So how do I do the following:

Allow users (i.e., pcompany) listed in [admins] to do everything,
but for everyone else (i.e., user2)
   allow list on distros, profiles, repos, kickstarts
   deny everything else (copy/modify/new/remove/save) on distros, profiles, repos, kickstarts
   allow everything (list/copy/modify/new/remove/save) on systems

I'm a bit confused.
Seems like I shouldn't use acl.conf for many reasons (unsupported, will not be in 2.0, etc.).
How do you disable using acl.conf?

Paul

On Wed, Aug 12, 2009 at 1:29 PM, Michael DeHaan<[email protected]> wrote:
> On 08/12/2009 03:55 PM, Paul Company wrote:
>
> Can it be used with Kerberos?
>
> The AuthN and Z pieces do not know about each other, so yes, it can.
>
> Doesn't seem to work for me.
>
> The following configuration allows me to login with my Kerberos creds
> (pcompany or user2),
> but I seem to only have "list" permissions on all the objects.
> The documentation says:
>     Users that authenticate against the chosen cobbler authentication module
>     but who are not mentioned in users.conf will still be given read access to view
>     things in the Cobbler web interface, but will not be able to perform any actions,
>     such as sync, deletion, and edits.
>
> Well, pcompany & user2 *are* "listed in users.conf" in the [admins]
> and [jradmin] sections.
> The way I understand it, pcompany should have full access under this configuration;
> and user2 should fall thru to the acl.conf jradmin permissions and
> only have those permissions.
> Why does the below configuration not work?
> What am I missing?
>
> Here is what I have configured:
>
> # vi /etc/cobbler/modules.conf
> [authentication]
> module = authn_passthru
>
> [authorization]
> module = authz_ownership
> :wq!
>
> # vi /etc/cobbler/users.conf
> [admins]
> admin = ""
> cobbler = ""
> pcompany = ""
>
> [jradmin]
> user2 = ""
>
> With authz_ownership you control access to certain objects. For instance
> if you set the owners field on system X to "pcompany", then user2 won't be
> able to edit it.
> However everyone in admin will be able to edit something marked as user2.
>
> # vi /etc/cobbler/acls.conf
>
> (note: acls.conf is actually an unsupported/unfinished feature that runs
> after authz, you should be running with the default acls.conf and this won't
> be supported in 2.0)
>
> Apologies on that not being clear.
>
> I will probably make the 2.0 ownership module require admin group membership
> to run various commands. Right now that is /not/ filtered very well.
>
> We should start a discussion on cobbler-devel list about what we want this
> to be for future releases to make sure everyone's wants are planned for.
> Self service views into Cobbler for less-trusted users (and also via web
> services) is of growing interest by numerous folks.
>
> --Michael
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
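
The ownership rule described in the quoted reply, modelled as an added example that is not part of the original thread and is not Cobbler's own code. The function names are hypothetical, the handling of objects with no owners is an assumption, and the acls.conf step that runs after authz is not modelled.

```python
import configparser

# Constructed sample: the users.conf quoted in the thread.
USERS_CONF = '''
[admins]
admin = ""
cobbler = ""
pcompany = ""

[jradmin]
user2 = ""
'''

# Modifying operations as named in the thread; anything else is a read.
MODIFY_OPS = {"copy", "modify", "new", "remove", "save"}


def load_groups(text):
    """Return {group: set(users)} from users.conf-style INI text."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {section: set(cp.options(section)) for section in cp.sections()}


def authorize(groups, user, op, owners=()):
    """Hypothetical model of the ownership decision described in the thread."""
    if op not in MODIFY_OPS:
        return True   # any authenticated user may read/list
    member_of = {g for g, users in groups.items() if user in users}
    if not member_of:
        return False  # not mentioned in users.conf: read-only
    if "admins" in member_of:
        return True   # admins may edit objects owned by anyone
    if not owners:
        return True   # ASSUMPTION: unowned objects are open to listed users
    return user in owners  # otherwise the user must be a named owner


if __name__ == "__main__":
    groups = load_groups(USERS_CONF)
    cases = [("pcompany", "modify", ["user2"]), ("user2", "modify", ["pcompany"]),
             ("user2", "list", ["pcompany"]), ("user2", "save", [])]
    for user, op, owners in cases:
        verdict = "allow" if authorize(groups, user, op, owners) else "deny"
        print(f"{user:9} {op:7} owners={owners!r:14} -> {verdict}")
```

Under this model, restricting user2 on distros, profiles and repos depends on every such object carrying an owners value that excludes user2.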
