class MU::Config::Role
Basket of Kittens config schema and parser logic. See modules/mu/providers/*/role.rb
Public Class Methods
A generic, cloud-neutral descriptor for a policy that grants or denies permissions to some entity over some other entity. @param subobjects [Boolean]: Whether the returned schema should include a path
parameter @param grant_to [Boolean]: Whether the returned schema should include an explicit grant_to
parameter @return [Hash]
# File modules/mu/config/role.rb, line 59 def self.policy_primitive(subobjects: false, grant_to: false, permissions_optional: false, targets_optional: false) cfg = { "type" => "object", "description" => "Policies which grant or deny permissions.", "required" => ["name"], # "additionalProperties" => false, "properties" => { "name" => { "type" => "string", "description" => "A unique name for this policy" }, "flag" => { "type" => "string", "enum" => ["allow", "deny"], "default" => "allow" }, "permissions" => { "type" => "array", "items" => { "type" => "string", "description" => "Permissions to grant or deny. Valid permission strings are cloud-specific." } }, "targets" => { "type" => "array", "items" => { "type" => "object", "description" => "Entities to which this policy will grant or deny access.", "required" => ["identifier"], "additionalProperties" => false, "properties" => { "type" => { "type" => "string", "description" => "A Mu resource type, used when referencing a sibling Mu resource in this stack with +identifier+.", "enum" => MU::Cloud.resource_types.values.map { |t| t[:cfg_name] }.sort }, "identifier" => { "type" => "string", "description" => "Either the name of a sibling Mu resource in this stack (used in conjunction with +entity_type+), or the full cloud identifier for a resource, such as an ARN in Amazon Web Services." }, "path" => { "type" => "string", } } } } } } cfg["required"] << "permissions" if !permissions_optional cfg["required"] << "targets" if !targets_optional schema_aliases = [ { "identifier" => "id" }, ] if grant_to cfg["properties"]["grant_to"] = { "type" => "array", "default" => [ { "identifier" => "*" } ], "items" => MU::Config::Ref.schema(schema_aliases, desc: "Entities to which this policy will grant or deny access.") } end if subobjects cfg["properties"]["targets"]["items"]["properties"]["path"] = { "type" => "string", "description" => "Target this policy to a path or child resource of the object to which we are granting or denying permissions, such as a key or wildcard in an S3 or Cloud Storage bucket." } end cfg end
Chunk of schema to reference an account/project, here to be embedded into the schemas of other resources.
# File modules/mu/config/role.rb, line 50 def self.reference MU::Config::Ref.schema(type: "roles") end
Base configuration schema for a Group
@return [Hash]
# File modules/mu/config/role.rb, line 22 def self.schema { "type" => "object", "additionalProperties" => false, "description" => "Set up a cloud provider role for mapping permissions to other entities", "properties" => { "name" => { "type" => "string", "description" => "The name of a cloud provider role to create", "pattern" => '^[a-zA-Z0-9_\-]+$' }, "import" => { "type" => "array", "items" => { "type" => "string", "description" => "Import pre-fabricated roles/policies from the cloud provider into this role." } }, "policies" => { "type" => "array", "items" => self.policy_primitive } } } end
Generic pre-processing of {MU::Config::BasketofKittens::role}, bare and unvalidated. @param _role [Hash]: The resource to process and validate @param _configurator [MU::Config]: The overall deployment configurator of which this resource is a member @return [Boolean]: True if validation succeeded, False otherwise
# File modules/mu/config/role.rb, line 137 def self.validate(_role, _configurator) ok = true ok end