- Define and load policy branch for Cloud Foundry

```yaml
# cf.yml
- !policy
  id: cf
  annotations:
    description: Base policy branch for all Cloud Foundry resources
```

```
$ conjur policy load root cf.yml
Loaded policy 'root'
{
  "created_roles": {
  },
  "version": 1
}
```
- Define and load policy branch for Foundation, Org, and Space

```yaml
# foundation.yml
- !policy
  id: MyFoundation
  body:
    - !policy
      id: MyOrganization
      body:
        - !layer
          annotations:
            # Optional, forward looking to CF authenticator
            cf-guid: 09a605e5-0a62-4d30-86d2-e70500389716

        - !policy
          id: MySpace
          body:
            - !layer
              annotations:
                # Optional, forward looking to CF authenticator
                cf-guid: cffde7d1-9778-42e3-9ad0-2751525edc6b

        # Add the space layer to the organization layer
        - !grant
          role: !layer
          member: !layer MySpace
```

```
$ conjur policy load cf foundation.yml
Loaded policy 'cf'
{
  "created_roles": {
  },
  "version": 1
}
```
- Define and load policy for the application

```yaml
# application.yml
- !policy
  id: MyApplication
  body:
    - !layer
      annotations:
        # Optional, forward looking to CF authenticator
        cf-guid: 58ff95fd-6efe-42b0-abdc-4fb76d1f7917

# Add the application layer to the space
- !grant
  role: !layer
  member: !layer MyApplication
```

```
$ conjur policy load cf/MyFoundation/MyOrganization/MySpace application.yml
{
  "created_roles": {
  },
  "version": 1
}
```
Each space will need credentials for the CF Cloud Controller API.

- Define and load the policy for the service broker hosts and cloud controller credentials

```yaml
# service-broker.yaml
- !host conjur-service-broker

- &variables
  - !variable cloud-controller-id
  - !variable cloud-controller-secret

- !permit
  resource: *variables
  privileges: [ read, execute ]
  # Must match the host declared above
  roles: !host conjur-service-broker
```

```
$ conjur policy load cf/MyFoundation/MyOrganization/MySpace service-broker.yml
Loaded policy 'cf/MyFoundation/MyOrganization/MySpace'
{
  "created_roles": {
    "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/conjur-service-broker": {
      "id": "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/conjur-service-broker",
      "api_key": "zgz40h8kzm4t3y6zwsw3fjap0m1rg0kmj7t5syr3ehdec5deqpg5"
    }
  },
  "version": 3
}
```
When an application is bound to the service broker, it adds a host to the application layer.

```yaml
# binding.yml
- !host 7a261501-e0c9-4f27-9c55-3943b0e6cabe  # Binding ID

- !grant
  role: !layer
  member: !host 7a261501-e0c9-4f27-9c55-3943b0e6cabe
```

```
$ conjur policy load cf/MyFoundation/MyOrganization/MySpace/MyApplication binding.yml
Loaded policy 'cf/MyFoundation/MyOrganization/MySpace/MyApplication'
{
  "created_roles": {
    "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/MyApplication/7a261501-e0c9-4f27-9c55-3943b0e6cabe": {
      "id": "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/MyApplication/7a261501-e0c9-4f27-9c55-3943b0e6cabe",
      "api_key": "3y02nay2tpbdpr197wnntsbq6pp2s3y9k7yptdf8x4dzgtytfcp"
    }
  },
  "version": 1
}
```
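As an added illustration (not part of these notes or of the Conjur service broker itself), the Python below transcribes the policies loaded above and resolves which layers the binding host ends up in through the grant chain. It assumes two Conjur conventions: a record with no id takes the id of its enclosing policy, and ids inside a policy body are relative to that policy's branch.

```python
from collections import deque

# Constructed transcription of the policies above. Each record is a dict with
# a "kind" (the YAML tag), an optional "id", and for policies a "body".
def policy(pid, body): return {"kind": "policy", "id": pid, "body": body}
def layer(lid=None): return {"kind": "layer", "id": lid}
def host(hid): return {"kind": "host", "id": hid}
def grant(role, member): return {"kind": "grant", "role": role, "member": member}

BINDING = "7a261501-e0c9-4f27-9c55-3943b0e6cabe"
# (branch the policy is loaded into, records), in the order loaded above
LOADS = [
    ("cf", [policy("MyFoundation", [
        policy("MyOrganization", [
            layer(),
            policy("MySpace", [layer()]),
            grant(layer(), layer("MySpace")),
        ])])]),
    ("cf/MyFoundation/MyOrganization/MySpace",
     [policy("MyApplication", [layer()]), grant(layer(), layer("MyApplication"))]),
    ("cf/MyFoundation/MyOrganization/MySpace/MyApplication",
     [host(BINDING), grant(layer(), host(BINDING))]),
]

def qualify(ref, branch):
    """Full role id of a reference, relative to the branch it appears in."""
    rid = ref.get("id")
    path = branch if rid is None else f"{branch}/{rid}"  # unnamed -> policy id
    return f"{ref['kind']}:{path}"

def collect_grants(records, branch, edges):
    """Walk a policy tree, recording member -> role edges for every !grant."""
    for rec in records:
        if rec["kind"] == "policy":
            collect_grants(rec["body"], f"{branch}/{rec['id']}", edges)
        elif rec["kind"] == "grant":
            edges.setdefault(qualify(rec["member"], branch), set()).add(qualify(rec["role"], branch))

def effective_roles(role_id, edges):
    """Transitive closure of memberships: every role the given role inherits."""
    seen, queue = set(), deque([role_id])
    while queue:
        for parent in edges.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def binding_host_roles():
    edges = {}
    for branch, records in LOADS:
        collect_grants(records, branch, edges)
    return effective_roles(f"host:cf/MyFoundation/MyOrganization/MySpace/MyApplication/{BINDING}", edges)
```

The result shows that the binding host inherits every privilege later granted to the application, space, or organization layer, which is the scope to keep in mind when permitting secrets to those layers.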
Are the CF Cloud Controller API credentials meant to be for the auditor role? If so, shouldn't the "Service Broker Binding Policy" be using these credentials to retrieve the application name for the host instead of using the Binding GUID?