[et-mgmt-tools] Re: Cobbler Authorisation
Subhendu Ghosh
sghosh at redhat.com
Fri Nov 9 04:39:55 UTC 2007
Michael DeHaan wrote:
> Al Tobey wrote:
>> On Nov 8, 2007 5:00 AM, Dan Dengate wrote:
>>
>>> Hi Al,
>>>
>>> I should introduce myself first. My name is Dan, I'm based at ...,
>>> working on Unix Installation tools. We are currently working on a
>>> project to rewrite our existing install infrastructure and have been
>>> considering, along with others (existing, and off the shelve), cobbler
>>> for our needs.
>>>
>>> Cobbler is giving us a lot of stuff for free, but for it to succeed it
>>> obviously has to fit all our requirements, or be easily extended for our
>>> environment, as well as sustainable in the future.
>>>
>>> I'm aware that you're currently working on authorization, which is one
>>> our first areas to tackle. It's probably best to discuss this now,
>>> before things start to head in one direction.
>>>
>>> In simple, are requirements are as follows:
>>>
>>> [1] Only certain users should be able to add (remove, edit, etc)
>>> distributions.
>>>
>>> [2] Only certain users should be able to add (remove, edit, etc)
>>> profiles.
>>>
>>> [3] Only the correct "owner" of a system should be able to touch a given
>>> system.
>>>
>>>
>>> What we'd ideally like to do is keep aware from administering any user
>>> information. There are plenty of databases around with all the
>>> information we could ever need.
>>>
> This seems to lend itself to further leveraging "modules" in cobbler.
> Right now the modules
> system allows for trading out serialization modules, and we could extend
> this to also allow trading
> out authorization modules. This allows things to be expanded for
> various environments that are
> relatively diverse without installing something in core that may not be
> the best fit for everyone.
>
>>
>> Hopefully that'll be easy to accomplish with plugins and/or scripts to
>> auto-populate cobbler's users.
>>
>>
>>> One ideal solution would be to limit who can add a distribution [1] and
>>> profiles [2] based on maybe, the users Kerberos credentials.
>>>
>>
>> The way I've thought about it, we mostly care about systems, since
>> profiles and distributions should be maintained by superusers.
>> Obviously, I'm wrong ;) I'd like to hear more about how you see
>> Cobbler working in your shop as a kind of use-case if you have a need
>> for users to administer distros & profiles.
>>
>
> An auth module could provide something look like
>
> verify(user, pass,cobbler_object) -> True | False
>
> Again, the default auth module (in /etc/cobbler/modules.conf) would be
> auth_none, which would describe
> the present system.
>
>>
>>> So there would be a group of people, bob at FOO.COM, john at FOO.COM... listed
>>> somewhere, like .klogin for example. Bob or John would log on to the
>>> install server and have access to distribution management.
>>>
>>> ...or something along those lines...
>>>
>>> With regard to [3], it gets slightly more confused. For example, we have
>>> a network database which details all the devices on the network, and
>>> maps the device to a responsible and/or main user.
>>>
>>
>> This could be pulled into cobbler via triggers or some kind of backend
>> data adapter. For instance, the user code I implemented uses
>> Cobbler's serializer which Michael has conveniently made pluggable.
>> All you'd need to do is write a plugin to pull & map users from your
>> database rather than Cobbler's files.
>>
>
> Seems like we are on the same page :)
>
>> Other users have requested to be able to do this for systems too,
>> specifically against LDAP servers that already have all their system
>> information.
>>
>>
>>> This checking and auth or denying is easy, but how this can map into
>>> Cobbler is where I'm becoming stuck. Originally my idea was to rely on
>>> the Triggers, to check the database and make a decision, returning 1 for
>>> yes user is ok, so they can do stuff, returning zero if they're a
>>> fraudster.. but in talking this through with Michael a little bit, I'm
>>> beginning to move away from this.
>>>
>>> So, there's a lot to take in there.
>>>
>>> I've read the mailing list about the tags. If I understand them
>>> correctly, if a system has a tag 'Dan', only Dan can do stuff with the
>>> object(s) that have that tag? That right.
>>>
>>
>> That's pretty close. If a system or its profile has "Dan" and the
>> user has the tag "Dan", then that user has access to the system.
>>
>> The main problem with my tagging approach is that it requires that you
>> be careful about what tags users/systems/profiles get or you could
>> accidentally grant access to things by accident. That's true of
>> any system, but especially easy with something as fast and loose as
>> tag-based authorization.
>>
>
> The above module approach could leave the permissions infrastructure
> completely out
> of cobbler... so it could optionally look at tags, or it might just be a
> yes/no sort of thing
> based on the type of object ... depending on what the site wanted to
> implement. The main
> thing we'd want is to not require setup of /anything/ for the core
> install to work and make
> it easy enough for a complex site install to adapt to their needs.
>
>>
>>> The idea that sysadmins give root access to users for certain machines,
>>> although is principle is ok, and I'm sure the protection is there, it
>>> just doesn't "feel" right. It feels like we would have to maintain a
>>> list of sudo users..
>>>
>>
>> I'm pretty sure just about any system in cobbler will require sudo to
>> get user-based authorization correct. I'm mainly concentrating on
>> the webui, but noticed that the same code could probably support the
>> CLI via SUDO_USER where the webui would use REMOTE_USER. Maybe it
>> might be worth looking into having a reduced version of the CLI tool
>> that uses XMLRPC like the webui so it doesn't have to run as root.
>> That would make things a bit more interesting ;)
>>
>
> I'd like to leave the complexity out of the command line invocations.
>
> We should be thinking about web services, for which the command line can
> be a client.
>
>
>>
>>> So in conclusion, where is Cobbler going with regard to authorisation
>>> now?
>>>
>>
>> Michael's in requirements gathering phase, AFAIK. I'm just throwing
>> together prototypes to see what's easy. Once we figure out an
>> approach that works for most people, it'll probably fall together
>> pretty quickly.
>>
>>
> Yep... seeing what people want, and how best to do it.
>
> Ultimately I like the modules approach best, and in general, I intend to
> expand
> cobbler to be more modular in this regard as well. For instance, as the
> command line
> is expanded, each function in the command line might be a module, making
> it easier
> for folks to custom commands outside the core.
>
> Modules also the advantage of being able to trade cobbler objects, which
> the triggers
> don't have. Triggers aren't going away though, they are simple, and
> simple can be good.
> For something like an email notification, that's all you need.
>
>>> Michael says he's looking at the IPA stuff, which doesn't seem all that
>>> bad, but how it fits together, I've no idea.
>>>
>>
>> It looks like a nice suite, but I don't think people would appreciate
>> cobbler being hooked too tightly to any single system, since near 100%
>> of users already have some kind of system in place. I also don't
>> think they're providing much in the way of API's yet (could be wrong),
>> which is really what we'd want.
>>
>
> It's just investigation. If anything this would be "we can have a
> module that
> hooks into kerb" at most. It most certaintly would not be required,
> the standard
> behavior is to keep things working like they work now, and for things to
> be very
> simple to setup up. That's incredibly important for a large portion of
> the cobbler
> install base.
>
>> The webui is already pretty trivial to put behind kerberos for
>> authentication using any number of Apache modules, as of 0.6.3.
>> Authorization will be trickier, since that's often done using some
>> kind of LDAP or SQL scheme. Cobbler is trying to stay agnostic
>> towards databases, which is a nice idea, but leaves us on our own for
>> implementing an auth system - we can't just borrow somebody else's
>> wholesale.
>>
> Seems like where you'd want to hook into kerb to me.
>
>> I've considered extending the webui's usage of PATH_INFO so that it'll
>> be easier to have apache modules implement authorization behind
>> Cobbler's back, similar to how you can have sudo parse command line
>> options. For instance, you could do:
>>
>> dan localhost=/usr/bin/cobbler system edit --name=dan_workstation
>> bob localhost=/usr/bin/cobbler system edit --name=bob_workstation
>>
>> This is hacky though and a PITA to administer, though it wouldn't be
>> too bad if you autogenerated it from a database. Instead I'd like
>> to see:
>> dan localhost=/usr/bin/cobbler
>>
>> And have cobbler check if "dan" has edit access on "dan_workstation".
>>
>> That raises a couple more questions:
>>
>> 1. Do we only care about write access?
>>
>
> Yes.
>
>> 2. Does anybody have a need to grant read access to only parts of
>> cobbler?
>>
>
> Assume no. The permissions on all the files in the kickstart
> directories are world readable, as needed
> by Anaconda.
>
>> 3. Please tell us if you would have use for user-based authorization
>> in the cobbler CLI. If we only care about the webui, completely
>> different approaches can be taken.
>>
>
> Anything we do needs to be done at the services layer, not with just
> respect for the Web UI or the CLI. This enables
> remote command lines and integration with other services.
>>
One other aspect to authorization that I would add is logging and reporting -
who did what and when. This could be achieved by wrappers in the actions and
pluggable modules to some cobbler/syslog facilities.
I can think of all the sarbox audits that clients go thru on the patching
side, don't see how this would be any different.
-regards
Subhendu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sghosh.vcf
Type: text/x-vcard
Size: 266 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/et-mgmt-tools/attachments/20071108/850ce2a9/attachment.vcf>
More information about the et-mgmt-tools
mailing list