I've been experimenting with the ownership features in Cobbler, using the authz_ownership module. My users.conf looks like this:

    [admins]
    admin = ""
    cobbler = ""

    [mygroup]
    myuser = ""

I'm seeing a problem where "myuser" can edit systems in the WebUI, owned by "mygroup", that already exist, but "myuser" can't create new systems. I get an authorization error that seems to be tied back to item_system.py, which loads the obj.owners as the string "<<inherit>>" for a new system object (even if I try to create the object with group "mygroup"). The function __is_user_allowed() seems to expect a list here, and ends up iterating over this string, and incorrectly checks for user/group matches against each character in the string, i.e. "<".

Not sure if this is a known issue? I'm running 2.6.9 on my server (latest from the EPEL repos), but it looks like it's unchanged in the latest version up on GitHub as well. Is this a bug?

The code snippet is here. When creating a system, obj.owners is a string containing "<<inherit>>":

    def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
        if user == "<DIRECT>":
            # system user, logged in via web.ss
            return True
        for group in groups:
            if group in [ "admins", "admin" ]:
                return True
        if obj.owners == []:
            return True
        for allowed in obj.owners:
            if user == allowed:
                # user match
                return True
            # else look for a group match
            for group in groups:
                if group == allowed:
                    return True
        return 0

Thanks,
Kyle
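
Added example, not part of the original post and not Cobbler's own code: a Python reproduction of the check described above, run against a stand-in object whose owners is the string "<<inherit>>", next to a variant that normalizes owners to a list before comparing. FakeSystem, parent_owners, normalize_owners and both is_user_allowed_* names are hypothetical, and resolving "<<inherit>>" from a parent's owner list is an assumption about the intended semantics.

```python
# Added illustration; every name below is hypothetical, not a Cobbler API.
INHERIT = "<<inherit>>"

class FakeSystem:
    """Constructed stand-in for a system object."""
    def __init__(self, owners, parent_owners=None):
        self.owners = owners
        self.parent_owners = parent_owners or []

def is_user_allowed_as_posted(obj, groups, user):
    """Same checks as the posted function, unused arguments dropped."""
    if user == "<DIRECT>":
        return True
    for group in groups:
        if group in ["admins", "admin"]:
            return True
    if obj.owners == []:
        return True
    for allowed in obj.owners:  # a str here yields single characters
        if user == allowed:
            return True
        for group in groups:
            if group == allowed:
                return True
    return False

def normalize_owners(obj):
    """Always return a list of owner names."""
    owners = obj.owners
    if owners == INHERIT:
        owners = obj.parent_owners  # assumption: inherit from the parent
    if isinstance(owners, str):
        owners = owners.split()     # a bare string becomes a list of names
    return list(owners)

def is_user_allowed_normalized(obj, groups, user):
    if user == "<DIRECT>" or any(g in ("admins", "admin") for g in groups):
        return True
    owners = normalize_owners(obj)
    if not owners:
        return True  # mirrors the posted "empty owners means allowed" rule
    return user in owners or any(g in owners for g in groups)

if __name__ == "__main__":
    new_system = FakeSystem(INHERIT, parent_owners=["mygroup"])
    print(is_user_allowed_as_posted(new_system, ["mygroup"], "myuser"))
    print(is_user_allowed_normalized(new_system, ["mygroup"], "myuser"))
```

Besides the wrongful denial, the character-by-character comparison also accepts any user or group whose name is a single character contained in "<<inherit>>", so the type confusion can grant access as well as deny it.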