# SimpleRPC Authorization

[SimpleRPCIntroduction]: index.html
[SecurityWithActiveMQ]: /mcollective/reference/integration/activemq_security.html
[SimpleRPCAuditing]: /mcollective/simplerpc/auditing.html
[ActionPolicy]: http://projects.puppetlabs.com/projects/mcollective-plugins/wiki/AuthorizationActionPolicy
As part of the [SimpleRPC][SimpleRPCIntroduction] framework we've added an authorization system that you can use to exert fine grained control over who can call which agents and actions.

Combined with [Connection Security][SecurityWithActiveMQ], [Centralized Auditing][SimpleRPCAuditing] and cryptographically signed messages, this rounds out a series of extremely important features for large companies that in combination allow for very precise control over your MCollective cluster.

The clients include the _uid_ of the process running the client library in each request, and the authorization function has access to that value on the request it is asked to authorize.

There is a sample full featured plugin called [ActionPolicy] that you can use or get some inspiration from.
## Writing Authorization Plugins

Writing an Authorization plugin is pretty simple. The example below will only allow RPC calls from Unix UID 500:
{% highlight ruby linenos %}
module MCollective::Util
  class AuthorizeIt
    def self.authorize(request)
      if request.caller != "uid=500"
        raise("Not authorized")
      end
    end
  end
end
{% endhighlight %}
Any exception raised by your class will simply result in the message not being processed or audited.

You'd install this in your libdir, where you should already have a Util directory for these kinds of classes.

To use your authorization plugin in an agent, simply do something like this:
{% highlight ruby linenos %}
module MCollective::Agent
  class Service<RPC::Agent
    authorized_by :authorize_it

    # ... agent actions ...
  end
end
{% endhighlight %}
The extra `authorized_by :authorize_it` line tells your agent to use the `MCollective::Util::AuthorizeIt` class for authorization.
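As an added example (not code from the MCollective documentation or the ActionPolicy plugin), the single-uid plugin above can be generalised into a per-agent, per-action allow-list with a default-deny rule. MCollective itself is not loaded here: `Request` is a constructed stand-in for the request object and models only the `caller`, `agent` and `action` fields the plugin reads, and the `POLICY` table and `PolicyAuthorize` class name are assumptions for the illustration.

```ruby
# Added example, not code from the MCollective documentation. It extends the
# single-uid plugin into a per-agent, per-action allow-list. MCollective is not
# loaded here: Request is a constructed stand-in for the request object and
# models only the caller/agent/action fields the plugin reads.
Request = Struct.new(:caller, :agent, :action)

module MCollective
  module Util
    class PolicyAuthorize
      # Constructed policy table: agent => { action => allowed caller ids }.
      # The "*" key covers any action of that agent without an explicit entry.
      POLICY = {
        "service" => {
          "status"  => ["uid=500", "uid=501"],
          "restart" => ["uid=500"]
        },
        "puppetd" => {
          "*" => ["uid=500"]
        }
      }.freeze

      # True when request.caller may run request.agent/request.action.
      # Unknown agents and actions are denied (default deny).
      def self.authorized?(request)
        actions = POLICY.fetch(request.agent, {})
        allowed = actions[request.action] || actions["*"] || []
        allowed.include?(request.caller)
      end

      # The entry point MCollective calls before running an action. Raising
      # denies the request; the message is then neither processed nor audited.
      def self.authorize(request)
        return true if authorized?(request)

        raise("Not authorized: #{request.caller} may not call " \
              "#{request.agent}/#{request.action}")
      end
    end
  end
end

# Stand-alone demonstration with constructed requests
if __FILE__ == $0
  [
    Request.new("uid=500", "service", "restart"),
    Request.new("uid=501", "service", "restart"),
    Request.new("uid=501", "service", "status"),
    Request.new("uid=500", "puppetd", "runonce"),
    Request.new("uid=500", "package", "install")
  ].each do |req|
    verdict = MCollective::Util::PolicyAuthorize.authorized?(req) ? "allow" : "deny"
    puts "#{req.caller} #{req.agent}/#{req.action}: #{verdict}"
  end
end
```

The split between `authorized?` (a pure true/false check) and `authorize` (which raises) keeps the policy decision testable on its own, while the raising entry point matches what the agent framework expects: any exception stops the request before the action body runs.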
## Enabling RPC authorization globally

You can enable a specific plugin on all RPC agents in the server config file. If you do this and an agent also specifies its own authorization, the agent's setting takes priority.

{% highlight ini %}
rpcauthorization = yes
rpcauthprovider = action_policy
{% endhighlight %}

Note that setting _rpcauthorization = no_ here does not disable authorization everywhere: agents that name their own plugin with `authorized_by` are still authorized by it. This boolean only enables or disables the global policy, not the per-agent one.