Hi,
There is a problem with the cobbler Web-UI I have got working.
I am trying to use ACLs so that some of our users are limited in their capability to do things.
I have tried tinkering with many of the settings in the following files to get ACLs working correctly the way I want:
/etc/cobbler/acls.conf /etc/cobbler/users.conf /etc/cobbler/modules.conf
It seems the ACLs are not working properly: they either give me complete access to everything as an admin, or they give me "access denied" to everything.
An example of this inconsistency in the ACLs is as follows for the group jradmin:
More /etc/cobbler/acls.conf
[15:55] LINUX [root@g40lxsatlp01:/etc/cobbler]> more acls.conf
---
admin: {}
admins: {}
jradmin:
  copy_distro: {}
  copy_image: {}
  copy_profile: {}
  copy_repo: {}
  modify_distro: {}
  modify_image: {}
  modify_profile: {}
  modify_repo: {}
  new_distro: {}
  new_image: {}
  new_profile: {}
  new_repo: {}
  remove_distro: {}
  remove_image: {}
  remove_profile: {}
  remove_repo: {}
  save_distro: {}
  save_profile: {}
  save_image: {}
  save_repo: {}
  write_kickstart_templates: {}
lesstrusted:
  copy_*: {}
  modify_distro: {}
  modify_image: {}
  modify_profile: {}
  modify_repo: {}
  modify_system:
    modify-interface:
      gateway-*: {}
      hostname-*: {}
      ip-address-*: {}
      mac-address-*: {}
      subnet-*: {}
  new_*: {}
  remove_*: {}
  rename_*: {}
  save_distro: {}
  save_image: {}
  save_profile: {}
  save_repo: {}
  sync: {}
  write_kickstart_templates: {}
unmatched: {}
cat users.conf
[admins]
admin = ""
#cobbler = ""
#timmy = ""

[jradmin]
timmy = ""
cobbler

[lesstrusted]
#timmy = ""
BC1 = ""

#[timmy]
#timmy = ""

[BC1]
BC1 = ""
So users "timmy" and "cobbler" are both members of the group jradmin, therefore they should have all the abilities of this group as indicated in acls.conf, but I cannot add anything new or even edit the existing objects etc. as I should be able to.
Also do I need to change any of the permissions in /etc/fstab to include ACL support?
Thanks for your help.
Thanks
On Wed, 19 Jan 2011 12:27:12 +0000, Aziz Malik aziz.malik786@googlemail.com wrote:
Hi,
There is a problem with the cobbler Web-UI I have got working.
I am trying to use ACLs so that some of our users are limited in their capability to do things.
I have tried tinkering with many of the settings in the following files to get ACLs working correctly the way I want:
/etc/cobbler/acls.conf /etc/cobbler/users.conf /etc/cobbler/modules.conf
It seems the ACLs are not working properly: they either give me complete access to everything as an admin, or they give me "access denied" to everything.
You have to set your authz module to authz_configfile in /etc/cobbler/modules.conf for those files to work.
I have already done this; actually it's authn_config according to the document online, and I have already done this:
[authentication]
module = authn_configfile

[authorisation]
module = authz_ownership
Thanks in advance.
On 19 Jan 2011, at 13:59, Scott Henson shenson@redhat.com wrote:
On Wed, 19 Jan 2011 12:27:12 +0000, Aziz Malik aziz.malik786@googlemail.com wrote:
Hi,
There is a problem with the cobbler Web-UI I have got working.
I am trying to use ACLs so that some of our users are limited in their capability to do things.
I have tried tinkering with many of the settings in the following files to get ACLs working correctly the way I want:
/etc/cobbler/acls.conf /etc/cobbler/users.conf /etc/cobbler/modules.conf
It seems the ACLs are not working properly: they either give me complete access to everything as an admin, or they give me "access denied" to everything.
You have to set your authz module to authz_configfile in /etc/cobbler/modules.conf for those files to work.
--
Scott Henson
Red Hat CIS Operator
WVU Alum BSAE/BSME
On Wed, 19 Jan 2011 15:19:59 +0000, Aziz Malik aziz.malik786@googlemail.com wrote:
I have already done this; actually it's authn_config according to the document online, and I have already done this:
[authentication]
module = authn_configfile

[authorisation]
module = authz_ownership
Thanks in advance.
The authn_configfile is to do authentication from the config file. There is a separate authz_configfile that will do the authorization you are looking for. The current authz_ownership looks at the owner field on each object to determine authorization, which is why you are getting permission denied, I assume.
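To make the distinction in the reply above concrete, here is an added example (not Cobbler's own code and not from anyone in this thread) that parses a users.conf constructed inline and models the decision each module makes: authz_configfile allows any listed user everything, while authz_ownership (a simplified model, an assumption) checks the object's owners field, so a member of jradmin is refused on an object owned only by admin. It also shows how the INI parser treats a user line written without `= ""`.

```python
import configparser
import io

# Constructed users.conf in the shape used in this thread (not the poster's file).
USERS_CONF = """\
[admins]
admin = ""

[jradmin]
timmy = ""
cobbler = ""

[lesstrusted]
BC1 = ""
"""

def parse_users_conf(text):
    """Return {group: [user, ...]}; ConfigParser lower-cases the user names."""
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(text))
    return {g: list(cp.options(g)) for g in cp.sections()}

def users_conf_error(text):
    """Parser message if the file is not valid INI (e.g. a user line written
    without '= ""', which has no delimiter), else None."""
    try:
        parse_users_conf(text)
    except configparser.Error as exc:
        return str(exc)
    return None

def groups_of(groups, user):
    return [g for g, members in groups.items() if user.lower() in members]

def authz_configfile(groups, user):
    """A user listed in any group may do everything; acls.conf is not consulted."""
    return bool(groups_of(groups, user))

def authz_ownership(groups, user, obj_owners):
    """Simplified model (assumption): 'admins' members may do anything; otherwise
    the object's owners field must name the user or one of the user's groups,
    and an object with no owners is open to any listed user."""
    mine = groups_of(groups, user)
    if "admins" in mine or "admin" in mine:
        return True
    if not obj_owners:
        return bool(mine)
    return any(o.lower() == user.lower() or o.lower() in mine for o in obj_owners)
```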
Are there plans in the future to make this more restricted, or is there another feature that would allow something like the following?
users.conf
[admins]
admin = ""

[jradmin]
timmy = "editProfiles,editSystems,addSystems"

[lesstrusted]
BC1 = "addProfiles,editProfiles"

[BC1]
BC1 = "*" # i.e. do everything
Hi,
Maybe my setup will be a help for someone. For cobbler WebUI access it is also possible to delegate the authorization and authentication to apache and, by using the apache "LocationMatch" directive, implement different roles.
Check out my cobbler_web.conf --> http://cobbler.pastebin.com/Dg9mft6d
In my configuration I've defined two different roles/groups:
- "admin", who can do everything in the WebUI
- non-admin (but valid-user), who can only define/modify new systems
You can expand this example and set up different roles for your own configuration.
Kind regards, Alex
On Wed, 19 Jan 2011, Tim Tass wrote:
Are there plans in the future to make this more restricted, or is there another feature that would allow something like the following?
users.conf
[admins]
admin = ""

[jradmin]
timmy = "editProfiles,editSystems,addSystems"

[lesstrusted]
BC1 = "addProfiles,editProfiles"

[BC1]
BC1 = "*" # i.e. do everything
Hi,
OK, I have done this, but I now have another problem as a result. When I go to:
I get the following message in both IE and Safari browsers:
Permission Error
You do not have the appropriate permission set to access the requested page. You may have reached this error page in one of several ways:
- You are using Konqueror 3.0, which does not handle form variables properly in all cases. Continuing to use Konqueror 3.0 will have unexpected results. If you are using Konqueror 3.0, please use another browser.
- Your login session has expired. For security reasons, Red Hat Network terminates your login session after 15 minutes of inactivity. To sign in again, click here.
- You've found an error in our site. Please contact your Support representative with details of how you received this message.
- Your browser does not have cookies enabled. The Red Hat Network requires cookies in order to function; if you have disabled them, please re-enable them to use the site.
- You've done something naughty. Stop it.
This error message is specific to these settings, because when I revert back and then restart cobblerd and httpd it works fine again.
#cat /etc/cobbler/modules.conf
[authentication]
#module = authn_spacewalk
module = authn_configfile

# authorization:
# once a user has been cleared by the WebUI/XMLRPC, what can they do?
# choices:
# authz_allowall -- full access for all authenticated users (default)
# authz_configfile -- determined by /etc/cobbler/users.conf
# authz_ownership -- use users.conf, but add object ownership semantics
# (user supplied) -- you may write your own module
# WARNING: this is a security setting, do not choose an option blindly.
# If you want to further restrict cobbler with ACLs for various groups,
# pick authz_ownership. authz_allowall does not support ACLs. configfile
# does but does not support object ownership which is useful as an additional
# layer of control.
# for more information:
# https://fedorahosted.org/cobbler/wiki/CobblerWebInterface
# https://fedorahosted.org/cobbler/wiki/CustomizableSecurity
# https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization
#https://fedorahosted.org/cobbler/wiki/AuthorizationWithOwnership
# https://fedorahosted.org/cobbler/wiki/AclFeature

[authorization]
#module = authz_allowall
#module = authz_ownership
module = authz_configfile
Thanks in advance
On 19 Jan 2011, at 16:48, Scott Henson shenson@redhat.com wrote:
On Wed, 19 Jan 2011 15:19:59 +0000, Aziz Malik aziz.malik786@googlemail.com wrote:
I have already done this; actually it's authn_config according to the document online, and I have already done this:
[authentication]
module = authn_configfile

[authorisation]
module = authz_ownership
Thanks in advance.
The authn_configfile is to do authentication from the config file. There is a separate authz_configfile that will do the authorization you are looking for. The current authz_ownership looks at the owner field on each object to determine authorization, which is why you are getting permission denied, I assume.
--
Scott Henson
Red Hat CIS Operator
WVU Alum BSAE/BSME
cobbler@lists.fedorahosted.org
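The commented modules.conf quoted in the last message calls the authorization setting a security setting and names authz_allowall as the default. Added check (not part of the thread and not Cobbler's own code): it parses a modules.conf, constructed inline with the stanza spelling used in one of the earlier replies, and reports an authorization stanza whose section name is not one of the two the file documents, or a module choice that grants every authenticated user full access.

```python
import configparser
import io

# Constructed modules.conf with the stanzas as one reply in this thread spells
# them (not the poster's actual file).
MODULES_CONF = """\
[authentication]
module = authn_configfile

[authorisation]
module = authz_ownership
"""

# Section and module names as they appear in the commented modules.conf above.
KNOWN_SECTIONS = {"authentication", "authorization"}
KNOWN_AUTHZ = {"authz_allowall", "authz_configfile", "authz_ownership"}

def check_modules_conf(text):
    """Return a list of findings; an empty list means an [authorization] stanza
    is present under the documented name and does not select authz_allowall."""
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(text))
    findings = []
    for sec in cp.sections():
        if sec.startswith("auth") and sec not in KNOWN_SECTIONS:
            findings.append("section [%s] is not one of the documented stanzas; "
                            "expected [authentication] or [authorization]" % sec)
    if not cp.has_section("authorization"):
        findings.append("no [authorization] stanza: the documented default "
                        "authz_allowall applies, full access for all authenticated users")
    else:
        mod = cp.get("authorization", "module", fallback="authz_allowall")
        if mod == "authz_allowall":
            findings.append("authz_allowall: full access for all authenticated users")
        elif mod not in KNOWN_AUTHZ:
            findings.append("unknown authorization module %r" % mod)
    return findings
```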