Defined Type: st2::rbac

Defined in:
manifests/rbac.pp

Summary

This defined type creates RBAC resources for users

Overview

Note:

This is an enterprise feature, and requires a license to be used.

Examples:

# Declares the RBAC assignment for the StackStorm user 'admin'.
# The resource title is used as the user name unless 'user' is set.
st2::rbac { 'admin':
  description => 'Administrative user',
  roles       => ['observer', 'my_test_role'],
}

Parameters:

  • ensure (Any) (defaults to: 'present')
  • user (Any) (defaults to: $name)
  • description (Any) (defaults to: 'Created and managed by Puppet')
  • roles (Any) (defaults to: [])


# File 'manifests/rbac.pp', line 13

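define st2::rbac (
  $ensure      = 'present',
  $user        = $name,
  $description = 'Created and managed by Puppet',
  $roles       = [],
) {
  # Writes one RBAC assignment file per user under /opt/stackstorm/rbac and
  # notifies a refresh-only exec that runs st2-apply-rbac-definitions.
  #
  # $description and $roles are not referenced in this manifest; presumably
  # they are read by the ERB template below -- confirm against the template.
  $_rbac_dir = '/opt/stackstorm/rbac'

  # $user is untyped and becomes part of a file name further down. A value
  # containing '/' (for example one starting with '../') would make Puppet
  # write a root-owned file outside the assignments directory, so reject it
  # at compile time. The interpolation stringifies non-string values so the
  # match itself cannot raise a type error.
  if "${user}" =~ /\// {
    fail("st2::rbac: user '${user}' must not contain '/'")
  }

  # Any $ensure value other than 'present' maps to false.
  # NOTE(review): not referenced in this manifest; presumably consumed by the
  # template to mark the assignment enabled/disabled -- confirm.
  $_enabled_state = $ensure ? {
    'present' => true,
    default   => false,
  }

  # ensure_resource is used because this define is declared once per user and
  # every instance needs the same shared directories. Directories are
  # root-owned and not writable by group or others.
  ensure_resource('file', $_rbac_dir, {
    'ensure'  => 'directory',
    'owner'   => 'root',
    'group'   => 'root',
    'mode'    => '0755',
    'require' => Class['st2::profile::server'],
  })
  ensure_resource('file', "${_rbac_dir}/assignments", {
    'ensure'  => 'directory',
    'owner'   => 'root',
    'group'   => 'root',
    'mode'    => '0755',
    'require' => Class['st2::profile::server'],
  })
  ensure_resource('file', "${_rbac_dir}/roles", {
    'ensure'  => 'directory',
    'owner'   => 'root',
    'group'   => 'root',
    'mode'    => '0755',
    'require' => Class['st2::profile::server'],
  })

  # Shared refresh-only exec: it runs only when an assignment file notifies
  # it, and the command is resolved through the fixed system 'path' below.
  ensure_resource('exec', 'reload st2 rbac definitions', {
    'command'     => 'st2-apply-rbac-definitions',
    'refreshonly' => true,
    'path'        => '/usr/sbin:/usr/bin:/sbin:/bin',
  })

  # The file is managed as 'file' regardless of $ensure, so it is never
  # removed by this define.
  # NOTE(review): mode 0644 leaves the user's role assignment readable by
  # every local account -- confirm that is intended.
  file { "${_rbac_dir}/assignments/${user}.yaml":
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('st2/rbac/assignments/user.yaml.erb'),
    notify  => Exec['reload st2 rbac definitions'],
  }
}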