class SDM::Client
Client
bundles all the services together and initializes them.
Attributes
AccountAttachments
assign an account to a role or composite role.
AccountGrants
assign a resource directly to an account, giving the account the permission to connect to that resource.
Accounts
are users that have access to strongDM. There are two types of accounts:
-
*Users:* humans who are authenticated through username and password or SSO.
-
**Service Accounts:** machines that are authenticated using a service token.
API authentication token (read-only).
ControlPanel
contains all administrative controls.
Nodes
make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
-
*Gateways* are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
-
*Relays* are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
RoleAttachments
represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.
RoleGrants
represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.
Roles
are tools for controlling user access to resources. Each Role
holds a list of resources which they grant access to. Composite roles are a special type of Role
which have no resource associations of their own, but instead grant access to the combined resources associated with a set of child roles. Each user can be a member of one Role
or composite role.
SecretStores
are servers where resource secrets (passwords, keys) are stored.
Public Class Methods
Creates a new strongDM API client.
# File lib/strongdm.rb, line 31 def initialize(api_access_key, api_secret_key, host:"api.strongdm.com:443", insecure:false) @api_access_key = api_access_key @api_secret_key = Base64.strict_decode64(api_secret_key) @max_retries = DEFAULT_MAX_RETRIES @base_retry_delay = DEFAULT_BASE_RETRY_DELAY @max_retry_delay = DEFAULT_MAX_RETRY_DELAY @account_attachments = AccountAttachments.new(host, insecure, self) @account_grants = AccountGrants.new(host, insecure, self) @accounts = Accounts.new(host, insecure, self) @control_panel = ControlPanel.new(host, insecure, self) @nodes = Nodes.new(host, insecure, self) @resources = Resources.new(host, insecure, self) @role_attachments = RoleAttachments.new(host, insecure, self) @role_grants = RoleGrants.new(host, insecure, self) @roles = Roles.new(host, insecure, self) @secret_stores = SecretStores.new(host, insecure, self) @_test_options = Hash.new end
Public Instance Methods
# File lib/strongdm.rb, line 50 def get_metadata(method_name, req) return { 'x-sdm-authentication': @api_access_key,'x-sdm-signature': self.sign(method_name, req.to_proto)} end
# File lib/strongdm.rb, line 70 def jitterSleep(iter) dur_max = @base_retry_delay * 2**iter if (dur_max > @max_retry_delay) dur_max = @max_retry_delay end dur = rand() * dur_max sleep(dur) end
# File lib/strongdm.rb, line 79 def shouldRetry(iter, err) if (iter >= @max_retries-1) return false end if not err .is_a? GRPC::BadStatus return true end return err.code() == 13 end
# File lib/strongdm.rb, line 54 def sign(method_name, msg_bytes) current_utc_date = Time.now.utc date = sprintf("%04d-%02d-%02d",current_utc_date.year, current_utc_date.month, current_utc_date.day) signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date) signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, 'sdm_api_v1') sha_req = Digest::SHA256.new sha_req << method_name sha_req << "\n" sha_req << msg_bytes request_hash = sha_req.digest return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash)) end