[et-mgmt-tools] Re: cobbler support for users & tags
Michael DeHaan
mdehaan at redhat.com
Mon Nov 5 17:37:48 UTC 2007
Al Tobey wrote:
> The attached patch is the first step towards an authorization system
> for cobbler. It only adds tags for systems and user support. The
> tags do nothing yet, but will come into play with later patches.
>
> Michael, you can apply if you want or do the sensible thing and wait
> until this does something useful. I'll try to push my branch to the
> public repository later if people want to try that rather than
> patches.
>
> The authorization support I have in mind uses these generic tags to
> grant users access to systems and profiles. I think profiles will
> have inheritable tags, but will not be editable by non-superuser
> users, since this is probably what most people want. Basically, if
> a user has a tag that a system (or its upstream profile(s)) also has,
> they have r/w access. Otherwise, it's a deny-all policy. Users
> can be granted superuser access with the --superuser flag which is
> only available on the CLI for now.
>
> It looks like it will be really easy to support authorization in both
> the webui and CLI. The CLI support will come via sudo and its
> SUDO_USER environment variable. That way users can be given access
> to run the CLI as root, but only for given systems. It will be up to
> each sysadmin out there to determine whether they want to risk giving
> sudo access to cobbler as root and trust cobbler's code.
>
> I'm definitely open to discussion about how the authorization stuff
> plays out. Right now I'm sticking to the KISS principle and trying
> to keep things very flexible.
>
> -Al
>
I'm wanting to work with the FreeIPA folks some rather than build a lot
of infrastructure ourselves here.
http://freeipa.org/page/Main_Page -- which is on my list to investigate
more fully in the coming weeks.
We probably do want to keep the user/group requirements stored in
Cobbler, but how that plays out in the greater whole I am not entirely
sure yet.
Keeping things in generic tags is a good way to keep options open,
though I'm hesitant to implement a Cobbler-specific auth model at this
point, given we can possibly leverage other projects and the RFE list is
already quite large. I really would like to see more of those core
items dealt with first.
(https://hosted.fedoraproject.org/projects/cobbler/report/)
A good suggestion submitted by others would be to have a way to request
a Cobbler edit through the WebUI and be able to have
an admin level user approve it. This may imply a slightly variant CGI
that allows users to pick a system or create a new one and have their
edits go into a queue. That sort of approach may also keep us from
having to build/maintain a lot of auth/user/group infrastructure.
--Michael
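
Added example (not part of the original thread, and not code from Cobbler or from Al's patch): a sketch of the tag-matching rule described in the quoted proposal, with deny-all as the default, profile tags inherited by systems, profiles editable by superusers only, and the CLI caller taken from SUDO_USER. All class and function names are hypothetical, and trusting SUDO_USER only when the effective UID is 0 is an assumption added here, since the variable can be set freely by a caller who did not go through sudo.

```python
# Added illustration; User, Profile, System, effective_tags, can_edit and
# caller_name are hypothetical names, not Cobbler APIs.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    tags: frozenset = frozenset()
    superuser: bool = False


@dataclass
class Profile:
    name: str
    tags: frozenset = frozenset()
    parent: Optional["Profile"] = None


@dataclass
class System:
    name: str
    profile: Profile
    tags: frozenset = frozenset()


def effective_tags(system):
    """System tags plus tags inherited from every upstream profile."""
    tags, seen, p = set(system.tags), set(), system.profile
    while p is not None and id(p) not in seen:  # guard against parent cycles
        seen.add(id(p))
        tags |= p.tags
        p = p.parent
    return tags


def can_edit(user, obj):
    """r/w decision; anything not explicitly allowed is denied."""
    if user is None:
        return False
    if user.superuser:
        return True
    if isinstance(obj, Profile):  # assumed: profiles are superuser-only
        return False
    return bool(user.tags & effective_tags(obj))


def caller_name(environ, euid, login):
    """Trust SUDO_USER only when sudo actually elevated the process to root."""
    if euid == 0 and environ.get("SUDO_USER"):
        return environ["SUDO_USER"]
    return login
```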