I've been experimenting with the ownership features in Cobbler, using the 
authz_ownership module.
My users.conf looks like this:
[admins]
admin = ""
cobbler = ""

[mygroup]
myuser = ""
I'm seeing a problem where "myuser" can edit systems in the WebUI, owned by 
"mygroup", that already exist, but "myuser" can't create new systems. I get an 
authorization error that seems to be tied back to item_system.py, which loads 
obj.owners as the string "<<inherit>>" for a new system object (even if I 
try to create the object with group "mygroup").  The function 
__is_user_allowed() seems to expect a list here, and ends up iterating over 
this string, and incorrectly checks for user/group matches against each 
character in the string, i.e. "<". Not sure if this is a known issue? I'm 
running 2.6.9 on my server (latest from the EPEL repos), but it looks like it's 
unchanged in the latest version up on GitHub as well.  Is this a bug?
The code snippet is here.  When creating a system, obj.owners is a string 
containing "<<inherit>>":
def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
    if user == "<DIRECT>":
        # system user, logged in via web.ss
        return True
    for group in groups:
        if group in [ "admins", "admin" ]:
            return True
    if obj.owners == []:
        return True
    for allowed in obj.owners:
        if user == allowed:
           # user match
           return True
        # else look for a group match
        for group in groups:
            if group == allowed:
                return True
    return 0
Thanks,
Kyle


_______________________________________________
cobbler-devel mailing list
cobbler-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler-devel
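
The behaviour described in the message, reproduced as an added example (not part of the original post and not Cobbler's code). FakeSystem, normalize_owners, the `inherited` parameter and the other helper names are hypothetical, and what "<<inherit>>" should resolve to is an assumption passed in by the caller.

```python
# Added illustration; not Cobbler source. All names here are hypothetical.
INHERIT = "<<inherit>>"

class FakeSystem:
    """Constructed stand-in for a Cobbler system object."""
    def __init__(self, owners):
        self.owners = owners

def is_user_allowed_as_posted(obj, groups, user):
    """Same checks as the snippet in the message (unused arguments dropped)."""
    if user == "<DIRECT>":
        return True
    for group in groups:
        if group in ["admins", "admin"]:
            return True
    if obj.owners == []:
        return True
    for allowed in obj.owners:  # a str here yields single characters
        if user == allowed:
            return True
        for group in groups:
            if group == allowed:
                return True
    return False

def compared_values(owners):
    """The distinct values the ownership loop ends up comparing against."""
    return sorted(set(owners))

def normalize_owners(owners, inherited):
    """Always return a list of owner names before any authorization check.

    `inherited` is what this sketch assumes "<<inherit>>" resolves to;
    how Cobbler resolves it is not shown in the message.
    """
    if owners == INHERIT:
        return list(inherited)
    if isinstance(owners, str):
        return owners.replace(",", " ").split()
    return list(owners)

def is_user_allowed_normalized(obj, groups, user, inherited):
    """Run the posted checks against a list-typed owners value."""
    fixed = FakeSystem(normalize_owners(obj.owners, inherited))
    return is_user_allowed_as_posted(fixed, groups, user)

if __name__ == "__main__":
    new_system = FakeSystem(INHERIT)  # constructed: owners as loaded for a new system
    print(compared_values(new_system.owners))
    print(is_user_allowed_as_posted(new_system, ["mygroup"], "myuser"))
    print(is_user_allowed_normalized(new_system, ["mygroup"], "myuser", ["mygroup"]))
```

An empty resolved list still hits the `obj.owners == []` branch and allows every user, so whatever resolves the inherited value decides whether the check fails open.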
