Grant Temporary Access with a Hubot Chatbot
If you are using a Hubot chatbot to automate common activities, you can integrate with the sdm Linux binary to handle common administrative tasks. This guide shows how to add a Hubot command to grant temporary access to datasources and servers. In this guide, we use the Heroku deployment method; modify as needed if you're using a different deployment type.
Setup
Set up a Hubot chatbot according to the directions on the Hubot site.
Once the setup is done, copy the Linux binary into the bin/ directory in your Hubot tree.
Create an admin token in the Admin UI with the following permissions:
- datasource:grant
- datasource:list
- user:assign
- user:list
Add two environment variables to your Hubot:

    $ heroku config:set SDM_HOME=/app
    $ heroku config:set SDM_ADMIN_TOKEN=<admin token here>

Add an SDM script to scripts/. Here is a barebones example that will grant access to datasources for one hour.

    # spawn is not a global; it must be imported from child_process
    {spawn} = require 'child_process'

    module.exports = (robot) ->
      robot.hear /access to (.*)/i, (res) ->
        target = res.match[1]
        email = res.envelope.user.email_address
        res.reply "Granting #{email} access to '#{target}' for 1 hour"
        # Arguments are passed as an array, so no shell interprets them
        spawn('sdm', ['admin','users','grant-temporary','-d','1h',target,email])

Deploy the changes with

    git push heroku master

Test by telling the bot

    Grant me access to datasource

It should respond with

    Granting <email> access to 'datasource' for 1 hour

Enhancements
There are a number of ways to improve your Hubot's strongDM integration. Here are a few examples:
- Ensure the datasource/server requested actually exists by having the bot run sdm admin datasources list -j, which will output a JSON-formatted list of datasources, and sdm admin servers list -j for SSH/RDP.
- Add additional sanitization and error checking.
- Ensure (through your own systems) that the requester is authorized to perform temporary grants of this nature.
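
One way to implement the first two enhancements, written as a JavaScript Hubot script; this is an added example, not code from the original guide or from strongDM. It assumes the -j output is a JSON array of objects with a "name" field, and the naming and email patterns and the function names are hypothetical choices for illustration.

```javascript
// Added example (not strongDM's code). Assumes `sdm admin datasources list -j`
// prints a JSON array of objects that each carry a "name" field.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$/; // assumed policy; cannot start with "-"
const EMAIL_RE = /^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Return the exact name from the list output, or null when the request is
// malformed or names nothing that exists.
function resolveTarget(requested, listJson) {
  const wanted = String(requested).trim();
  if (!NAME_RE.test(wanted)) return null; // rejects option-like input such as "--help"
  let entries;
  try { entries = JSON.parse(listJson); } catch (e) { return null; }
  if (!Array.isArray(entries)) return null;
  const hit = entries.find((d) => d && d.name === wanted);
  return hit ? hit.name : null;
}

// Build the argv for the grant command, or return null to refuse the request.
function buildGrantArgs(requested, email, listJson) {
  const target = resolveTarget(requested, listJson);
  if (target === null) return null;
  if (typeof email !== 'string' || !EMAIL_RE.test(email)) return null;
  return ['admin', 'users', 'grant-temporary', '-d', '1h', target, email];
}

// Hubot wiring: list first, grant only on an exact match, report failures.
function sdmScript(robot) {
  const { execFile } = require('child_process');
  robot.hear(/access to (.*)/i, (res) => {
    execFile('sdm', ['admin', 'datasources', 'list', '-j'], (err, stdout) => {
      const email = res.envelope.user.email_address;
      const args = err ? null : buildGrantArgs(res.match[1], email, stdout);
      if (!args) return res.reply('Request refused: unknown datasource or invalid requester.');
      execFile('sdm', args, (grantErr) => res.reply(grantErr
        ? `Grant failed for '${args[5]}'`
        : `Granted ${args[6]} access to '${args[5]}' for 1 hour`));
    });
  });
}
if (typeof module !== 'undefined') module.exports = sdmScript;
```

The same check works for servers by passing the output of sdm admin servers list -j instead. It does not cover the third enhancement: whether the requester is allowed to receive the grant still has to be decided by your own systems.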