J --

> >     It occurs to me that the logical extension of a Dashboard RBAC system
> >     (or perhaps even moving elements of the problem upstream) is for
> >     auth.conf to recognize users or perhaps better "roles" as an
> >     authentication construct.
> >
> >
> > I like.  There would be some details that should be sorted out up front
> > (e.g. if there's an allow rule for the role but a deny rule for the IP,
> > what happens) but assuming these could be given a clear and coherent
> > answer (which we would of course document and test, right?) it could be
> > extremely useful for not too much effort.
>
> I think we'd do something like:
>
> auth.conf
>
> auth_order = role,host
>
> Make priority configurable with a rational default.
>

I started to say that that would do it but then I got to thinking that it
may conflict with the other resolution rules unless we specified
precedence.  A quick search of our documentation turned up no statement of
how we resolve conflicts now, and in various forums we've made conflicting
claims (deny trumps allow, first match wins) so we should probably fix the
documentation too (unless it's correctly documented somewhere and I'm just
failing to find it).

A quick glance at the code suggests that the rule is something like "if
there is one matching rule, use it; if there are no matching rules, deny,
unless there are no rules, in which case allow; if more than one rule matches,
use the first unless one of them is an allow with '*', in which case
allow."

-- M
-----------------------------------------------------------
When in trouble or in doubt, run in circles,
scream and shout. -- 1920s parody of the
maritime general prudential rule
------------------------------------------------------------
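As an added illustration (not code from the Puppet project or from anyone in this thread), the following Ruby model encodes the conflict-resolution rule exactly as M paraphrases it above, and then runs the "allow rule for the role, deny rule for the IP" case from the quoted message through it in both orders, so the difference between "first match wins" and "deny trumps allow" is visible. The `role:NAME` pattern, the request hash shape, the pattern subset understood by `match?` and the sample rule sets are all assumptions made for this example; it does not consult `Puppet::Network::AuthStore` or parse a real auth.conf.

```ruby
# Model of the auth.conf allow/deny resolution rule as paraphrased in the
# message above. Added example, not Puppet's own code. The rule being modelled:
#   exactly one matching rule -> use it
#   no matching rule          -> deny, unless there are no rules at all (then allow)
#   several matching rules    -> the first wins, unless one of them is 'allow *'

Rule = Struct.new(:action, :pattern) do
  # Pattern subset assumed for this example:
  #   '*'               everything
  #   role:NAME         hypothetical role principal discussed in the thread
  #   10.0.0.*          dotted IPv4 prefix
  #   *.example.com     hostname suffix
  #   anything else     exact hostname or exact IP
  def match?(req)
    case pattern
    when '*'                then true
    when /\Arole:(.+)\z/    then req[:roles].include?($1)
    when /\A(\d+\.)+\*\z/   then req[:ip].start_with?(pattern.chomp('*'))
    when /\A\*\.(.+)\z/     then req[:name].end_with?('.' + $1)
    else pattern == req[:name] || pattern == req[:ip]
    end
  end

  def allow?
    action == 'allow'
  end
end

# Parse "allow PATTERN" / "deny PATTERN" lines; blank lines and '#' comments skipped.
def parse_rules(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    action, pattern = line.split(/\s+/, 2)
    unless %w[allow deny].include?(action) && pattern
      raise ArgumentError, "bad rule: #{line.inspect}"
    end
    Rule.new(action, pattern)
  end
end

# Returns [decision, reason] so the caller can see which clause of the rule fired.
def allowed?(rules, req)
  return [true, 'no rules at all'] if rules.empty?
  matches = rules.select { |r| r.match?(req) }
  return [false, 'no matching rule'] if matches.empty?
  if matches.any? { |r| r.allow? && r.pattern == '*' }
    return [true, "global 'allow *' present"]
  end
  first = matches.first
  [first.allow?, "first matching rule: #{first.action} #{first.pattern}"]
end

# Constructed sample inputs: the conflict from the quoted message, both ways round.
ROLE_THEN_IP = <<~CONF
  # allow for the role, deny for the IP, in this order
  allow role:dashboard-admin
  deny 10.0.0.*
CONF

IP_THEN_ROLE = <<~CONF
  deny 10.0.0.*
  allow role:dashboard-admin
CONF

GLOBAL_ALLOW = <<~CONF
  deny 10.0.0.*
  allow *
CONF

# Constructed request: a host in the denied IP range that also holds the role.
REQ = { name: 'ops1.example.com', ip: '10.0.0.7', roles: ['dashboard-admin'] }

if __FILE__ == $0
  { 'role then ip' => ROLE_THEN_IP, 'ip then role' => IP_THEN_ROLE,
    'global allow' => GLOBAL_ALLOW, 'empty' => '' }.each do |label, conf|
    decision, why = allowed?(parse_rules(conf), REQ)
    puts format('%-13s -> %-5s (%s)', label, decision ? 'allow' : 'deny', why)
  end
end
```

Running it shows the point of the thread: the same two rules give "allow" when the role line comes first and "deny" when the IP line comes first, so without a documented precedence ("first match wins" here, not "deny trumps allow") an operator reordering lines in auth.conf silently changes who gets in, and a trailing `allow *` overrides every deny above it.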

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-dev+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-dev?hl=en.
