Thoughts on Cobbler authorization/authentication and access levels in your organization?
I'm getting ready to add support for user-level authentication/authorization to Cobbler. While I am going to implement this using Cobbler modules to make it completely customizable in terms of tools and policy, it would be nice if most things "just worked" too, so this is where the call for user opinions comes in. If you have a large organization, how do you want Cobbler to work in that organization? For many people the answer is just "let the admins have full control", which is fine, though I know many of you want finer grained access. That's what I want to enable. We don't want to require a specific workflow, but do want to enable the ones that need to exist.

So ... at this point, it's important to understand the ways different people would want to use this, so that we make sure the right things are there and possible. There are two aspects to this.

(1) What sort of policy do folks need ... what does a multi-user cobbler workflow look like?
(2) What sorts of existing authentication/authorization systems are already in place, or want to be used* (i.e. kerberos, etc). How do you want to maintain user/group information (LDAP, etc?).

The simplest example use case (that we have now) looks like this:

(A) Admins X, Y, and Z all have different passwords and can do anything.

What I see as the more corporate use case looks something like this:

(A) Dave and Sammy work for the central IT group of ACME Corp. They create distros and profiles for other people to use, including
(B) Gary is an admin for Lab A. He can inherit from profiles created by Dave/Sammy, or make up his own. He can also add systems.
(C) Eddie is an admin for Lab B. He can also do the same kinds of things as Gary, but cannot muck with Gary's configurations.
(D) Alex is an ordinary user. He can use koan against any existing profiles, and can PXE boot, and possibly edit just the profile setting of the systems that he owns (if any).

Now there is a /slight/ problem if Gary adds a MAC address that isn't in Eddie's lab, but that should be something an admin can fix.

Anyhow, if you have opinions/comments on how you might want to grant tiered access in Cobbler, now is the time to speak up! This is just as much for the WebUI as it is for the software in general, so if you were building another web app on Cobbler that gave a simpler view to users, or so on, it could use these

(Replying offline with technical/organizational details is totally fine. The more detail I can get the better ... and I'll try to summarize all of these later).
et-mgmt-tools mailing list
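
The tiered "corporate" use case (A) through (D) above, written out as a default-deny ownership check. This is an added illustration, not part of the original message and not Cobbler code. The role names, group names, object names and the rules that central IT has full control and that lab admins cannot edit central IT's objects are all assumptions.

```python
from dataclasses import dataclass

# Role names, group names and every rule below are assumptions for illustration.
CENTRAL, LAB_ADMIN, ORDINARY = "central_it", "lab_admin", "user"
USE_ACTIONS = {"read", "koan", "pxe"}        # using what already exists
USER_EDITABLE_FIELDS = {"profile"}           # (D): only the profile setting

@dataclass(frozen=True)
class Account:
    name: str
    role: str
    group: str                               # "central", "lab-a", "lab-b"

@dataclass(frozen=True)
class Item:
    kind: str                                # "distro", "profile" or "system"
    name: str
    owner_group: str
    owner_user: str = ""                     # set for systems owned by one person
    parent: str = ""                         # profile this one inherits from

def authorize(acct, action, item, fields=()):
    """Return True if acct may perform action on item; anything unmatched is denied."""
    if action in USE_ACTIONS:
        return True                          # everyone may use existing objects
    if action not in {"add", "edit", "remove"}:
        return False
    if acct.role == CENTRAL:
        return True                          # assumption: central IT has full control
    if acct.role == LAB_ADMIN:
        # Own lab's profiles and systems only; inheriting from a central
        # profile is allowed because only the child's owner is checked.
        return item.kind in {"profile", "system"} and item.owner_group == acct.group
    if acct.role == ORDINARY:
        return (action == "edit" and item.kind == "system"
                and item.owner_user == acct.name
                and bool(fields) and set(fields) <= USER_EDITABLE_FIELDS)
    return False

# Constructed sample data mirroring the people in the post.
dave = Account("dave", CENTRAL, "central")
gary = Account("gary", LAB_ADMIN, "lab-a")
eddie = Account("eddie", LAB_ADMIN, "lab-b")
alex = Account("alex", ORDINARY, "lab-a")
base = Item("profile", "fc8-base", "central")
gary_web = Item("profile", "lab-a-web", "lab-a", parent="fc8-base")
alex_box = Item("system", "alex-ws1", "lab-a", owner_user="alex")
```

An ownership check like this cannot tell whether a MAC address Gary registers physically sits in Eddie's lab, which is the case the message leaves for an admin to fix.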