Thoughts on Cobbler authorization/authentication and access levels in your organization?
Hi,
One of the features that would be good would be the abllity to intagrate with NSS. Fedora / RedHat Directory server etc. I think looking at mod_nss and the already existing pam, pam_pkcs11 etc would really expand overall enterprise usage, at least for my use. I think that usage of PAM, NSS, kerberos would provide a good baseline for the largest set of use cases. Just my thoughts. Yours, Aaron On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote: > Jack Neely wrote: > > Michael, > > > > Here at NCSU I have an existing provisioning system that generates > > kickstarts based on a set of "keyword [value [value...]]" rules. We'd > > like to continue to use that as it works well for us...and it integrates > > with Cobbler well. > > > > So given that, admins already have the ability to control/alter their > > profiles in a defined way that scales well and lonely me can support. > > > > What I'd like from Cobbler is the ability for a select few admins (like > > me) to be able to setup all the bits to make Cobbler distros/profiles > > etc. work. > > > > Normal admins should be able to associate a MAC address with a profile > > and remove said MAC. Actually, it would be great if an admin could > > associate a hostname/IP address with a profile and Cobbler would run a > > plugin to translate that into a MAC. > > > > One of the things I thought about doing was creating a simpler page to > just edit a systems mapping. > > Login would work as before, but the page could be as simple as what you > mentioned above, a dropbox, > and an ok button. CLI equivalents should work too... > > Groups of admins as well. Any admin can modify MAC->profile of any > > other admin provided both are in the same group. > > > > Authentication via kerberos (PAM probably) authorization done by auto > > generated groups of admins (a plugin)? > > > Sounds reasonable. > > Okay...some half-baked ideas about how I see a workflow here. If you > > have questions please feel free. > > > > Thanks! I've got some good feedback so far, so I'll try to summarize > findings/plans shortly. > If anyone else wants to share their thoughts on how they'd ideally like > their site to work, please do. > > Jack Neely > > > > > _______________________________________________ > et-mgmt-tools mailing list > et-mgmt-tools@redhat.com > https://www.redhat.com/mailman/listinfo/et-mgmt-tools > _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
Thoughts on Cobbler authorization/authentication and access levels in your organization?
Hi,
Could http://www.freeipa.org/ offer up any quick wins? Yours, Aaron On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold@gmail.com> wrote: > Hi, > > One of the features that would be good would be the abllity to > intagrate with NSS. Fedora / RedHat Directory server etc. I think > looking at mod_nss and the already existing pam, pam_pkcs11 etc would > really expand overall enterprise usage, at least for my use. I think > that usage of PAM, NSS, kerberos would provide a good baseline for the > largest set of use cases. Just my thoughts. > > Yours, > > Aaron > > > On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote: > > Jack Neely wrote: > > > Michael, > > > > > > Here at NCSU I have an existing provisioning system that generates > > > kickstarts based on a set of "keyword [value [value...]]" rules. We'd > > > like to continue to use that as it works well for us...and it integrates > > > with Cobbler well. > > > > > > So given that, admins already have the ability to control/alter their > > > profiles in a defined way that scales well and lonely me can support. > > > > > > What I'd like from Cobbler is the ability for a select few admins (like > > > me) to be able to setup all the bits to make Cobbler distros/profiles > > > etc. work. > > > > > > Normal admins should be able to associate a MAC address with a profile > > > and remove said MAC. Actually, it would be great if an admin could > > > associate a hostname/IP address with a profile and Cobbler would run a > > > plugin to translate that into a MAC. > > > > > > > One of the things I thought about doing was creating a simpler page to > > just edit a systems mapping. > > > > Login would work as before, but the page could be as simple as what you > > mentioned above, a dropbox, > > and an ok button. CLI equivalents should work too... > > > Groups of admins as well. Any admin can modify MAC->profile of any > > > other admin provided both are in the same group. > > > > > > Authentication via kerberos (PAM probably) authorization done by auto > > > generated groups of admins (a plugin)? > > > > > Sounds reasonable. > > > Okay...some half-baked ideas about how I see a workflow here. If you > > > have questions please feel free. > > > > > > > Thanks! I've got some good feedback so far, so I'll try to summarize > > findings/plans shortly. > > If anyone else wants to share their thoughts on how they'd ideally like > > their site to work, please do. > > > Jack Neely > > > > > > > > > _______________________________________________ > > et-mgmt-tools mailing list > > et-mgmt-tools@redhat.com > > https://www.redhat.com/mailman/listinfo/et-mgmt-tools > > > _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
Thoughts on Cobbler authorization/authentication and access levels in your organization?
Aaron Lippold wrote:
Hi, Could http://www.freeipa.org/ offer up any quick wins? Yours, Aaron Supporting kerberos and LDAP generically, and /enabling/ that kind of support (probably including tutorial instructions for doing that with the IPA stuff) is certaintly the plan. We're not going to require Free IPA setup, however, as we want to support existing installations, which probably have something they already want to use. The other (and slightly more interesting) part of course is getting the permissions/ownership workflows right, and I've gotten some good feedback on that so far as well. --Michael On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold@gmail.com> wrote: Hi, One of the features that would be good would be the abllity to intagrate with NSS. Fedora / RedHat Directory server etc. I think looking at mod_nss and the already existing pam, pam_pkcs11 etc would really expand overall enterprise usage, at least for my use. I think that usage of PAM, NSS, kerberos would provide a good baseline for the largest set of use cases. Just my thoughts. Yours, Aaron On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote: Jack Neely wrote: Michael, Here at NCSU I have an existing provisioning system that generates kickstarts based on a set of "keyword [value [value...]]" rules. We'd like to continue to use that as it works well for us...and it integrates with Cobbler well. So given that, admins already have the ability to control/alter their profiles in a defined way that scales well and lonely me can support. What I'd like from Cobbler is the ability for a select few admins (like me) to be able to setup all the bits to make Cobbler distros/profiles etc. work. Normal admins should be able to associate a MAC address with a profile and remove said MAC. Actually, it would be great if an admin could associate a hostname/IP address with a profile and Cobbler would run a plugin to translate that into a MAC. One of the things I thought about doing was creating a simpler page to just edit a systems mapping. Login would work as before, but the page could be as simple as what you mentioned above, a dropbox, and an ok button. CLI equivalents should work too... Groups of admins as well. Any admin can modify MAC->profile of any other admin provided both are in the same group. Authentication via kerberos (PAM probably) authorization done by auto generated groups of admins (a plugin)? Sounds reasonable. Okay...some half-baked ideas about how I see a workflow here. If you have questions please feel free. Thanks! I've got some good feedback so far, so I'll try to summarize findings/plans shortly. If anyone else wants to share their thoughts on how they'd ideally like their site to work, please do. Jack Neely _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
| All times are GMT. The time now is 11:02 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.