Cobbler has several access control features designed for various
purposes: there's the ownership module, the new per-field ACL feature on
top of that (not really enforced by the webapp yet... TBD), the
pluggable authorization modes, and fields such as "server-override" and
"dhcptag" for making sure machines show up with the correct DHCP and
Cobbler server addresses. There are also tools such as replication to
help deal with multiple cobbler servers. So far this has mostly been
sufficient, but a use case came up today that is not completely aligned
with the above that I wanted to bring up here.
Today in a meeting with some of the Spacewalk developers they brought up
a rather interesting use case. Historically Spacewalk has had
essentially random temporary kickstart URLs and has not had a tool like
koan that allows for browsing the remote profiles. This seems to be a
security feature, and it kind of is, but it's not especially robust ---
TFTP and DHCP are wide open protocols and this information is freely
obtainable and easily sniffable depending on network setups. What they
want however, is largely a shoot-foot-prevention feature that would fit
a scenario something like this.
A Cobbler server is used to manage a hosting company -- not something
that is chrooted per se, but something closer to gogrid, slicehost, EC2,
or another that gives full root access.
How do we prevent someone from installing profiles that are assigned to
another organization, therefore using their kickstart URLs, and those
kickstart URLs contain
The most secure answer is to create a separate cobbler server that each
org can access (possibly running virtualized), pointing to a master
server that they all get distro content from.
However, in the Spacewalk case this is not possible to install in all
situations.
What they want is essentially a way for --list-profiles, --list-systems,
and --list-images in koan to not show all the images, but only which
ones are in the current "organization". For example:
    koan --server=cobbler.example.org --list-profiles
        # shows profiles that don't have the organization set.
    koan --server=cobbler.example.org --org=acmecorp
        # shows profiles that have the field organization set to acmecorp
The above would be required because there is no way to tell from an
existing Spacewalk node what organization it is part of, and we don't
want to require cobbler to pass credentials back when using koan -- it
makes koan /much/ less usable to do this.
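As an added example (not koan's or cobbler's own code), here is the proposed --org filter modelled in Python over a constructed profile list; it assumes profiles arrive as the list of dicts that cobbler's XML-RPC get_profiles() returns and that the new field is called "organization", and it also shows the point above that the unfiltered API still hands back every profile.

```python
"""Client-side model of the proposed `koan --list-profiles [--org=...]`.

Assumptions (not from cobbler/koan): profiles are dicts as returned by
the XML-RPC get_profiles() call, and the proposed field is "organization".
"""

# Constructed sample data standing in for the XML-RPC result.
SAMPLE_PROFILES = [
    {"name": "acme-web", "organization": "acmecorp",
     "kickstart": "http://cobbler.example.org/cblr/svc/op/ks/profile/acme-web"},
    {"name": "acme-db", "organization": "acmecorp",
     "kickstart": "http://cobbler.example.org/cblr/svc/op/ks/profile/acme-db"},
    {"name": "globex-app", "organization": "globex",
     "kickstart": "http://cobbler.example.org/cblr/svc/op/ks/profile/globex-app"},
    {"name": "shared-base", "organization": "",
     "kickstart": "http://cobbler.example.org/cblr/svc/op/ks/profile/shared-base"},
    {"name": "legacy"},  # older record created before the field existed
]


def profile_org(profile):
    """Organization a profile belongs to, or "" when unset.

    A missing key and an empty string both mean "no organization", so
    pre-existing profiles keep behaving as unassigned.
    """
    return (profile.get("organization") or "").strip()


def list_profiles(profiles, org=None):
    """Names koan would print under the proposal.

    org=None -> only profiles with no organization set
    org="x"  -> only profiles whose organization is exactly "x"
    """
    wanted = (org or "").strip()
    return sorted(p["name"] for p in profiles if profile_org(p) == wanted)


def all_kickstart_urls(profiles):
    """What the unfiltered API still exposes: every profile's kickstart URL.

    The --org filter is a shoot-foot guard in the client, not an access
    control; the server answers the API call with everything.
    """
    return sorted(p["kickstart"] for p in profiles if p.get("kickstart"))


if __name__ == "__main__":
    print("no --org      :", list_profiles(SAMPLE_PROFILES))
    print("--org=acmecorp:", list_profiles(SAMPLE_PROFILES, "acmecorp"))
    print("API still returns %d kickstart URLs"
          % len(all_kickstart_urls(SAMPLE_PROFILES)))
```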
Does anyone else find this idea useful or have ideas on implementation,
or have similar concerns? Does anyone run anything similar to this
current use case now and might want to share what they do to ensure one
company doesn't use another's kickstarts?
All profiles would still be readable via the API, but their wish is to
see this filtered out from the user to avoid shoot-foot scenarios. The
only problem is that this is adding yet-another-field to cobbler and
that adds complexity for the user when trying to understand the application.
The other solution I have suggested is that instead we increase the
strength of the multi-org support within Spacewalk, so that if they
attempt to call rhn_register to an organization where the physical
machine is not part of that organization, this can be blocked. This
would be something that would not be set up by default.
Does this make sense? Kind of?
Another option might be for Spacewalk to use koan as a library, and
write their own client code around it for the multi-org feature.
For those that can see a use for this in Cobbler core and have similar
setups, what would you like to see?
--Michael