cyberark-conjur-cli
Resource command
Feature Overview & Customer Need
As a Conjur user, I would like to use the Conjur CLI in order to understand which roles and members have what privileges on Conjur's resources.
==================== Initial suggestion ====================
A new command will be called resource.
We will use a sub-command:
- list-roles - List roles with a specified privilege on the resource
The commands will be used as follows:
conjur resource list-roles -i demo:host:ansible/ansible-01 -p read
[ "demo:user:admin", "demo:policy:ansible" ] <- returns a list in the same structure the list command will
Args description:
-i --id <Resource identifier> - provide the resource identifier
-p --privilege
==================== New suggestion ====================
Process logic and Demo
A new command with the name 'list', with the following options:
- List the members of the group or layer.
- List the permitted members on a certain resource according to the permissions provided.
Precondition: a Conjur user on a machine where the Python CLI is already installed, and where Conjur init & login have been run against a Conjur / Conjur Enterprise machine with the following resources:
MyAccount:group:conjur-root-admins
and the following roles -
[
"MyAccount:policy:root",
"MyAccount:user:alice",
"MyAccount:user:bob",
"MyAccount:group:conjur-root-admins",
"MyAccount:group:ops-admin",
"MyAccount:host:www-01",
"MyAccount:layer:app-layer",
"MyAccount:host:bob_machine"
]
- Members of - will return the members of the group or layer. Permissions are not relevant here.
conjur list --membersof <Group/Layer ID>
Args: --membersof, -m - the ID of the group/layer whose members the user wants to get.
For example:
conjur list --membersof MyAccount:group:conjur-root-admins
will return the members of the group conjur-root-admins.
The output will be:
[
MyAccount:user:Moshe,
MyAccount:user:Vika
]
- Permitted members of - will return a list of permitted members on a certain resource according to the permissions provided.
conjur list --permitted-members-of <Resource ID> -p <Permission type>
Args:
--permitted-members-of, -pm - the permitted members on a certain resource.
--permission, -p - the permissions on the certain resource.
For example:
conjur list --permitted-members-of cucumber:variable:secrets/test-variable -p read
will return the roles that have read permissions on test-variable.
The output will be:
[
"MyAccount:user:admin"
]
Expected behaviour should not change from the corresponding command in the Ruby CLI.
Help is according to XXXXXXXXXX
Failure scenarios
- If the user enters a non-existing privileged resource/group/layer, we need to return the help of the command
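A sketch of how the two proposed `list` options and the "return the help" failure rule could be wired together, added here as an example and not taken from the Conjur CLI code base. The helper names (`build_parser`, `split_id`, `plan_request`) are hypothetical, the REST paths are assumed from Conjur's REST API rather than from this issue, and only failures detectable before contacting the server are covered.

```python
import argparse
from urllib.parse import quote


class _Parser(argparse.ArgumentParser):
    def error(self, message):
        # Raise instead of exiting so the caller can return the command help.
        raise ValueError(message)


def build_parser():
    # Flags as proposed in the issue; this sketch covers only the two new options.
    parser = _Parser(prog="conjur list")
    mode = parser.add_mutually_exclusive_group(required=True)
    mode.add_argument("-m", "--membersof", metavar="GROUP_OR_LAYER_ID")
    mode.add_argument("-pm", "--permitted-members-of", metavar="RESOURCE_ID")
    parser.add_argument("-p", "--permission", metavar="PERMISSION")
    return parser


def split_id(full_id):
    # Fully qualified IDs are account:kind:identifier; the identifier may hold ':' or '/'.
    parts = full_id.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected account:kind:identifier, got {full_id!r}")
    return [quote(part, safe="") for part in parts]  # URL-encode each path segment


def plan_request(argv):
    """Return ("request", path), or ("help", text) when the arguments are unusable."""
    parser = build_parser()
    try:
        args = parser.parse_args(argv)
        # Both paths below are assumed endpoint shapes from Conjur's REST API.
        if args.membersof is not None:
            if args.permission:
                raise ValueError("--permission does not apply to --membersof")
            account, kind, ident = split_id(args.membersof)
            if kind not in ("group", "layer"):
                raise ValueError("--membersof needs a group or layer ID")
            return "request", f"/roles/{account}/{kind}/{ident}?members"
        if not args.permission:
            raise ValueError("--permitted-members-of requires --permission")
        account, kind, ident = split_id(args.permitted_members_of)
        privilege = quote(args.permission, safe="")
        return "request", (f"/resources/{account}/{kind}/{ident}"
                           f"?permitted_roles=true&privilege={privilege}")
    except ValueError as err:
        return "help", f"{err}\n\n{parser.format_help()}"
```

A resource that does not exist can only be detected from the server's response, so that failure scenario would be handled where the request is sent.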
Quality
Make sure we have test coverage of the resource command. Create test plan and execute accordingly.
User messages
All user messages regarding resource actions should be reviewed, especially error messages. If an argument is missing, we need to return the help of the command.
Demo
- Demo each option that was implemented
- Show that the resource has the correct permitted_roles
- Delete a resource by using !delete in a policy
- Show that the option of running permitted_roles is failing.
Documentation
Please provide enhanced documentation in the online help and readme.
DOD
- [ ] Implement the resource's commands in the Conjur Python CLI on all 3 platforms
- [ ] Demo the flow described above
- [ ] Automatic integration tests written according to a test plan and passed successfully
- [ ] Fill in the user messages - link to a page with all user messages for CLI saved and reviewed.
- [ ] Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed.
- [ ] Logs were reviewed by TW and PO
- [ ] Are there new Audits to this feature? If so please document them and provide here a link (N/A)