On 08/12/2009 03:55 PM, Paul Company wrote:
>> Can it be used with Kerberos?
>>
> The AuthN and Z pieces do not know about each other, so yes, it can.
>
Doesn't seem to work for me.
The following configuration allows me to log in with my Kerberos creds (pcompany or user2), but I seem to only have "list" permissions on all the objects.
The documentation says:
Users that authenticate against the chosen cobbler authentication module but who are not mentioned in users.conf will still be given read access to view things in the Cobbler web interface, but will not be able to perform any actions, such as sync, deletion, and edits.
Well, pcompany & user2 *are* "listed in users.conf" in the [admins] and [jradmin] sections.
The way I understand it, pcompany should have full access under this configuration; and user2 should fall thru to the acl.conf jradmin permissions and only have those permissions.
Why does the below configuration not work?
What am I missing?
Here is what I have configured:
# vi /etc/cobbler/modules.conf
[authentication]
module = authn_passthru
[authorization]
module = authz_ownership
:wq!
# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""
[jradmin]
user2 = ""
With authz_ownership you control access to certain objects. For
instance if you set the owners field on system X to "pcompany", then
user2 won't be able to edit it.
However everyone in admin will be able to edit something marked as user2.
# vi /etc/cobbler/acls.conf
(note: acls.conf is actually an unsupported/unfinished feature that
runs after authz; you should be running with the default acls.conf, and
this won't be supported in 2.0)
Apologies on that not being clear.
I will probably make the 2.0 ownership module require admin group
membership to run various commands. Right now that is /not/ filtered
very well.
We should start a discussion on cobbler-devel list about what we want
this to be for future releases to make sure everyone's wants are planned
for. Self-service views into Cobbler for less-trusted users (and also
via web services) are of growing interest to numerous folks.
--Michael
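
The access rules described in this thread, written out as a simplified Python model over the users.conf posted above. This is an added example, not part of the original messages and not Cobbler's own code; the function names are hypothetical, and the handling of objects with an empty owners field is an assumption the thread does not state.

```python
import configparser

# users.conf exactly as posted in the message above
USERS_CONF = """
[admins]
admin = ""
cobbler = ""
pcompany = ""
[jradmin]
user2 = ""
"""

def load_groups(text):
    """Parse users.conf-style text into {group_name: set_of_usernames}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: set(cp[section]) for section in cp.sections()}

def authorize(user, action, owners, groups):
    """Decide whether an already-authenticated user may perform an action.

    action is "read" or "edit"; owners is the object's owners field as a list.
    """
    if action == "read":
        return True   # any authenticated user may view objects
    known = set().union(*groups.values())
    if user not in known:
        return False  # not mentioned in users.conf: read access only
    if user in groups.get("admins", set()):
        return True   # admins may edit anything, whoever owns it
    if not owners:
        return True   # ASSUMPTION: unowned objects are open to listed users
    return user in owners  # otherwise only a named owner may edit

if __name__ == "__main__":
    groups = load_groups(USERS_CONF)
    for user, owners in [("pcompany", ["user2"]), ("user2", ["pcompany"]),
                         ("user2", ["user2"]), ("guest", [])]:
        print(user, owners, "edit ->", authorize(user, "edit", owners, groups))
```

The username passed in is whatever the authentication module reports, so the comparison is an exact string match against the names in users.conf.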