[et-mgmt-tools] Thoughts on Cobbler authorization/authentication and access levels in your organization?

Michael DeHaan mdehaan at redhat.com
Mon Nov 26 18:05:48 UTC 2007


Hi folks,

I'm getting ready to add support for user-level authentication/authorization to Cobbler. While I am going to implement this using Cobbler modules to make it completely customizable in terms of tools and policy, it would be nice if most things "just worked" too, so this is where the call for user opinions comes in. If you have a large organization, how do you want Cobbler to work in that organization? For many people the answer is just "let the admins have full control", which is fine, though I know many of you want finer grained access. That's what I want to enable. We don't want to require a specific workflow, but do want to enable the ones that need to exist.

So ... at this point, it's important to understand the ways different people would want to use this, so that we make sure the right things are there and possible. There are two aspects to this.

(1) What sort of policy do folks need ... what does a multi-user cobbler workflow look like?
(2) What sorts of existing authentication/authorization systems are already in place, or want to be used* (i.e. kerberos, etc). How do you want to maintain user/group information (LDAP, etc?).

The simplest example use case (that we have now) looks like this:

(A) Admins X, Y, and Z all have different passwords and can do anything.

What I see as the more corporate use case looks something like this:

(A) Dave and Sammy work for the central IT group of ACME Corp. They create distros and profiles for other people to use, including production boxes.
(B) Gary is an admin for Lab A. He can inherit from profiles created by Dave/Sammy, or make up his own. He can also add systems.
(C) Eddie is an admin for Lab B. He can also do the same kinds of things as Gary, but cannot muck with Gary's configurations.
(D) Alex is an ordinary user. He can use koan against any existing profiles, and can PXE boot, and possibly edit just the profile setting of the systems that he owns (if any).

Now there is a /slight/ problem if Gary adds a MAC address that isn't in Eddie's lab, but that should be something an admin can fix.

Anyhow, if you have opinions/comments on how you might want to grant tiered access in Cobbler, now is the time to speak up! This is just as much for the WebUI as it is for the software in general, so if you were building another web app on Cobbler that gave a simpler view to users, or so on, it could use these things also.

(Replying offline with technical/organizational details is totally fine. The more detail I can get the better ... and I'll try to summarize all of these later).

--Michael
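
The tiered use case (A)-(D) in the message above, expressed as a default-deny policy check. This is an added example, not part of the original message and not Cobbler code; the role names, `Principal`, `Obj` and `authorize` are hypothetical, and anything the message leaves unspecified (for instance central IT editing lab-owned objects, or lab admins creating distros) is denied.

```python
from dataclasses import dataclass

# Hypothetical role names modelled on the (A)-(D) use case; not Cobbler's API.
CENTRAL, LAB_ADMIN, USER = "central_it", "lab_admin", "user"

@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    group: str = ""          # "central" or a lab name; empty for ordinary users

@dataclass(frozen=True)
class Obj:
    kind: str                # "distro", "profile" or "system"
    owner_group: str         # group that created (or will own) the object
    owner_user: str = ""     # set on systems assigned to an ordinary user

def authorize(who, action, obj, field=None):
    """Return True only when the (A)-(D) policy explicitly allows the action.

    Actions (assumed vocabulary): "use" (koan / PXE), "inherit", "create", "edit".
    """
    if action == "use":
        return True          # (D): anyone may use existing profiles
    own = obj.owner_group == who.group
    if who.role == CENTRAL:
        # (A): central IT maintains its own distros and profiles.
        return own and obj.kind in ("distro", "profile")
    if who.role == LAB_ADMIN:
        if action == "inherit":
            # (B): inherit from central profiles or the lab's own.
            return obj.kind == "profile" and (own or obj.owner_group == "central")
        # (B)/(C): create or edit profiles and systems, but only in their own lab.
        return own and obj.kind in ("profile", "system")
    if who.role == USER:
        # (D): edit just the profile setting of systems the user owns.
        return (action == "edit" and obj.kind == "system"
                and obj.owner_user == who.name and field == "profile")
    return False             # unknown role: deny

# Constructed sample principals and objects.
dave = Principal("dave", CENTRAL, "central")
gary = Principal("gary", LAB_ADMIN, "lab_a")
eddie = Principal("eddie", LAB_ADMIN, "lab_b")
alex = Principal("alex", USER)
base_profile = Obj("profile", "central")
gary_profile = Obj("profile", "lab_a")
alex_system = Obj("system", "lab_a", owner_user="alex")
```
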



