identifies who sent the request; here only Unix uid 500 is allowed.
        unless request.caller == "uid=500"
          raise("You are not allowed access to #{request.agent}::#{request.action}")
        end
      end
    end
  end
end
</pre>

This simple check will deny all requests from anyone but Unix user id 500.