policy

Definition

The policy command has five subcommands: generate-secret, list-users, rbac-attach, rbac-detach, and rbac-get. These commands allow the user to manage role-based access control policy for Fugue.

Usage

fugue [global options] policy [options] [command] [command arguments]

Subcommands

generate-secret
Generate a new secret for a specific user.
list-users
Display a list of all users.
rbac-attach
Attach a policy to the Conductor.
rbac-detach
Remove the policy from the Conductor.
rbac-get
Download the policy on the Conductor to the current working directory.

Options

Global options are detailed here.

-h | --help
Show help text. The help flag is available throughout the CLI in both an application-level and command-level context. It enables a user to view help text for any command within the Fugue CLI.

Policy Subcommands

generate-secret

Definition

Generate a new user secret, or access token, for the provided <user_id>. The <user_id> must exist on a policy that has been set on the Conductor. If a user secret already exists for the provided <user_id>, this command will expire the existing secret and create a new one.

Usage

fugue policy generate-secret [options] <user_id>

Options

-y | --yes
Suppress confirmation dialogs.
--json
Emit output as JSON.
-h | --help
Show help text.

Arguments

<user_id>
The user to generate the secret for. Required.

list-users

Definition

Display the list of users from the policy that has been set on the Conductor.

Usage

fugue policy list-users [options]

Options

--json
Emit output as JSON.
-h | --help
Show help text.

rbac-attach

Definition

Attach the provided <policy_file> to the Conductor. A policy is a Ludwig composition that defines RBAC rules.

Note: The fugue run command will accept an RBAC policy composition, or even a composition that mixes RBAC and standard library types, but the RBAC rules in it will have no effect.

Usage

fugue policy rbac-attach [options] <policy_file>

Options

--json
Emit output as JSON.
-h | --help
Show help text.

Arguments

<policy_file>
The policy to be attached to the Conductor. Required.

rbac-detach

Definition

Detach the currently applied policy from the Conductor.

Usage

fugue policy rbac-detach [options]

Options

-y | --yes
Suppress confirmation dialogs.
--json
Emit output as JSON.
-h | --help
Show help text.

rbac-get

Definition

Download the policy that has been set on the Conductor to the current working directory, or optionally, to <destination>. The downloaded file contains the compiled content of the Ludwig policy in JSON format.

Usage

fugue policy rbac-get [options] <destination>

Options

--stdout
Display retrieved policy via standard output.
-h | --help
Show help text.

Arguments

<destination>
The file to which the policy should be downloaded. Optional; if omitted, the policy is saved to the current working directory.

Examples

Attaching a policy to the Conductor

Attaching an RBAC policy to the Conductor allows the Conductor to enforce that policy’s rules. The Conductor will also create Fugue users listed in the policy.

To attach a policy to the Conductor, use the policy rbac-attach command:

fugue policy rbac-attach MyPolicy.lw

The CLI will compile the policy, upload it to S3, and ask the Conductor to apply the new policy. If successful, the CLI output will look like this:

Compiling Ludwig file MyPolicy.lw ...
[ OK ] Successfully compiled. No errors.

Uploading policy to S3 ...
[ OK ] Successfully uploaded.

Requesting the Conductor set new policy ...
[ DONE ] Policy uploaded and applied.

If there is a compilation error, the CLI will return an error message, and the policy will not be attached to the Conductor.

A newly-attached policy will overwrite the current policy on the Conductor, as only one policy may be set at a time.

Detaching a policy from the Conductor

Detaching a policy from the Conductor returns the Conductor to single-user mode, where root is the active user.

To remove a policy from the Conductor, use the policy rbac-detach command:

fugue policy rbac-detach

The CLI will prompt for confirmation, then produce output like this:

[ WARN ] Are you sure you want to detach the policy from the Conductor? [y/N]: y

Detaching policy from Conductor ...
[ DONE ] Policy detached.

Note: If users were declared in the policy that was removed, they still exist and their secrets are still set; they just cannot perform any actions. To permit the users to take action again, reattach the policy file with policy rbac-attach.

Downloading the policy from the Conductor

You can download the current policy attached to the Conductor. The downloaded file contains the compiled content of the Ludwig policy in JSON format. To retrieve it, use the policy rbac-get command:

fugue policy rbac-get

You’ll see output like this:

[ fugue policy ] Requesting policy document from the Conductor.

[ OK ] Retrieved policy document location


[ fugue policy ] Downloading the policy document.

[ DONE ] Policy document saved to ./policy20170123170823.json

If you want to save the policy to a specific location, specify the filename as an argument:

fugue policy rbac-get ~/mypolicy.json

Listing Fugue users

Fugue users are created when they’re declared in a policy document attached to the Conductor. To see a list of all Fugue users, use policy list-users:

fugue policy list-users

You’ll see a table like this:

Fugue User list for becki/xxxxxxxxxxxx - Mon Jan 23 2017 5:35pm

User Id    Enabled    Created      Updated
---------  ---------  -----------  -----------
becki      yes        Wed 1:18pm   Wed 3:00pm
root       yes        Dec 29 2016  Dec 29 2016
alice      no         2:53pm       2:53pm

[ HELP ] To enable a user, run "fugue policy generate-secret <user_id>".

User Id
The user’s ID in Fugue’s RBAC system
Enabled
Whether credentials have been generated for a user
Created
When the user was created
Updated
When the user was last updated

Generating a secret for a user

Generating a secret, or access token, for a user enables that user to operate Fugue, assuming both the user and rules pertaining to that user have been declared in the policy attached to the Conductor. You can also generate a secret for a user who already has one; the existing secret will expire and Fugue will create a new one.

To generate a user secret, use the policy generate-secret command:

fugue policy generate-secret alice

You’ll see output like this:

[ fugue policy ] Requesting the Conductor generate a secret for: alice ...

User Credential Details:

   User ID: alice
   User Secret: 7y4sK8ZwbpEXAMPLEEXAMPLEEAMPLEEXAMPLEEXAMPLE

[ DONE ] Secret successfully generated.

Root credentials are generated upon install, or upon upgrade if upgrading from a version of Fugue without the RBAC feature.

Warning

Do not lose your root credentials. They cannot be replaced with the policy generate-secret command. If you have lost your root credentials, see Troubleshooting or contact support@fugue.co.
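
An added example (not part of the Fugue documentation or CLI) tying together the list-users and generate-secret sections: it parses the text table printed by policy list-users, lists users that have no credentials, and prints a generate-secret command for each enabled user except root, whose credentials cannot be replaced this way. It assumes the table layout shown above and user IDs without whitespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit `fugue policy list-users` output and plan secret rotation.
# Assumes the text table layout shown on this page and user IDs without spaces.

# Constructed sample input, following the table layout shown above.
SAMPLE_TABLE='Fugue User list for becki/xxxxxxxxxxxx - Mon Jan 23 2017 5:35pm

User Id    Enabled    Created      Updated
---------  ---------  -----------  -----------
becki      yes        Wed 1:18pm   Wed 3:00pm
root       yes        Dec 29 2016  Dec 29 2016
alice      no         2:53pm       2:53pm

[ HELP ] To enable a user, run "fugue policy generate-secret <user_id>".'

# users_by_state yes|no -- reads the table on stdin, prints matching user IDs.
users_by_state() {
  awk -v want="$1" '
    /^-+ +-+/             { in_rows = 1; next }  # dashed rule: rows start after it
    in_rows && NF == 0    { in_rows = 0 }        # blank line ends the table
    in_rows && $2 == want { print $1 }           # column 2 is "Enabled"
  '
}

# rotation_plan -- prints one generate-secret command per enabled non-root user.
# root is skipped: its credentials cannot be replaced with generate-secret.
rotation_plan() {
  users_by_state yes | while read -r user; do
    if [ "$user" = "root" ]; then
      continue
    fi
    printf 'fugue policy generate-secret -y %s\n' "$user"
  done
}

# Stand-alone demo on the constructed sample; in practice, pipe in the
# output of `fugue policy list-users` instead.
echo "No credentials yet:"
printf '%s\n' "$SAMPLE_TABLE" | users_by_state no
echo "Rotation plan (review before running):"
printf '%s\n' "$SAMPLE_TABLE" | rotation_plan
```

Because generate-secret prints the new secret to the terminal and expires the old one immediately, run the planned commands where output is not captured in shared logs and the affected user can receive the new secret.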