
Approve Rails console sessions via Slack using rails-approvals

Written by Garrett Bjerkhoel

Today we're open sourcing rails-approvals, a gem that makes it easy to add Slack-based approval workflows controlling who can start Rails console sessions or run database migrations in production. rails-approvals does not depend on Cased; instead, it is self-hosted by you as a Rails engine!

The rails-approvals repository contains all of the steps necessary to create and install the required Slack application, specify the Slack channel that approval requests are delivered to, configure approval settings, and more.

How does rails-approvals work?

rails-approvals works by adding a blocking approval request before a Rails console can be started. By default, the approval request will only be triggered in production. You can configure additional non-production Rails environments that will require approval via Slack.

module Rails
  module Approvals
    class Railtie < ::Rails::Railtie
      console do
        Rails::Approvals.start!
      end
    end
  end
end

By using the Rails::Railtie.console hook that Rails makes available to integrators, rails-approvals is able to manage the approval lifecycle before IRB starts and then either permit access or quit the process as necessary. Once approval is obtained via Slack, the console session proceeds as usual.

$ rails console
✅ Request to run rails console approved by manager@company.com
Loading production environment (Rails 6.1.3.1)
irb(main):001:0>

Otherwise, if the approval request is denied or times out per the configured settings, rails-approvals exits the process entirely, requiring the user to go through the approval process again.

$ rails console
🛑 Request to run rails console denied by manager@company.com

rails-approvals uses the Rails::Approvals::Request model contained within the bundled Rails engine to track all approval requests. The model tracks the following attributes:

  • requester: The user who triggered the approval request. rails-approvals attempts to obtain the requesting user from the $USER environment variable, as long as it is not root or a default machine user such as ec2-user.
  • reason: The reason the user is requesting access to a production console. The requirement to provide a reason is configurable.
  • responder: The user in Slack who responded to the approval request.
  • command: The command the user executed. This will usually be rails console, but when additional arguments are provided they are recorded as well.
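To make the lifecycle and the tracked attributes above concrete, here is an added Ruby example (not the gem's own code) that models the blocking step the Railtie console hook runs: it decides whether the environment needs approval, attributes the request to $USER while rejecting root and ec2-user, polls a stand-in for the Slack round-trip, and fails closed on denial or timeout. The ConsoleApproval module, its method names and the ask callback are constructed for this example; the only interface the post shows for the real gem is Rails::Approvals.start!.

```ruby
module ConsoleApproval
  # Attributes the post says Rails::Approvals::Request records.
  Request = Struct.new(:requester, :reason, :command, :responder, :status, keyword_init: true)

  # Identities never accepted as the requester (root or a default machine user).
  REJECTED_USERS = %w[root ec2-user].freeze

  # Production always needs approval; extra_envs lists any other environments configured to.
  def self.approval_required?(rails_env, extra_envs: [])
    (["production"] + extra_envs).include?(rails_env)
  end

  # Derive the requester from $USER; nil means the request cannot be attributed to a person.
  def self.requester_from_env(env)
    user = env["USER"].to_s
    user.empty? || REJECTED_USERS.include?(user) ? nil : user
  end

  # Blocking approval step. `ask` is a constructed stand-in for the Slack round-trip: it is
  # polled up to `max_polls` times and returns [responder, :approved | :denied], or nil when
  # nobody has answered yet. The finished Request is returned; the caller maps it to an exit code.
  def self.start!(command:, rails_env:, env:, ask:, reason: nil, extra_envs: [],
                  require_reason: true, max_polls: 3)
    req = Request.new(command: command, status: :requested)
    return req.tap { |r| r.status = :not_required } unless approval_required?(rails_env, extra_envs: extra_envs)
    req.requester = requester_from_env(env)
    return req.tap { |r| r.status = :unknown_requester } if req.requester.nil?
    req.reason = reason
    return req.tap { |r| r.status = :reason_required } if require_reason && reason.to_s.strip.empty?
    max_polls.times do
      answer = ask.call(req)
      next if answer.nil?                 # still waiting on Slack
      req.responder, req.status = answer
      return req
    end
    req.tap { |r| r.status = :timed_out } # fail closed: silence is not an approval
  end

  # Only a recorded approval (or an environment that needs none) lets the console start.
  def self.exit_code(req)
    %i[approved not_required].include?(req.status) ? 0 : 1
  end

  # Mirrors the approved/denied lines shown in the post's terminal transcripts.
  def self.outcome_message(req)
    case req.status
    when :approved  then "✅ Request to run #{req.command} approved by #{req.responder}"
    when :denied    then "🛑 Request to run #{req.command} denied by #{req.responder}"
    else "Request to run #{req.command} blocked: #{req.status}"
    end
  end
end
```

In a real Railtie hook the caller would print outcome_message and call Kernel#exit with exit_code whenever it is non-zero, which is the behaviour the post describes for denied and timed-out requests.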

What's the difference between rails-approvals and cased-rails?

rails-approvals contains a subset of the features available in the cased-rails gem, which is powered by Cased. cased-rails can additionally:

  1. Require the requesting user to identify themselves using your organization's identity provider (Okta, Google, SAML, OpenID Connect, etc.).
  2. Automatically approve requests if the requesting user is on-call for a particular PagerDuty escalation policy.
  3. Restrict who can respond to approval requests to a particular group in your organization, such as Engineering or Managers.
  4. Provide comprehensive audit logging around approval requests.
  5. Offer an easy-to-use online interface to configure approval workflows.

If you'd like the enhanced approval workflow controls described above, be sure to check out the blog post we've published on cased-rails. Additionally, you can schedule a demo or send us an email at team@cased.com, and we'd be happy to learn about your needs.