Initial Chef repository
This commit is contained in:
Greg Karékinian
20
cookbooks/rbac/providers/auth.rb
Normal file
20
cookbooks/rbac/providers/auth.rb
Normal file
@@ -0,0 +1,20 @@
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource::RbacAuth.new(new_resource.name)
|
||||
@new_resource.definition = run_context.resource_collection.find(:rbac => @new_resource.auth)
|
||||
begin
|
||||
@new_resource.user_definition = run_context.resource_collection.find(:rbac_user => @new_resource.user)
|
||||
rescue Chef::Exceptions::ResourceNotFound
|
||||
end
|
||||
end
|
||||
|
||||
action :add do
|
||||
unless new_resource.user_definition
|
||||
new_resource.user_definition = rbac_user new_resource.user
|
||||
end
|
||||
|
||||
new_resource.add_auth new_resource.user, new_resource.auth
|
||||
|
||||
new_resource.updated_by_last_action(true)
|
||||
|
||||
new_resource.notifies(:apply, new_resource.user_definition, :delayed)
|
||||
end
|
||||
27
cookbooks/rbac/providers/default.rb
Normal file
27
cookbooks/rbac/providers/default.rb
Normal file
@@ -0,0 +1,27 @@
|
||||
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource::Rbac.new(@new_resource.name)
|
||||
end
|
||||
|
||||
action :create do
|
||||
definition = new_resource.name
|
||||
|
||||
new_resource.updated_by_last_action(false)
|
||||
|
||||
manage_auth = "solaris.smf.manage.#{definition}:::Manage #{definition} Service States::"
|
||||
manage = execute "add RBAC #{definition} management to /etc/security/auth_attr" do
|
||||
command "echo \"#{manage_auth}\" >> /etc/security/auth_attr"
|
||||
not_if "grep \"#{manage_auth}\" /etc/security/auth_attr"
|
||||
end
|
||||
|
||||
# This additional permission allows the user to call svccfg -s service setprop
|
||||
# to set dynamic properties without having to re-run chef. This may be
|
||||
# moved into a separate LWRP in the future.
|
||||
value_auth = "solaris.smf.value.#{definition}:::Change value of #{definition} Service::"
|
||||
value = execute "add RBAC #{definition} value to /etc/security/auth_attr" do
|
||||
command "echo \"#{value_auth}\" >> /etc/security/auth_attr"
|
||||
not_if "grep \"#{value_auth}\" /etc/security/auth_attr"
|
||||
end
|
||||
|
||||
new_resource.updated_by_last_action(manage.updated_by_last_action? || value.updated_by_last_action?)
|
||||
end
|
||||
22
cookbooks/rbac/providers/user.rb
Normal file
22
cookbooks/rbac/providers/user.rb
Normal file
@@ -0,0 +1,22 @@
|
||||
# The rbac_user LWRP is an internal set of classes used by other LWRPs to
|
||||
# delay writing of user attributes until the end of the chef run. It should not be
|
||||
# manually run.
|
||||
|
||||
def load_current_resource
|
||||
@current_resource = Chef::Resource::Rbac::User.new(@new_resource.user)
|
||||
end
|
||||
|
||||
action :apply do
|
||||
username = new_resource.user
|
||||
|
||||
auths = RBAC.authorizations[username]
|
||||
permissions = auths.inject([]) do |auth, name|
|
||||
auth + ["solaris.smf.manage.#{name}", "solaris.smf.value.#{name}"]
|
||||
end.sort.uniq.join(',')
|
||||
|
||||
execute "Apply rbac authorizations to #{username}" do
|
||||
command "usermod -A #{permissions} #{username}"
|
||||
action :nothing
|
||||
not_if "grep #{username} /etc/user_attr | grep 'auths=#{permissions}'"
|
||||
end.run_action(:run)
|
||||
end
|
||||
Reference in New Issue
Block a user