knife-okta

knife-okta is a knife plugin to interact with the Okta API.

The initial use case is to create data bags based on Okta group membership.

Installation

As with all knife plugins, just install the gem:

gem install knife-okta

Or if you use ChefDK:

chef gem install knife-okta

Usage

This plugin works the same as the knife data bag from file sub command, but instead queries Okta for a group's active members:

knife data bag from okta group BAG ITEM GROUP [GROUP..] (options)

The following parameters are added with this sub command:

        --max-change MAX_CHANGE             Set the maximum amount of allowed changes
    -a, --okta-attribute OKTA_ATTRIBUTE     Specify the user profile attribute to return
    -o, --okta-endpoint  OKTA_ENDPOINT      Set the Okta API endpoint (e.g. https://yourorg.okta.com/api/v1)
    -t, --okta-token OKTA_TOKEN             Set the Okta API token
        --show-changes                      Show any changes when uploading a data bag item
        --show-members                      Show data bag item members when uploading a data bag item

You can also add Okta options to your knife config file:

knife[:okta_attribute] = 'login'
knife[:okta_endpoint]  = 'https://myorg.okta-emea.com/api/v1'
knife[:okta_token]     = '004zNgntseobUzztBLSraij...'

Examples

These examples assume the Okta configuration has been set in your knife config file.

Create a data bag item from a single Okta group

To create a data bag called users with a data bag item called linux_admins that contains the display names of the group members:

knife data bag from okta group users linux_admins Linux-Admins -a displayName

The -a option determines which profile attribute to populate the data bag with, at this time only displayName, email and login are supported.

Create a data bag item from multiple Okta groups

You can specify multiple groups by providing a comma separated value:

knife data bag from okta group users admins Linux-Admins,Windows-Admins -a displayName

You can also provide Okta group names that contain spaces:

knife data bag from okta group users admins "Linux-Admins,Windows-Admins,Other Admins" -a displayName

Limiting amount of changes

In the case where you want not upload a data bag if there more changes than expected (e.g. if running this plugin via a cron job), you can use the --max-change attribute:

knife data bag from okta group users linux_admins Linux-Admins -a displayName --max-change 5

This attribute watches for additions and removes, so using our example above if there were 3 additions and 2 removals then the data bag would not be uploaded as it met the threshold set (5).

License

Copyright 2018 Stephen Hoekstra <shoekstra@schubergphilis.com>
Copyright 2018 Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Contributing

We welcome contributed improvements and bug fixes via the usual work flow:

Fork this repository
Create your feature branch (git checkout -b my-new-feature)
Commit your changes (git commit -am 'Add some feature')
Push to the branch (git push origin my-new-feature)
Create a new pull request

knife-okta

Runtime

knife-okta

Installation

Usage

Examples

Create a data bag item from a single Okta group

Create a data bag item from multiple Okta groups

Limiting amount of changes

License

Contributing