Re: cobbler support for users & tags

Al Tobey wrote:
> The attached patch is the first step towards an authorization system
> for cobbler. It only adds tags for systems and user support. The
> tags do nothing yet, but will come into play with later patches.
>
> Michael, you can apply if you want or do the sensible thing and wait
> until this does something useful. I'll try to push my branch to the
> public repository later if people want to try that rather than
> patches.
>
> The authorization support I have in mind uses these generic tags to
> grant users access to systems and profiles. I think profiles will
> have inheritable tags, but will not be editable by non-superuser
> users, since this is probably what most people want. Basically, if
> a user has a tag that a system (or its upstream profile(s)) also has,
> they have r/w access. Otherwise, it's a deny-all policy. Users
> can be granted superuser access with the --superuser flag which is
> only available on the CLI for now.
>
> It looks like it will be really easy to support authorization in both
> the webui and CLI. The CLI support will come via sudo and its
> SUDO_USER environment variable. That way users can be given access
> to run the CLI as root, but only for given systems. It will be up to
> each sysadmin out there to determine whether they want to risk giving
> sudo access to cobbler as root and trust cobbler's code.
>
> I'm definitely open to discussion about how the authorization stuff
> plays out. Right now I'm sticking to the KISS principle and trying
> to keep things very flexible.
>
> -Al

I'm wanting to work with the FreeIPA folks some rather than build a lot of infrastructure ourselves here. http://freeipa.org/page/Main_Page -- which is on my list to investigate more fully in the coming weeks.

We probably do want to keep the user/group requirements stored in Cobbler, but how that plays out in the greater whole I am not entirely sure yet.

Keeping things in generic tags is a good way to keep options open, though I'm hesitant to implement a Cobbler-specific auth model at this point, given we can possibly leverage other projects and the RFE list is already quite large. I really would like to see more of those core items dealt with first. (https://hosted.fedoraproject.org/projects/cobbler/report/)

A good suggestion submitted by others would be to have a way to request a Cobbler edit through the WebUI and be able to have an admin level user approve it. This may imply a slightly variant CGI that allows users to pick a system or create a new one and have their edits go into a queue. That sort of approach may also keep us from having to build/maintain a lot of auth/user/group infrastructure.

--Michael

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
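
Added example (not part of either message, Al's patch, or the Cobbler code base): one way to express the tag rule from the quoted message in Python, with tags inherited from upstream profiles, a deny-all default, superuser-only profile edits, and the CLI caller taken from SUDO_USER. All class and function names are hypothetical; denying when SUDO_USER is unset or unknown, and trusting it only when the process runs as root, are assumptions.

```python
import os
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    tags: frozenset = frozenset()
    parent: "Profile | None" = None   # upstream profile, if any

@dataclass
class System:
    name: str
    profile: Profile
    tags: frozenset = frozenset()

@dataclass
class User:
    name: str
    tags: frozenset = frozenset()
    superuser: bool = False

def effective_tags(system):
    """Tags set on the system plus those inherited from its profile chain."""
    tags, seen, profile = set(system.tags), set(), system.profile
    while profile is not None and id(profile) not in seen:  # stop on cycles
        seen.add(id(profile))
        tags |= profile.tags
        profile = profile.parent
    return tags

def calling_user(users, environ=None, euid=None):
    """Map SUDO_USER to a known user; anything else resolves to None."""
    environ = os.environ if environ is None else environ
    euid = os.geteuid() if euid is None else euid
    if euid != 0:   # assumption: SUDO_USER is only trusted when running as root
        return None
    return users.get(environ.get("SUDO_USER", ""))

def can_edit_system(user, system):
    if user is None:
        return False                      # deny-all default
    if user.superuser:
        return True
    return bool(user.tags & effective_tags(system))

def can_edit_profile(user):
    return user is not None and user.superuser   # profiles: superuser only
```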
