├── VERSION ├── .gitignore ├── lib ├── knife-acl │ └── version.rb └── chef │ └── knife │ ├── user_invite_list.rb │ ├── user_list.rb │ ├── group_list.rb │ ├── user_invite_add.rb │ ├── user_dissociate.rb │ ├── group_show.rb │ ├── group_create.rb │ ├── user_show.rb │ ├── group_destroy.rb │ ├── acl_show.rb │ ├── group_add.rb │ ├── group_remove.rb │ ├── acl_add.rb │ ├── user_invite_recind.rb │ ├── acl_remove.rb │ ├── acl_bulk_add.rb │ ├── acl_bulk_remove.rb │ └── helpers │ └── acl_base.rb ├── .rubocop.yml ├── .github ├── CODEOWNERS └── ISSUE_TEMPLATE │ ├── SUPPORT_QUESTION.md │ ├── BUG_TEMPLATE.md │ ├── ENHANCEMENT_REQUEST_TEMPLATE.md │ └── DESIGN_PROPOSAL.md ├── Gemfile ├── .expeditor ├── update_version.sh ├── verify.pipeline.yml ├── run_linux_tests.sh └── config.yml ├── knife-acl.gemspec ├── Rakefile ├── CHANGELOG.md ├── LICENSE └── README.md /VERSION: -------------------------------------------------------------------------------- 1 | 1.0.8 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | pkg 2 | -------------------------------------------------------------------------------- /lib/knife-acl/version.rb: --------------------------------------------------------------------------------
module KnifeACL
  # Released gem version; knife-acl.gemspec reads it as `s.version`.
  # .expeditor/update_version.sh rewrites this line with sed after every merge
  # (it matches `VERSION = "..."` at the start of a line), so keep the
  # assignment on its own line in exactly this form.
  VERSION = "1.0.8".freeze
end
-------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | Lint/UselessAssignment: 2 | Exclude: 3 | - 'lib/chef/knife/acl_bulk_add.rb' 4 | - 'lib/chef/knife/acl_bulk_remove.rb' 5 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Order is important. The last matching pattern has the most precedence.
2 | 3 | * @chef/msys-developers 4 | .expeditor/ @chef/jex-team 5 | *.md @chef/docs-team 6 | -------------------------------------------------------------------------------- /Gemfile: --------------------------------------------------------------------------------
source "https://rubygems.org"

# The gem's own dependencies are declared in knife-acl.gemspec, which sits next
# to this file; `gemspec` pulls them in from there.
gemspec

# Only needed to build the API docs (`rake docs`, see Rakefile).
group :docs do
  gem "yard"
  gem "redcarpet"
  gem "github-markup"
end

# Lint and spec tooling. The chef gem provides Chef::Knife, the superclass of
# every command under lib/chef/knife, so the plugins cannot load without it.
group :test do
  gem "rake"
  gem "rspec"
  gem "chefstyle"
  gem "chef", ">= 15.0"
end
-------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/SUPPORT_QUESTION.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 🤗 Support Question 3 | about: If you have a question 💬, please check out our Slack! 4 | --- 5 | 6 | We use GitHub issues to track bugs and feature requests. If you need help please post to our Mailing List or join the Chef Community Slack. 7 | 8 | * Chef Community Slack at 9 | * Chef Mailing List 10 | 11 | Support issues opened here will be closed and redirected to Slack or Discourse. 12 | -------------------------------------------------------------------------------- /.expeditor/update_version.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # After a PR merge, Chef Expeditor will bump the PATCH version in the VERSION file. 4 | # It then executes this file to update any other files/components with that new version. 5 | # 6 | 7 | set -evx 8 | 9 | sed -i -r "s/^(\s*)VERSION = \".+\"/\1VERSION = \"$(cat VERSION)\"/" lib/knife-acl/version.rb 10 | 11 | # Once Expeditor finishes executing this script, it will commit the changes and push 12 | # the commit as a new tag corresponding to the value in the VERSION file.
13 | -------------------------------------------------------------------------------- /knife-acl.gemspec: --------------------------------------------------------------------------------
$LOAD_PATH.unshift("#{File.dirname(__FILE__)}/lib")
require "knife-acl/version"

# Gem metadata for knife-acl. The version comes from KnifeACL::VERSION so that
# the Expeditor bump (.expeditor/update_version.sh) is the only place a release
# number is ever edited.
Gem::Specification.new do |spec|
  spec.name = "knife-acl"
  spec.version = KnifeACL::VERSION
  spec.platform = Gem::Platform::RUBY
  spec.extra_rdoc_files = ["LICENSE"]
  # NOTE(review): "manupulate" is a typo for "manipulate"; kept verbatim here
  # because it is the published summary string.
  spec.summary = "Knife plugin to manupulate Chef server access control lists"
  spec.description = spec.summary
  spec.authors = ["Seth Falcon", "Jeremiah Snapp"]
  spec.email = "support@chef.io"
  spec.homepage = "https://github.com/chef/knife-acl"
  spec.require_path = "lib"
  # Only the license and lib/ are packaged.
  spec.files = ["LICENSE", *Dir.glob("lib/**/*")]
end
-------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/BUG_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: � Bug Report 3 | about: If something isn't working as expected �. 4 | labels: "Status: Untriaged, Type: Bug" 5 | --- 6 | 7 | # Version: 8 | 9 | [Version of the project installed] 10 | 11 | # Environment: 12 | 13 | [Details about the environment such as the Operating System, cookbook details, etc...] 14 | 15 | # Scenario: 16 | 17 | [What you are trying to achieve and you can't?] 18 | 19 | # Steps to Reproduce: 20 | 21 | [If you are filing an issue what are the things we need to do in order to repro your problem?] 22 | 23 | # Expected Result: 24 | 25 | [What are you expecting to happen as the consequence of above reproduction steps?] 26 | 27 | # Actual Result: 28 | 29 | [What actually happens after the reproduction steps?]
30 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/ENHANCEMENT_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 🚀 Enhancement Request 3 | about: I have a suggestion (and may want to implement it 🙂)! 4 | labels: "Status: Untriaged" 5 | --- 6 | 7 | ### Describe the Enhancement 8 | 9 | 10 | ### Describe the Need 11 | 12 | 13 | ### Current Alternative 14 | 15 | 16 | ### Can We Help You Implement This? 17 | 18 | -------------------------------------------------------------------------------- /.expeditor/verify.pipeline.yml: -------------------------------------------------------------------------------- 1 | --- 2 | expeditor: 3 | defaults: 4 | buildkite: 5 | timeout_in_minutes: 30 6 | 7 | steps: 8 | 9 | - label: run-lint-and-specs-ruby-2.5 10 | command: 11 | - .expeditor/run_linux_tests.sh rake 12 | expeditor: 13 | executor: 14 | docker: 15 | image: ruby:2.5-buster 16 | 17 | - label: run-lint-and-specs-ruby-2.6 18 | command: 19 | - .expeditor/run_linux_tests.sh rake 20 | expeditor: 21 | executor: 22 | docker: 23 | image: ruby:2.6-buster 24 | 25 | - label: run-lint-and-specs-ruby-2.7 26 | command: 27 | - .expeditor/run_linux_tests.sh rake 28 | expeditor: 29 | executor: 30 | docker: 31 | image: ruby:2.7-buster 32 | 33 | - label: run-specs-windows 34 | command: 35 | - bundle install --jobs=7 --retry=3 --without docs debug 36 | - bundle exec rake 37 | expeditor: 38 | executor: 39 | docker: 40 | host_os: windows 41 | -------------------------------------------------------------------------------- /Rakefile: --------------------------------------------------------------------------------
require "bundler/gem_tasks"

# `rake spec` — runs the RSpec suite when rspec is installed; otherwise a
# stand-in task aborts with a hint so the default task still fails loudly.
begin
  require "rspec/core/rake_task"

  RSpec::Core::RakeTask.new { |rspec| rspec.pattern = "spec/**/*_spec.rb" }
rescue LoadError
  desc "rspec is not installed, this task is disabled"
  task :spec do
    abort "rspec is not installed. bundle install first to make sure all dependencies are installed."
  end
end

# `rake style` — Chefstyle (RuboCop) lint; only a message when the gem is absent.
begin
  require "chefstyle"
  require "rubocop/rake_task"
  desc "Run Chefstyle tests"
  RuboCop::RakeTask.new(:style) do |lint|
    lint.options += %w{--display-cop-names --no-color}
  end
rescue LoadError
  puts "chefstyle gem is not installed. bundle install first to make sure all dependencies are installed."
end

# `rake docs` — YARD API docs; optional in the same way.
begin
  require "yard"
  YARD::Rake::YardocTask.new(:docs)
rescue LoadError
  puts "yard is not available. bundle install first to make sure all dependencies are installed."
end

# Lint first, then specs.
task default: %i{style spec}
-------------------------------------------------------------------------------- /lib/chef/knife/user_invite_list.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Steven Danna () 3 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 4 | # License:: Apache License, Version 2.0 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License.
17 | # 18 |
module OpscodeAcl
  # `knife user invite list`: prints the usernames that have an outstanding
  # invitation (association request) to the current organization.
  class UserInviteList < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife user invite list"

    # Takes no arguments. Reads GET association_requests/ and outputs only the
    # "username" field of each entry through the knife UI.
    def run
      pending = rest.get_rest("association_requests/")
      ui.output(pending.map { |request| request["username"] })
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/user_list.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License.
18 | # 19 |
module OpscodeAcl
  # `knife user list`: prints every username known to the Chef server, sorted.
  class UserList < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife user list"

    deps do
      require "pp"
    end

    # GET users returns one {"user" => {"username" => ...}} entry per user;
    # only the username is kept.
    # NOTE(review): output goes through `pp`, not `ui.output` as in the other
    # commands of this gem, so knife's -F/--format setting is ignored here.
    def run
      usernames = rest.get_rest("users").map { |entry| entry["user"]["username"] }
      pp(usernames.sort)
    end
  end
end
-------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # knife-acl change log 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | ## [v1.0.8](https://github.com/chef/knife-acl/tree/v1.0.8) (2020-02-12) 10 | 11 | #### Merged Pull Requests 12 | - Move helpers to their own dir to speedup loading [#51](https://github.com/chef/knife-acl/pull/51) ([tas50](https://github.com/tas50)) 13 | 14 | 15 | ## [v1.0.6](https://github.com/chef/knife-acl/tree/v1.0.6) (2019-12-30) 16 | 17 | #### Merged Pull Requests 18 | - Use Expeditor / Buildkite to manage this repo [#48](https://github.com/chef/knife-acl/pull/48) ([tas50](https://github.com/tas50)) 19 | - Use require_relative instead of require [#47](https://github.com/chef/knife-acl/pull/47) ([tas50](https://github.com/tas50)) 20 | - Chefstyle fixes [#49](https://github.com/chef/knife-acl/pull/49) ([tas50](https://github.com/tas50)) 21 | - Don't ship the readme in the gem artifact [#50](https://github.com/chef/knife-acl/pull/50) ([tas50](https://github.com/tas50)) 22 | 23 | 24 | # 0.0.12 - 2014-03-31 25 | - Add `knife group destroy GROUP` command 26 | - Update copyright notice for 2014 and company name change -------------------------------------------------------------------------------- /lib/chef/knife/group_list.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc.
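5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License. 18 | # 19 |
module OpscodeAcl
  # `knife group list`: prints the organization's group names, sorted, with
  # the USAG groups filtered out.
  class GroupList < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife group list"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # GET groups returns a hash keyed by group name; only the keys are used.
    def run
      groups = rest.get_rest("groups").keys.sort
      ui.output(remove_usags(groups))
    end

    # Drops every name that is_usag? (presumably provided by AclBase, which is
    # not shown here) reports as a USAG.
    #
    # @param groups [Array<String>] group names
    # @return [Array<String>] the same names minus USAGs, order preserved
    def remove_usags(groups)
      groups.reject { |gname| is_usag?(gname) }
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/user_invite_add.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Steven Danna () 3 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 4 | # License:: Apache License, Version 2.0 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.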
15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 |
module OpscodeAcl
  # `knife user invite add USERNAMES`: invites one or more users into the
  # current organization by creating an association request for each name.
  class UserInviteAdd < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife user invite add USERNAMES"

    # Every positional argument is treated as a username; with none given the
    # usage is printed and the process exits 1. One POST per user, so a failure
    # part-way leaves the earlier invitations in place.
    def run
      if name_args.empty?
        show_usage
        ui.fatal("You must specify a username.")
        exit 1
      end

      name_args.each do |username|
        rest.post_rest("association_requests/", { user: username })
      end
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/user_dissociate.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Steven Danna () 3 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 4 | # License:: Apache License, Version 2.0 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License.
17 | # 18 |
module OpscodeAcl
  # `knife user dissociate USERNAMES`: removes one or more users from the
  # current organization after a single interactive confirmation.
  class UserDissociate < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife user dissociate USERNAMES"

    # Prints usage and exits 1 when no username is given. ui.confirm asks once
    # for the whole list before anything is deleted; then one DELETE users/<name>
    # per argument, so a failure mid-way leaves the earlier removals done.
    # NOTE(review): each name is interpolated straight into the request path
    # without validation; the group commands in this gem run
    # validate_member_name! on their arguments first — consider the same here.
    def run
      if name_args.empty?
        show_usage
        ui.fatal("You must specify a username.")
        exit 1
      end

      ui.confirm("Are you sure you want to dissociate the following users: #{name_args.join(", ")}")
      name_args.each { |username| rest.delete_rest("users/#{username}") }
    end
  end
end
-------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/DESIGN_PROPOSAL.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Design Proposal 3 | about: I have a significant change I would like to propose and discuss before starting 4 | labels: "Status: Untriaged, Type: Design Proposal" 5 | --- 6 | 7 | ### When a Change Needs a Design Proposal 8 | 9 | A design proposal should be opened any time a change meets one of the following qualifications: 10 | 11 | - Significantly changes the user experience of a project in a way that impacts users. 12 | - Significantly changes the underlying architecture of the project in a way that impacts other developers. 13 | - Changes the development or testing process of the project such as a change of CI systems or test frameworks. 14 | 15 | ### Why We Use This Process 16 | 17 | - Allows all interested parties (including any community member) to discuss large impact changes to a project. 18 | - Serves as a durable paper trail for discussions regarding project architecture. 19 | - Forces design discussions to occur before PRs are created. 20 | - Reduces PR refactoring and rejected PRs.
21 | 22 | --- 23 | 24 | 25 | 26 | ## Motivation 27 | 28 | 33 | 34 | ## Specification 35 | 36 | 37 | 38 | ## Downstream Impact 39 | 40 | 41 | -------------------------------------------------------------------------------- /lib/chef/knife/group_show.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License. 
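18 | # 19 | 20 | module OpscodeAcl 21 | class GroupShow < Chef::Knife 22 | category "OPSCODE HOSTED CHEF ACCESS CONTROL" 23 | banner "knife group show GROUP_NAME" 24 | 25 | deps do 26 | require_relative "helpers/acl_base" 27 | include OpscodeAcl::AclBase 28 | end 29 | 30 | def run 31 | group_name = name_args[0] 32 | 33 | if name_args.length != 1 34 | show_usage 35 | ui.fatal "You must specify group name" 36 | exit 1 37 | end 38 | 39 | validate_member_name!(group_name) 40 | 41 | group = rest.get_rest("groups/#{group_name}") 42 | ui.output group 43 | end 44 | end 45 | end 46 | -------------------------------------------------------------------------------- /.expeditor/run_linux_tests.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# This script runs a passed in command, but first setups up the bundler caching on the repo
#
# The bundle cache (vendor/bundle as bundle.tar.gz, plus bundle.sha256) is pulled
# from and pushed back to S3, keyed by pipeline slug and step label. bundle.sha256
# hashes only Gemfile.lock: it decides whether the cache must be re-uploaded and
# does not verify the contents of the tarball that was just extracted.
# NOTE(review): the bucket is named as a public cache; whatever is unpacked from
# it runs with the build's privileges, so treat it as part of the supply chain.

set -ue

export USER="root"

echo "--- dependencies"
export LANG=C.UTF-8 LANGUAGE=C.UTF-8
S3_URL="s3://public-cd-buildkite-cache/${BUILDKITE_PIPELINE_SLUG}/${BUILDKITE_LABEL}"

# Best-effort download; a missing cache object is reported, not fatal.
pull_s3_file() {
  aws s3 cp "${S3_URL}/$1" "$1" || echo "Could not pull $1 from S3"
}

# Best-effort upload of a local file, skipped when the file does not exist.
push_s3_file() {
  if [ -f "$1" ]; then
    aws s3 cp "$1" "${S3_URL}/$1" || echo "Could not push $1 to S3 for caching."
  fi
}

apt-get update -y
apt-get install awscli -y

echo "--- bundle install"
pull_s3_file "bundle.tar.gz"
pull_s3_file "bundle.sha256"

if [ -f bundle.tar.gz ]; then
  tar -xzf bundle.tar.gz
fi

# Forces a fresh upload below. -f matters: under `set -e` a plain rm would abort
# the build whenever bundle.sha256 could not be pulled from S3.
if [ -n "${RESET_BUNDLE_CACHE:-}" ]; then
  rm -f bundle.sha256
fi

bundle config --local path vendor/bundle
bundle install --jobs=7 --retry=3

echo "--- bundle cache"
if test -f bundle.sha256 && shasum --check bundle.sha256 --status; then
  echo "Bundled gems have not changed. Skipping upload to s3"
else
  echo "Bundled gems have changed. Uploading to s3"
  shasum -a 256 Gemfile.lock > bundle.sha256
  tar -czf bundle.tar.gz vendor/
  push_s3_file bundle.tar.gz
  push_s3_file bundle.sha256
fi

echo "+++ bundle exec task"
# Forward every argument quoted so a multi-word command reaches bundler intact
# (the pipeline currently passes the single word "rake").
bundle exec "$@"
-------------------------------------------------------------------------------- /lib/chef/knife/group_create.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License.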
18 | # 19 |
module OpscodeAcl
  # `knife group create GROUP_NAME`: creates an empty group in the current
  # organization.
  class GroupCreate < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife group create GROUP_NAME"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Exactly one argument is accepted (usage + exit 1 otherwise). The name is
    # checked with AclBase's validate_member_name! before it is sent to the
    # server as the "groupname" of the new group.
    def run
      unless name_args.length == 1
        show_usage
        ui.fatal "You must specify group name"
        exit 1
      end

      group_name = name_args.first
      validate_member_name!(group_name)

      ui.msg "Creating '#{group_name}' group"
      rest.post_rest("groups", { groupname: group_name })
    end
  end
end
-------------------------------------------------------------------------------- /.expeditor/config.yml: -------------------------------------------------------------------------------- 1 | # Documentation available at https://expeditor.chef.io/docs/getting-started/ 2 | --- 3 | 4 | # Slack channel in Chef Software slack to send notifications about build failures, etc 5 | slack: 6 | notify_channel: 7 | - sustaining-notify 8 | 9 | # This publish is triggered by the `built_in:publish_rubygems` artifact_action. 10 | rubygems: 11 | - knife-acl 12 | 13 | github: 14 | # This deletes the GitHub PR branch after successfully merged into the release branch 15 | delete_branch_on_merge: true 16 | # The tag format to use (e.g. v1.0.0) 17 | version_tag_format: "v{{version}}" 18 | # allow bumping the minor release via label 19 | minor_bump_labels: 20 | - "Expeditor: Bump Version Minor" 21 | # allow bumping the major release via label 22 | major_bump_labels: 23 | - "Expeditor: Bump Version Major" 24 | 25 | changelog: 26 | rollup_header: Changes not yet released to rubygems.org 27 | 28 | # These actions are taken, in order they are specified, anytime a Pull Request is merged.
29 | merge_actions: 30 | - built_in:bump_version: 31 | ignore_labels: 32 | - "Expeditor: Skip Version Bump" 33 | - "Expeditor: Skip All" 34 | - bash:.expeditor/update_version.sh: 35 | only_if: built_in:bump_version 36 | - built_in:update_changelog: 37 | ignore_labels: 38 | - "Expeditor: Skip Changelog" 39 | - "Expeditor: Skip All" 40 | - built_in:build_gem: 41 | only_if: built_in:bump_version 42 | 43 | promote: 44 | actions: 45 | - built_in:rollover_changelog 46 | - built_in:publish_rubygems 47 | 48 | pipelines: 49 | - verify: 50 | description: Pull Request validation tests 51 | public: true 52 | -------------------------------------------------------------------------------- /lib/chef/knife/user_show.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Steven Danna () 3 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 4 | # License:: Apache License, Version 2.0 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 |
module OpscodeAcl
  # `knife user show [USERNAME]`: fetches one user record and prints it,
  # optionally restricted to the attributes named with -a/--attribute.
  class UserShow < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife user show [USERNAME]"

    # ui.format_for_display has logic to handle displaying
    # any attributes set in the config[:attribute] Array.
    #
    # attrs_to_show is a local of the class body captured by the option's
    # lambda: each -a appends to it, and since `<<` returns its receiver the
    # lambda yields the whole array — presumably that return value is what
    # lands in config[:attribute] (verify against the option parser). Because
    # the array lives in the class body it is shared by every UserShow
    # instance in the process; fine for a one-shot knife run.
    attrs_to_show = []
    option :attribute,
      short: "-a [ATTR]",
      long: "--attribute [ATTR]",
      proc: lambda { |val| attrs_to_show << val },
      description: "Show attribute ATTR. Use multiple times to show multiple attributes."

    # Requires at least one argument (usage + exit 1 otherwise); only the first
    # is used. The banner's [USERNAME] reads as optional — it is not.
    # NOTE(review): the username goes into the request path unvalidated; the
    # group commands call validate_member_name! first — consider the same here.
    def run
      if name_args.length < 1
        show_usage
        ui.fatal "You must specify a username."
        exit 1
      end

      username = name_args[0]
      api_endpoint = "users/#{username}"
      user = rest.get_rest(api_endpoint)
      ui.output(ui.format_for_display(user))
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/group_destroy.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Christopher Maier () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2015-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License.
18 | # 19 | 20 | module OpscodeAcl 21 | class GroupDestroy < Chef::Knife 22 | category "OPSCODE HOSTED CHEF ACCESS CONTROL" 23 | banner "knife group destroy GROUP_NAME" 24 | 25 | deps do 26 | require_relative "helpers/acl_base" 27 | include OpscodeAcl::AclBase 28 | end 29 | 30 | def run 31 | group_name = name_args[0] 32 | 33 | if name_args.length != 1 34 | show_usage 35 | ui.fatal "You must specify group name" 36 | exit 1 37 | end 38 | 39 | validate_member_name!(group_name) 40 | 41 | if %w{admins billing-admins clients users}.include?(group_name.downcase) 42 | ui.fatal "the '#{group_name}' group is a special group that should not be destroyed" 43 | exit 1 44 | end 45 | ui.msg "Destroying '#{group_name}' group" 46 | rest.delete_rest("groups/#{group_name}") 47 | end 48 | end 49 | end 50 | -------------------------------------------------------------------------------- /lib/chef/knife/acl_show.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Steven Danna (steve@chef.io) 3 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 4 | # License:: Apache License, Version 2.0 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 
17 | # 18 |
module OpscodeAcl
  # `knife acl show OBJECT_TYPE OBJECT_NAME`: prints the ACL of one object,
  # one entry per permission type.
  class AclShow < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife acl show OBJECT_TYPE OBJECT_NAME"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Both arguments go through the AclBase validators before the lookup. The
    # fetched ACL is edited in place before printing: for each perm in
    # PERM_TYPES (from AclBase) the combined "actors" list is dropped whenever
    # the server also returned the split "users" and "clients" lists. The
    # original author notes that if one of those two is present both are, but
    # checks both for completeness.
    def run
      object_type, object_name = name_args

      unless name_args.length == 2
        show_usage
        ui.fatal "You must specify an object type and object name"
        exit 1
      end

      validate_object_type!(object_type)
      validate_object_name!(object_name)

      acl = get_acl(object_type, object_name)
      PERM_TYPES.each do |perm|
        entry = acl[perm]
        entry.delete "actors" if entry.key?("users") && entry.key?("clients")
      end
      ui.output acl
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/group_add.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License.
18 | # 19 |
module OpscodeAcl
  # `knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME`: adds a client, group
  # or user to a group. Membership of the "users" group is deliberately out of
  # scope (the README is the reference, per the message below).
  class GroupAdd < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Exactly three arguments (usage + exit 1 otherwise). Both names and the
    # member type go through the AclBase validators, then the "users" group is
    # refused (case-insensitively) before anything is sent to the server.
    def run
      member_type, member_name, group_name = name_args

      unless name_args.length == 3
        show_usage
        ui.fatal "You must specify member type [client|group|user], member name and group name"
        exit 1
      end

      validate_member_name!(group_name)
      validate_member_type!(member_type)
      validate_member_name!(member_name)

      if group_name.downcase == "users"
        ui.fatal "knife-acl can not manage members of the Users group"
        ui.fatal "please read knife-acl's README.md for more information"
        exit 1
      end

      add_to_group!(member_type, member_name, group_name)
    end
  end
end
-------------------------------------------------------------------------------- /lib/chef/knife/group_remove.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Author:: Seth Falcon () 3 | # Author:: Jeremiah Snapp () 4 | # Copyright:: Copyright 2011-2020 Chef Software, Inc. 5 | # License:: Apache License, Version 2.0 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License.
module OpscodeAcl
  # knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME
  #
  # Removes a client, group or user from an existing group. Membership of the
  # "users" group is not managed by this plugin and is refused (see README.md).
  class GroupRemove < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Entry point invoked by knife. Exits with status 1 on bad input or when
    # the target is the protected "users" group.
    def run
      unless name_args.length == 3
        show_usage
        ui.fatal "You must specify member type [client|group|user], member name and group name"
        exit 1
      end
      member_type, member_name, group_name = name_args

      validate_member_name!(group_name)
      validate_member_type!(member_type)
      validate_member_name!(member_name)

      # The comparison is case-insensitive so "Users" and "USERS" are refused too.
      case group_name.downcase
      when "users"
        ui.fatal "knife-acl can not manage members of the Users group"
        ui.fatal "please read knife-acl's README.md for more information"
        exit 1
      end

      remove_from_group!(member_type, member_name, group_name)
    end
  end
end
module OpscodeAcl
  # knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS
  #
  # Adds a client or group to one or more ACEs of an object. Users are
  # deliberately not accepted: the README's best practice is to grant a group
  # and add users to that group instead.
  class AclAdd < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Entry point invoked by knife. Exits with status 1 on bad input or when
    # MEMBER_TYPE is not "client" or "group".
    def run
      unless name_args.length == 5
        show_usage
        ui.fatal "You must specify the member type [client|group], member name, object type, object name and perms"
        exit 1
      end
      member_type, member_name, object_type, object_name, perms = name_args

      unless allowed_member_type?(member_type)
        ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
        ui.fatal " See the knife-acl README for more information."
        exit 1
      end

      validate_perm_type!(perms)
      validate_member_name!(member_name)
      validate_object_name!(object_name)
      validate_object_type!(object_type)
      validate_member_exists!(member_type, member_name)

      add_to_acl!(member_type, member_name, object_type, object_name, perms)
    end

    private

    # Only clients and groups may be added to an ACE by this command.
    def allowed_member_type?(type)
      %w{client group}.include?(type)
    end
  end
end
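module OpscodeAcl
  # knife user invite recind [USERNAMES] (options)
  #
  # Rescinds pending organization invitations ("association requests"). The
  # server addresses a request by id, so the usernames given on the command
  # line are first resolved against the list of open requests.
  class UserInviteRecind < Chef::Knife
    banner "knife user invite recind [USERNAMES] (options)"
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"

    option :all,
      short: "-a",
      long: "--all",
      description: "Recind all invites!"

    # Entry point invoked by knife.
    #
    # With --all every open request is deleted after one confirmation.
    # Otherwise every given username must have an open request; the whole
    # list is resolved before anything is deleted, so a misspelled name aborts
    # the command instead of leaving it half-applied. Exits with status 1 on a
    # usage error or an unknown username.
    def run
      if name_args.empty? && !config[:all]
        show_usage
        ui.fatal("You must specify a username.")
        exit 1
      end

      # To recind we need to send a DELETE to association_requests/INVITE_ID.
      # For user friendliness we look up the invite ID based on username.
      @invites = {}
      rest.get_rest("association_requests").each { |i| @invites[i["username"]] = i["id"] }

      if config[:all]
        ui.confirm("Are you sure you want to recind all association requests")
        @invites.each_value { |id| rest.delete_rest("association_requests/#{id}") }
      else
        usernames = name_args
        # Fail before confirming and before the first DELETE when any name has
        # no open request, so the operation is all-or-nothing.
        unknown = usernames.find { |u| !@invites.key?(u) }
        if unknown
          ui.fatal("No association request for #{unknown}.")
          exit 1
        end
        ui.confirm("Are you sure you want to recind the association requests for: #{usernames.join(", ")}")
        usernames.each { |u| rest.delete_rest("association_requests/#{@invites[u]}") }
      end
    end
  end
end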
module OpscodeAcl
  # knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS
  #
  # Removes a client, group or user from one or more ACEs of an object. Two
  # removals are refused because they can lock an organization out of its own
  # permissions: the "pivotal" system actor, and the "admins" group from the
  # "grant" ACE.
  class AclRemove < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Entry point invoked by knife. Exits with status 1 on bad input or a
    # refused removal.
    def run
      unless name_args.length == 5
        show_usage
        ui.fatal "You must specify the member type [client|group|user], member name, object type, object name and perms"
        exit 1
      end
      member_type, member_name, object_type, object_name, perms = name_args

      refuse_protected_removal!(member_type, member_name, perms)

      validate_perm_type!(perms)
      validate_member_type!(member_type)
      validate_member_name!(member_name)
      validate_object_name!(object_name)
      validate_object_type!(object_type)
      validate_member_exists!(member_type, member_name)

      remove_from_acl!(member_type, member_name, object_type, object_name, perms)
    end

    private

    # Runs ahead of the generic validations. Exits with status 1 when the
    # request would remove the "pivotal" client/user from an ACL, or the
    # "admins" group from the "grant" ACE.
    def refuse_protected_removal!(member_type, member_name, perms)
      pivotal_actor = member_name == "pivotal" && %w{client user}.include?(member_type)
      if pivotal_actor
        ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
        exit 1
      end

      admins_grant = member_name == "admins" && member_type == "group" &&
        perms.to_s.split(",").include?("grant")
      return unless admins_grant

      ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
      ui.fatal " Removal could prevent future attempts to modify permissions."
      exit 1
    end
  end
end
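module OpscodeAcl
  # knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS
  #
  # Adds a client or group to the given ACEs of every object of OBJECT_TYPE
  # whose name matches REGEX. The affected objects are listed and confirmed
  # before any ACL is changed.
  class AclBulkAdd < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Entry point invoked by knife. Exits with status 1 on bad input, an
    # invalid REGEX, or a bulk operation on containers/groups; exits 0 when
    # nothing matches.
    def run
      unless name_args.length == 5
        show_usage
        ui.fatal "You must specify the member type [client|group], member name, object type, object name REGEX and perms"
        exit 1
      end
      member_type, member_name, object_type, regex, perms = name_args

      # Users are deliberately not accepted: best practice is to grant the group
      # and add users to the group (see README).
      unless %w{client group}.include?(member_type)
        ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
        ui.fatal " See the knife-acl README for more information."
        exit 1
      end
      validate_perm_type!(perms)
      validate_member_name!(member_name)
      validate_object_type!(object_type)
      validate_member_exists!(member_type, member_name)

      if %w{containers groups}.include?(object_type)
        ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
        exit 1
      end

      # Compiled only once the arguments are known to be well-formed, so an
      # unparsable expression is reported as a usage error rather than a
      # RegexpError backtrace.
      object_name_matcher = compile_matcher(regex)

      all_objects = rest.get_rest(object_type)
      # Unanchored match: REGEX may hit anywhere inside a name, which is why the
      # full list is shown and confirmed below before anything changes.
      objects_to_modify = all_objects.keys.select { |object_name| object_name_matcher.match?(object_name) }

      if objects_to_modify.empty?
        ui.info "No #{object_type} match the expression /#{regex}/"
        exit 0
      end

      ui.msg("The ACL of the following #{object_type} will be modified:")
      ui.msg("")
      ui.msg(ui.list(objects_to_modify.sort, :columns_down))
      ui.msg("")
      ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")

      objects_to_modify.each do |object_name|
        add_to_acl!(member_type, member_name, object_type, object_name, perms)
      end
    end

    private

    # Builds the Regexp for REGEX, exiting with status 1 when it does not parse.
    def compile_matcher(regex)
      Regexp.new(regex)
    rescue RegexpError => e
      ui.fatal "Invalid REGEX /#{regex}/: #{e.message}"
      exit 1
    end
  end
end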
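module OpscodeAcl
  # knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS
  #
  # Removes a client, group or user from the given ACEs of every object of
  # OBJECT_TYPE whose name matches REGEX. The affected objects are listed and
  # confirmed before any ACL is changed. The same lock-out guards as
  # `knife acl remove` apply: the "pivotal" actor, and "admins" on "grant".
  class AclBulkRemove < Chef::Knife
    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
    banner "knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"

    deps do
      require_relative "helpers/acl_base"
      include OpscodeAcl::AclBase
    end

    # Entry point invoked by knife. Exits with status 1 on bad input, a refused
    # removal, an invalid REGEX, or a bulk operation on containers/groups;
    # exits 0 when nothing matches.
    def run
      unless name_args.length == 5
        show_usage
        ui.fatal "You must specify the member type [client|group|user], member name, object type, object name REGEX and perms"
        exit 1
      end
      member_type, member_name, object_type, regex, perms = name_args

      if member_name == "pivotal" && %w{client user}.include?(member_type)
        ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
        exit 1
      end
      if member_name == "admins" && member_type == "group" && perms.to_s.split(",").include?("grant")
        ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
        ui.fatal " Removal could prevent future attempts to modify permissions."
        exit 1
      end
      validate_perm_type!(perms)
      validate_member_type!(member_type)
      validate_member_name!(member_name)
      validate_object_type!(object_type)
      validate_member_exists!(member_type, member_name)

      if %w{containers groups}.include?(object_type)
        ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
        exit 1
      end

      # Compiled only once the arguments are known to be well-formed, so an
      # unparsable expression is reported as a usage error rather than a
      # RegexpError backtrace.
      object_name_matcher = compile_matcher(regex)

      all_objects = rest.get_rest(object_type)
      # Unanchored match: REGEX may hit anywhere inside a name, which is why the
      # full list is shown and confirmed below before anything changes.
      objects_to_modify = all_objects.keys.select { |object_name| object_name_matcher.match?(object_name) }

      if objects_to_modify.empty?
        ui.info "No #{object_type} match the expression /#{regex}/"
        exit 0
      end

      ui.msg("The ACL of the following #{object_type} will be modified:")
      ui.msg("")
      ui.msg(ui.list(objects_to_modify.sort, :columns_down))
      ui.msg("")
      ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")

      objects_to_modify.each do |object_name|
        remove_from_acl!(member_type, member_name, object_type, object_name, perms)
      end
    end

    private

    # Builds the Regexp for REGEX, exiting with status 1 when it does not parse.
    def compile_matcher(regex)
      Regexp.new(regex)
    rescue RegexpError => e
      ui.fatal "Invalid REGEX /#{regex}/: #{e.message}"
      exit 1
    end
  end
end

# lib/chef/knife/helpers/acl_base.rb
module OpscodeAcl
  # Validation and Chef Server ACL/group helpers shared by the knife commands,
  # which mix it in from their `deps` block. Every `validate_*!` helper reports
  # through `ui.fatal` and exits with status 1 rather than raising, so the
  # including command does not need to rescue anything.
  module AclBase

    PERM_TYPES = %w{create read update delete grant}.freeze unless defined? PERM_TYPES
    MEMBER_TYPES = %w{client group user}.freeze unless defined? MEMBER_TYPES
    OBJECT_TYPES = %w{clients containers cookbooks data environments groups nodes roles policies policy_groups}.freeze unless defined? OBJECT_TYPES
    # Object and member names are interpolated into REST paths, so the whole
    # value must match. \A and \z anchor the entire string; ^ and $ only anchor
    # a line and would accept a name with an embedded newline.
    OBJECT_NAME_SPEC = /\A[\-[:alnum:]_\.]+\z/.freeze unless defined? OBJECT_NAME_SPEC

    # Exits with status 1 unless TYPE is one of OBJECT_TYPES.
    def validate_object_type!(type)
      return if OBJECT_TYPES.include?(type)

      ui.fatal "Unknown object type \"#{type}\". The following types are permitted: #{OBJECT_TYPES.join(", ")}"
      exit 1
    end

    # Exits with status 1 unless NAME matches OBJECT_NAME_SPEC in full
    # (nil never matches).
    def validate_object_name!(name)
      return if OBJECT_NAME_SPEC.match?(name)

      ui.fatal "Invalid name: #{name}"
      exit 1
    end

    # Exits with status 1 unless TYPE is one of MEMBER_TYPES.
    def validate_member_type!(type)
      return if MEMBER_TYPES.include?(type)

      ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(", ")}"
      exit 1
    end

    # Same rules apply to objects and members.
    def validate_member_name!(name)
      validate_object_name!(name)
    end

    # PERMS is a comma-separated list drawn from PERM_TYPES. Exits with status 1
    # on an unknown permission, and also when the list is empty so an empty
    # PERMS argument no longer silently results in a command that changes
    # nothing.
    def validate_perm_type!(perms)
      perm_list = perms.to_s.split(",")
      if perm_list.empty?
        ui.fatal "You must specify at least one permission. The following permissions are permitted: #{PERM_TYPES.join(",")}"
        exit 1
      end
      perm_list.each do |perm|
        next if PERM_TYPES.include?(perm)

        ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(",")}"
        exit 1
      end
    end

    # Confirms MEMBER_NAME exists by fetching "#{member_type}s/#{member_name}".
    # Any other error raised by the request is reported and exits with status 1.
    def validate_member_exists!(member_type, member_name)
      true if rest.get_rest("#{member_type}s/#{member_name}")
    rescue NameError
      # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
      true
    rescue
      ui.fatal "#{member_type} '#{member_name}' does not exist"
      exit 1
    end

    # True when GNAME is exactly 32 lowercase hex characters, the shape the
    # rest of the plugin treats as a USAG rather than a human-named group
    # (NOTE(review): confirm that meaning against callers). The match covers
    # the whole string; nil yields false.
    def is_usag?(gname)
      /\A[0-9a-f]{32}\z/.match?(gname)
    end

    # Fetches the full ACL of an object with per-actor-type detail.
    def get_acl(object_type, object_name)
      rest.get_rest("#{object_type}/#{object_name}/_acl?detail=granular")
    end

    # Fetches a single ACE (one of PERM_TYPES) of an object.
    def get_ace(object_type, object_name, perm)
      get_acl(object_type, object_name)[perm]
    end

    # Adds MEMBER_NAME to each ACE named in the comma-separated PERMS. An ACE
    # that already lists the member is left untouched (no PUT).
    def add_to_acl!(member_type, member_name, object_type, object_name, perms)
      acl = get_acl(object_type, object_name)
      perms.split(",").each do |perm|
        ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
        ace = acl[perm]
        members = ace[ace_member_key(ace, member_type)]
        next if members.include?(member_name)

        members << member_name
        update_ace!(object_type, object_name, perm, ace)
      end
    end

    # Removes MEMBER_NAME from each ACE named in the comma-separated PERMS. An
    # ACE that does not list the member is left untouched (no PUT).
    def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
      acl = get_acl(object_type, object_name)
      perms.split(",").each do |perm|
        ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
        ace = acl[perm]
        members = ace[ace_member_key(ace, member_type)]
        next unless members.include?(member_name)

        members.delete(member_name)
        update_ace!(object_type, object_name, perm, ace)
      end
    end

    # PUTs one ACE back; the body is keyed by the ACE name, e.g. { "read" => ace }.
    def update_ace!(object_type, object_name, ace_type, ace)
      rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace)
    end

    # Adds MEMBER_NAME to GROUP_NAME after confirming the member exists. No PUT
    # is sent when the member is already listed.
    def add_to_group!(member_type, member_name, group_name)
      validate_member_exists!(member_type, member_name)
      existing_group = rest.get_rest("groups/#{group_name}")
      ui.msg "Adding '#{member_name}' to '#{group_name}' group"
      members = existing_group["#{member_type}s"]
      return if members.include?(member_name)

      members << member_name
      rest.put_rest("groups/#{group_name}", group_put_body(existing_group))
    end

    # Removes MEMBER_NAME from GROUP_NAME after confirming the member exists.
    # No PUT is sent when the member is not listed.
    def remove_from_group!(member_type, member_name, group_name)
      validate_member_exists!(member_type, member_name)
      existing_group = rest.get_rest("groups/#{group_name}")
      ui.msg "Removing '#{member_name}' from '#{group_name}' group"
      members = existing_group["#{member_type}s"]
      return unless members.include?(member_name)

      members.delete(member_name)
      rest.put_rest("groups/#{group_name}", group_put_body(existing_group))
    end

    private

    # Key under which MEMBER_TYPE's entries live in ACE. A server that answers
    # _acl?detail=granular with separate "users" and "clients" lists accepts
    # the same keys in a PUT, so the entry is modified under the key it arrived
    # in; older servers only return and accept the combined "actors" list.
    # Raises ArgumentError for a type outside MEMBER_TYPES (callers validate
    # the type first, so this is a programming error, not user input).
    def ace_member_key(ace, member_type)
      case member_type
      when "group"
        "groups"
      when "client", "user"
        key = "#{member_type}s"
        ace.key?(key) ? key : "actors"
      else
        raise ArgumentError, "unknown member type #{member_type.inspect}"
      end
    end

    # The PUT body the groups endpoint receives: the group's identity plus a
    # nested "actors" hash holding the three membership lists.
    def group_put_body(existing_group)
      {
        "groupname" => existing_group["groupname"],
        "orgname" => existing_group["orgname"],
        "actors" => {
          "users" => existing_group["users"],
          "clients" => existing_group["clients"],
          "groups" => existing_group["groups"],
        },
      }
    end

  end
end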
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # knife-acl 2 | 3 | WARNING: This plugin was moved directly into Chef Infra Client in 16.0. This repo is no longer maintained. 4 | 5 | * **Umbrella Project: [Knife](https://github.com/chef/chef-oss-practices/blob/master/projects/knife.md)** 6 | 7 | * **Project State [Deprecated](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md#deprecated)** 8 | 9 | * **Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md#what-is-the-response-time-maximum): None** 10 | 11 | * **Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/master/repo-management/repo-states.md#what-is-the-response-time-maximum): None** 12 | 13 | ## Description 14 | 15 | This is a Chef Software, Inc.-supported knife plugin which provides some user/group ACL operations for Chef server. 
16 | 17 | All commands assume a working knife configuration for an admin user of a Chef organization. 18 | 19 | Reference: 20 | 21 | 1. [Chef Server Permissions PDF](https://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf) 22 | 2. [Chef Server Permissions Docs](https://docs.chef.io/server/server_orgs.html#permissions) 23 | 3. [Chef Server Groups Docs](https://docs.chef.io/server/server_orgs.html#groups) 24 | 25 | ### Installation 26 | 27 | This gem already ships as part of Chef-DK / Workstation. 28 | 29 | ### _Warning about Users group_ 30 | 31 | The "Users" group is a special group and should not be managed with knife-acl. As such, knife-acl will give an error if either `knife acl group add user users USER` or `knife acl group remove user users USER` is run. 32 | 33 | ### Chef Server Role-Based Access Control (RBAC) Summary 34 | 35 | In the context of the Chef Server's API, a container is simply the API endpoint used when creating a new object of a particular object type. 36 | 37 | For example, the container for creating client objects is called `clients` and the container for creating node objects is called `nodes`. 38 | 39 | Two containers are used when creating (uploading) cookbooks: `cookbooks` and `sandboxes`. 40 | 41 | Here is the full list of containers in a Chef Server: 42 | 43 | - clients 44 | - cookbooks 45 | - data 46 | - environments 47 | - groups 48 | - nodes 49 | - policies 50 | - policy_groups 51 | - roles 52 | - sandboxes 53 | 54 | The permissions assigned to a container are inherited by the objects that the container creates. When a permission is changed on a container, that change affects only objects created afterwards; it does not propagate to objects that already exist, so existing objects must be updated separately (for example with the `knife acl bulk add` and `knife acl bulk remove` commands described below). 
55 | 56 | For reference and restoration purposes, the [Default Permissions for Containers](#default-permissions-for-containers) section of this document contains `knife-acl` commands that will set the default permissions for the admins, clients and users groups on all containers. These can be helpful if you need to restore container permissions back to their default values. 57 | 58 | #### Permissions Management Best Practice 59 | 60 | The best practice for managing permissions is to only add clients and groups to an object's permissions. 61 | 62 | Adding a user to an object's permissions is possible by first adding a group to the permissions and then adding the user to that group. This is much easier to maintain than adding individual users to each object's permissions. 63 | 64 | To enforce this, the `knife acl add` and `knife acl bulk add` commands can only add a client or a group to an object's permissions. 65 | 66 | If a group ever needs to be removed from the permissions of all objects, the group can simply be deleted. 67 | 68 | #### Setup Default Read-Only Access for Non-admin Users 69 | 70 | The "Users" group by default provides regular (non-admin) users a lot of access to modify objects in the Chef Server. 71 | 72 | Removing the "Users" group from the "create", "update", "delete" and "grant" Access Control Entries (ACEs) of all objects and containers gives non-admin users read-only access by default. 73 | 74 | To completely prevent non-admin users from accessing any objects or containers, also remove the "Users" group from the "read" ACE. 75 | 76 | Admin users will still have default admin access to all objects and containers. 77 | 78 | **NOTE:** Currently the Chef Manage web UI will appear to allow read-only users to edit some objects. However, the changes are not actually saved and they disappear when the read-only user refreshes the page. 
79 | 80 | ``` 81 | knife acl remove group users containers clients create,update,delete,grant 82 | knife acl bulk remove group users clients '.*' create,update,delete,grant 83 | 84 | 85 | knife acl remove group users containers sandboxes create,update,delete,grant 86 | knife acl remove group users containers cookbooks create,update,delete,grant 87 | knife acl bulk remove group users cookbooks '.*' create,update,delete,grant 88 | 89 | 90 | knife acl remove group users containers data create,update,delete,grant 91 | knife acl bulk remove group users data '.*' create,update,delete,grant 92 | 93 | 94 | knife acl remove group users containers environments create,update,delete,grant 95 | knife acl bulk remove group users environments '.*' create,update,delete,grant 96 | 97 | 98 | knife acl remove group users containers nodes create,update,delete,grant 99 | knife acl bulk remove group users nodes '.*' create,update,delete,grant 100 | 101 | 102 | knife acl remove group users containers policies create,update,delete,grant 103 | knife acl bulk remove group users policies '.*' create,update,delete,grant 104 | 105 | 106 | knife acl remove group users containers policy_groups create,update,delete,grant 107 | knife acl bulk remove group users policy_groups '.*' create,update,delete,grant 108 | 109 | 110 | knife acl remove group users containers roles create,update,delete,grant 111 | knife acl bulk remove group users roles '.*' create,update,delete,grant 112 | ``` 113 | 114 | #### Selectively Allow Access 115 | 116 | You can also create a new group and manage its members with knife-acl or the Manage web interface. 117 | 118 | Then add this group to the ACEs of all appropriate containers and/or objects according to your requirements. 119 | 120 | #### Create read-only group with read only access 121 | 122 | The following set of commands creates a group named `read-only` and gives it `read` access on all objects. 
123 | 124 | ``` 125 | knife group create read-only 126 | 127 | 128 | knife acl add group read-only containers clients read 129 | knife acl bulk add group read-only clients '.*' read 130 | 131 | 132 | knife acl add group read-only containers sandboxes read 133 | knife acl add group read-only containers cookbooks read 134 | knife acl bulk add group read-only cookbooks '.*' read 135 | 136 | 137 | knife acl add group read-only containers data read 138 | knife acl bulk add group read-only data '.*' read 139 | 140 | 141 | knife acl add group read-only containers environments read 142 | knife acl bulk add group read-only environments '.*' read 143 | 144 | 145 | knife acl add group read-only containers nodes read 146 | knife acl bulk add group read-only nodes '.*' read 147 | 148 | 149 | knife acl add group read-only containers policies read 150 | knife acl bulk add group read-only policies '.*' read 151 | 152 | 153 | knife acl add group read-only containers policy_groups read 154 | knife acl bulk add group read-only policy_groups '.*' read 155 | 156 | 157 | knife acl add group read-only containers roles read 158 | knife acl bulk add group read-only roles '.*' read 159 | ``` 160 | 161 | # Subcommands 162 | 163 | ## knife user list 164 | 165 | Show a list of users associated with your organization. 166 | 167 | ## knife group list 168 | 169 | List groups in the organization. 170 | 171 | ## knife group create GROUP_NAME 172 | 173 | Create a new group `GROUP_NAME` in the organization. 174 | 175 | ## knife group show GROUP_NAME 176 | 177 | Show the membership details for `GROUP_NAME`. 178 | 179 | ## knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME 180 | 181 | Add `MEMBER_NAME` to `GROUP_NAME`. 182 | 183 | Valid `MEMBER_TYPE` values are 184 | 185 | - client 186 | - group 187 | - user 188 | 189 | ## knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME 190 | 191 | Remove `MEMBER_NAME` from `GROUP_NAME`. 
192 | 193 | See the `knife group add` documentation above for valid `MEMBER_TYPE` values. 194 | 195 | ## knife group destroy GROUP_NAME 196 | 197 | Removes group `GROUP_NAME` from the organization. All members of the group (clients, groups and users) remain in the system, only `GROUP_NAME` is removed. 198 | 199 | The `admins`, `billing-admins`, `clients` and `users` groups are special groups so knife-acl will not allow them to be destroyed. 200 | 201 | ## knife acl show OBJECT_TYPE OBJECT_NAME 202 | 203 | Shows the ACL for the specified object. Objects are identified by the combination of their type and name. 204 | 205 | Valid `OBJECT_TYPE` values are 206 | 207 | - clients 208 | - containers 209 | - cookbooks 210 | - data 211 | - environments 212 | - groups 213 | - nodes 214 | - policies 215 | - policy_groups 216 | - roles 217 | 218 | For example, use the following command to obtain the ACL for a node named "web.example.com": 219 | 220 | ``` 221 | knife acl show nodes web.example.com 222 | ``` 223 | 224 | ## knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS 225 | 226 | The best practice is to only add clients and groups to ACLs. To enforce this best practice the `knife acl add` command is only able to add a client or a group to ACLs. 227 | 228 | Valid `MEMBER_TYPE` values are 229 | 230 | - client 231 | - group 232 | 233 | Add `MEMBER_NAME` to the `PERMS` access control entry of `OBJECT_NAME`. Objects are specified by the combination of their type and name. 234 | 235 | Valid `OBJECT_TYPE` values are 236 | 237 | - clients 238 | - containers 239 | - cookbooks 240 | - data 241 | - environments 242 | - groups 243 | - nodes 244 | - policies 245 | - policy_groups 246 | - roles 247 | 248 | Valid `PERMS` are: 249 | 250 | - create 251 | - read 252 | - update 253 | - delete 254 | - grant 255 | 256 | Multiple `PERMS` can be given in a single command by separating them with a comma with no extra spaces. 
257 | 258 | For example, use the following command to give the superusers group the ability to delete and update the node called "web.example.com": 259 | 260 | ``` 261 | knife acl add group superusers nodes web.example.com delete,update 262 | ``` 263 | 264 | ## knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS 265 | 266 | The best practice is to only add clients and groups to ACLs. To enforce this best practice, the `knife acl bulk add` command is only able to add a client or a group to ACLs. 267 | 268 | Valid `MEMBER_TYPE` values are 269 | 270 | - client 271 | - group 272 | 273 | Add `MEMBER_NAME` to the `PERMS` access control entry for each object in a set of objects of `OBJECT_TYPE`. 274 | 275 | The set of objects is specified by matching the objects' names against the given `REGEX` regular expression, which should be surrounded by quotes. 276 | 277 | See the `knife acl add` documentation above for valid `OBJECT_TYPE` and `PERMS` values. 278 | 279 | Appending `-y` or `--yes` to the `knife acl bulk add` command runs it without any prompts for confirmation; without that flag, the command asks for confirmation before changing the matched objects. 280 | 281 | For example, use the following command to give the superusers group the ability to delete and update all nodes matching the regular expression 'WIN-.*': 282 | 283 | ``` 284 | knife acl bulk add group superusers nodes 'WIN-.*' delete,update --yes 285 | ``` 286 | 287 | ## knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS 288 | 289 | Remove `MEMBER_NAME` from the `PERMS` access control entry of `OBJECT_NAME`. Objects are specified by the combination of their type and name. 
290 | 291 | Valid `MEMBER_TYPE` values are 292 | 293 | - client 294 | - group 295 | - user 296 | 297 | Valid `OBJECT_TYPE` values are 298 | 299 | - clients 300 | - containers 301 | - cookbooks 302 | - data 303 | - environments 304 | - groups 305 | - nodes 306 | - policies 307 | - policy_groups 308 | - roles 309 | 310 | Valid `PERMS` are: 311 | 312 | - create 313 | - read 314 | - update 315 | - delete 316 | - grant 317 | 318 | Multiple `PERMS` can be given in a single command by separating them with a comma with no extra spaces. 319 | 320 | For example, use the following command to remove the superusers group from the delete and update access control entries for the node called "web.example.com": 321 | 322 | ``` 323 | knife acl remove group superusers nodes web.example.com delete,update 324 | ``` 325 | 326 | ## knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS 327 | 328 | Remove `MEMBER_NAME` from the `PERMS` access control entry for each object in a set of objects of `OBJECT_TYPE`. 329 | 330 | The set of objects is specified by matching the objects' names against the given `REGEX` regular expression, which should be surrounded by quotes. 331 | 332 | See the `knife acl remove` documentation above for valid `MEMBER_TYPE`, `OBJECT_TYPE` and `PERMS` values. 333 | 334 | Appending `-y` or `--yes` to the `knife acl bulk remove` command runs it without any prompts for confirmation; without that flag, the command asks for confirmation before changing the matched objects. 335 | 336 | For example, use the following command to remove the superusers group from the delete and update access control entries for all nodes matching the regular expression 'WIN-.*': 337 | 338 | ``` 339 | knife acl bulk remove group superusers nodes 'WIN-.*' delete,update --yes 340 | ``` 341 | 342 | ## Default Permissions for Containers 343 | 344 | The following commands will set the default permissions for the admins, clients and users groups on all containers. These can be helpful if you need to restore container permissions back to their default values. 
345 | 346 | ``` 347 | knife acl add group admins containers clients create,read,update,delete,grant 348 | knife acl remove group clients containers clients create,read,update,delete,grant 349 | knife acl add group users containers clients read,delete 350 | knife acl remove group users containers clients create,update,grant 351 | 352 | knife acl add group admins containers cookbook_artifacts create,read,update,delete,grant 353 | knife acl add group clients containers cookbook_artifacts read 354 | knife acl remove group clients containers cookbook_artifacts create,update,delete,grant 355 | knife acl add group users containers cookbook_artifacts create,read,update,delete 356 | knife acl remove group users containers cookbook_artifacts grant 357 | 358 | knife acl add group admins containers cookbooks create,read,update,delete,grant 359 | knife acl add group clients containers cookbooks read 360 | knife acl remove group clients containers cookbooks create,update,delete,grant 361 | knife acl add group users containers cookbooks create,read,update,delete 362 | knife acl remove group users containers cookbooks grant 363 | 364 | knife acl add group admins containers data create,read,update,delete,grant 365 | knife acl add group clients containers data read 366 | knife acl remove group clients containers data create,update,delete,grant 367 | knife acl add group users containers data create,read,update,delete 368 | knife acl remove group users containers data grant 369 | 370 | knife acl add group admins containers environments create,read,update,delete,grant 371 | knife acl add group clients containers environments read 372 | knife acl remove group clients containers environments create,update,delete,grant 373 | knife acl add group users containers environments create,read,update,delete 374 | knife acl remove group users containers environments grant 375 | 376 | knife acl add group admins containers groups create,read,update,delete,grant 377 | knife acl remove group clients 
containers groups create,read,update,delete,grant 378 | knife acl add group users containers groups read 379 | knife acl remove group users containers groups create,update,delete,grant 380 | 381 | knife acl add group admins containers nodes create,read,update,delete,grant 382 | knife acl add group clients containers nodes create,read 383 | knife acl remove group clients containers nodes update,delete,grant 384 | knife acl add group users containers nodes create,read,update,delete 385 | knife acl remove group users containers nodes grant 386 | 387 | knife acl add group admins containers policies create,read,update,delete,grant 388 | knife acl add group clients containers policies read 389 | knife acl remove group clients containers policies create,update,delete,grant 390 | knife acl add group users containers policies create,read,update,delete 391 | knife acl remove group users containers policies grant 392 | 393 | knife acl add group admins containers policy_groups create,read,update,delete,grant 394 | knife acl add group clients containers policy_groups read 395 | knife acl remove group clients containers policy_groups create,update,delete,grant 396 | knife acl add group users containers policy_groups create,read,update,delete 397 | knife acl remove group users containers policy_groups grant 398 | 399 | knife acl add group admins containers roles create,read,update,delete,grant 400 | knife acl add group clients containers roles read 401 | knife acl remove group clients containers roles create,update,delete,grant 402 | knife acl add group users containers roles create,read,update,delete 403 | knife acl remove group users containers roles grant 404 | 405 | knife acl add group admins containers sandboxes create,read,update,delete,grant 406 | knife acl remove group clients containers sandboxes create,read,update,delete,grant 407 | knife acl add group users containers sandboxes create 408 | knife acl remove group users containers sandboxes read,update,delete,grant 409 
| ``` 410 | 411 | ## Contributing 412 | 413 | For information on contributing to this project see 414 | 415 | ## License 416 | 417 | Unless otherwise specified all works in this repository are 418 | 419 | Copyright 2013-2018 Chef Software, Inc. 420 | 421 | ```text 422 | | | 423 | --------- | --------------------------------------------: 424 | Author | Seth Falcon (seth@chef.io) 425 | Author | Jeremiah Snapp (jeremiah@chef.io) 426 | Copyright | Copyright (c) 2013-2015 Chef Software, Inc. 427 | License | Apache License, Version 2.0 428 | 429 | Licensed under the Apache License, Version 2.0 (the "License"); 430 | you may not use this file except in compliance with the License. 431 | You may obtain a copy of the License at 432 | 433 | http://www.apache.org/licenses/LICENSE-2.0 434 | 435 | Unless required by applicable law or agreed to in writing, software 436 | distributed under the License is distributed on an "AS IS" BASIS, 437 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 438 | See the License for the specific language governing permissions and 439 | limitations under the License. 440 | ``` 441 | --------------------------------------------------------------------------------