[et-mgmt-tools] Re: et-mgmt-tools Digest, Vol 15, Issue 4

Dan Dengate dan.dengate at cern.ch
Mon Nov 5 07:54:07 UTC 2007 

On Sun, 2007-11-04 at 19:19 -0500, et-mgmt-tools-request at redhat.com
wrote:
> Send et-mgmt-tools mailing list submissions to
> 	et-mgmt-tools at redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.redhat.com/mailman/listinfo/et-mgmt-tools
> or, via email, send a message with subject or body 'help' to
> 	et-mgmt-tools-request at redhat.com
> 
> You can reach the person managing the list at
> 	et-mgmt-tools-owner at redhat.com
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of et-mgmt-tools digest..."
> 
> 
> Today's Topics:
> 
>    1. cobbler support for users & tags (Al Tobey)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 4 Nov 2007 16:19:19 -0800
> From: "Al Tobey" <tobert at gmail.com>
> Subject: [et-mgmt-tools] cobbler support for users & tags
> To: "Michael DeHaan" <mdehaan at redhat.com>,	"Fedora/Linux Management
> 	Tools" <et-mgmt-tools at redhat.com>
> Message-ID:
> 	<5ac7acb10711041619l4028a85fk29fb8a571af3a049 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> The attached patch is the first step towards an authorization system
> for cobbler.    It only adds tags for systems and user support.   The
> tags do nothing yet, but will come into play with later patches.
> 
> Michael, you can apply if you want or do the sensible thing and wait
> until this does something useful.    I'll try to push my branch to the
> public repository later if people want to try that rather than
> patches.
> 
> The authorization support I have in mind uses these generic tags to
> grant users access to systems and profiles.     I think profiles will
> have inheritable tags, but will not be editable by non-superuser
> users, since this is probably what most people want.    Basically, if
> a user has a tag that a system (or its upstream profile(s)) also has,
> they have r/w access.   Otherwise, it's a deny-all policy.    Users
> can be granted superuser access with the --superuser flag which is
> only available on the CLI for now.
> 
> It looks like it will be really easy to support authorization in both
> the webui and CLI.   The CLI support will come via sudo and its
> SUDO_USER environment variable.   That way users can be given access
> to run the CLI as root, but only for given systems.   It will be up to
> each sysadmin out there to determine whether they want to risk giving
> sudo access to cobbler as root and trust cobbler's code.

...any tips for persuading others that this is ok?

> 
> I'm definitely open to discussion about how the authorization stuff
> plays out.   Right now I'm sticking to the KISS principle and trying
> to keep things very flexible.
> 
> -Al
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: 0001-Add-users-and-tags.patch
> Type: text/x-patch
> Size: 57804 bytes
> Desc: not available
> Url : https://www.redhat.com/archives/et-mgmt-tools/attachments/20071104/a3248fd9/0001-Add-users-and-tags.bin
> 
> ------------------------------
> 
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
> 
> End of et-mgmt-tools Digest, Vol 15, Issue 4
> ********************************************

More information about the et-mgmt-tools mailing list