[et-mgmt-tools] Cobbler and the ownership module, question about policies?
Michael DeHaan
mdehaan at redhat.com
Tue Apr 1 16:08:35 UTC 2008
Bryan Kearney wrote:
>
>
> Michael DeHaan wrote:
>> So,
>>
>> Warning -- technical email :)
>>
>> I have a pretty good ownership module going for Cobbler now
>> (https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization),
>> that allows you to say that objects are owned by certain users and/or
>> groups, and prevents users not in those groups (except for an admin
>> group) to be able to edit those objects. This is designed for very
>> large organizations that may want lab admins to control certain
>> profiles, but not all of them (for instance, a build lab versus a
>> test lab versus a production datacenter, etc).
>> In this implementation, users in the admin group have access to all
>> objects always, and by default all objects are created with no
>> editing restrictions unless the creator decides to lock them
>> down. The command line has none of these restrictions so you can
>> always recover/reconfigure things with root if you find you've
>> somehow locked yourself out. (It's also coded up so you can't use
>> the WebUI to remove your own access from an object).
>>
>> There are a couple of policy questions for this dealing with some of
>> the corner cases.
>>
>> (A) What to do about kickstart editing in the WebUI. This is the
>> "fun" corner case to figure out.
>>
>> The WebUI contains a very basic kickstart template editor (it's just
>> a text field for now). Possible Answer1? I think the solution is that
>> a kickstart template file can be edited if the user editing it is
>> allowed to edit ALL profiles/systems making use of it. This is a bit
>> of a catch 22 as it would be possible to create a system using a
>> template file, just for the purpose of making that user not be able
>> to edit it. This shouldn't happen but is technically possible.
>> Possible Answer2 -- If you're not in the admin group, you can't edit
>> kickstart template files at all.
>>
>> Possible Answer3 -- Remove kickstart editing from the WebUI, and
>> encourage users to create kickstart templates where they have
>> filesystem access (i..e their home directories)
>
> For testing, I have liked the ability to edit he ks file and not need
> to log into the box. If possible, please keep it. It may be heinous,
> but is there a model where each ks has a security item associated to
> it (e.g. a role) or ks files can be grouped and a role associated to
> the group?
The ownership module is off by default, so if we removed it, it might
only be for that. I think we can find a workable solution though :)
I'm trying to avoid creating an additional cobbler object wrapping the
kickstarts -- as that ends up creating too many Cobbler objects and
makes things less simpler for newer users (who have this feature turned
off by default, anyway).
>>
>> ----
>>
>> (B) What do to about "orphanage".
>>
>> If UserA owns ProfileA, and UserB owns SystemB, which depends on
>> ProfileB, what happens if UserA wants to delete ProfileA?
>>
>> Answer? The profile cannot be deleted.
>>
>> If UserA owns ProfileA, and UserB owns SubprofileB, what happens when
>> UserA wants to delete ProfileA?
>>
>> Answer? I think the answer is Subprofile B is promoted to a full
>> profile with all of the inherited fields set to the values of Profile A.
>> However this is complicated and confusing so "No deletion allowed"
>> may be the better route.
>
> First cut, no delete. Every time i have used nested profiles it was
> becuase I had nested logic in the kickstart file. So. promoting a
> subprofile would cause the subprofile to break.
I agree. Though it might not cause breakage if we promote the
attributes that are marked "inherit", it's clearly non-obvious behavior
to the user.
The admin could always intervene and blow away all objects below it if
required.
>>
>> ---
>>
>> (C) FYI...
>>
>> Everyone is allowed to run "cobbler sync" if they can authenticate.
>> I don't think this should be a problem.
>>
>> Also, if you're in, you can read everything, you just might not be
>> able to /write/ everything. This also should not be a problem as
>> provisioning
>> data is basically public if you want to use it in a Fully Automated
>> Context anyway.
>>
>> Currently settings, modules.conf, and users.conf can't be edited
>> through the WebUI as that's a really good way to lock yourself out of
>> the WebUI
>> altogether :)
>>
>> ---
>>
>> Any thoughts on the above from those who have a vested interest in
>> controlling access to cobbler objects through the WebUI?
>> Remember this is all off by default and is only there if you want it
>> -- but if you want it, I want to make sure this fits your
>> organizational needs.
>>
>> --Michael
>>
>> _______________________________________________
>> et-mgmt-tools mailing list
>> et-mgmt-tools at redhat.com
>> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
More information about the et-mgmt-tools
mailing list