Require users to acknowledge changes to policies #151

Closed
p5 opened this issue Dec 6, 2024 · 3 comments


p5 commented Dec 6, 2024

Is your feature request related to a problem? Please describe.

It's very easy to wipe out your entire configuration via the CLI. I've done this multiple times while trying to configure Conjur Enterprise for my organization.

Describe the solution you would like

As with other Infrastructure as Code tools, display a plan for the changes to be made, then request the user to acknowledge those changes.

Proposed Conjur CLI changes:

$ conjur policy replace -f <path-to-delete-policy> -b root
The requested action will perform the following operations:
  DELETE MyOrgDev:group:DevConjurPoc/ConjurDevJenkins-admins
  DELETE MyOrgDev:group:DevConjurPoc-admins
  DELETE MyOrgDev:variable:conjur/authn-jwt/cloudbees-corebanking/audience
 
Would you like to proceed? [y/N]
>  n
 
$ conjur policy load -f <path-to-delete-policy> -b root
The requested action will perform the following operations:
  CREATE MyOrgDev:group:DevConjurPoc/ConjurDevJenkins-admins
  CREATE MyOrgDev:group:DevConjurPoc-admins
  UPDATE MyOrgDev:variable:conjur/authn-jwt/cloudbees-corebanking/audience
 
Would you like to proceed? [y/N]
>  y
 
$ conjur policy replace -f <path-to-delete-policy> -b root --auto-approve
The requested action will perform the following operations:
  DELETE MyOrgDev:group:DevConjurPoc/ConjurDevJenkins-admins
  DELETE MyOrgDev:group:DevConjurPoc-admins
  DELETE MyOrgDev:variable:conjur/authn-jwt/cloudbees-corebanking/audience
 
The --auto-approve argument has been supplied, so automatically applying the requested changes.

Describe alternatives you have considered

Additional context

I've mentioned this to KK at CyberArk, who's helping us with the build-out, but wanted to raise it here too.

@p5 p5 changed the title Require users to acknowledge changes Require users to acknowledge changes to policies Dec 6, 2024
Contributor

szh commented Dec 27, 2024

In newer versions of Conjur, we now support a --dry-run option for policy loads. I think this serves the same purpose.

Author

p5 commented Dec 27, 2024

> In newer versions of Conjur, we now support a --dry-run option for policy loads. I think this serves the same purpose.

It does, but I am hoping for a change of behaviour - where the default is to dry-run, forcing you to review the changes before accepting them.

Contributor

szh commented Dec 27, 2024

Got it. Besides for use by developers, the CLI is also used in automation, which would make this a major breaking change. If we were going to do this we'd need to, at the very least, have it behind a configuration flag. But I don't see it getting much backing right now.

@szh szh closed this as completed Dec 27, 2024
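
The preview-then-confirm flow requested in this thread can be approximated outside the CLI with a wrapper around the `--dry-run` option mentioned above. The following is an added example, not part of the issue and not code from the Conjur CLI; `safe_policy` and `AUTO_APPROVE` are hypothetical names, and it assumes `--dry-run` is accepted by the policy subcommand in use and prints the pending changes.

```shell
#!/bin/sh
# Added example: confirm-before-apply wrapper for `conjur policy load|replace`.
# Assumptions: --dry-run is accepted by the chosen subcommand and prints the
# pending changes; safe_policy and AUTO_APPROVE are hypothetical names.

safe_policy() {
    action=$1 branch=$2 file=$3

    case $action in
        load|replace) ;;
        *) echo "unsupported action: $action" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read policy file: $file" >&2; return 2; }

    # Step 1: preview only. If the preview fails, stop before touching anything.
    echo "The requested action will perform the following operations:"
    conjur policy "$action" -b "$branch" -f "$file" --dry-run || {
        echo "dry run failed; nothing was applied" >&2
        return 1
    }

    # Step 2: automation opts in explicitly; everyone else must answer.
    if [ "${AUTO_APPROVE:-0}" = 1 ]; then
        echo "AUTO_APPROVE=1 set, applying without prompting."
    else
        printf 'Would you like to proceed? [y/N] '
        # read fails on EOF (closed stdin in a pipeline): treat that as "no".
        read -r answer || answer=
        case $answer in
            y|Y|yes|YES) ;;
            *) echo "Aborted; no changes applied."; return 3 ;;
        esac
    fi

    # Step 3: apply the same file to the same branch.
    conjur policy "$action" -b "$branch" -f "$file"
}
```

The wrapper invokes the CLI twice, so the policy file should not be modified between the preview and the apply step.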