> Can it be used with Kerberos?
The AuthN and Z pieces do not know about each other, so yes, it can.
Doesn't seem to work for me.
The following configuration allows me to log in with my Kerberos creds
(pcompany or user2),
but I seem to only have "list" permissions on all the objects.
The documentation says:
Users that authenticate against the chosen cobbler authentication module
but who are not mentioned in users.conf will still be given read
access to view
things in the Cobbler web interface, but will not be able to
perform any actions,
such as sync, deletion, and edits.
Well, pcompany & user2 *are* "listed in users.conf" in the [admins]
and [jradmin] sections.
The way I understand it, pcompany should have full access under this
configuration;
and user2 should fall thru to the acl.conf jradmin permissions and
only have those permissions.
Why does the below configuration not work?
What am I missing?
Here is what I have configured:
# vi /etc/cobbler/modules.conf
[authentication]
module = authn_passthru
[authorization]
module = authz_ownership
:wq!
# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""
[jradmin]
user2 = ""
:wq!
# vi /etc/cobbler/acls.conf
admin: {}
admins: {}
jradmin:
copy_distro: {}
copy_image: {}
copy_profile: {}
copy_repo: {}
modify_distro: {}
modify_image: {}
modify_profile: {}
modify_repo: {}
new_distro: {}
new_image: {}
new_profile: {}
new_repo: {}
remove_distro: {}
remove_image: {}
remove_profile: {}
remove_repo: {}
save_distro: {}
save_profile: {}
save_image: {}
save_repo: {}
write_kickstart_templates: {}
unmatched: {}
:wq!
On Wed, Aug 12, 2009 at 12:18 PM, Michael DeHaan<mdehaan(a)redhat.com> wrote:
On 08/12/2009 02:20 PM, Paul Company wrote:
There is the "authz_ownership" module
https://fedorahosted.org/cobbler/wiki/AuthorizationWithOwnership
Thank you, I'll look into it.
Can it be used with Kerberos?
I currently have Kerberos working and it seems to require (authz_allowall).
I'll test it and see if it works.
The AuthN and Z pieces do not know about each other, so yes, it can.
As a sidenote, since you sound like you are interested in helping us work on
Cobbler Web,
I'd love to, but I'm not familiar with Django (Python) development.
Both have steep learning curves - especially since I'm starting from
scratch.
I disagree -- The Django app is infinitely easier to work on than the
mod_python one
and is a lot easier to work on because the templates are simpler, and there
are now even fewer
of them. We are also not even using the persistence layers of Django,
since views.py just
speaks XMLRPC back to cobblerd.
It'll be months before I'm even a little bit productive.
I love learning new things, so I'll start climbing the Python/Django
learning curve now
and I'll let you know when I'm skilled enough to contribute.
This could be done as a separate Django app in the cobbler Django project
It really warrants a new thread on cobbler-devel list there, would you like
to start one?
I would, but not quite yet.
We're going to deploy cobbler 1.6.6.
Feels like this thread will be good when we decide to go with 2.0.
For now I'm going to concentrate on modifying the Systems page for 1.6.6.
Any suggestions there?
Once 2.0 releases, there will be no further updates to the 1.6 branch.
Thankfully, nothing really changes from a user perspective, only new
features, and easier development.
I can't help you working on 1.6.6, because that's an evolutionary dead end
-- and subtracts
time from working on things other people will be able to get in future
releases.
The authz modules, in fact, are still pretty much the same, though I'm due to
make some improvements to them
in the coming week or so -- to make sure they are up-to-date with all of the new
method names and so forth.
It's quite safe to try out now, and there is a very smooth upgrade path for
production machines.
Paul
On Wed, Aug 12, 2009 at 8:47 AM, Michael DeHaan<mdehaan(a)redhat.com> wrote:
On 08/11/2009 09:33 PM, Paul Company wrote:
I'm running cobbler 1.6.6 on RHEL 5.3.
Three Questions:
Q1: Is there a way to have the Web UI behavior change according to the
person that logs in?
For example, I'd like it if user "foo" has full access to everything,
but user "bar" to only be able to create systems.
Listing distros, profiles, and repos is ok, but I don't want
bar to have the ability to add or delete distros, profiles or repos.
There is the "authz_ownership" module which is detailed on the Wiki
under the security pages, that can restrict
what objects people can edit.
At a generic level, there's not a concept for a read-only user group,
but that's probably something that could be easily
added.
As a sidenote, since you sound like you are interested in helping us
work on Cobbler Web, new things need to be done on the "master"
branch, which targets 2.0 -- that should be out in a month.
Q2: Has anyone customized the "Add System" web page?
I'm not a web programmer but I'd like to simplify/customize
the "Add System" page so it's simpler for our end user.
I'd like to add fields like "Location" and have the values entered
show up as --ksmeta values; so if you enter Location: nyc,
that would get processed into --ksmeta="loc=nyc"
Also, things like, if one chooses a profile that isn't a vm profile,
then don't show the VM stuff. Or if power management
is disabled, don't show the power management stuff. etc.
We've had some ideas on this, about making templates for self-service
views in Cobbler.
This could be done as a separate Django app in the cobbler Django
project, and I would like to see something like
this very much.
It really warrants a new thread on cobbler-devel list there, would you
like to start one?
I have a fair amount of ideas from our own IT guys -- things that we
didn't quite implement yet -- but I think that would be exceptionally
powerful. It really warrants a new thread on cobbler-devel list there,
would you
like to start one?
Q3: Should I wait for cobbler 2.0 which uses Django?
Or should I plow ahead with the current mod_python stuff?
Aha, I got ahead of myself. Glad you're aware of that :)
Yes, we need to do things on 2.0, since it will be out soon, and porting
anything done to the old codebase will be a lot of extra effort.
Any tips/information/examples on developing mod_python or Django web
pages would be a big help.
Do a checkout of git's master branch and do a "make webtest" to get
started.
Code lives in the "web" directory and should be fairly self explanatory,
but I'd be more than happy to answer any specific questions.
Hopping on #cobbler and #cobbler-devel on
irc.freenode.net is also a
great idea.
Thanks,
Paul
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler