author | John Keiser <jkeiser@opscode.com> | 2014-07-24 20:49:02 -0600 |
---|---|---|
committer | John Keiser <jkeiser@opscode.com> | 2014-08-22 09:20:49 -0700 |
commit | 2215d4cef3592d5cb9061b6ecfa3343a8d55460a (patch) | |
tree | b70c12f7bc157e8e95d180bde97e850d466c6f04 | |
parent | 512267cdd9efd90095db8c70874727d489852e70 (diff) | |
download | chef-zero-2215d4cef3592d5cb9061b6ecfa3343a8d55460a.tar.gz |
Build full acls for groups; don't give new container objects
any groups by default
-rw-r--r-- | lib/chef_zero/data_normalizer.rb | 2 | ||||
-rw-r--r-- | lib/chef_zero/data_store/default_facade.rb | 62 | ||||
-rw-r--r-- | lib/chef_zero/endpoints/acl_base.rb | 9 |
3 files changed, 50 insertions, 23 deletions
diff --git a/lib/chef_zero/data_normalizer.rb b/lib/chef_zero/data_normalizer.rb
index cd4f40a..1e5cd67 100644
--- a/lib/chef_zero/data_normalizer.rb
+++ b/lib/chef_zero/data_normalizer.rb
@@ -7,7 +7,7 @@ module ChefZero
 %w(create read update delete grant).each do |perm|
 acls[perm] ||= {}
 acls[perm]['actors'] ||= []
- acls[perm]['groups'] ||= [ 'admins' ]
+ acls[perm]['groups'] ||= [ ]
 end
 acls
 end
diff --git a/lib/chef_zero/data_store/default_facade.rb b/lib/chef_zero/data_store/default_facade.rb
index 49439b9..2cb1956 100644
--- a/lib/chef_zero/data_store/default_facade.rb
+++ b/lib/chef_zero/data_store/default_facade.rb
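Review bot: The new default on the `+` line is written `[ ]` while the `actors` default directly above it uses `[]`; `acls[perm]['groups'] ||= []` keeps the two defaults uniform, and the acl_base.rb hunk in this same commit already spells it that way. Since a permission with no `groups` key now grants no group at all instead of the previously implied `admins`, a short comment would stop the next reader from treating this as an accidental omission: `# No implicit groups: group access must be granted explicitly in the ACL document`. The enclosing method starts before this hunk.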
@@ -261,46 +261,64 @@ module ChefZero
 "create": { "groups": [ "admins", "users" ] },
 "read": { "groups": [ "admins", "users", "clients" ] },
 "update": { "groups": [ "admins", "users" ] },
- "delete": { "groups": [ "admins", "users" ] }
+ "delete": { "groups": [ "admins", "users" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'environments' => '{
 "create": { "groups": [ "admins", "users" ] },
 "read": { "groups": [ "admins", "users", "clients" ] },
 "update": { "groups": [ "admins", "users" ] },
- "delete": { "groups": [ "admins", "users" ] }
+ "delete": { "groups": [ "admins", "users" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'roles' => '{
 "create": { "groups": [ "admins", "users" ] },
 "read": { "groups": [ "admins", "users", "clients" ] },
 "update": { "groups": [ "admins", "users" ] },
- "delete": { "groups": [ "admins", "users" ] }
+ "delete": { "groups": [ "admins", "users" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'data' => '{
 "create": { "groups": [ "admins", "users", "clients" ] },
 "read": { "groups": [ "admins", "users", "clients" ] },
 "update": { "groups": [ "admins", "users", "clients" ] },
- "delete": { "groups": [ "admins", "users", "clients" ] }
+ "delete": { "groups": [ "admins", "users", "clients" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'nodes' => '{
 "create": { "groups": [ "admins", "users", "clients" ] },
 "read": { "groups": [ "admins", "users", "clients" ] },
 "update": { "groups": [ "admins", "users" ] },
- "delete": { "groups": [ "admins", "users" ] }
+ "delete": { "groups": [ "admins", "users" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'clients' => '{
- "read": { "groups": [ "admins", "users" ] },
- "delete": { "groups": [ "admins", "users" ] }
+ "create": { "groups": [ "admins" ] },
+ "read": { "groups": [ "admins", "users" ] },
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins", "users" ] },
+ "grant": { "groups": [ "admins" ] }
+ }',
+ 'groups' => '{
+ "create": { "groups": [ "admins" ] },
+ "read": { "groups": [ "admins", "users" ] },
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
- 'groups' => '{}',
 'containers' => %'{
- "create": { "actors": [ #{creator.inspect} ] },
- "read": { "actors": [ #{creator.inspect} ], "groups": [ "admins", "users" ] },
- "update": { "actors": [ #{creator.inspect} ] },
- "delete": { "actors": [ #{creator.inspect} ] },
- "grant": { "actors": [ #{creator.inspect} ] }
+ "create": { "groups": [ "admins" ] },
+ "read": { "groups": [ "admins", "users" ] },
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'sandboxes' => '{
- "create": { "groups": [ "admins", "users" ] }
+ "create": { "groups": [ "admins", "users" ] }
+ "read": { "groups": [ "admins" ] },
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins" ] },
+ "grant": { "groups": [ "admins" ] }
 }'
 },
 'cookbooks' => {},
@@ -323,14 +341,18 @@ module ChefZero
 'nodes' => {},
 'roles' => {},
 'organization' => %'{
- "create": { "actors": #{superusers.inspect} },
- "read": { "actors": #{superusers.inspect}, "groups": [ "admins", "users" ] },
- "update": { "actors": #{superusers.inspect} },
- "delete": { "actors": #{superusers.inspect} },
- "grant": { "actors": #{superusers.inspect} }
+ "create": { "groups": [ "admins" ] },
+ "read": { "groups": [ "admins", "users" ] },
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'organizations' => '{
- "read": { "groups": [ "admins", "users" ]}
+ "create": { "groups": [ "admins" ] },
+ "read": { "groups": [ "admins", "users" ]},
+ "update": { "groups": [ "admins" ] },
+ "delete": { "groups": [ "admins" ] },
+ "grant": { "groups": [ "admins" ] }
 }',
 'sandboxes' => {}
 },
diff --git a/lib/chef_zero/endpoints/acl_base.rb b/lib/chef_zero/endpoints/acl_base.rb
index ca51420..cce9c5c 100644
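Review bot: In the `sandboxes` entry of the first hunk, the new `+ "create": { "groups": [ "admins", "users" ] }` line has no trailing comma but is now followed by a `"read"` member, so the string is no longer valid JSON and parsing the sandboxes container ACL will fail the first time it is loaded (every other entry in this hunk separates its five permissions with commas). The line should read `"create": { "groups": [ "admins", "users" ] },`. That the `-`/`+` pair for this line shows identical text suggests only whitespace changed there, which is exactly the kind of line a reviewer skips. The enclosing hash literal starts before this hunk.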
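Review bot: In the second hunk the `organization` ACL keeps its `%'{` interpolating literal although the rewritten body contains no `#{...}` any more; a plain `'organization' => '{` matches the neighbouring `organizations` entry and makes it obvious that the document is now static. Removing `superusers` from the actors of every permission looks safe only because acl_base.rb in this commit merges the owners back in at read time (`acls[perm]['actors'] = owners | acls[perm]['actors']`), so a comment on the entry naming that dependency, e.g. `# Superusers are not listed here: AclBase merges the org/server owners into every permission`, would keep the two files from drifting apart. The enclosing hash literal starts before this hunk.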
--- a/lib/chef_zero/endpoints/acl_base.rb
+++ b/lib/chef_zero/endpoints/acl_base.rb
@@ -33,6 +33,7 @@ module ChefZero
 acls[perm]['actors'] ||= []
 # The owners of the org and of the server (the superusers) have rights too
 acls[perm]['actors'] = owners | acls[perm]['actors']
+ acls[perm]['groups'] ||= []
 end
 acls
 end
@@ -41,8 +42,12 @@ module ChefZero
 def get_container_acls(request, path)
 if path[0] == 'organizations'
- if %w(clients containers cookbooks data environments groups nodes roles sandboxes).include?(path[2])
- if path[2..3] != ['containers', 'containers']
+ if %w(clients cookbooks data environments groups nodes roles sandboxes).include?(path[2])
+ return get_acls(request, path[0..1] + [ 'containers', path[2] ])
+ elsif path[2] == 'containers'
+ # When we create containers, we don't merge them with the container container.
+ # Go figure.
+ if path[3] != 'containers' && is_created_with_org?(path)
 return get_acls(request, path[0..1] + [ 'containers', path[2] ])
 end
 end |
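Review bot: In the first hunk the new `acls[perm]['groups'] ||= []` is placed after the owners merge, so the `# The owners ...` comment now sits between the two key defaults rather than next to the line it explains; moving the groups default directly under `acls[perm]['actors'] ||= []` keeps the two `||=` defaults together and the comment adjacent to the merge. Whatever the placement, the default deliberately grants no group (the old data_normalizer default in this same commit was `admins`), which deserves a one-line comment such as `# groups default to none; only the owners are added implicitly, to actors above`. The enclosing method starts before this hunk.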