Overwriting or deleting annotations on resources in Conjur

We’re interested in using annotations to tag resources (users, groups) in Conjur as part of access management. However, we haven’t found a straightforward way to overwrite or remove annotations attached to either users or groups that doesn’t involve deleting the annotated resource. Is there a way to overwrite an annotation once it’s been defined?

We also wanted to inquire as to whether there was some way to get a list of the groups a user is a member of through the API; we have not yet been able to find a way to do this. We’re aware that the UI shows you what groups a user is a member of, but we would like to be able to pull such a list of groups within a script as well. Is there some API call that allows us to view what groups a user is granted membership to?


Hi,

To change an annotation, you need to load the policy with the new annotation value using the --replace option. Please note, annotations are not considered sensitive, but if you begin to use annotations as part of your access management, there is potential for a bad actor to use this information to facilitate an attack. I’d be curious to hear more detail on exactly what the business need is here, though.

The roles api endpoint should return the members list. So if you query /roles/{account}/group/my_group, this should return back the members of the group.

Nate

Hello,

Updating & Removing annotations:
Typically replace is the easiest way to update/delete annotations, like @nathan.whipple mentioned.
If you need a way to explicitly update one annotation, the PATCH method can be used (found here).
I haven’t seen how to explicitly remove one annotation from a resource, so you could use the PATCH method and make it an empty string; however, the annotation will still exist, it just won’t have a value.

Listing memberships of a resource
To get the memberships a specific resource has you must use the following endpoint.
curl -H "$(conjur authn authenticate -H)" http://{{conjur_hostname}}/roles/{{account}}/user/andrew?memberships

What Nate mentioned above will list the members of a specific resource but it seems like you are trying to find the memberships a resource has.

I loaded this policy:

- !user andrew

- !group admins
- !group developers
- !group users

- !grant
  roles:
  - !group admins
  - !group developers
  - !group users
  member: !user andrew

To retrieve the memberships of andrew I performed the following command and got the following result:

$ curl -H "$(conjur authn authenticate -H)" http://conjur/roles/conjur/user/andrew?memberships
[
  {
    "admin_option": false,
    "ownership": false,
    "role": "conjur:group:admins",
    "member": "conjur:user:andrew",
    "policy": "conjur:policy:root"
  },
  {
    "admin_option": false,
    "ownership": false,
    "role": "conjur:group:developers",
    "member": "conjur:user:andrew",
    "policy": "conjur:policy:root"
  },
  {
    "admin_option": false,
    "ownership": false,
    "role": "conjur:group:users",
    "member": "conjur:user:andrew",
    "policy": "conjur:policy:root"
  }
]

Let me know if there is still confusion.

Regards,
Andrew
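The following is an added example (not code from the thread or from the Conjur project) that scripts the ?memberships call Andrew demonstrates above: it builds the request URL, builds the Authorization header from a Conjur access token in the same form `conjur authn authenticate -H` prints, and reduces the JSON response to the list of group identifiers the role is a direct member of. The sample response is constructed from the output shown above plus one non-group entry (an owned policy) to show that the filter is needed; the appliance URL, the token value and that extra entry are assumptions, not taken from the thread.

```python
"""List the groups a Conjur role is a direct member of via GET
/roles/{account}/{kind}/{identifier}?memberships.

Added example, not Conjur project code. Assumptions: the base URL, the
token value used in the usage line, and the ownership entry in the
constructed sample response.
"""
import base64
import json
from urllib.parse import quote
from urllib.request import Request, urlopen


def memberships_url(base_url: str, account: str, kind: str, identifier: str) -> str:
    """Build the ?memberships URL for a role.

    Roles declared inside a sub-policy have identifiers containing '/',
    so the identifier is percent-encoded with no characters left bare.
    """
    base = base_url.rstrip("/")
    return f"{base}/roles/{account}/{kind}/{quote(identifier, safe='')}?memberships"


def auth_header(access_token: str) -> dict:
    """Conjur expects the access token (the JSON document returned by the
    authenticate endpoint) base64-encoded in an Authorization header."""
    encoded = base64.b64encode(access_token.encode()).decode()
    return {"Authorization": f'Token token="{encoded}"'}


def group_ids(memberships: list, account: str) -> list:
    """Return the sorted identifiers of the groups in a memberships response.

    Each entry's "role" is a fully qualified id "account:kind:identifier".
    Non-group roles (for example a policy the role owns, which also shows
    up as a membership) are skipped, and the account is checked so that a
    response for the wrong account is not silently accepted.
    """
    groups = []
    for entry in memberships:
        entry_account, kind, identifier = entry["role"].split(":", 2)
        if entry_account != account:
            raise ValueError(f"unexpected account in role id: {entry['role']}")
        if kind == "group":
            groups.append(identifier)
    return sorted(groups)


def fetch_group_memberships(base_url, account, kind, identifier, access_token):
    """Live call against a reachable Conjur; returns the role's group ids."""
    req = Request(memberships_url(base_url, account, kind, identifier),
                  headers=auth_header(access_token))
    with urlopen(req, timeout=10) as resp:
        return group_ids(json.load(resp), account)


# Constructed sample: the three entries from the thread's output plus an
# assumed ownership entry for a policy the user owns (not in the thread).
SAMPLE_RESPONSE = json.dumps([
    {"admin_option": False, "ownership": False, "role": "conjur:group:admins",
     "member": "conjur:user:andrew", "policy": "conjur:policy:root"},
    {"admin_option": False, "ownership": False, "role": "conjur:group:developers",
     "member": "conjur:user:andrew", "policy": "conjur:policy:root"},
    {"admin_option": False, "ownership": False, "role": "conjur:group:users",
     "member": "conjur:user:andrew", "policy": "conjur:policy:root"},
    {"admin_option": True, "ownership": True, "role": "conjur:policy:team",
     "member": "conjur:user:andrew", "policy": "conjur:policy:root"},
])


def sample_group_ids() -> list:
    """Parse the constructed sample offline; used in place of a live call."""
    return group_ids(json.loads(SAMPLE_RESPONSE), "conjur")


if __name__ == "__main__":
    # Offline run on the sample. For a live appliance (assumed URL and token):
    # fetch_group_memberships("https://conjur.example", "conjur", "user",
    #                         "andrew", open("token.json").read())
    print(sample_group_ids())
```

Only direct memberships come back from ?memberships, so a user who reaches a group through another group will not show that group in this list; resolve nested grants separately if your tagging logic depends on effective membership.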