As part of the SimpleRPC framework we’ve added an authorization system that you can use to exert fine grained control over who can call agents and actions.
Combined with Connection Security, Centralized Auditing and Crypto signed messages this rounds out a series of extremely important features for large companies that in combination allow for very precise control over your MCollective Cluster.
The clients will include the uid of the process running the client library in the requests and the authorization function will have access to that on the requests.
There is a sample full featured plugin called ActionPolicy that you can use or get some inspiration from.
Writing Authorization Plugins
Writing an Authorization plugin is pretty simple, the below example will only allow RPC calls from Unix UID 500.
1 module MCollective::Util 2 class AuthorizeIt 3 def self.authorize(request) 4 if request.caller != "uid=500" 5 raise("Not authorized") 6 end 7 end 8 end 9 end
Any exception thrown by your class will just result in the message not being processed or audited.
You’d install this in your libdir where you should already have a Util directory for these kinds of classes.
To use your authorization plugin in an agent simply do something like this:
1 module MCollective::Agent 2 class Service<RPC::Agent 3 authorized_by :authorize_it 4 5 # ... 6 end 7 end
The call extra authorized
_it line tells your agent to use the MCollective::Util::AuthorizeIt class for authorization.
Enabling RPC authorization globally
You can enable a specific plugin on all RPC agents in the server config file. If you do this and an agent also specify it’s own authorization the agent will take priority.
rpcauthorization = yes rpcauthprovider = action_policy
Note setting rpcauthorization = no here doesn’t disable it everywhere, agents that specify authorization will still be used. This boolean enables the global auth policy not the per agent.