OK,

I've implemented the first bits of a customizable authentication and
authorization system in Cobbler (0.7.x branch), that should be adaptable
to most complex workflows.

In other words, you can now define who gets to log in, in your own way,
and who gets to do what -- whether that means Kerberos/LDAP (FreeIPA?),
htdigest/all access, something built on PolicyKit, or something you have
in house. (I still need to write some plugins for some of these --
contributions welcome!)

The WebUI also now uses mod_python, which allows us to do some nifty
tricks like using the same auth system on the frontend as with the web
service. That's perhaps less interesting though...

Start of documentation on this here:
https://hosted.fedoraproject.org/projects/cobbler/wiki/CustomizableSecurity

The main advantage to people who don't care about the above is that
WebUI setup is a few steps simpler now:
https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerWebInterface

You'll notice some permissions-based steps are gone, and there's one
less authentication file to set up.

The other simple change I want to make is to allow the Web UI to log
directly in the Apache error logs, so it will be even easier to tell
what's going on. It does some of this directly, but it can log more
information, and that's the first place people generally look for
web-based errors anyway.

We've also talked here about having logging also be module-based, so
finer-grained logging from the XMLRPC layer and the command line is
in the works too, after this gets polished up some more.

So Cobbler's growing up... and hopefully this will make it a lot more
usable in larger configurations where the idea of a few admins having
full access doesn't quite solve your administration problems. If
you're just a small installation that doesn't care about this kind of
thing, Cobbler will of course not force any of this on you... which is
also a good thing.

Thoughts welcome.

--Michael
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools