Module ChefZero::ChefData::AclPath
In: lib/chef_zero/chef_data/acl_path.rb

Manages translations between REST and ACL data paths and parent paths.

Suggestions

  • make /organizations/ORG/_acl and deprecate organization/_acl and organizations/_acl
  • add endpoints for /containers/(users|organizations|containers)(/_acl)
  • add PUT for */_acl
  • add endpoints for /organizations/ORG/data/containers and /organizations/ORG/cookbooks/containers
  • sane, fully documented ACL model
  • sane inheritance / override model: if actors or groups are explicitly specified on X, they are not inherited from X's parent
  • stop adding pivotal to acls (he already has access to what he needs)

Methods

Constants

ORG_DATA_TYPES = %w(clients cookbook_artifacts cookbooks containers data environments groups nodes policies policy_groups roles sandboxes)
TOP_DATA_TYPES = %w(containers organizations users)

Public Class methods

This method takes a Chef REST path and returns the chef-zero path used to look up the ACL. If an object does not have an ACL directly, it will return nil. Paths like /organizations/ORG/data/bag/item will return nil, because it is the parent path (data/bag) that has an ACL.

Reverse transform from acl_data_path to path:

  • /acls/root -> /
  • /acls/** -> /**
  • /organizations/ORG/acls/root -> /organizations/ORG
  • /organizations/ORG/acls/** -> /organizations/ORG/**

This means that /acls/containers/nodes maps to /containers/nodes, not /nodes.

Method assumes acl_data_path is valid. /organizations/BLAH's parent is /organizations.

An example traversal up the whole tree:

  /organizations/foo/acls/nodes/mario
  -> /organizations/foo/acls/containers/nodes
  -> /organizations/foo/acls/containers/containers
  -> /organizations/foo/acls/root
  -> /acls/containers/organizations
  -> /acls/containers/containers
  -> /acls/root
  -> nil
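The reverse transform and the parent traversal above, written out as an added example (not chef-zero's own code; the helper names object_path_for, parent_acl_data_path and acl_chain are this example's own, and it assumes every input is a valid ACL data path):

```ruby
# Added example, not chef-zero's own code: a model of the ACL data-path rules
# described on this page, using the two constant lists from the page.
ORG_DATA_TYPES = %w(clients cookbook_artifacts cookbooks containers data environments groups nodes policies policy_groups roles sandboxes)
TOP_DATA_TYPES = %w(containers organizations users)

# Reverse transform from an ACL data path to the REST object path:
#   /acls/root -> /     /organizations/ORG/acls/root -> /organizations/ORG
#   /acls/**   -> /**   /organizations/ORG/acls/**   -> /organizations/ORG/**
# Note that /acls/containers/nodes maps to /containers/nodes, not /nodes.
def object_path_for(acl_data_path)
  parts = acl_data_path.split('/').reject(&:empty?)
  prefix = parts[0] == 'organizations' ? parts[0, 2] : []
  rest = parts.drop(prefix.size + 1) # everything after the 'acls' segment
  rest = [] if rest == ['root']
  '/' + (prefix + rest).join('/')
end

# Parent ACL data path, following the traversal shown above: an object's ACL
# inherits from its type container, every container from containers/containers,
# that from the root, an org root from /acls/containers/organizations, and the
# top-level root from nothing (nil). Assumes the path is a valid ACL data path.
def parent_acl_data_path(acl_data_path)
  parts = acl_data_path.split('/').reject(&:empty?)
  in_org = parts[0] == 'organizations'
  base = in_org ? "/organizations/#{parts[1]}/acls" : '/acls'
  type, name = parts.drop(in_org ? 3 : 1)
  if type == 'root'
    in_org ? '/acls/containers/organizations' : nil
  elsif type == 'containers' && name == 'containers'
    "#{base}/root"
  elsif type == 'containers'
    "#{base}/containers/containers"
  elsif (in_org ? ORG_DATA_TYPES : TOP_DATA_TYPES).include?(type)
    "#{base}/containers/#{type}"
  else
    raise ArgumentError, "not an ACL data path: #{acl_data_path}"
  end
end

# Whole chain from an ACL data path up to the top, stopping when the parent is nil.
def acl_chain(acl_data_path)
  chain = []
  path = acl_data_path
  while path
    chain << path
    path = parent_acl_data_path(path)
  end
  chain
end
```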
