@nickanderson
Created July 5, 2023 19:23
How to add custom policy to grant clients access to a custom directory and integrate via cfbs.

To grant clients access to a new path via cf-serverd you need an access type promise.

We can create my-custom-access.cf with a server bundle and an access type promise:

bundle server my_custom_access
{
    access:
      "/my/path"
        admit => { @(def.acl) },
        comment => "Custom stuff in /my/path that hosts need access to";
}

Assuming this file will be kept as a “local module” inside the cfbs project, we can add it with cfbs add:

exec 2>&1
cfbs add ./my-custom-access.cf --non-interactive
:
WARNING: Did not find any bundles to add to bundlesequence
[main 20dfc65] Added module './my-custom-access.cf'
 2 files changed, 17 insertions(+)
 create mode 100644 my-custom-access.cf
Added module: ./my-custom-access.cf
Committing using git:

With that the cfbs project file should look something like this:

cat cfbs.json
{
  "name": "Example project",
  "type": "policy-set",
  "description": "Example description",
  "build": [
    {
      "name": "masterfiles",
      "description": "Official CFEngine Masterfiles Policy Framework (MPF).",
      "tags": ["supported", "base"],
      "repo": "https://github.com/cfengine/masterfiles",
      "by": "https://github.com/cfengine",
      "version": "3.21.2",
      "commit": "f495603285f9bd90d5d36df4fec4870aeee751e8",
      "added_by": "cfbs add",
      "steps": ["run ./prepare.sh -y", "copy ./ ./"]
    },
    {
      "name": "./my-custom-access.cf",
      "description": "Local policy file added using cfbs command line",
      "tags": ["local"],
      "added_by": "cfbs add",
      "steps": [
        "copy ./my-custom-access.cf services/cfbs/my-custom-access.cf",
        "policy_files services/cfbs/my-custom-access.cf"
      ]
    }
  ],
  "git": true
}

We can see that the last build element is the ./my-custom-access.cf policy (local module).

In the resulting policy set, the policy file is placed in services/cfbs/ relative to the root of the policy (achieved by the copy build step). The file should then get parsed as part of inputs as a result of the policy_files build step, which makes an entry in the built def.json.

cfbs build
Modules:
001 masterfiles           @ f495603285f9bd90d5d36df4fec4870aeee751e8 (Downloaded)
002 ./my-custom-access.cf @ local                                    (Copied)

Steps:
001 masterfiles           : run './prepare.sh -y'
001 masterfiles           : copy './' 'masterfiles/'
002 ./my-custom-access.cf : copy './my-custom-access.cf' 'masterfiles/services/cfbs/my-custom-access.cf'
002 ./my-custom-access.cf : policy_files 'services/cfbs/my-custom-access.cf'

Generating tarball...

Build complete, ready to deploy 🐿
 -> Directory: out/masterfiles
 -> Tarball:   out/masterfiles.tgz

To install on this machine: sudo cfbs install
To deploy on remote hub(s): cf-remote deploy
cat out/masterfiles/def.json
{ "inputs": ["services/cfbs/my-custom-access.cf"] }

When cf-serverd is started, it will parse that file, and it should allow the trusted hosts defined by default:def.acl access to that content.
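
A pre-deploy check for the build described above, as an added example that is not part of the original gist or of cfbs: it confirms that every .cf file a module copies into the policy set also has a policy_files step and appears in the built def.json inputs, since a file that is copied but never parsed leaves the access promise unloaded. The function name is hypothetical, and as a simplifying assumption only explicit .cf file paths are checked (directory arguments are not expanded).

```python
import json
import posixpath

# "build" entry for the local module and the built def.json, both copied from the page.
CFBS_JSON = json.loads("""
{"build": [{
  "name": "./my-custom-access.cf",
  "steps": [
    "copy ./my-custom-access.cf services/cfbs/my-custom-access.cf",
    "policy_files services/cfbs/my-custom-access.cf"
  ]}]}
""")
DEF_JSON = {"inputs": ["services/cfbs/my-custom-access.cf"]}


def unparsed_policy_files(cfbs, def_json):
    """Return a list of problems that would keep a copied .cf file out of inputs.

    Hypothetical helper. Assumption: only explicit paths ending in .cf are
    compared; directories passed to copy or policy_files are ignored.
    """
    inputs = {posixpath.normpath(p) for p in def_json.get("inputs", [])}
    problems = []
    for module in cfbs.get("build", []):
        copied, declared = set(), set()
        for step in module.get("steps", []):
            words = step.split()
            if not words:
                continue
            if words[0] == "copy" and len(words) == 3 and words[2].endswith(".cf"):
                # Destination is relative to the root of the built policy set.
                copied.add(posixpath.normpath(words[2]))
            elif words[0] == "policy_files":
                declared.update(
                    posixpath.normpath(p) for p in words[1:] if p.endswith(".cf")
                )
        name = module.get("name", "<unnamed>")
        for path in sorted(copied - declared):
            problems.append(f"{name}: {path} copied but has no policy_files step")
        for path in sorted(declared - inputs):
            problems.append(f"{name}: {path} missing from def.json inputs")
    return problems


if __name__ == "__main__":
    print(unparsed_policy_files(CFBS_JSON, DEF_JSON) or "all policy files are in inputs")
```

In a real project, load cfbs.json and out/masterfiles/def.json with json.load after running cfbs build and pass them to the function in place of the embedded samples.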
