Granting Temporary Access with a Hubot Chatbot

If you are using a Hubot chatbot to automate common activities, you can integrate with the sdm Linux binary to handle common administrative tasks. This guide shows how to add a Hubot command to grant temporary access to datasources and servers. In this guide, we use the Heroku deployment method; modify as needed if you’re using a different deployment type.

Setup

  1. Set up a Hubot chatbot according to the directions on the Hubot site.

  2. Once the setup is done, copy the sdm Linux binary into the bin/ directory in your Hubot tree.

  3. Create an admin token in the Admin UI with the following permissions:

    1. datasource:grant
    2. datasource:list
    3. user:assign
    4. user:list

  4. Add two environment variables to your Hubot:

     $ heroku config:set SDM_HOME=/app
     $ heroku config:set SDM_ADMIN_TOKEN=<admin token here>
    
  5. Add an SDM script to scripts/. Here is a barebones example that will grant access to datasources for one hour.

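     {spawn} = require 'child_process'

     module.exports = (robot) ->
       # Match messages such as "Grant me access to <target>"
       robot.hear /access to (.*)/i, (res) ->
         target = res.match[1]
         email = res.envelope.user.email_address
         res.reply "Granting #{email} access to '#{target}' for 1 hour"
         # Arguments are passed to sdm as an argv array; no shell is involved
         spawn('sdm', ['admin','users','grant-temporary','-d','1h',target,email])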
    
  6. Deploy the changes with git push heroku master

  7. Test by telling the bot "Grant me access to datasource". It should respond with "Granting <email> access to 'datasource' for 1 hour".

Enhancements

There are a number of ways to improve your Hubot’s strongDM integration. Here are a few examples:

  1. Ensure the requested datasource or server actually exists by having the bot run sdm admin datasources list -j, which outputs a JSON-formatted list of datasources, and sdm admin servers list -j for SSH/RDP.

  2. Add additional sanitization and error checking.

  3. Ensure (through your own systems) that the requester is authorized to perform temporary grants of this nature.