>> Can it be used with Kerberos?
> The AuthN and Z pieces do not know about each other, so yes, it can.

Doesn't seem to work for me.

The following configuration allows me to log in with my Kerberos creds
(pcompany or user2), but I seem to only have "list" permissions on all
the objects.
The documentation says:
     Users that authenticate against the chosen cobbler authentication module
     but who are not mentioned in users.conf will still be given read access
     to view things in the Cobbler web interface, but will not be able to
     perform any actions, such as sync, deletion, and edits.

Well, pcompany & user2 *are* "listed in users.conf" in the [admins] and
[jradmin] sections.
The way I understand it, pcompany should have full access under this
configuration; and user2 should fall through to the acl.conf jradmin
permissions and only have those permissions.
Why does the below configuration not work?
What am I missing?

Here is what I have configured:

# vi /etc/cobbler/modules.conf
[authentication]
module = authn_passthru

[authorization]
module = authz_ownership
:wq!

# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""

[jradmin]
user2 = ""
:wq!

# vi /etc/cobbler/acls.conf
admin: {}
admins: {}
jradmin:
    copy_distro: {}
    copy_image: {}
    copy_profile: {}
    copy_repo: {}
    modify_distro: {}
    modify_image: {}
    modify_profile: {}
    modify_repo: {}
    new_distro: {}
    new_image: {}
    new_profile: {}
    new_repo: {}
    remove_distro: {}
    remove_image: {}
    remove_profile: {}
    remove_repo: {}
    save_distro: {}
    save_profile: {}
    save_image: {}
    save_repo: {}
    write_kickstart_templates: {}
unmatched: {}
:wq!



On Wed, Aug 12, 2009 at 12:18 PM, Michael DeHaan<[email protected]> wrote:
> On 08/12/2009 02:20 PM, Paul Company wrote:
>
> There is the "authz_ownership" module
>
>
> https://fedorahosted.org/cobbler/wiki/AuthorizationWithOwnership
> Thank you, I'll look into it.
> Can it be used with Kerberos?
> I currently have Kerberos working and it seems to require (authz_allowall).
> I'll test it and see if it works.
>
>
>
> The AuthN and Z pieces do not know about each other, so yes, it can.
>
> As a sidenote, since you sound like you are interested in helping us work on
> Cobbler Web,
>
>
> I'd love to, but I'm not familiar with Django (Python) development.
> Both have steep learning curves - especially since I'm starting from
> scratch.
>
>
> I disagree -- The Django app is infinitely easier to work on than the
> mod_python one and is a lot easier to work on because the templates are
> simpler, and there are now even less of them.  We are also not even using
> the persistence layers of Django, since views.py just speaks XMLRPC back
> to cobblerd.
>
> It'll be months before I'm even a little bit productive.
> I love learning new things, so I'll start climbing the Python/Django
> learning curve now
> and I'll let you know when I'm skilled enough to contribute.
>
>
>
> This could be done as a separate Django app in the cobbler Django project
> It really warrants a new thread on cobbler-devel list there, would you like
> to start one?
>
>
> I would, but not quite yet.
> We're going to deploy cobbler 1.6.6.
> Feels like this thread will be good when we decide to go with 2.0.
> For now I'm going to concentrate on modifying the Systems page for 1.6.6.
> Any suggestions there?
>
>
> Once 2.0 releases, there will be no further updates to the 1.6 branch.
>
> Thankfully, nothing really changes from a user perspective, only new
> features, and easier development.
>
> I can't help you working on 1.6.6, because that's an evolutionary dead end
> -- and subtracts
> time from working on things other people will be able to get in future
> releases.
>
> The authz modules in fact, are still pretty much the same, though I'm due to
> make some improvements to them in the coming week or so -- to make sure they
> are up-to-date with all of the new method names and so forth.
>
> It's quite safe to try out now, and there is a very smooth upgrade path for
> production machines.
>
> Paul
>
> On Wed, Aug 12, 2009 at 8:47 AM, Michael DeHaan<[email protected]> wrote:
>
>
> On 08/11/2009 09:33 PM, Paul Company wrote:
>
>
> I'm running cobbler 1.6.6 on RHEL 5.3.
>
> Three Questions:
>
> Q1: Is there a way to have the Web UI behavior change according to the
> person that logs in?
> For example, I'd like it if user "foo" has full access to everything,
> but user "bar" to only be able to  create systems.
> Listing distros, profiles, and repos is ok, but I don't want
> bar to have the ability to add or delete distros, profiles or repos.
>
>
>
> There is the "authz_ownership" module which is detailed on the Wiki
> under the security pages, that can restrict
> what objects people can edit.
>
> At a generic level, there's not a concept for a read-only user group,
> but that's probably something that could be easily
> added.
>
> As a sidenote, since you sound like you are interested in helping us
> work on Cobbler Web, new things need to be done on the "master"
> branch, which targets 2.0 -- that should be out in a month.
>
>
> Q2: Has anyone customized the "Add System" web page?
> I'm not a web programmer but I'd like to simplify/customize
> the "Add System" page so it's simpler for our end user.
> I'd like to add fields like "Location" and have the values entered
> show up as --ksmeta values; so if you enter Location: nyc,
> that would get processed into --ksmeta="loc=nyc"
> Also, things like, if one chooses a profile that isn't a vm profile,
> then don't show the VM stuff. Or if power management
> is disabled, don't show the power management stuff. etc.
>
>
>
> We've had some ideas on this, about making templates for self-service
> views in Cobbler.
>
> This could be done as a separate Django app in the cobbler Django
> project, and I would like to see something like
> this very much.
>
> It really warrants a new thread on cobbler-devel list there, would you
> like to start one?
>
> I have a fair amount of ideas from our own IT guys -- things that we
> didn't quite implement yet -- but I think that would be exceptionally
> powerful.  It really warrants a new thread on cobbler-devel list there,
> would you
> like to start one?
>
>
>
> Q3: Should I wait for cobbler 2.0 which uses Django?
>        Or should I plow ahead with the current mod_python stuff?
>
>
>
> Aha, I got ahead of myself. Glad you're aware of that :)
>
> Yes, we need to do things on 2.0, since it will be out soon, and porting
> anything done to the old codebase will be a lot of extra effort.
>
>
>
> Any tips/information/examples on developing mod_python or Django web
> pages would be a big help.
>
>
>
> Do a checkout of git's master branch and do a "make webtest" to get started.
>
> Code lives in the "web" directory and should be fairly self explanatory,
> but I'd be more than happy to answer any specific questions.
>
> Hopping on #cobbler and #cobbler-devel on irc.freenode.net is also a
> great idea.
>
>
>
> Thanks,
>
> Paul
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler