On 08/12/2009 03:55 PM, Paul Company wrote:
Can it be used with Kerberos?
      
The AuthN and Z pieces do not know about each other, so yes, it can.
    

Doesn't seem to work for me.

The following configuration allows me to log in with my Kerberos creds
(pcompany or user2),
but I seem to only have "list" permissions on all the objects.
The documentation says:
     Users that authenticate against the chosen cobbler authentication module
     but who are not mentioned in users.conf will still be given read access
     to view things in the Cobbler web interface, but will not be able to
     perform any actions, such as sync, deletion, and edits.

Well, pcompany & user2 *are* "listed in users.conf" in the [admins] and [jradmin] sections.
The way I understand it, pcompany should have full access under this configuration;
and user2 should fall thru to the acl.conf jradmin permissions and only have those permissions.
Why does the below configuration not work?
What am I missing?

Here is what I have configured:

# vi /etc/cobbler/modules.conf
[authentication]
module = authn_passthru

[authorization]
module = authz_ownership
:wq!

# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""

[jradmin]
user2 = ""

  

With authz_ownership you control access to certain objects. For instance, if you set the owners field on system X to "pcompany", then user2 won't be able to edit it.
However everyone in admin will be able to edit something marked as user2.


# vi /etc/cobbler/acls.conf
  

(Note: acls.conf is actually an unsupported/unfinished feature that runs after authz; you should be running with the default acls.conf, and this won't be supported in 2.0.)

Apologies on that not being clear. 

I will probably make the 2.0 ownership module require admin group membership to run various commands. Right now that is /not/ filtered very well.

We should start a discussion on the cobbler-devel list about what we want this to be for future releases to make sure everyone's wants are planned for. Self-service views into Cobbler for less-trusted users (and also via web services) are of growing interest to numerous folks.

--Michael