Kevin Gilpin kgilpin

## basic-org.rb
test_layer = nil

group "security_admin" do
  owns do
    scope "v1" do
      ops = group "ops" do
        owns do
          test_layer = layer "test"
          layer "production"
        end

## Notes
Upgrade Conjur CLI

$ sudo /opt/conjur/embedded/bin/gem install conjur-cli --no-rdoc --no-ri


## blue-green.rb
# Simple script which creates two groups, blue and green. Each
# group contains a couple of users. The groups have different permissions
# on 'webservice' resources. In an SDF gatekeeper scenario, the 'blue'
# team will be able to 'read' service a, and the 'green' team will be
# able to 'read' service b. Neither team can perform any action besides 'read'.
# The owner of the 'webservice' resources (which is the user that runs this script)
# has all permissions on all records, via Conjur ownership.

# Create the blue team
blue = group "blue" do

## How-To-Play-Quake2-With-Conjur.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kgilpin
                / How-To-Play-Quake2-With-Conjur.md
            
            
              Last active
              August 29, 2015 14:26
            
          
    How to play Quake2 with Conjur

Have you checked out how we secured a Node.js port of Quake2 using Nginx and Conjur
and you want to give it a try yourself?
Here's how to do it.
Install the Conjur CLI

First, install the Conjur CLI. You'll need this to login to Conjur.

  
## executor.rb
        exit_code = Open3.popen3(env, cmd, opts) do |stdin, stdout, stderr, thread|
          stdin.close
          # Create a thread to read from each stream
          threads = [[:stdout, stdout], [:stderr, stderr]].collect do |method, stream|
            Thread.new do
              until (line = stream.gets).nil?
                callback.send(method, line)
              end
            end
          end

## gist:3537559
cd pkg && INSCITIV_ENV=stage rvm 1.9.2@myproject do bundle exec ../bin/conjur datafile:upload "Jenkins artifacts: myproject" *.gem

## gist:3873480
  # Need to find the next available device to let AWS know where to attach
  # the volume
  drive = (Array('c'..'z').map{|c| "/dev/xvd#{c}"} - Dir.glob("/dev/xvd*"))[0]
  device_id = drive[-1..-1]

## bastion-policy.rb
# Defines a Bastion server layer.
#
# Usage:
# conjur policy load --as-group ops bastion-policy.rb
policy "bastion" do
  # Members of this group will be able to adminsiter the bastion.
  admins = group "admins"
  # Members of this group will be able to login to the bastion
  # with a regular, non-privileged account.
  users  = group "users"

## create_bacon.sh
$ conjur resource:create food:$ns/bacon
{
  "id":    "sandbox:food:1eqwg0/bacon",
  "owner": "sandbox:user:kgilpin",
  "permissions": []
}

## README.md

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                kgilpin
                / README.md
            
            
              Last active
              February 11, 2016 22:23
            
              
                Conjur Traffic Auth for the Truly Paranoid
              
          
    Approach

Create distinct roles with specific permissions to call untrusted web services.
Client services authenticate as one of these roles when calling an untrusted web service.
Discussion

When using an externalized (Nginx) forwarder and gatekeeper, a webservice client can send a Conjur access
token for its own identity. The client doesn't have to worry about the gatekeeper misusing the access token,
	test_layer = nil

	group "security_admin" do
	owns do
	scope "v1" do
	ops = group "ops" do
	owns do
	test_layer = layer "test"
	layer "production"
	end
	Upgrade Conjur CLI

	$ sudo /opt/conjur/embedded/bin/gem install conjur-cli --no-rdoc --no-ri
	# Simple script which creates two groups, blue and green. Each
	# group contains a couple of users. The groups have different permissions
	# on 'webservice' resources. In an SDF gatekeeper scenario, the 'blue'
	# team will be able to 'read' service a, and the 'green' team will be
	# able to 'read' service b. Neither team can perform any action besides 'read'.
	# The owner of the 'webservice' resources (which is the user that runs this script)
	# has all permissions on all records, via Conjur ownership.

	# Create the blue team
	blue = group "blue" do
	exit_code = Open3.popen3(env, cmd, opts) do \|stdin, stdout, stderr, thread\|
	stdin.close
	# Create a thread to read from each stream
	threads = [[:stdout, stdout], [:stderr, stderr]].collect do \|method, stream\|
	Thread.new do
	until (line = stream.gets).nil?
	callback.send(method, line)
	end
	end
	end
	# Need to find the next available device to let AWS know where to attach
	# the volume
	drive = (Array('c'..'z').map{\|c\| "/dev/xvd#{c}"} - Dir.glob("/dev/xvd*"))[0]
	device_id = drive[-1..-1]
	# Defines a Bastion server layer.
	#
	# Usage:
	# conjur policy load --as-group ops bastion-policy.rb
	policy "bastion" do
	# Members of this group will be able to adminsiter the bastion.
	admins = group "admins"
	# Members of this group will be able to login to the bastion
	# with a regular, non-privileged account.
	users = group "users"
	$ conjur resource:create food:$ns/bacon
	{
	"id": "sandbox:food:1eqwg0/bacon",
	"owner": "sandbox:user:kgilpin",
	"permissions": []
	}