Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Simple blue/green model
# Simple script which creates two groups, blue and green. Each
# group contains a couple of users. The groups have different permissions
# on 'webservice' resources. In an SDF gatekeeper scenario, the 'blue'
# team will be able to 'read' service a, and the 'green' team will be
# able to 'read' service b. Neither team can perform any action besides 'read'.
# The owner of the 'webservice' resources (which is the user that runs this script)
# has all permissions on all records, via Conjur ownership.
# Create the blue team
blue = group "blue" do
add_member user("bob", password: 'password')
add_member user("brenda", password: 'password')
end
# Create the green team
green = group "green" do
add_member user("george", password: 'password')
add_member user("greg", password: 'password')
end
a = resource "webservice", "blue-green-a"
b = resource "webservice", "blue-green-b"
# Blue team can 'read' blue-green-a
blue.can "read", a
# Green team can 'read' blue-green-b
green.can "read", b
#!/bin/bash
conjur authn whoami
# {"account":"kegdev","username":"kgilpin"}
CONJURAPI_LOG=stderr conjur script execute -c blue-green.json blue-green.rb
conjur resource permitted_roles webservice:blue-green-a read
#[
# "kegdev:user:kgilpin",
# "kegdev:group:blue",
# "kegdev:user:brenda",
# "kegdev:user:bob"
#]
conjur resource permitted_roles webservice:blue-green-b read
#[
# "kegdev:user:kgilpin",
# "kegdev:group:green",
# "kegdev:user:george",
# "kegdev:user:greg"
#]
conjur resource permitted_roles webservice:blue-green-a update
#[
# "kegdev:user:kgilpin"
#]
conjur resource check webservice:blue-green-a update
#true
echo password | conjur authn login brenda
# Logged in
conjur authn whoami
# {"account":"kegdev","username":"brenda"}
conjur resource check webservice:blue-green-a read
# true
conjur resource check webservice:blue-green-b read
# false
conjur resource check webservice:blue-green-a update
# false
echo password | conjur authn login greg
# Logged in
conjur authn whoami
# {"account":"kegdev","username":"greg"}
conjur resource check webservice:blue-green-a read
# false
conjur resource check webservice:blue-green-b read
# true
conjur resource check webservice:blue-green-a update
# false
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.