Support groups in policies #73
Comments
Updated link to above mentioned PR: choria-legacy/mcollective-actionpolicy-auth#15. It looks to me like the group feature was actually merged and it's also present in the action-policy plugin here: https://github.com/choria-plugins/action-policy. Would you be interested in a PR regarding the configuration of this feature in this module?
At present the action-policy in Ruby is just dead bytes. It's not called in the real execution paths anymore. The current parallel implementation is https://github.com/choria-io/go-choria/blob/main/providers/agent/mcorpc/authz_actionpolicy.go and tbh you should probably rather use Open Policy Agent if you want this kind of stuff.
However it seems I do support groups in that new Go one? Looks like it, in that case sure, a contribution to make Puppet aware of it would be great.
I think so, I am using it 😄, it is convenient for tiny organizations. Here is the code I am using right now in my control-repo:

```puppet
class profile::choria::server {
  # [...]
  # Groups file read by the action policy: one group per line,
  # group name followed by its member caller ids.
  file { "${mcollective::configdir}/policies/groups":
    ensure  => file,
    content => @(POLICY),
      group1 choria=user1.mcollective choria=user2.mcollective
      group2 choria=user3.mcollective
      group3 choria=user4.mcollective
      group4 choria=user3.mcollective choria=user4.mcollective
      | POLICY
    notify  => Class['Choria::Service'],
  }
}
```

I guess a defined type for a group with the group name as namevar and an array of members would be great! @ZeroPointEnergy feel free to ping me when you open a PR!
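Added example, not code from this thread or from the Choria project: a small Ruby lint for a groups file in the format shown in the comment above, which also inverts it into a caller-to-groups view for review before the file is deployed. The function names, the `kind=name` member check and the handling of blank and `#` lines are assumptions drawn from the sample, not documented Choria behaviour.

```ruby
# Added example: lint an action-policy groups file before deploying it.
# Assumed format (from the sample in the thread): one group per line,
# "<group> <member> <member> ...", separated by whitespace.
# Assumption: blank lines and lines starting with '#' are ignored.

# Assumption: members look like the sample, e.g. choria=user1.mcollective
MEMBER_RE = /\A[^=\s]+=\S+\z/

# Returns [groups, errors]: groups maps name => valid members,
# errors lists every problem found with its line number.
def parse_groups(text)
  groups = {}
  errors = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    name, *members = line.split(/\s+/)
    if groups.key?(name)
      errors << "line #{lineno}: group '#{name}' defined twice"
      next
    end
    errors << "line #{lineno}: group '#{name}' has no members" if members.empty?
    bad = members.reject { |m| m.match?(MEMBER_RE) }
    bad.each { |m| errors << "line #{lineno}: '#{m}' is not of the form kind=name" }
    groups[name] = members - bad
  end
  [groups, errors]
end

# Inverts the mapping so a reviewer can see every group a caller ends up in.
def groups_by_caller(groups)
  index = Hash.new { |h, k| h[k] = [] }
  groups.each { |name, members| members.uniq.each { |m| index[m] << name } }
  index
end

# Constructed sample input: the groups file content posted in the thread.
SAMPLE = <<~POLICY
  group1 choria=user1.mcollective choria=user2.mcollective
  group2 choria=user3.mcollective
  group3 choria=user4.mcollective
  group4 choria=user3.mcollective choria=user4.mcollective
POLICY

groups, errors = parse_groups(SAMPLE)
errors.each { |e| warn e }
groups_by_caller(groups).sort.each do |caller_id, names|
  puts "#{caller_id}: #{names.join(', ')}"
end
```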
Could have landed group support without improving the action policy plugin but decided on the https://github.com/puppetlabs/mcollective-actionpolicy-auth/pull/15 route instead. Once this is released, make sure it's supported.