[et-mgmt-tools] Cobbler and the ownership module, question about policies?

Bryan Kearney bkearney at redhat.com
Tue Apr 1 12:39:43 UTC 2008 


Michael DeHaan wrote:
> So,
> 
> Warning -- technical email :)
> 
> I have a pretty good ownership module going for Cobbler now 
> (https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization), that 
> allows you to say that objects are owned by certain users and/or groups, 
> and prevents users not in those groups (except for an admin group) to be 
> able to edit those objects.   This is designed for very large 
> organizations that may want lab admins to control certain profiles, but 
> not all of them (for instance, a build lab versus a test lab versus a 
> production datacenter, etc).
> In this implementation, users in the admin group have access to all 
> objects always, and by default all objects are created with no editing 
> restrictions unless the creator decides to lock them down.      The 
> command line has none of these restrictions so you can always 
> recover/reconfigure things with root if you find you've somehow locked 
> yourself out.   (It's also coded up so you can't use the WebUI to remove 
> your own access from an object).
> 
> There are a couple of policy questions for this dealing with some of the 
> corner cases.
> 
> (A) What to do about kickstart editing in the WebUI.   This is the "fun" 
> corner case to figure out.
> 
> The WebUI contains a very basic kickstart template editor (it's just a 
> text field for now). 
> Possible Answer1? I think the solution is that a kickstart template file 
> can be edited if the user editing it is allowed to edit ALL 
> profiles/systems making use of it.  This is a bit of a catch 22 as it 
> would be possible to create a system using a template file, just for the 
> purpose of making that user not be able to edit it.  This shouldn't 
> happen but is technically possible.
> Possible Answer2 -- If you're not in the admin group, you can't edit 
> kickstart template files at all.
> 
> Possible Answer3 -- Remove kickstart editing from the WebUI, and 
> encourage users to create kickstart templates where they have filesystem 
> access (i..e their home directories)

For testing, I have liked the ability to edit he ks file and not need to 
log into the box. If possible, please keep it. It may be heinous, but is 
there a model where each ks has a security item associated to it (e.g. a 
role) or ks files can be grouped and a role associated to the group?
> 
> ----
> 
> (B) What do to about "orphanage".
> 
> If UserA owns ProfileA, and UserB owns SystemB, which depends on 
> ProfileB, what happens if UserA wants to delete ProfileA?
> 
> Answer?   The profile cannot be deleted.
> 
> If UserA owns ProfileA, and UserB owns SubprofileB, what happens when 
> UserA wants to delete ProfileA?
> 
> Answer?   I think the answer is Subprofile B is promoted to a full 
> profile with all of the inherited fields set to the values of Profile A.
> However this is complicated and confusing so "No deletion allowed" may 
> be the better route.

First cut, no delete. Every time i have used nested profiles it was 
becuase I had nested logic in the kickstart file. So. promoting a 
subprofile would cause the subprofile to break.
> 
> ---
> 
> (C) FYI...
> 
> Everyone is allowed to run "cobbler sync" if they can authenticate.  I 
> don't think this should be a problem.
> 
> Also, if you're in, you can read everything, you just might not be able 
> to /write/ everything.   This also should not be a problem as provisioning
> data is basically public if you want to use it in a Fully Automated 
> Context anyway.
> 
> Currently settings, modules.conf, and users.conf can't be edited through 
> the WebUI as that's a really good way to lock yourself out of the WebUI
> altogether :)
> 
> ---
> 
> Any thoughts on the above from those who have a vested interest in 
> controlling access to cobbler objects through the WebUI?
> Remember this is all off by default and is only there if you want it -- 
> but if you want it, I want to make sure this fits your organizational 
> needs.
> 
> --Michael
> 
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools

More information about the et-mgmt-tools mailing list