I want to modify the annotation values from a variable entry in a policy.
A while ago, still on Slack, we discussed this, and the way to do this is to ‘replace’ a policy.
Using REST, this will be a PUT method on the policy identifier, together with the new policy data.
So, from Python using REST calls to Conjur, I’m able to retrieve the policy that contains the variable
entry where I want to change existing annotation values, but the current policy data is not there.
Over time, there were some modifications to the policy (e.g. grants), and I can see those
modifications in the ‘policy_versions’ array. But the ‘policy_version’ only contains deltas, and there’s
no current definition returned by HTTP GET.
Recreating the policy by walking all these ‘policy_versions’ would really be a nasty job to do.
‘Replacing’ the policy for the modified annotations requires the complete policy definition, because only explicitly defined resources will get created. Meaning I’ll need to have a complete definition of the policy in its current state, including possible other variables, permits, hosts, bodies etc…
My question is: how can I get the complete policy definition?
Having said that, I’d really prefer a ‘policy update’ (HTTP PATCH) to just change the annotation values… and leave all the other policy parts as they are… But apparently that is not supported.
Also, ‘append to policy’ only appends, and does not modify already existing annotation values.
But hey, if ‘replace policy’ is the way to go, then I’ll go for that.
Hopefully my problem description is clear enough. If not, let me know, and I’ll elaborate some more.
Thanks for any help in advance.