Adding support for service ACLs in consul_acl module

This commit is contained in:
Chris Hoffman 2015-08-16 12:13:20 -04:00 committed by Matt Clay
parent 507352e4f0
commit 3f7fe00110

View file

@ -22,7 +22,7 @@ module: consul_acl
short_description: "manipulate consul acl keys and rules" short_description: "manipulate consul acl keys and rules"
description: description:
- allows the addition, modification and deletion of ACL keys and associated - allows the addition, modification and deletion of ACL keys and associated
rules in a consul cluster via the agent. For more details on using and rules in a consul cluster via the agent. For more details on using and
configuring ACLs, see https://www.consul.io/docs/internals/acl.html. configuring ACLs, see https://www.consul.io/docs/internals/acl.html.
requirements: requirements:
- "python >= 2.6" - "python >= 2.6"
@ -57,7 +57,7 @@ options:
required: false required: false
rules: rules:
description: description:
- an list of the rules that should be associated with a given key/token. - an list of the rules that should be associated with a given token.
required: false required: false
host: host:
description: description:
@ -83,6 +83,19 @@ EXAMPLES = '''
- key: 'private/foo' - key: 'private/foo'
policy: deny policy: deny
- name: create an acl with specific token with both key and serivce rules
consul_acl:
mgmt_token: 'some_management_acl'
name: 'Foo access'
token: 'some_client_token'
rules:
- key: 'foo'
policy: read
- service: ''
policy: write
- service: 'secret-'
policy: deny
- name: remove a token - name: remove a token
consul_acl: consul_acl:
mgmt_token: 'some_management_acl' mgmt_token: 'some_management_acl'
@ -134,8 +147,6 @@ def update_acl(module):
if token: if token:
existing_rules = load_rules_for_token(module, consul, token) existing_rules = load_rules_for_token(module, consul, token)
supplied_rules = yml_to_rules(module, rules) supplied_rules = yml_to_rules(module, rules)
print existing_rules
print supplied_rules
changed = not existing_rules == supplied_rules changed = not existing_rules == supplied_rules
if changed: if changed:
y = supplied_rules.to_hcl() y = supplied_rules.to_hcl()
@ -148,7 +159,7 @@ def update_acl(module):
try: try:
rules = yml_to_rules(module, rules) rules = yml_to_rules(module, rules)
if rules.are_rules(): if rules.are_rules():
rules = rules.to_json() rules = rules.to_hcl()
else: else:
rules = None rules = None
@ -163,7 +174,7 @@ def update_acl(module):
module.fail_json(msg="Could not create/update acl %s" % e) module.fail_json(msg="Could not create/update acl %s" % e)
module.exit_json(changed=changed, module.exit_json(changed=changed,
token=token, token=obfuscate_token(token),
rules=rules, rules=rules,
name=name, name=name,
type=token_type) type=token_type)
@ -179,18 +190,20 @@ def remove_acl(module):
if changed: if changed:
token = consul.acl.destroy(token) token = consul.acl.destroy(token)
module.exit_json(changed=changed, token=token) module.exit_json(changed=changed, token=obfuscate_token(token))
def obfuscate_token(token):
return token[:4] + "*" * (len(token) - 5)
def load_rules_for_token(module, consul_api, token): def load_rules_for_token(module, consul_api, token):
try: try:
rules = Rules() rules = Rules()
info = consul_api.acl.info(token) info = consul_api.acl.info(token)
if info and info['Rules']: if info and info['Rules']:
rule_set = to_ascii(info['Rules']) rule_set = hcl.loads(to_ascii(info['Rules']))
for rule in hcl.loads(rule_set).values(): for rule_type in rule_set:
for key, policy in rule.iteritems(): for pattern, policy in rule_set[rule_type].iteritems():
rules.add_rule(Rule(key, policy['policy'])) rules.add_rule(rule_type, Rule(pattern, policy['policy']))
return rules return rules
except Exception, e: except Exception, e:
module.fail_json( module.fail_json(
@ -208,52 +221,61 @@ def yml_to_rules(module, yml_rules):
rules = Rules() rules = Rules()
if yml_rules: if yml_rules:
for rule in yml_rules: for rule in yml_rules:
if not('key' in rule or 'policy' in rule): if ('key' in rule and 'policy' in rule):
module.fail_json(msg="a rule requires a key and a policy.") rules.add_rule('key', Rule(rule['key'], rule['policy']))
rules.add_rule(Rule(rule['key'], rule['policy'])) elif ('service' in rule and 'policy' in rule):
rules.add_rule('service', Rule(rule['service'], rule['policy']))
else:
module.fail_json(msg="a rule requires a key/service and a policy.")
return rules return rules
template = '''key "%s" { template = '''%s "%s" {
policy = "%s" policy = "%s"
}''' }
'''
RULE_TYPES = ['key', 'service']
class Rules: class Rules:
def __init__(self): def __init__(self):
self.rules = {} self.rules = {}
for rule_type in RULE_TYPES:
self.rules[rule_type] = {}
def add_rule(self, rule): def add_rule(self, rule_type, rule):
self.rules[rule.key] = rule self.rules[rule_type][rule.pattern] = rule
def are_rules(self): def are_rules(self):
return len(self.rules) > 0 return len(self) > 0
def to_json(self):
rules = {}
for key, rule in self.rules.iteritems():
rules[key] = {'policy': rule.policy}
return json.dumps({'keys': rules})
def to_hcl(self): def to_hcl(self):
rules = "" rules = ""
for key, rule in self.rules.iteritems(): for rule_type in RULE_TYPES:
rules += template % (key, rule.policy) for pattern, rule in self.rules[rule_type].iteritems():
rules += template % (rule_type, pattern, rule.policy)
return to_ascii(rules) return to_ascii(rules)
def __len__(self):
count = 0
for rule_type in RULE_TYPES:
count += len(self.rules[rule_type])
return count
def __eq__(self, other): def __eq__(self, other):
if not (other or isinstance(other, self.__class__) if not (other or isinstance(other, self.__class__)
or len(other.rules) == len(self.rules)): or len(other) == len(self)):
return False return False
for name, other_rule in other.rules.iteritems(): for rule_type in RULE_TYPES:
if not name in self.rules: for name, other_rule in other.rules[rule_type].iteritems():
return False if not name in self.rules[rule_type]:
rule = self.rules[name] return False
rule = self.rules[rule_type][name]
if not (rule and rule == other_rule): if not (rule and rule == other_rule):
return False return False
return True return True
def __str__(self): def __str__(self):
@ -261,23 +283,24 @@ class Rules:
class Rule: class Rule:
def __init__(self, key, policy): def __init__(self, pattern, policy):
self.key = key self.pattern = pattern
self.policy = policy self.policy = policy
def __eq__(self, other): def __eq__(self, other):
return (isinstance(other, self.__class__) return (isinstance(other, self.__class__)
and self.key == other.key and self.pattern == other.pattern
and self.policy == other.policy) and self.policy == other.policy)
def __hash__(self): def __hash__(self):
return hash(self.key) ^ hash(self.policy) return hash(self.pattern) ^ hash(self.policy)
def __str__(self): def __str__(self):
return '%s %s' % (self.key, self.policy) return '%s %s' % (self.pattern, self.policy)
def get_consul_api(module, token=None): def get_consul_api(module, token=None):
if not token: if not token:
token = token = module.params.get('token') token = module.params.get('token')
return consul.Consul(host=module.params.get('host'), return consul.Consul(host=module.params.get('host'),
port=module.params.get('port'), port=module.params.get('port'),
token=token) token=token)
@ -286,7 +309,7 @@ def test_dependencies(module):
if not python_consul_installed: if not python_consul_installed:
module.fail_json(msg="python-consul required for this module. "\ module.fail_json(msg="python-consul required for this module. "\
"see http://python-consul.readthedocs.org/en/latest/#installation") "see http://python-consul.readthedocs.org/en/latest/#installation")
if not pyhcl_installed: if not pyhcl_installed:
module.fail_json( msg="pyhcl required for this module."\ module.fail_json( msg="pyhcl required for this module."\
" see https://pypi.python.org/pypi/pyhcl") " see https://pypi.python.org/pypi/pyhcl")
@ -306,7 +329,7 @@ def main():
module = AnsibleModule(argument_spec, supports_check_mode=False) module = AnsibleModule(argument_spec, supports_check_mode=False)
test_dependencies(module) test_dependencies(module)
try: try:
execute(module) execute(module)
except ConnectionError, e: except ConnectionError, e: