Today we're open sourcing rails-approvals, a gem which makes it very easy to add approval workflows via Slack to control who can start Rails console sessions or run database migrations in production.
rails-approvals is not dependent on Cased; instead, it's self-hosted by you as a Rails engine!
The rails-approvals repository contains all of the steps necessary to create and install the required Slack application, specify the Slack channel that approval requests are delivered to, configure approval settings, and more.
rails-approvals works by adding a blocking approval request before a Rails console can be started. By default, the approval request will only be triggered in production. You can configure additional non-production Rails environments that will require approval via Slack.
```ruby
module Rails
  module Approvals
    class Railtie < ::Rails::Railtie
      console do
        Rails::Approvals.start!
      end
    end
  end
end
```
By using the Rails::Railtie.console method made available by Rails to integrators, rails-approvals is able to manage the approval lifecycle and subsequently permit access or quit the process as necessary. In this case, once approval is obtained via Slack the console session is authorized as usual.
```
$ rails console
✅ Request to run rails console approved by email@example.com
Loading production environment (Rails 188.8.131.52)
irb(main):001:0>
```
Otherwise, if the approval request has been denied or ultimately times out per the configured settings, rails-approvals will exit the process entirely, requiring the user to go through the approval process again.
```
$ rails console
🛑 Request to run rails console denied by firstname.lastname@example.org
```
rails-approvals uses the Rails::Approvals::Request model contained within the bundled Rails engine to track all approval requests. The model tracks the following attributes:
- requester: The user who triggered the approval request. rails-approvals will attempt to obtain the requesting user via the $USER environment variable as long as it is a non-root or default user (
- reason: The reason the user is requesting access to a production console. The requirement to provide a reason is configurable.
- responder: The user in Slack who responded to the approval request.
- command: The command the user executed. This will likely be rails console most of the time, but in cases where additional arguments are provided it will keep track of them for you.
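To make the lifecycle and the tracked attributes above concrete, here is a Rails-free sketch of a blocking, fail-closed approval gate. It is an added example, not code from rails-approvals: `ApprovalRequest`, `requester_from_env`, `gate`, the `GENERIC_USERS` list and the `poll` callable (a stand-in for the Slack check) are all assumptions.

```ruby
# Added illustration, not the gem's code: every name below is hypothetical.
ApprovalRequest = Struct.new(:requester, :reason, :responder, :command, :state)

# Assumed list of shared accounts that do not identify a person.
GENERIC_USERS = %w[root app deploy].freeze

# Trust $USER only when it names an individual; nil means "ask the operator".
def requester_from_env(env = ENV)
  user = env["USER"].to_s.strip
  user.empty? || GENERIC_USERS.include?(user) ? nil : user
end

# Block until `poll` reports a decision or `timeout` seconds pass.
# `poll` stands in for the Slack check and returns nil while pending,
# or [:approved, responder] / [:denied, responder].
def gate(request, poll:, timeout:, interval: 0.01)
  raise ArgumentError, "requester required" if request.requester.nil?

  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  while Process.clock_gettime(Process::CLOCK_MONOTONIC) < deadline
    decision, responder = poll.call(request)
    if %i[approved denied].include?(decision)
      request.state = decision
      request.responder = responder
      return decision == :approved
    end
    sleep interval
  end
  request.state = :timed_out # fail closed: no answer means no console
  false
end

# Constructed run: the (simulated) approval arrives on the third poll.
def demo
  req = ApprovalRequest.new(requester_from_env({ "USER" => "alice" }),
                            "investigate stuck job", nil, "rails console", :pending)
  polls = 0
  ok = gate(req, poll: ->(_r) { (polls += 1) >= 3 ? [:approved, "bob"] : nil }, timeout: 1)
  [ok, req.state, req.responder, polls]
end

# A console hook would call `exit 1` unless gate(...) returns true.
p demo if __FILE__ == $PROGRAM_NAME
```

Anything other than an explicit approval, including an unrecognized reply from `poll`, leaves the request pending until the deadline and then refuses access.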
What's the difference between
rails-approvals contains a subset of features available in the cased-rails gem which is powered by Cased.
- Require the requesting user to identify themselves using your organization's identity provider (Okta, Google, SAML, OpenID Connect, etc).
- Automatically approve requests if the requesting user is on-call for a particular PagerDuty Escalation Policy.
- Restrict who can respond to approval requests to a particular group in your organization such as Engineering or Managers.
- Comprehensive audit logging around approval requests.
- An easy to use online interface to configure approval workflows.
If you'd like to have enhanced approval workflow controls as described above, be sure to check out another blog post we've published on cased-rails. Additionally you can schedule a demo, or send us an email at email@example.com and we'd be happy to learn about your needs.