Michael DeHaan wrote:
So,
Warning -- technical email :)
I have a pretty good ownership module going for Cobbler now
(https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization),
that allows you to say that objects are owned by certain users and/or
groups, and prevents users not in those groups (except for an admin
group) from being able to edit those objects. This is designed for very
large organizations that may want lab admins to control certain
profiles, but not all of them (for instance, a build lab versus a test
lab versus a production datacenter, etc).
In this implementation, users in the admin group have access to all
objects always, and by default all objects are created with no editing
restrictions unless the creator decides to lock them down.
[snip]
So I have what we have currently implemented written up here:
https://fedorahosted.org/cobbler/wiki/AuthorizationWithOwnership
Comments/reviewers welcome. If you would like to test out this code,
or the LDAP code, see the "devel" branch in git.
If you're not familiar with git, there are some relevant commands at the
top of this page:
https://fedorahosted.org/cobbler/wiki/PatchProcess
This policy seems fairly reasonable to me and should allow Cobbler
server admins to offload a fair amount of work to people who own certain
labs/machines/profiles, without also making the UI terribly hard to
use. And, as mentioned before, the old "if you can log in, you're in"
policy is still the default... you do have to turn the ownership system
on. This is still in line for the 1.0 release, as are most likely
improvements to Kerberos support and the rest of the items here:
https://fedorahosted.org/cobbler/wiki/TheRoadmap
Thanks!
--Michael
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
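
The edit policy described in the message above, sketched as a decision function. This is an added example, not Cobbler's code: the names ManagedObject, authorize_edit and ADMIN_GROUP, the reason strings, and the sample users and groups are all assumptions made for illustration.

```python
from dataclasses import dataclass

ADMIN_GROUP = "admins"  # assumed name; the message only says "an admin group"


@dataclass(frozen=True)
class ManagedObject:
    """Hypothetical stand-in for a profile/system record with ownership data."""
    name: str
    # Users and groups are kept in separate sets so that a user whose login
    # happens to equal a group name is never treated as that group.
    owner_users: frozenset = frozenset()
    owner_groups: frozenset = frozenset()

    def is_locked(self):
        # Objects start with no owners, which means no editing restrictions.
        return bool(self.owner_users or self.owner_groups)


def authorize_edit(user, user_groups, obj, ownership_enabled):
    """Decide whether an already-authenticated user may edit obj.

    Returns (allowed, reason); the reason string is meant for an audit log.
    """
    if not ownership_enabled:
        # Default policy from the message: "if you can log in, you're in".
        return True, "ownership-disabled"
    if ADMIN_GROUP in user_groups:
        return True, "admin-group"
    if not obj.is_locked():
        return True, "no-owners-set"
    if user in obj.owner_users:
        return True, "owner-user"
    if obj.owner_groups & set(user_groups):
        return True, "owner-group"
    return False, "not-an-owner"


# Constructed sample objects (not taken from any real Cobbler server).
BUILD = ManagedObject("build-profile", owner_groups=frozenset({"buildlab"}))
TEST = ManagedObject("test-profile", owner_users=frozenset({"tina"}))
OPEN = ManagedObject("scratch-profile")

if __name__ == "__main__":
    for who, groups, obj in [("bob", ["buildlab"], BUILD), ("tina", ["testlab"], BUILD),
                             ("tina", ["testlab"], TEST), ("guest", [], OPEN)]:
        print(who, obj.name, authorize_edit(who, groups, obj, ownership_enabled=True))
```
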