Jeff Schroeder wrote:
> On Tue, May 19, 2009 at 9:57 AM, Michael DeHaan <[email protected]> wrote:
>
>> Just out of curiosity, how many people are using authz_ownership?
>>
>> I need to determine whether we want to support this in 2.0 or not,
>> seeing Spacewalk/Satellite is already offering its own levels of access
>> control and authz_ownership itself is not super-flexible or smart.
>>
>
> We would _like_ to use it for giving app teams access to rebuild their
> own boxes based on ldap groups but are not using it as of yet.
>
>
One failing of authz_ownership is that it allows too much access. We implemented an "acls" module on top of cobbler to lock this down further, but it's never really been surfaced in the web app.

For example, if editing a system object that you own, you can change the MAC of that system, which therefore means you are editing the boot configuration of /some other/ system.

I have a to-do list item for coming up with some better way of making a self-service workflow, but in all honesty that may be a long while off. However, anyone could still do this, separate from cobbler web, using the XMLRPC API.

Either way, scrubbing this allows a /great/ amount of simplification and also opens the door to doing it the right way later... when we may need to handle per-field authz.

--Michael
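
An added example, not part of the original thread and not Cobbler's code: a small model of the gap described above, where an ownership-only check authorizes every field of an owned system record (including the MAC), next to a per-field check. The inventory, the user names, the OWNER_EDITABLE policy and all function names are assumptions made up for the illustration.

```python
# Hypothetical model for illustration; this is not Cobbler's authz_ownership module.
from dataclasses import dataclass

@dataclass
class System:
    name: str
    owners: set
    fields: dict

# Constructed sample inventory.
INVENTORY = {
    "app01": System("app01", {"alice"},
                    {"mac": "52:54:00:aa:00:01", "profile": "web", "comment": ""}),
    "db01": System("db01", {"bob"},
                   {"mac": "52:54:00:bb:00:02", "profile": "db", "comment": ""}),
}
ADMINS = {"root"}
# Assumed self-service policy: fields an owner may change without an admin.
OWNER_EDITABLE = {"profile", "comment"}

def ownership_only(user, system, changes):
    """Object-level check: owning the record authorizes every field in it."""
    return user in ADMINS or user in system.owners

def per_field(user, system, changes):
    """Field-level check: returns (allowed, denied_fields)."""
    if user in ADMINS:
        return True, []
    if user not in system.owners:
        return False, sorted(changes)
    denied = sorted(f for f in changes if f not in OWNER_EDITABLE)
    return not denied, denied

def mac_collisions(system, changes, inventory):
    """Other records whose MAC equals the proposed one, i.e. the machines
    whose boot configuration the edit would actually affect."""
    new_mac = changes.get("mac")
    if new_mac is None:
        return []
    return sorted(s.name for s in inventory.values()
                  if s.name != system.name and s.fields["mac"] == new_mac)

if __name__ == "__main__":
    # alice edits the record she owns, pointing it at the MAC of bob's machine.
    edit = {"mac": INVENTORY["db01"].fields["mac"]}
    target = INVENTORY["app01"]
    print("ownership-only allows:", ownership_only("alice", target, edit))
    print("per-field result:", per_field("alice", target, edit))
    print("machines affected:", mac_collisions(target, edit, INVENTORY))
```

The same check has to sit behind every entry point that can write a system record, since the thread notes the edit can be made through the XMLRPC API as well as the web app.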
