author | John Keiser <jkeiser@opscode.com> | 2014-07-24 22:06:29 -0600 |
---|---|---|
committer | John Keiser <jkeiser@opscode.com> | 2014-08-22 09:20:49 -0700 |
commit | d77274c6deba896881fcc92e6fd151856852a8af (patch) | |
tree | 6a6dd55b6c44a24e1d19614a54f44c20531a0d29 | |
parent | 2215d4cef3592d5cb9061b6ecfa3343a8d55460a (diff) | |
Get rid of owner storage, move to explicit container acl model
-rw-r--r-- | lib/chef_zero/data_store/default_facade.rb | 216 | ||||
-rw-r--r-- | lib/chef_zero/endpoints/acl_base.rb | 40 |
2 files changed, 145 insertions, 111 deletions
diff --git a/lib/chef_zero/data_store/default_facade.rb b/lib/chef_zero/data_store/default_facade.rb
index 2cb1956..74d1ba4 100644
--- a/lib/chef_zero/data_store/default_facade.rb
+++ b/lib/chef_zero/data_store/default_facade.rb
@@ -74,17 +74,15 @@ module ChefZero
         real_store.clear if real_store.respond_to?(:clear)
         @defaults = {
           'organizations' => {},
-          'acls' => {},
-          'metadata' => {
-            'owners' => {
-              '' => superusers.inject({}) { |result,key| result[key] = '{}'; result }
-            }
-          }
+          'acls' => {}
         }
         unless osc_compat
           @defaults['users'] = {}
+          @defaults['superusers'] = {}
+          superusers.each do |superuser|
             @defaults['users'][superuser] = '{}'
+            @defaults['superusers'][superuser] = '{}'
           end
         end
       end
@@ -113,7 +111,6 @@ module ChefZero
           orgname = path[1]
         end
         @defaults['organizations'][orgname] ||= DefaultFacade.org_defaults(orgname, requestor, superusers, osc_compat)
-        @defaults['metadata']['owners']["organizations/#{orgname}"] = { requestor => '{}' } if requestor
       end
     end
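Review bot: The new `superusers` container is created only inside the `unless osc_compat` branch, while the readers this commit adds elsewhere (`org_acls` in this file and `AclBase#superusers` in acl_base.rb) call `list([ 'superusers' ])` unconditionally, so in osc_compat mode they would be listing a path the defaults never populate. If the ACL endpoints are not reachable in osc_compat mode this is harmless, but the coupling is invisible from this hunk; either hoist `@defaults['superusers'] = {}` above the `unless osc_compat` so the container always exists, or state the assumption next to it with `# superusers is only consulted by the ACL endpoints, which osc_compat does not expose`. The enclosing method begins before this hunk.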
@@ -257,69 +254,69 @@ module ChefZero 'acls' => { 'clients' => {}, 'containers' => { - 'cookbooks' => '{ - "create": { "groups": [ "admins", "users" ] }, - "read": { "groups": [ "admins", "users", "clients" ] }, - "update": { "groups": [ "admins", "users" ] }, - "delete": { "groups": [ "admins", "users" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'environments' => '{ - "create": { "groups": [ "admins", "users" ] }, - "read": { "groups": [ "admins", "users", "clients" ] }, - "update": { "groups": [ "admins", "users" ] }, - "delete": { "groups": [ "admins", "users" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'roles' => '{ - "create": { "groups": [ "admins", "users" ] }, - "read": { "groups": [ "admins", "users", "clients" ] }, - "update": { "groups": [ "admins", "users" ] }, - "delete": { "groups": [ "admins", "users" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'data' => '{ - "create": { "groups": [ "admins", "users", "clients" ] }, - "read": { "groups": [ "admins", "users", "clients" ] }, - "update": { "groups": [ "admins", "users", "clients" ] }, - "delete": { "groups": [ "admins", "users", "clients" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'nodes' => '{ - "create": { "groups": [ "admins", "users", "clients" ] }, - "read": { "groups": [ "admins", "users", "clients" ] }, - "update": { "groups": [ "admins", "users" ] }, - "delete": { "groups": [ "admins", "users" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'clients' => '{ - "create": { "groups": [ "admins" ] }, - "read": { "groups": [ "admins", "users" ] }, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins", "users" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'groups' => '{ - "create": { "groups": [ "admins" ] }, - "read": { "groups": [ "admins", "users" ] }, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'containers' => %'{ - "create": { "groups": [ "admins" ] }, - 
"read": { "groups": [ "admins", "users" ] }, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'sandboxes' => '{ - "create": { "groups": [ "admins", "users" ] } - "read": { "groups": [ "admins" ] }, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins" ] }, - "grant": { "groups": [ "admins" ] } - }' + 'cookbooks' => fill_acls(creator, { + :create => %w(admins users), + :read => %w(admins users clients), + :update => %w(admins users), + :delete => %w(admins users), + :grant => %w(admins) + }), + 'environments' => fill_acls(creator, { + :create => %w(admins users), + :read => %w(admins users clients), + :update => %w(admins users), + :delete => %w(admins users), + :grant => %w(admins) + }), + 'roles' => fill_acls(creator, { + :create => %w(admins users), + :read => %w(admins users clients), + :update => %w(admins users), + :delete => %w(admins users), + :grant => %w(admins) + }), + 'data' => fill_acls(creator, { + :create => %w(admins users clients), + :read => %w(admins users clients), + :update => %w(admins users clients), + :delete => %w(admins users clients), + :grant => %w(admins) + }), + 'nodes' => fill_acls(creator, { + :create => %w(admins users clients), + :read => %w(admins users clients), + :update => %w(admins users), + :delete => %w(admins users), + :grant => %w(admins) + }), + 'clients' => fill_acls(creator, { + :create => %w(admins), + :read => %w(admins users), + :update => %w(admins), + :delete => %w(admins users), + :grant => %w(admins) + }), + 'groups' => fill_acls(creator, { + :create => %w(admins), + :read => %w(admins users), + :update => %w(admins), + :delete => %w(admins), + :grant => %w(admins) + }), + 'containers' => fill_acls(creator, { + :create => %w(admins), + :read => %w(admins users), + :update => %w(admins), + :delete => %w(admins), + :grant => %w(admins) + }), + 'sandboxes' => fill_acls(creator, { + :create => %w(admins users), + :read => 
%w(admins), + :update => %w(admins), + :delete => %w(admins), + :grant => %w(admins) + }) }, 'cookbooks' => {}, 'data' => {}, @@ -340,20 +337,14 @@ module ChefZero }, 'nodes' => {}, 'roles' => {}, - 'organization' => %'{ - "create": { "groups": [ "admins" ] }, - "read": { "groups": [ "admins", "users" ] }, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins" ] }, - "grant": { "groups": [ "admins" ] } - }', - 'organizations' => '{ - "create": { "groups": [ "admins" ] }, - "read": { "groups": [ "admins", "users" ]}, - "update": { "groups": [ "admins" ] }, - "delete": { "groups": [ "admins" ] }, - "grant": { "groups": [ "admins" ] } - }', + 'organization' => org_acls, + 'organizations' => fill_acls(creator, { + :create => %w(admins), + :read => %w(admins users), + :update => %w(admins), + :delete => %w(admins), + :grant => %w(admins) + }), 'sandboxes' => {} }, 'association_requests' => {} 
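Review bot: The permission matrix under `'containers'` repeats identical group tables several times (cookbooks, environments and roles share one; groups and containers share another), so tightening one of them later is easy to miss on its twins. Hoisting each shared table into a frozen constant, e.g. `USER_MANAGED = { :create => %w(admins users), :read => %w(admins users clients), :update => %w(admins users), :delete => %w(admins users), :grant => %w(admins) }.freeze`, and passing it to `fill_acls` keeps the matrix reviewable in one place. Note also that `fill_acls` lists `creator` under every permission including `grant`, so the org creator keeps the right to re-grant access on every container; if that is intended, a comment such as `# creator is an explicit actor on every permission of every container, including grant` would make the trust decision visible to the next reader. The `org_defaults` method begins before this hunk and continues after it.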
@@ -369,6 +360,63 @@ module ChefZero
         result
       end
+      private
+
+      def self.org_acls
+        proc do |data, path|
+          superusers = data.list([ 'superusers' ])
+          acls = {
+            'create' => {
+              'actors' => superusers,
+              'groups' => %w(admins)
+            },
+            'read' => {
+              'actors' => superusers,
+              'groups' => %w(admins users)
+            },
+            'update' => {
+              'actors' => superusers,
+              'groups' => %w(admins)
+            },
+            'delete' => {
+              'actors' => superusers,
+              'groups' => %w(admins)
+            },
+            'grant' => {
+              'actors' => superusers,
+              'groups' => %w(admins)
+            }
+          }
+          JSON.pretty_generate(acls)
+        end
+      end
+
+      def self.fill_acls(creator, group_acls)
+        acls = {
+          'create' => {
+            'actors' => [ creator ],
+            'groups' => group_acls[:create]
+          },
+          'read' => {
+            'actors' => [ creator ],
+            'groups' => group_acls[:read]
+          },
+          'update' => {
+            'actors' => [ creator ],
+            'groups' => group_acls[:update]
+          },
+          'delete' => {
+            'actors' => [ creator ],
+            'groups' => group_acls[:delete]
+          },
+          'grant' => {
+            'actors' => [ creator ],
+            'groups' => group_acls[:grant]
+          }
+        }
+        return JSON.pretty_generate(acls)
+      end
+
       def self.admins_group(creator)
         proc do |data, path|
           admins = data.list(path[0..1] + [ 'users' ]).select do |name|
diff --git a/lib/chef_zero/endpoints/acl_base.rb b/lib/chef_zero/endpoints/acl_base.rb
index cce9c5c..a738cba 100644
--- a/lib/chef_zero/endpoints/acl_base.rb
+++ b/lib/chef_zero/endpoints/acl_base.rb
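Review bot: `fill_acls` writes `'actors' => [ creator ]` unconditionally, so if `creator` is nil the stored ACL JSON contains `"actors": [null]` for every permission; the line this commit removes in the defaults hunk (`... = { requestor => '{}' } if requestor`) suggests the requestor handed to `org_defaults` can indeed be nil, so this is worth guarding rather than assuming. Building the five entries in a loop also removes the copy-paste that makes it easy for one permission to drift from the others, and the unused block parameter in `org_acls` should be `_path`. The rewritten helper below keeps the same name, arguments and return type (a pretty-printed JSON string).

```ruby
      def self.fill_acls(creator, group_acls)
        # A nil creator must not serialize as an actor named null.
        actors = creator.nil? ? [] : [ creator ]
        acls = %w(create read update delete grant).each_with_object({}) do |perm, result|
          result[perm] = { 'actors' => actors, 'groups' => group_acls[perm.to_sym] }
        end
        JSON.pretty_generate(acls)
      end
```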
@@ -26,7 +26,17 @@ module ChefZero
         end
         # We merge owners into every acl, because we're awesome like that.
-        owners = owners_of(path)
+        # The objects that were created with the org itself, and containers for
+        # some reason, have the peculiar property of missing pivotal from their acls.
+        if is_created_with_org?(path, false) || path[0] == 'organizations' && path[2] == 'containers'
+          owners = []
+        else
+          owners = superusers
+          # Clients need to be in their own acl list
+          if path.size == 4 && path[0] == 'organizations' && path[2] == 'clients'
+            owners |= [ path[3] ]
+          end
+        end
         %w(create read update delete grant).each do |perm|
           acls[perm] ||= {}
@@ -55,18 +65,8 @@ module ChefZero
         return nil
       end
-      def owners_of(path)
-        # The objects that were created with the org itself, and containers for
-        # some reason, have the peculiar property of missing pivotal from their acls.
-        if is_created_with_org?(path, false) || path[0] == 'organizations' && path[2] == 'containers'
-          list_metadata(path[0..1], 'owners')
-        else
-          result = list_metadata(path, 'owners', :recurse_up)
-          if path.size == 4 && path[0] == 'organizations' && path[2] == 'clients'
-            result |= [ path[3] ]
-          end
-          result
-        end
+      def superusers
+        data_store.list([ 'superusers' ])
       end
       def is_created_with_org?(path, osc_compat = false)
@@ -78,20 +78,6 @@ module ChefZero
         end
         return !!value
       end
-
-      # Used by owners_of to find all owners of a thing by looking up
-      # the trail of directories
-      def list_metadata(path, metadata_type, *options)
-        begin
-          result = data_store.list([ 'metadata', metadata_type, path.join('/') ])
-        rescue DataStore::DataNotFoundError
-          result = []
-        end
-        if options.include?(:recurse_up) && path.size >= 1
-          result = list_metadata(path[0..-2], metadata_type, *options) | result
-        end
-        return result
-      end
     end
   end
 end
|
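Review bot: The condition `if is_created_with_org?(path, false) || path[0] == 'organizations' && path[2] == 'containers'` relies on `&&` binding tighter than `||`; it evaluates as intended, but now that it sits inline in the endpoint body the grouping should be explicit: `if is_created_with_org?(path, false) || (path[0] == 'organizations' && path[2] == 'containers')`. In the else branch the client itself is added to `owners`, which the loop below merges into all five permissions including `grant`; if a client is meant to be able to grant on its own ACL, say so next to the existing comment, e.g. `# a client is an actor on every permission of its own acl, including grant`. The enclosing method begins before this hunk and continues after it.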
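Review bot: `superusers` calls `data_store.list([ 'superusers' ])` without the `rescue DataStore::DataNotFoundError` that the removed `list_metadata` carried, and the defaults hunk in default_facade.rb creates the `superusers` container only when `osc_compat` is false, so an ACL request against a store without that container would now raise instead of yielding an empty owner list. If that mode can reach these endpoints, add a method-level rescue before the closing `end` — `rescue DataStore::DataNotFoundError` then `[]` — which fails closed (no implicit superuser rights) rather than with a 500; otherwise document the precondition with `# assumes the 'superusers' container exists; DefaultFacade only creates it outside osc_compat`. This helper is also the single source of the superuser list for every ACL, so the top-level `superusers` path deserves the same write protection as `users`; this diff does not show an ACL covering it, which is worth confirming.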