[et-mgmt-tools] Cobbler and the ownership module, question about policies?

Michael DeHaan mdehaan at redhat.com
Thu Apr 3 20:24:52 UTC 2008


Michael DeHaan wrote:
> So,
>
> Warning -- technical email :)
>
> I have a pretty good ownership module going for Cobbler now 
> (https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization), 
> that allows you to say that objects are owned by certain users and/or 
> groups, and prevents users not in those groups (except for an admin 
> group) from being able to edit those objects. This is designed for very 
> large organizations that may want lab admins to control certain 
> profiles, but not all of them (for instance, a build lab versus a test 
> lab versus a production datacenter, etc).
> In this implementation, users in the admin group have access to all 
> objects always, and by default all objects are created with no editing 
> restrictions unless the creator decides to lock them down.    

[snip]

So I have what we have currently implemented written up here: 

https://fedorahosted.org/cobbler/wiki/AuthorizationWithOwnership

Comments/reviewers welcome.   If you would like to test out this code, 
or the LDAP code, see the "devel" branch in git.

If you're not familiar with git, there are some relevant commands at the 
top of this page:

https://fedorahosted.org/cobbler/wiki/PatchProcess

This policy seems fairly reasonable to me and should allow Cobbler 
server admins to offload a fair amount of work to people who own certain 
labs/machines/profiles, without also making the UI terribly hard to 
use.   And, as mentioned before, the old "if you can log in, you're in" 
policy is still the default... you do have to turn the ownership system 
on.    This is still in line for the 1.0 release, as are most likely 
improvements to Kerberos support and the rest of the items here:
https://fedorahosted.org/cobbler/wiki/TheRoadmap

Thanks!

--Michael
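
The ownership policy described in the message above, as an added sketch that is not Cobbler's code and not part of the original post. The group name `admins`, the `ManagedObject` layout and all sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "admins"  # assumed name for the admin group


@dataclass
class ManagedObject:
    """Hypothetical stand-in for a profile/system record."""
    name: str
    owners: set = field(default_factory=set)  # user and/or group names


def groups_of(user, groups):
    """Return the names of all groups that list this user as a member."""
    return {g for g, members in groups.items() if user in members}


def can_edit(user, obj, groups, ownership_enabled=True):
    """Decide whether an authenticated user may edit obj."""
    if not ownership_enabled:
        return True  # default policy: "if you can log in, you're in"
    membership = groups_of(user, groups)
    if ADMIN_GROUP in membership:
        return True  # admins have access to all objects, always
    if not obj.owners:
        return True  # no owners set: no editing restrictions
    # Otherwise the user must be an owner directly or via a group.
    return user in obj.owners or bool(membership & obj.owners)


def unrestricted_objects(objs):
    """Audit helper: objects any logged-in user can still edit."""
    return sorted(o.name for o in objs if not o.owners)


# Constructed sample data.
GROUPS = {"admins": {"alice"}, "buildlab": {"bob"}, "testlab": {"carol"}}
BUILD = ManagedObject("build-profile", {"buildlab"})
PROD = ManagedObject("prod-web01", {"dave"})
SCRATCH = ManagedObject("scratch-profile")  # creator never locked it down

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        allowed = [o.name for o in (BUILD, PROD, SCRATCH)
                   if can_edit(who, o, GROUPS)]
        print(who, "may edit", allowed)
    print("open to everyone:", unrestricted_objects([BUILD, PROD, SCRATCH]))
```

Because objects are unrestricted until someone locks them down, the audit helper is the part worth running regularly once the ownership system is turned on.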



