# Minimal blue/green authorization model, written in the Conjur policy DSL.
#
# Two groups are created, each holding two users. Two 'webservice' resources
# are created and each group is granted a single privilege, 'read', on one of
# them: blue -> blue-green-a, green -> blue-green-b. Neither team is granted
# any other privilege. The role that runs this script owns every record it
# creates and so holds all privileges on them through ownership, independent
# of the grants below.
#
# NOTE(review): every user here is created with the literal password
# 'password'. This is fixture data for a throwaway demo environment.

# Blue team and its two members.
blue = group("blue") do
  add_member(user("bob", password: 'password'))
  add_member(user("brenda", password: 'password'))
end

# Green team and its two members.
green = group("green") do
  add_member(user("george", password: 'password'))
  add_member(user("greg", password: 'password'))
end

# The two protected services, one per team.
service_a = resource("webservice", "blue-green-a")
service_b = resource("webservice", "blue-green-b")

# Each team may only 'read' its own service; nothing is granted cross-team.
blue.can("read", service_a)
green.can("read", service_b)
#!/bin/bash
# Walk-through of the blue/green model defined in blue-green.rb.
#
# The policy is loaded as the current (owner) identity, then one member of
# each team logs in and the script checks what that member is permitted to do.
# The '#' lines following each command record the output the original author
# observed; the account "kegdev" and the owner "kgilpin" belong to that
# environment and will differ elsewhere.

# Identity that will own every record the policy creates.
conjur authn whoami
# {"account":"kegdev","username":"kgilpin"}

# Load the policy. API logging is routed to stderr for this command only.
env CONJURAPI_LOG=stderr conjur script execute -c blue-green.json blue-green.rb

# Roles holding 'read' on each service: the owner, the team group, and the
# group's members (by inheritance).
conjur resource permitted_roles webservice:blue-green-a read
#[
#  "kegdev:user:kgilpin",
#  "kegdev:group:blue",
#  "kegdev:user:brenda",
#  "kegdev:user:bob"
#]
conjur resource permitted_roles webservice:blue-green-b read
#[
#  "kegdev:user:kgilpin",
#  "kegdev:group:green",
#  "kegdev:user:george",
#  "kegdev:user:greg"
#]

# 'update' was never granted, so only the owner holds it.
conjur resource permitted_roles webservice:blue-green-a update
#[
#  "kegdev:user:kgilpin"
#]
conjur resource check webservice:blue-green-a update
#true

# Switch to a blue-team member. The password is fed on stdin rather than as
# an argument, so it does not show up in the process list.
conjur authn login brenda <<<password
# Logged in
conjur authn whoami
# {"account":"kegdev","username":"brenda"}

# brenda: read on her own team's service only, and no 'update' anywhere.
conjur resource check webservice:blue-green-a read
# true
conjur resource check webservice:blue-green-b read
# false
conjur resource check webservice:blue-green-a update
# false

# Switch to a green-team member, same stdin login.
conjur authn login greg <<<password
# Logged in
conjur authn whoami
# {"account":"kegdev","username":"greg"}

# greg: the mirror image of brenda's results.
conjur resource check webservice:blue-green-a read
# false
conjur resource check webservice:blue-green-b read
# true
conjur resource check webservice:blue-green-a update
# false