
Adding recursive permit statements

Open AndrewCopeland opened this issue 4 years ago • 1 comment

Is your feature request related to a problem? Please describe.

Currently for me to permit resources to a role I have to explicitly give each resource privileges to a specific role. Example below:

- !permit
  role: !host myApplication
  resources:
  - !variable namespace/group/account/username
  - !variable namespace/group/account/password
  - !variable namespace/group/account/port
  - !variable namespace/group/account/address
  # the permit statement's privilege list is keyed "privileges", not "permit"
  privileges:
  - read
  - execute

This is not scalable and makes operationalizing conjur policy difficult and cumbersome.

Describe the solution you would like

I would like the ability to use a * or a similar character to give permissioning in a recursive manner:

- !permit
  role: !host myApplication
  resources:
  # proposed wildcard: every variable under this branch
  - !variable namespace/group/account/*
  privileges:
  - read
  - execute

In this case now !host myApplication will have the permission to read & execute all !variables within the namespace/group/account/ branch.

Describe alternatives you have considered

n/a

Additional context

Recursive permissions could be used to grant widespread permissions such as an audit group:

- !permit
  role: !group audit
  resources:
  # proposed wildcard: every resource of each kind
  - !variable *
  - !policy *
  - !group *
  - !host *
  privilege: read

AndrewCopeland avatar Nov 24 '20 16:11 AndrewCopeland
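Until a wildcard exists, the usual way to get the effect described above is to generate the explicit statements from an inventory of resource ids. The following is an added example, not code from the issue or from Conjur; the inventory is constructed, and `render_permit` / `expand` are hypothetical helper names.

```python
from fnmatch import fnmatchcase

# Constructed inventory of (kind, id) pairs. In practice this would come from a
# Conjur resource listing; this example deliberately makes no API calls.
INVENTORY = [
    ("variable", "namespace/group/account/username"),
    ("variable", "namespace/group/account/password"),
    ("variable", "namespace/group/account/port"),
    ("variable", "namespace/group/account/address"),
    ("variable", "namespace/group/other/password"),
    ("host", "myApplication"),
]


def expand(kind, pattern, inventory):
    """Ids of `kind` matched by a shell-style pattern. fnmatch's '*' also
    matches '/', so 'namespace/group/account/*' covers the whole branch,
    which is the recursive behaviour the request asks for."""
    return sorted(rid for k, rid in inventory if k == kind and fnmatchcase(rid, pattern))


def render_permit(role, privileges, wants, inventory, allow_unscoped=False):
    """Build one explicit !permit statement for the (kind, pattern) pairs in
    `wants`. Returns (policy_text, unmatched); `unmatched` lists patterns that
    matched nothing, usually a typo or a resource that does not exist yet.
    A bare '*' (every resource of a kind) is refused unless explicitly allowed,
    so an over-broad grant has to be a conscious choice."""
    resource_lines, unmatched = [], []
    for kind, pattern in wants:
        if pattern.strip("*") == "" and not allow_unscoped:
            raise ValueError(f"refusing unscoped pattern for !{kind}: {pattern!r}")
        ids = expand(kind, pattern, inventory)
        if not ids:
            unmatched.append((kind, pattern))
        resource_lines += [f"  - !{kind} {rid}" for rid in ids]
    header = [
        "- !permit",
        f"  role: {role}",
        "  privileges: [ " + ", ".join(privileges) + " ]",
        "  resources:",
    ]
    return "\n".join(header + resource_lines) + "\n", unmatched


if __name__ == "__main__":
    text, missing = render_permit("!host myApplication", ["read", "execute"],
                                  [("variable", "namespace/group/account/*")], INVENTORY)
    print(text, "unmatched:", missing)
```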

Yes please!

dataplex avatar Nov 24 '20 19:11 dataplex