Jeff Schroeder wrote:
> On Tue, May 19, 2009 at 10:10 AM, Michael DeHaan <[email protected]> wrote:
>
>> Jeff Schroeder wrote:
>>
>>> On Tue, May 19, 2009 at 9:57 AM, Michael DeHaan <[email protected]>
>>> wrote:
>>>
>>>> Just out of curiosity, how many people are using authz_ownership?
>>>>
>>>> I need to determine whether we want to support this in 2.0 or not,
>>>> seeing Spacewalk/Satellite is already offering its own levels of access
>>>> control and authz_ownership itself is not super-flexible or smart.
>>>>
>>> We would _like_ to use it for giving app teams access to rebuild their
>>> own boxes based on ldap groups but are not using it as of yet.
>>>
>> One failing of authz_ownership is that it allows too much access. We
>> implemented an "acls" module on top of cobbler to lock this down further,
>> but it's never really been surfaced in the web app.
>>
>> For example, if editing a system object that you own, you can change the MAC
>> of that system, which therefore means you are editing the boot configuration
>> of /some other/ system.
>>
>> I have a to-do list item for coming up with some better way of making a
>> self-service workflow, but in all honesty that may be a long while off.
>> However anyone could still do this, separate from cobbler web,
>> using the XMLRPC API.
>>
>> Either way, scrubbing this allows a /great/ amount of simplification and
>> also opens the door to doing it the right way later... when we may need to
>> handle per-field authz.
>>
> So if no one pipes up on using it scrap the feature. Were the ovirt
> guys using it any to integrate with the ipa instance? You might check
> with them also.
>
Integration with IPA is actually one of the reasons I bring this up. In the future we'll more likely have a much more standardized role/permission system using IPA, that accounts for ownership by role level on specific resources. Again though, I can't give any dates for it. It's on the radar as something we want to do -- to have one central place to manage all the roles a given user has.

--Michael

_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
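The MAC-change problem described in the quoted reply (an owner edits a field that actually selects another machine's boot configuration) is an illustration of why ownership-only authorization is too coarse. The following is an added example, not cobbler's own authz_ownership or acls code: a hypothetical `System` record and a `set_mac` check that, after the ordinary owner test, also refuses a MAC already bound to a system the caller does not own. The inventory, users and groups are constructed for the example.

```python
from dataclasses import dataclass, field

class AuthzError(Exception):
    """Raised when an edit is refused."""

@dataclass
class System:
    name: str
    mac: str
    owners: set = field(default_factory=set)  # user or group names

def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")

def set_mac(systems: dict, user: str, groups: set, name: str, new_mac: str) -> None:
    """Change the MAC of `name` on behalf of `user`.

    An ownership-only model stops after the first check. The second check is the
    per-field rule: a MAC that already identifies a system owned by someone else
    is refused, so an owner cannot redirect another machine's boot configuration.
    """
    target = systems[name]
    principals = {user} | set(groups)
    if not (target.owners & principals):
        raise AuthzError(f"denied: {user} does not own {name}")
    mac = normalize_mac(new_mac)
    for other in systems.values():
        if other.name != name and normalize_mac(other.mac) == mac \
                and not (other.owners & principals):
            raise AuthzError(f"denied: MAC {mac} belongs to {other.name}")
    target.mac = mac

def sample_inventory() -> dict:
    """Constructed inventory: two systems owned by two different teams."""
    return {
        "web01": System("web01", "00:11:22:33:44:55", {"appteam"}),
        "db01": System("db01", "aa:bb:cc:dd:ee:ff", {"dbteam"}),
    }

def attempt(systems: dict, user: str, groups: set, name: str, new_mac: str) -> str:
    """Wrapper that reports the outcome as a string instead of raising."""
    try:
        set_mac(systems, user, groups, name, new_mac)
        return "ok"
    except AuthzError as exc:
        return str(exc)
```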
