[et-mgmt-tools] Cobbler gets pluggable authentication/authorization (devel branch)

Michael DeHaan mdehaan at redhat.com
Wed Dec 5 21:21:40 UTC 2007


Ok,

I've implemented the first bits of a customizable authentication and 
authorization system in Cobbler (0.7.x branch), that should be adaptable 
to most complex workflows. 

In other words, you can now define who gets to log in, in your own way, 
and who gets to do what -- whether that means Kerberos/LDAP (FreeIPA?), 
htdigest/all access, something built on PolicyKit, or something you have 
in-house. (I still need to write some plugins for some of these -- 
contributions welcome!)

The WebUI also now uses mod_python, which allows us to do some nifty 
tricks like using the same auth system on the frontend as with the web 
service. That's perhaps less interesting though...

Start of documentation on this here:

https://hosted.fedoraproject.org/projects/cobbler/wiki/CustomizableSecurity

The main advantage to people who don't care about the above is that 
WebUI setup is a few steps simpler now:

https://hosted.fedoraproject.org/projects/cobbler/wiki/CobblerWebInterface

You'll notice some permissions-based steps are gone, and there's one 
less authentication file to set up.

The other simple change I want to make is to allow the Web UI to log 
directly in the Apache error logs, so it will be even easier to tell 
what's going on. It does some of this directly, but it can log more 
information, and that's the first place people generally look for 
web-based errors anyway.

We've also talked here about having logging also be module-based, so 
finer-grained logging from the XMLRPC layer and the command line is 
in the works too, after this gets polished up some more.

So Cobbler's growing up... and hopefully this will make it a lot more 
usable in larger configurations where the idea of a few admins having 
full access doesn't quite solve your administration problems. If 
you're just a small installation that doesn't care about this kind of 
thing, Cobbler will of course not force any of this on you... which is 
also a good thing.

Thoughts welcome.

--Michael