
Michael DeHaan 06-10-2008 08:42 PM

How-to: write custom authorization code
 
Joseph Boyer Jr. wrote:

> I would like to write an update to the authorization code where a user
> only has access to add a system and run cobbler sync via the webGUI.

That should be doable. The rest of the links in the WebUI (presently)
would be still visible but would generate "access denied" messages when
clicked upon. In other words, you can still read the other data, but
in most places you get a warning that you can't edit them and the button
to save is missing. This should be ok.

(In the future, I want to create a simple page that allows the user only
access to do certain things, and to present them fewer fields. Details
TBD and I'll ask the list as that is getting fleshed out -- I'm doing various
non-web RFEs first.)

> I have a requirement where distros, repos, and profiles are created
> and maintained by engineering (full access) and support (read/write to
> systems, read-only everything else) will be performing install.
>
> Any pointers where to start would be most appreciated.

This shouldn't be too hard.

modules/authz_ownership.py is a system that denies operations based on
the username of the user and whether he is or is not in certain "groups"
or is otherwise explicitly listed anywhere you see --owner in the
command line or Web app. You want to create a new module
"authz_mypolicy.py" based on this, but modify the "authorize()" function
to do your bidding.


You can see it returns 1 (let me in) or 0 (don't let me in) in certain
cases.


You want to modify this, and check to see if they are in the admin group
to allow everything (return 1), and if they are a user, only permit
certain resources such as "new_system", and "sync". You will see the
admin logic is already there, so in that case you don't have too much to
change.

Basically instead of checking for the ownership on the object if the
user is not an admin, you want to skip that check and then make
additional checks on the name of the operation they want to perform --
"new_system", "save_system", "sync", etc


The exact names of all the methods gating access are listed in remote.py

This is all done at the authorization layer; your authentication layer
is separate from this and does not need to be modified.


Once you have the authz_mypolicy.py installed in
/usr/lib/python2.X/site-packages/cobbler/modules, you just need to
change the authz option in /etc/cobbler/modules.conf to point to your
new policy.


Let me know if I can be of any further help and if the above makes sense.

You probably want to join #cobbler for development discussions if you
haven't already.


--Michael





Thanks!

joe




Joseph Boyer Jr
Enterprise Technology Services
Liquidnet Holdings, Inc.
Joseph.Boyer@liquidnet.com
T +1 646.660.8352
C +1 646.284.8394




------------------------------------------------------------------------

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools

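The following is an added example, written for this page and not code from cobbler or from either poster: a complete authz_mypolicy.py that implements the policy sketched in the reply above (admins get everything, a "support" group may only create/modify systems and run sync, everyone else is denied). It assumes the register()/authorize(api_handle, user, resource, arg1, arg2) hook signature and the /etc/cobbler/users.conf "[group] / user = ..." layout that authz_ownership.py used at the time; the thread does not quote either, so treat both as assumptions and compare against your installed authz_ownership.py. The group name "support", the exact operation names in the allow-list, and the sample users.conf text are constructed for the demonstration; the real method names are the ones in remote.py.

```python
"""
authz_mypolicy.py -- example custom cobbler authz module (added example).

Policy:
  * members of [admins]  -> allowed to do anything (as in authz_ownership)
  * members of [support] -> allowed only the operations in SUPPORT_ALLOWED
  * anyone else          -> denied (fail closed)

Assumptions (not confirmed by the thread): the register()/authorize()
hook signature and the users.conf layout mirror authz_ownership.py.
Written for Python 3; cobbler of 2008 ran on Python 2 (module ConfigParser).
"""
import configparser

USERS_CONF = "/etc/cobbler/users.conf"   # assumption: the file authz_ownership reads
ADMIN_GROUP = "admins"                   # section name used for admins in users.conf
SUPPORT_GROUP = "support"                # constructed group name for this example

# Allow-list, not deny-list: any remote.py method not named here is refused
# for support users, so methods added to cobbler later default to "denied".
# Names are illustrative; take the real ones from remote.py.
SUPPORT_ALLOWED = frozenset([
    "new_system",
    "save_system",
    "modify_system",
    "remove_system",
    "sync",
])

# Constructed sample in users.conf layout: one [group] per section, one
# user per key.  Used only by the stand-alone demo and the tests.
SAMPLE_USERS_CONF = """
[admins]
alice = ""
[support]
joe = ""
"""


def load_groups(text=None, path=USERS_CONF):
    """Return {group_name: set_of_usernames} from INI text or from `path`.

    A missing or unreadable file yields {}, which makes decide() deny
    everyone rather than silently allowing access.
    """
    parser = configparser.ConfigParser()
    parser.optionxform = str          # keep usernames case-sensitive
    if text is not None:
        parser.read_string(text)
    elif not parser.read(path):       # read() returns [] if nothing was read
        return {}
    return {section: set(parser.options(section)) for section in parser.sections()}


def decide(user, resource, groups):
    """Return 1 (let me in) or 0 (don't) for `user` attempting `resource`."""
    if user in groups.get(ADMIN_GROUP, set()):
        return 1                                  # admin logic: allow everything
    if user in groups.get(SUPPORT_GROUP, set()):
        return 1 if resource in SUPPORT_ALLOWED else 0
    return 0                                      # unknown user/group: fail closed


def register():
    """Cobbler module hook: this module provides the 'authz' interface."""
    return "authz"


def authorize(api_handle, user, resource, arg1=None, arg2=None):
    """Entry point cobbler calls for every gated operation.

    Unlike authz_ownership, the object name in arg1 is deliberately not
    checked against --owner: support must be able to write *any* system.
    """
    return decide(user, resource, load_groups(path=USERS_CONF))


if __name__ == "__main__":
    groups = load_groups(text=SAMPLE_USERS_CONF)
    for who, what in [("alice", "save_profile"), ("joe", "new_system"),
                      ("joe", "save_profile"), ("mallory", "sync")]:
        print("%-8s %-14s -> %d" % (who, what, decide(who, what, groups)))
```

Install it in the cobbler/modules directory named above and point the authorization module setting in /etc/cobbler/modules.conf at authz_mypolicy (the exact key name is whatever your installed modules.conf uses for authz_ownership today). Two consequences worth keeping in mind: because the ownership test is skipped, a support user can save any system record, including ones engineering created, which is what the requirement asks for but means the whole engineering/support split now rests on users.conf group membership; and as the reply notes, read access to distros, repos and profiles is untouched, since only the gated write operations pass through authorize().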

"Joseph Boyer Jr." 06-10-2008 09:31 PM

How-to: write custom authorization code
 
Thanks for the info.

I will pass the code along once I get something working.

--joe

Joseph Boyer Jr
Enterprise Technology Services
Liquidnet Holdings, Inc.
Joseph.Boyer@liquidnet.com
T +1 646.660.8352
C +1 646.284.8394
