>Let's instead discuss exactly what behavior are you seeing and full contents
>of your /current/
>config files for users.conf, modules.conf and the Apache config. We can go
>from there.

Here's the example with users.conf, modules.conf and Apache config with
described behavior. (this was not answered in my other post).

The following does NOT work: why?

# vi /etc/cobbler/modules.conf
[authentication]
module = authn_passthru

[authorization]
module = authz_ownership
:wq!

# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
[email protected] = ""
:wq!

# vi /etc/httpd/conf.d/cobbler.conf
<Directory "/var/www/cobbler/web/">
    AllowOverride AuthConfig
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/conf.d/HTTP.keytab
    KrbAuthRealms EXAMPLE.COM
    Require valid-user
    SetHandler mod_python
    PythonAuthenHandler index
    PythonHandler index
    PythonPath "sys.path + ['/var/www/cobbler/web/']"
    PythonDebug on
</Directory>
:wq!

# /etc/init.d/cobblerd restart
# /etc/init.d/httpd restart

Browse to the Web UI and login as [email protected]:
(1) Logging in as [email protected] works fine.
BUT
(2) [email protected] can only list things; [email protected] can't add anything!

It's almost as if cobbler doesn't see [email protected] in user.conf.
How do I debug this?

On Thu, Aug 13, 2009 at 1:00 PM, Paul Company<[email protected]> wrote:
>>Let's reset...
> Sounds good. (and thank you for your patience).
>
>>Let's instead discuss exactly what behavior are you seeing and full contents
>>of your /current/
>>config files for users.conf, modules.conf and the Apache config. We can go
>>from there.
>
> I think my other post titled "authz_ownership not working with
> authn_passthru + Kerberos"
>
> Probably summarizes what I want to do.
> It also contains the users.conf, modules.conf and Apache config you're
> requesting.
>
>
> On Thu, Aug 13, 2009 at 10:24 AM, Michael DeHaan<[email protected]> wrote:
>> On 08/13/2009 01:10 PM, Paul Company wrote:
>>
>> Assign ownership of the distro/profile/repo objects to your admin group
>> only.
>>
>>
>> Isn't that the default behaviour?
>>
>> Here's my current config, which I've done nothing to, the owners are
>> set to admin automatically.
>> What am I missing?
>>
>> # cobbler distro dumpvars --name=5Server-x86_64 | grep owners
>> 'default_ownership': ['admin'],
>> 'owners': ['admin'],
>>
>> # cobbler profile dumpvars --name=5Server-x86_64-profile | grep owners
>> 'default_ownership': ['admin'],
>> 'owners': ['admin'],
>>
>> # cobbler system dumpvars --name=5Server-x86_64-system | grep owners
>> 'default_ownership': ['admin'],
>> 'owners': ['admin'],
>>
>>
>> I don't see anything wrong with that. Good.
>>
>>
>> Let other people create systems and the ownership of those system records
>> will go to them.
>>
>>
>> This is where I'm getting confused.
>>
>> Can you show me what my modules.conf, users.conf and cobbler.conf
>> files should look like to implement the following. I'm totally
>> misunderstanding what you're trying to get me to do.
>>
>>
>> Let's reset... you keep pasting what you are trying to do. I've read
>> that. Let's instead discuss exactly what behavior are you seeing and full
>> contents of your /current/ config files for users.conf, modules.conf and the
>> Apache config. We can go from there.
>>
>> Also, if you can, try to explain without using the phrase "it doesn't
>> work", but instead saying exactly what you are seeing and what you expect to
>> see in what case...
>>
>>
>> Allow users listed in user.conf [admins] section to do everything, but
>> for everyone else:
>>   allow
>>     list on distros, profiles, repos, kickstarts
>>     list/copy/modify/new/remove/save on systems
>>   deny
>>     everything else (copy/modify/new/remove/save) on distros,
>>     profiles, repos, kickstarts
>>
>>
>> On Thu, Aug 13, 2009 at 9:36 AM, Michael DeHaan<[email protected]> wrote:
>>
>>
>> On 08/13/2009 12:33 PM, Paul Company wrote:
>>
>> You can't prevent new systems, but ...
>>
>>
>> I don't understand this statement.
>>
>>
>> You cannot currently prevent authenticated users from creating new system
>> records.
>>
>> I want everyone who passes the authentication phase to edit systems.
>>
>>
>> This is the way it presently works.
>>
>> I just want to lock everyone, but admins, out of distros, profiles, and
>> repos.
>>
>>
>> Yes, this is easy, just assign admin ownership to them and do not list other
>> users in the ownership fields
>> for those things.
>>
>> I still don't know if that's possible.
>>
>>
>> It is.
>>
>> I feel like I'm communicating clearly what I want to do.
>> Here is what I want to do:
>>
>> Allow users listed in user.conf [admins] section to do everything, but
>> for everyone else:
>>   allow
>>     list on distros, profiles, repos, kickstarts
>>     list/copy/modify/new/remove/save on systems
>>   deny
>>     everything else (copy/modify/new/remove/save) on distros,
>>     profiles, repos, kickstarts
>>
>> Can this be done?
>> Yes or No
>>
>>
>> Yes.
>>
>>
>> If yes, how do you do it?
>>
>>
>> Assign ownership of the distro/profile/repo objects to your admin group
>> only.
>> Let other people create systems and the ownership of those system records
>> will go to them.
>>
>>
>> _______________________________________________
>> cobbler mailing list
>> [email protected]
>> https://fedorahosted.org/mailman/listinfo/cobbler
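
For the "How do I debug this?" question in the message above, an added example (not part of the thread and not Cobbler's own code): a check of whether the name the web server hands over matches an entry in users.conf exactly, only after case folding, or only once the realm is ignored. It assumes the authorization step compares that name to the users.conf entries as strings; the principal user@EXAMPLE.COM is a constructed placeholder, since the real address is redacted on the page.

```python
import configparser

# Constructed users.conf in the layout shown in the message; the principal
# is a placeholder because the real address is redacted on the page.
SAMPLE_USERS_CONF = '''
[admins]
admin = ""
cobbler = ""
user@EXAMPLE.COM = ""
'''


def load_groups(text, preserve_case):
    """Return {group: [user, ...]} parsed from users.conf-style text."""
    parser = configparser.ConfigParser()
    if preserve_case:
        # By default configparser lower-cases option names, so a realm
        # written in upper case is stored in lower case.
        parser.optionxform = str
    parser.read_string(text)
    return {s: list(parser.options(s)) for s in parser.sections()}


def diagnose(remote_user, groups):
    """Classify how remote_user relates to the names listed in each group."""
    findings = []
    short = remote_user.split("@", 1)[0]
    for group, users in groups.items():
        for name in users:
            if name == remote_user:
                findings.append((group, name, "exact"))
            elif name.lower() == remote_user.lower():
                findings.append((group, name, "case-differs"))
            elif name.split("@", 1)[0] == short:
                findings.append((group, name, "realm-differs"))
    return findings or [(None, None, "not-listed")]


if __name__ == "__main__":
    for preserve in (False, True):
        groups = load_groups(SAMPLE_USERS_CONF, preserve)
        print(preserve, diagnose("user@EXAMPLE.COM", groups))
```

Anything other than "exact" for the name the server actually passes means a string comparison against users.conf would treat that login as an unlisted user.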
