Skip to main content

CLI

Guardian is a command line tool used to interact with the main guardian service. Follow the installation and configuration guides to set up the CLI tool for Guardian.

List of Commands

Guardian CLI supports many commands. To get a list of all the commands, follow these steps. Enter the following code into the terminal:

$ guardian

# or

$ guardian --help

List of all availiable commands are as follows:

CORE COMMANDS
appeal Manage appeals
policy Manage policies
provider Manage providers
resource Manage resources

ADDITIONAL COMMANDS
completion Generate shell completion scripts
config Manage client configurations
help Help about any command
job Manage jobs
reference Show command reference
server Server management
version Print version information

To know the usage of any of the core commands use the following syntax:

$ guardian <command> <subcommand> --help

Managing Policies

Policies are used to define governance rules of the data access. Policies command allows us to list, create or update policies.

What is inside?

Enter the following code into the terminal:

$ guardian policy

The output is the following:

Available Commands:
apply Apply a policy config
create Create a new policy
edit Edit a policy
init Creates a policy template
list List and filter access policies
plan Show changes from the new policy
view View a policy

Policy Init

This command is used to create a policy template with a given file name. Check policy reference for more details on the policy configuration.

Syntax for making the policy initialization file.

$ guardian policy init --file=<output-name>

flags required

-f, --file string   File name for the policy config

Example Configurations

We can configure a policy file policy.yaml as shown below.

# policy.yaml
id: my_policy
steps:
- name: manager_approval
description: Manager approval for sensitive data
when: $appeal.resource.details.is_sensitive == true
strategy: manual
approvers:
- $appeal.creator.manager_email
- name: resource_owner_approval
description: Approval from resource admin/owner
strategy: manual
approvers:
- $appeal.resource.details.owner

Now, we can create a policy using the create command as given below.

Create Policy

The create command is used to register a new policy. For this we have to define our policy file, which would be passed as a flag to the create command.

Policy has version to ensure each appeal has a reference to an applied policy when it's created. A policy is created with an initial version equal to 1.

Usage guardian policy create [flags]

Flags required:

-f, --file string   Path to the policy config

$ guardian policy create --file=<file-path>

The output is the following:

policy created with id: my_policy

List Policies

To get a list and filter of all the avaliable access policies present in the Guardian database, use the list command as explained here.

Enter the following code into the terminal:

$ guardian policy list

The output is the following:

  ID             VERSION  DESCRIPTION                             STEPS
my_policy 1 two step policy for tableau workbooks manager_approval,resource_owner_approval

Edit Policy

To update an existing policy present in the Guardian' database using a file, use the edit command as explained here. Updating a policy actually means creating a new policy with the same id but the version gets incremented by 1. Both the new and previous policies still can be used by providers.

Usage :

$ guardian policy edit --file=<file-path>

An example update of the policy.yaml file is given below:

id: my_policy
steps:
- name: supervisor_approval
strategy: manual
approvers:
- $appeal.resource.details.supervisor
- name: head_approval
strategy: manual
approvers:
- $appeal.resource.details.owner

Now to update the policy defined here.

$ guardian policies edit --file policy.yaml

The output is the following:

policy updated

Note that on update of a policy it's version is also updated. We can verify this by listing all the policies.

  ID             VERSION  DESCRIPTION                                       STEPS
my_policy 2 two step policy for tableau workbooks supervisor_approval,resource_owner_approval

View Policy

View a policy. Display the ID, name, and other information about a policy.

Usgae:

$ guardian policy view <policy-id> --version=<policy-version>

Flags

-o, --output string    Print output with the selected format (default "yaml")
-v, --version string Version of the policy

Apply Policy

Apply a policy config.Create or edit a policy from a file.

Usage:

$ guardian policy apply --file=<file-path>

Flags -f, --file string Path to the policy config

Plan Policy

Show changes from the new policy. This will not actually apply the policy config.

Usage:

$ guardian policy plan --file=<file-path>

flags

-f, --file string   Path to the policy config

Managing Providers

Providers command allows us to list, create or update providers.

  • What is inside?

Enter the following code into the terminal:

$ guardian providers

The output is the following:

Available Commands:
apply Apply a provider
create Register a new provider
edit Edit a provider
init Creates a provider template
list List and filter providers
plan Show changes from the new provider
view View a provider details

Provider Init

This command is used to creates a provider template. Following this define the provider's config file, which would be passed as a flag to the create command. Check provider reference for more details on the configuration.

Syntax for making the initialization file.

guardian provider init [flags]

Flags required :

-f, --file string   File name for the policy config

Example Configurations

We can configure a provider.yaml file for tableau provider as shown below.

type: tableau
urn: 691acb66-27ef-4b4f-9222-f07052e6ffg0
labels:
entity: gojek
landscape: id
credentials:
host: https://prod-apnortheast-a.online.tableau.com
username: user@test.com
password: password@123
content_url: guardiantestsite
appeal:
allow_active_access_extension_in: 7d
resources:
- type: metric
policy:
id: policy_20
version: 1
roles:
- id: read
name: Read
permissions:
- name: Read:Allow
- id: write
name: Write
permissions:
- name: Write:Allow

To register a new provider use the create command as shown below.

Create Provider

The create command is used to register a new provider on the Guardian database.

Usage guardian provider create [flags]

Flags required and usage:

-f, --file string   Path to the provider config

$ guardian providers create --file provider.yaml

Output is of the following form:

provider created with id: 26

List Providers

To get a list of all the providers present in the Guardian' database, use the list command as explained here.

Enter the following code into the terminal:

$ guardian providers list

The output is the following:

  ID  TYPE     URN
21 tableau 691acb66-27ef-4b4f-9222-f07052e6ffc2
22 tableau 691acb66-27ef-4b4f-9222-f07052e6ffc8
26 tableau 691acb66-27ef-4b4f-9222-f07052e6ffg0
24 tableau 691acb66-27ef-4b4f-9222-f07052e6ffd0

Edit Provider

To update an existing provider present in the Guardian' database, use the edit command as explained here. Update the provider.yaml file with required changes.

Usage : $ guardian provider edit <provider-id> --file <file-path>

Flags required :

-f, --file string   Path to the provider config

The output is the following:

provider updated

Plan Provider

This command is to show the changes from the new provider. This command will not actually apply the provider config.

Usage : $ guardian provider plan [flags]

Flags required :

-f, --file string   Path to the provider config

View Provider

This command is used to view a provider details. Displays the ID, name, and other information about a provider.

Usage : $ guardian provider view <provider-id> [flags]

Flags required :

-o, --output string   Print output with the selected format (default "yaml")

Apply Provider

Apply a provider. It is used to create or edit a provider from a file.

Usage : $ guardian provider apply [flags]

Flags required :

-f, --file string   Path to the provider config

$ guardian provider apply --file <file-path>

Managing Resources

Resources command allows us to list and set metadata of resources.

  • What is inside?

Enter the following code into the terminal:

$ guardian resources

The output is the following:

Available Commands:
list List resources
set Store new metadata for a resource
view View a resource details

List Resources

It fetches the list of all the resources in the Guardian's database.

Enter the following code into the terminal:

$ guardian resource list
$ guardian resource list --provider-type=bigquery --type=dataset
$ guardian resource list --details=key1.key2:value --details=key1.key3:value

List resources flags:

-D, --deleted                Show deleted resources
-d, --details stringArray Filter by details object values. Example: --details=key1.key2:value
-n, --name string Filter by name
-T, --provider-type string Filter by provider type
-U, --provider-urn string Filter by provider urn
-t, --type string Filter by type
-u, --urn string Filter by urn

The output is the following form:

ID    PROVIDER                              TYPE        URN                                   NAME
3552 tableau view 8a48df6d-bb5c-438f-a038-35149011e1b5 Flight Delays
691acb66-27ef-4b4f-9222-f07052e6ffc2
4704 tableau metric a408051f-c394-4a73-8f33-7bf7ba001d99 my-test-metric-ishan
691acb66-27ef-4b4f-9222-f07052e6ffc2
3792 tableau workbook 7c940f8b-34c7-44af-9998-b95deef54edd Regional
691acb66-27ef-4b4f-9222-f07052e6ffc8
3802 tableau view 3bd3acd1-0681-458b-9566-0519ba844519 Overview
691acb66-27ef-4b4f-9222-f07052e6ffc8
3807 tableau view 703c58f2-5b7f-46ba-bf96-9f4b473e4da8 Commission Model
691acb66-27ef-4b4f-9222-f07052e6ffc8
5614 tableau view 7342fec1-4092-4bd4-abf4-8e531fe0f8ad Stocks
691acb66-27ef-4b4f-9222-f07052e6ffd0

Set Resource

Store new metadata for a resource. Guardian allows users to add metadata to the resources. This can be useful when configuring the approval steps in the policy that needs information from metadata e.g. “owners” as the approvers.

$ guardian resource set <resource-id> --filePath=<file-path>

This command supports the following flags:

-f, --file string   updated resource file path

Here is an example below:

$ guardian resource set --id={{resource_id}} --values=<key1>=<value1> --values=<key2>=<value2>

View Resource

View a resource details

$ guardian resource view <resource-id> --output=json --metadata=true

This command supports the following flags:

-m, --metadata   Set if you want to see metadata, default: false

Managing Appeals

Appeals command allows us to list, create, list and reject appeal.

What is inside?

Enter the following code into the terminal:

$ guardian appeals

The output is the following:

Available Commands:
approve Approve an approval step
cancel Cancel an appeal
create Create a new appeal
list List and filter appeals
reject Reject an approval step
revoke Revoke an active access/appeal
status Approval status of an appeal

Create Appeal

It helps us to create a new appeal.

Here are some examples given below:

$ guardian appeal create
$ guardian appeal create --account=<account-id> --type=<account-type> --resource=<resource-id> --role=<role> --description="<description>"

This command supports the following flags:

-a, --account string       Email of the account to appeal
--description string The description of the appeal
-d, --duration string Duration of the access
-R, --resource string ID of the resource
-r, --role string Role to be assigned
-t, --type string Type of the account
$ guardian appeals create --resource-id 5624 --role write --user test-user@email.com --options.duration "24h"

The output is the following:

appeal created with id: 13

List Appeals

This command helps us to list appeals in the Guardian's database, we can also filter the appeals with some additional queries flags.

To filter the list of appeals by Role, Status or Account use the following flags:

-a, --account string       Filter by account
-r, --role string Filter by role
-s, --status stringArray Filter by status(es)

Here are some examples below:

$ guardian appeal list
$ guardian appeal list --status=pending
$ guardian appeal list --role=viewer

The output is of the form :

  ID  USER                  RESOURCE ID  ROLE   STATUS
13 test-user@email.com 5624 write pending

Approve Appeals

It's used to approve an appeal. Approve an approval step

$ guardian appeal approve <appeal-id> --step=<step-name>

This command supports the following flags:


-s, --step string Name of approval step

Reject Appeals

It's used to reject an appeal.

Reject an approval step

$ guardian appeal reject <appeal-id> --step=<step-name>

Revoke Appeal

Revoke an active access/appeal

$ guardian appeal revoke <appeal-id>
$ guardian appeal revoke <appeal-id> --reason=<reason>

This command supports the following flags:

-r, --reason string   Reason of the revocation

Check Appeal Status

Status value of an appeal can either be one of these pending, canceled, active,rejected,terminated. To check the current Approval status of the appeal use the following command:

$ guardian appeal status <appeal-id>

Cancel Appeal

Cancel an appeal. Appeal creator can cancel their appeal while it's status is still on pending

$ guardian appeal cancel <appeal-id>

Add Approver

Add a new approver into an existing approval

$ guardian appeal add-approver --appeal-id=<appeal-id> --approval-id=<approval-id> --email=<new-approver-email>

Delete Approver

Delete existing approver from an approval step

$ guardian appeal delete-approver --appeal-id=<appeal-id> --approval-id=<approval-id> --email=<new-approver-email>