CFEngine Community / CFE-2221

cf-serverd: allow the call to realpath() to be configurable, and/or allow pattern matching in access rules


    Details

    • Type: Task
    • Status: Need more Info
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cf-serverd
    • Labels: None

      Description

      Consider this case:

      I have a path like this:
      /var/cfengine/masterfiles/deploy/repo/branch/prod.a8453e93aea31f47e925a22fa747ca218652656e/files/wildfly/dev/someprivatekey.pem

      And I have a symlink to that top level that looks like this:
      /var/cfengine/masterfiles/deploy/repo/branch/prod -> /var/cfengine/masterfiles/deploy/repo/branch/prod.a8453e93aea31f47e925a22fa747ca218652656e

      What I would like to be able to do is create an access promise for this promisee:

          "$(sys.workdir)/masterfiles/deploy/repo/branch/*/files/wildfly/dev"
            comment => "Grant access to wildfly dev files to wildfly dev machines",
            admin   => { "wildfly-d01.mydomain.com", "wildfly-d02.mydomain.com" };

      I see two problems with this:

      1) cf-serverd is calling realpath() when processing access rules, and so the symlink at prod is evaluated to prod.a8453e93aea31f47e925a22fa747ca218652656e. In our environment, we are using symlinks to give us atomic deployments by deploying each git rev to a new directory, and using mv -T to atomically move a temporary link over top of the old prod link.

      2) Pattern matching isn't supported in access rules.

      I'm not sure if (2) is easily solvable, but I believe (1) could be solved by just disabling the call to ResolveFilename() inside AccessControl(). I would still need a rule for each branch under the branch/ directory, but pushing branches up to our servers doesn't happen all that often, and for the case of our private repository, we would want a little more access control over it.
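      To make the two problems above concrete, the following is an added Python model of the behaviour being described; it is not cf-serverd's code and does not reproduce its actual AccessControl() logic. It builds a throwaway tree with the same shape as the report (a versioned prod.<hash> directory and a prod symlink pointing at it), then checks one request against a literal access rule with and without realpath() resolution, and against a hypothetical pattern rule where `*` matches exactly one path segment. The directory layout, the segment-wise glob semantics and all function names are assumptions made for this illustration.

```python
import os
import tempfile
from fnmatch import fnmatchcase

# Constructed names that mirror the report's layout (the hash is the one quoted in the issue).
REV_DIR = "prod.a8453e93aea31f47e925a22fa747ca218652656e"
FILE_SUBPATH = "files/wildfly/dev/someprivatekey.pem"


def build_tree(root):
    """Create branch/<REV_DIR>/files/wildfly/dev/someprivatekey.pem and the
    branch/prod -> <REV_DIR> symlink. Returns the branch directory."""
    branch = os.path.join(root, "masterfiles", "deploy", "repo", "branch")
    rev = os.path.join(branch, REV_DIR)
    os.makedirs(os.path.dirname(os.path.join(rev, FILE_SUBPATH)))
    with open(os.path.join(rev, FILE_SUBPATH), "w") as fh:
        fh.write("constructed placeholder content, not a real key\n")
    os.symlink(REV_DIR, os.path.join(branch, "prod"))  # relative link, as in the report
    return branch


def canonicalize(requested, resolve_symlinks):
    """Model the two behaviours discussed: realpath() follows the symlink,
    normpath() only cleans the string and leaves 'prod' in place."""
    return os.path.realpath(requested) if resolve_symlinks else os.path.normpath(requested)


def literal_rule_allows(requested, rule_dir, resolve_symlinks):
    """A literal access rule grants a file if it lies under rule_dir (assumed model)."""
    path = canonicalize(requested, resolve_symlinks)
    return path == rule_dir or path.startswith(rule_dir.rstrip("/") + "/")


def pattern_rule_allows(requested, pattern, resolve_symlinks):
    """Hypothetical pattern rule: every '/'-separated segment of the file's parent
    directory must match the corresponding pattern segment, so '*' never crosses '/'."""
    parent = os.path.dirname(canonicalize(requested, resolve_symlinks))
    want, got = pattern.split("/"), parent.split("/")
    return len(want) == len(got) and all(fnmatchcase(g, w) for g, w in zip(got, want))


def demo():
    """Run the four combinations against a throwaway tree and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # so only the 'prod' link differs between the two views
        branch = build_tree(root)
        requested = os.path.join(branch, "prod", FILE_SUBPATH)
        literal_rule = os.path.join(branch, "prod", "files", "wildfly", "dev")
        pattern_rule = os.path.join(branch, "*", "files", "wildfly", "dev")
        return {
            # problem (1): realpath turns .../prod/... into .../prod.<hash>/..., so the literal rule misses
            "literal_rule_with_realpath": literal_rule_allows(requested, literal_rule, True),
            # the reporter's proposal: skip resolution and the literal rule on the link path matches
            "literal_rule_without_realpath": literal_rule_allows(requested, literal_rule, False),
            # problem (2): a pattern rule would match whichever view of the path is used
            "pattern_rule_with_realpath": pattern_rule_allows(requested, pattern_rule, True),
            "pattern_rule_without_realpath": pattern_rule_allows(requested, pattern_rule, False),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

      Running the script shows the literal rule written against the prod link denying the request once the path is canonicalized, and granting it when resolution is skipped; the pattern rule grants it either way. Note that skipping resolution also means a rule no longer says anything about where the link actually points, which is the trade-off an operator accepts when disabling it.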


            People

            • Assignee: jimis (Dimitrios Apostolou)
            • Reporter: phalenor (Andrew Cobaugh)
            • Votes: 1
            • Watchers: 4
