Sorry, but I'm completely confused now. First, it looks like admin is a member of every object's "owners" list by default, so the commands you gave don't do anything.
Second, I can't figure out whether you answered my question. I think the short answer is "no", cobbler can't do what I asked? You said, >the following prevents edit/save operations on all objects from users outside >admin. Well I don't want that. I want to prevent edit/save operations on everything but Systems from users outside admin. Third, even with the simplest configuration, where I'm a member of admins, I can't seem to edit anything. As soon as I set module = authz_ownership I can login with my Kerberos creds, but I can't edit/save anything. # vi /etc/cobbler/modules.conf [authentication] module = authn_passthru [authorization] module = authz_ownership :wq! # vi /etc/cobbler/users.conf [admins] admin = "" cobbler = "" pcompany = "" :wq! With this configuration, shouldn't I be able to login with my Kerberos credentials and edit/save everything? It's almost as if cobbler thinks I'm not in the user.conf file. Here's my configuration for Kerberos (which works). # vi /etc/httpd/conf.d/cobbler.conf <-- enable Kerberos login to the Web Interface <Directory "/var/www/cobbler/web/"> AllowOverride AuthConfig AuthType Kerberos AuthName "Kerberos Login" KrbServiceName HTTP Krb5Keytab /etc/httpd/conf.d/HTTP.keytab) Require valid-user SetHandler mod_python PythonAuthenHandler index PythonHandler index PythonPath "sys.path + ['/var/www/cobbler/web/']" PythonDebug on </Directory> :wq! Paul On Wed, Aug 12, 2009 at 2:21 PM, Michael DeHaan<[email protected]> wrote: > On 08/12/2009 05:07 PM, Paul Company wrote: >> So how do I do the following: >> >> Allow users (i.e., pcompany) listed in [admins] to do everything, >> but for everyone else (i.e., user2) >> allow >> list on distros, profiles, repos, kickstarts >> deny >> everything else (copy/modify/new/remove/save) on distros, profiles, >> repos, kickstarts >> allow >> everything (list/copy/modify/new/remove/save) on systems >> > > For example, the following prevents edit/save operations on all objects > from users outside admin. > > # cobbler distro list | xargs -n1 --replace cobbler object edit > --name={} --owners="admin" > # cobbler profile list | xargs -n1 --replace cobbler object edit > --name={} --owners="admin" > # cobbler repo list | xargs -n1 --replace cobbler object edit --name={} > --owners="admin" > > Kickstarts aren't objects right now, so they don't have ownership, but > there is logic to say that to edit a kickstart you must > have permissions to edit all profiles and systems that use it -- this is > a bit goofy, IMHO, but we don't have pseudo objects > wrapping kickstarts and snippets, and I'm not sure we want them. > > It doesn't control who can reposync/sync/etc... which is I think what we > want to work out, how we want that to work. > acls.conf is a little rough.... > > We might make it so only that admin group users can edit > kickstarts/snippets as well. We really do have the opportunity to figure > out exactly what we want to do here, beyond what we have, in trying to > make this more self service. > > The idea behind acls was eventually to have it fine grained enough to > say what /fields/ someone could access -- if you can edit a MAC, you can > effectively > make a system represent another physical system, which is crazy bad, > because if there isn't already a system with that record there, you can > reinstall > that system. > > Thus the permissions system in Cobbler is very much "shoot foot" > protection versus a really hardcore security system, and various folks > who are using > it more of a self-service apporach have written their own systems/views > on top of it. > > I think, moving forward, I would like to see those self-service views > implemented in Cobbler proper. Doing so on top of the acls.conf > system would > hamstring our ability to do what we /really/ need to do (whatever that > is), which is why I think we need to break from it. > > However the idea of ownership is still important, and will stay. We > just have to figure out that, without the ACLs system, exactly what we > want to do > with the non-edit actions, as there are now a lot more of them. > > FWIW, all of cobbler is public in terms of read access, and this /can't/ > be locked down (because by the very nature of installation, this data is > eventually > public, and we don't attempt to obfuscate that). > >> I'm a bit confused. >> >> Seems like I shouldn't use acl.conf for many reasons (unsupported, >> will not be in 2.0, etc.). >> How do you disable using acl.conf? >> > > acl.conf in stock configuration really doesn't do anything, so you can > just leave it as is. > >> Paul >> >> > > _______________________________________________ > cobbler mailing list > [email protected] > https://fedorahosted.org/mailman/listinfo/cobbler > _______________________________________________ cobbler mailing list [email protected] https://fedorahosted.org/mailman/listinfo/cobbler
