[et-mgmt-tools] Re: cobbler support for users & tags

Michael DeHaan mdehaan at redhat.com
Mon Nov 5 17:37:48 UTC 2007


Al Tobey wrote:
> The attached patch is the first step towards an authorization system
> for cobbler.    It only adds tags for systems and user support.   The
> tags do nothing yet, but will come into play with later patches.
>
> Michael, you can apply if you want or do the sensible thing and wait
> until this does something useful.    I'll try to push my branch to the
> public repository later if people want to try that rather than
> patches.
>
> The authorization support I have in mind uses these generic tags to
> grant users access to systems and profiles.     I think profiles will
> have inheritable tags, but will not be editable by non-superuser
> users, since this is probably what most people want.    Basically, if
> a user has a tag that a system (or its upstream profile(s)) also has,
> they have r/w access.   Otherwise, it's a deny-all policy.    Users
> can be granted superuser access with the --superuser flag which is
> only available on the CLI for now.
>
> It looks like it will be really easy to support authorization in both
> the webui and CLI.   The CLI support will come via sudo and its
> SUDO_USER environment variable.   That way users can be given access
> to run the CLI as root, but only for given systems.   It will be up to
> each sysadmin out there to determine whether they want to risk giving
> sudo access to cobbler as root and trust cobbler's code.
>
> I'm definitely open to discussion about how the authorization stuff
> plays out.   Right now I'm sticking to the KISS principle and trying
> to keep things very flexible.
>
> -Al
>   
I'm wanting to work with the FreeIPA folks some rather than build a lot 
of infrastructure ourselves here.
http://freeipa.org/page/Main_Page -- which is on my list to investigate 
more fully in the coming weeks.

We probably do want to keep the user/group requirements stored in
Cobbler, but how that plays out in the greater whole I am not entirely
sure yet.

Keeping things in generic tags is a good way to keep options open,
though I'm hesitant to implement a Cobbler-specific auth model at this
point, given we can possibly leverage other projects and the RFE list is
already quite large. I really would like to see more of those core
items dealt with first.
(https://hosted.fedoraproject.org/projects/cobbler/report/)

A good suggestion submitted by others would be to have a way to request
a Cobbler edit through the WebUI and be able to have an admin level
user approve it. This may imply a slightly variant CGI that allows
users to pick a system or create a new one and have their edits go into
a queue. That sort of approach may also keep us from having to
build/maintain a lot of auth/user/group infrastructure.

--Michael
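
The tag-based check described in the quoted proposal, as an added example that is not part of the original message or of the patch: a user gets r/w on a system when they share a tag with it or with its upstream profile(s), superusers bypass the check, and everything else is denied. The User/Profile/System classes, the function names and the sample data are assumptions, as is treating an unset or unknown SUDO_USER as a denial.

```python
from dataclasses import dataclass

# Hypothetical data model; none of these names come from the patch.
@dataclass(frozen=True)
class User:
    name: str
    tags: frozenset = frozenset()
    superuser: bool = False        # what the --superuser flag would set

@dataclass(frozen=True)
class Profile:
    tags: frozenset = frozenset()
    parent: str = None             # upstream profile name, if any

@dataclass(frozen=True)
class System:
    profile: str
    tags: frozenset = frozenset()

def effective_tags(system, profiles):
    """System tags plus tags inherited from its upstream profile chain."""
    tags, seen, name = set(system.tags), set(), system.profile
    while name in profiles and name not in seen:   # 'seen' ends a parent cycle
        seen.add(name)
        tags |= profiles[name].tags
        name = profiles[name].parent
    return tags

def can_edit_system(user, system, profiles):
    """Superuser or any shared tag gives r/w; everything else is denied."""
    if user is None:
        return False
    return user.superuser or bool(user.tags & effective_tags(system, profiles))

def can_edit_profile(user):
    """Profiles are not editable by non-superuser users."""
    return user is not None and user.superuser

def cli_user(users, environ):
    """Map sudo's SUDO_USER to a known user; unset or unknown yields None."""
    return users.get(environ.get("SUDO_USER"))

# Constructed sample data.
PROFILES = {"base": Profile(frozenset({"ops"})),
            "web": Profile(frozenset({"webteam"}), parent="base")}
USERS = {"alice": User("alice", frozenset({"ops"})),
         "bob": User("bob", frozenset({"dba"})),
         "root": User("root", superuser=True)}
WEB01 = System("web", frozenset({"rack12"}))
```

For a CLI run under sudo, the caller would pass os.environ to cli_user and hand the result to can_edit_system before touching the system record.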



