
Add rules to the config repo

Issue Type
  • Feature enhancement
Summary

Epic Issue: #5175 (search for Better authorization), #3636

Proposal: Add Rules to the config repo to allow/deny creation/access to environments, pipeline groups and pipelines.

The rules defined for that config repo will govern which entities can be added to, or referred to from, GoCD. Proposed actions are:

Action | Entity Type | Description
------ | ----------- | -----------
create | environment / pipeline_group / pipeline | allow/deny the ability to create a new environment, pipeline group or pipeline matching the specified pattern
refer | environment | allow/deny pipelines (and agents?) being added to the specified environment
refer | pipeline_group | allow/deny pipelines being added to the specified pipeline group
refer | pipeline | allow/deny the specified pipeline being used as an upstream dependency

Note: a deny rule takes precedence.

Example of the config:

<config-repo pluginId="json.config.plugin" id="json">
    <git url="/tmp/config-repo" />
    <rules>
        <allow action="refer" type="environment">env_*</allow>
        <allow action="create" type="pipeline_group">grp_*</allow>
    </rules>
</config-repo>
Need to decide:
  • Should the agents addition to environment be restricted as well?
  • Will the default rule be deny all? Existing GoCD installations using config-repos may break if so. (Maybe we can do a config migration to get around this?)
  • Should we consider the rules while checking the definitions (via repoId) on preflight API?

More questions based on comments

  • Will there be a need to modify RBAC for config-repo?

Conclusion

Possible actions

Action | Entity Type | Description
------ | ----------- | -----------
refer | environment | allow/deny pipelines and agents being added to the specified environment
refer | pipeline_group | allow/deny pipelines being added to the specified pipeline group
refer | pipeline | allow/deny the specified pipeline being used as an upstream dependency

Additional Info

  • A deny rule takes precedence.
  • Should the agents addition to environment be restricted as well?: Yes
  • Will the default rule be deny all? Existing GoCD installations using config-repos may break if so. (Maybe we can do a config migration to get around this?): Yes, the default rule will be deny. Will consider a config migration to add a default allow-all entity.
  • Should we consider the rules while checking the definitions (via repoId) on preflight API?: Yes
  • Will there be a need to modify RBAC for config-repo?: No, since it is an option that has to be explicitly given, no need to make any change in RBAC
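The allow/deny semantics settled in the summary and conclusion above (deny beats allow, default deny, an allow-all entity added by migration for existing installations, rules evaluated in the preflight check) as a small evaluator. This is an added example written for this page, not GoCD's own code. Two things are assumptions, since the issue does not state them: patterns are matched as shell-style globs (only `*` appears in the examples on this page), and the migration "allow all" entity is modelled as a single allow rule whose action, type and pattern are all `*`. The `<deny>` line in the sample config and the list of definitions are constructed for the example.

```python
"""Model of the config-repo allow/deny rules described in this issue.

Added example, not GoCD code. Semantics taken from the issue text: each rule is
an allow or deny for one action (refer/define) on one entity type
(environment, pipeline_group, pipeline) with a name pattern; a deny rule takes
precedence over any allow; when no rule matches, the result is deny.
Assumptions not stated on the page: patterns are shell-style globs (only '*'
appears in the issue's examples), and the "allow all" entity proposed for
migrating existing installations is an allow rule with action, type and
pattern all set to '*'.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    directive: str  # "allow" or "deny"
    action: str     # "refer" or "define" ('*' = any; assumption)
    type: str       # "environment", "pipeline_group", "pipeline" ('*' = any)
    pattern: str    # glob over the entity name


# Assumed shape of the migration entity that keeps old installations working.
LEGACY_ALLOW_ALL = Rule("allow", "*", "*", "*")


def parse_rules(config_repo_xml: str) -> list[Rule]:
    """Read the <allow>/<deny> children of <rules> inside a <config-repo>."""
    root = ET.fromstring(config_repo_xml.strip())
    rules_el = root.find("rules")
    if rules_el is None:
        return []  # no <rules> element: nothing matches, so everything is denied
    rules = []
    for el in rules_el:
        if el.tag not in ("allow", "deny"):
            raise ValueError(f"unexpected element <{el.tag}> inside <rules>")
        if el.get("action") is None or el.get("type") is None:
            raise ValueError(f"<{el.tag}> needs both action and type attributes")
        rules.append(Rule(el.tag, el.get("action"), el.get("type"), (el.text or "").strip()))
    return rules


def _matches(rule: Rule, action: str, entity_type: str, name: str) -> bool:
    # Case-sensitive glob on all three fields (assumption; the issue shows only '*').
    return (fnmatchcase(action, rule.action)
            and fnmatchcase(entity_type, rule.type)
            and fnmatchcase(name, rule.pattern))


def is_permitted(rules: list[Rule], action: str, entity_type: str, name: str) -> bool:
    """Deny wins over allow; with no matching rule at all the answer is deny."""
    matching = [r for r in rules if _matches(r, action, entity_type, name)]
    if any(r.directive == "deny" for r in matching):
        return False
    return any(r.directive == "allow" for r in matching)


def check_definitions(rules: list[Rule],
                      definitions: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Evaluate every (action, type, name) a repo asks for, as the issue proposes
    for the preflight API, and return the ones the rules reject."""
    return [d for d in definitions if not is_permitted(rules, *d)]


# Constructed sample: the issue's second example plus one explicit deny.
SAMPLE_CONFIG_REPO = """
<config-repo pluginId="json.config.plugin" id="json">
    <git url="/tmp/config-repo" />
    <rules>
        <allow action="refer" type="environment">env_*</allow>
        <allow action="define" type="pipeline">teamA_*</allow>
        <allow action="refer" type="pipeline">common_*</allow>
        <deny action="refer" type="environment">env_prod</deny>
    </rules>
</config-repo>
"""

# Constructed list of what a config repo tries to define or refer to.
SAMPLE_DEFINITIONS = [
    ("define", "pipeline", "teamA_build"),    # allowed by teamA_*
    ("define", "pipeline", "teamB_build"),    # no rule matches: default deny
    ("refer", "pipeline", "common_lib"),      # allowed as an upstream dependency
    ("refer", "pipeline", "teamB_build"),     # not allowed as upstream
    ("refer", "environment", "env_staging"),  # allowed by env_*
    ("refer", "environment", "env_prod"),     # allow env_* and deny env_prod both match: deny wins
    ("refer", "pipeline_group", "grp_a"),     # no rule matches: default deny
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG_REPO)
    for violation in check_definitions(rules, SAMPLE_DEFINITIONS):
        print("rejected:", *violation)
    # With the migration entity present, only the explicit deny still fires.
    print("legacy env_prod:", is_permitted(rules + [LEGACY_ALLOW_ALL], "refer", "environment", "env_prod"))
```

Two properties worth checking against a real installation once the feature lands: an entity that matches both an allow and a deny must be rejected (env_prod above), and a config repo with no matching rule at all must be rejected unless the migration allow-all entity is present.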

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments:34 (33 by maintainers)

Top GitHub Comments

3 reactions
kritika-singh3 commented, Jan 17, 2020

Summarizing:

rules will be added to the config repo to allow/deny creation/access to environments, pipeline groups and pipelines.

The rules defined for that config repo will govern which entities can be added to, or referred to from, GoCD. Proposed actions are:

Action | Entity Type | Description
------ | ----------- | -----------
refer | environment | allow/deny pipelines and agents being added to the specified environment (same for define)
refer | pipeline_group | allow/deny pipelines being added to the specified pipeline group (same for define)
define | pipeline | allow/deny the ability to create a pipeline matching the specified pattern
refer | pipeline | allow/deny the specified pipeline being used as an upstream dependency

Note: a deny rule takes precedence.

Example of the config:

<config-repo pluginId="json.config.plugin" id="json">
    <git url="/tmp/config-repo" />
    <rules>
        <allow action="refer" type="environment">env_*</allow>
        <allow action="define" type="pipeline">teamA_*</allow>
        <allow action="refer" type="pipeline">common_*</allow>
    </rules>
</config-repo>
  • Should the agents addition to environment be restricted as well?: Yes
  • Will the default rule be deny all? Existing GoCD installations using config-repos may break if so. (Maybe we can do a config migration to get around this?): Yes, the default rule will be deny. Will consider a config migration to add a default allow-all entity.
  • Should we consider the rules while checking the definitions (via repoId) on preflight API?: Yes
  • Will there be a need to modify RBAC for config-repo?: No, since it is an option that has to be explicitly given, I don’t think we need to make any change in RBAC

Does this need any change?

1 reaction
arvindsv commented, Jan 17, 2020

Ok, I can live with that.
