I actually use it in our env, and it works pretty well. Granted, I tend to use systems as they're intended, rather than tinkering *trying* to break something, so any shortcomings or exploits that may be there, I'm unaware of.
I like the idea of it a lot though.

- Ian

On Tue, May 19, 2009 at 1:16 PM, Michael DeHaan <[email protected]> wrote:
> Jeff Schroeder wrote:
>> On Tue, May 19, 2009 at 10:10 AM, Michael DeHaan <[email protected]> wrote:
>>> Jeff Schroeder wrote:
>>>> On Tue, May 19, 2009 at 9:57 AM, Michael DeHaan <[email protected]> wrote:
>>>>> Just out of curiosity, how many people are using authz_ownership?
>>>>>
>>>>> I need to determine whether we want to support this in 2.0 or not,
>>>>> seeing Spacewalk/Satellite is already offering its own levels of access
>>>>> control and authz_ownership itself is not super-flexible or smart.
>>>>
>>>> We would _like_ to use it for giving app teams access to rebuild their
>>>> own boxes based on ldap groups but are not using it as of yet.
>>>
>>> One failing of authz_ownership is that it allows too much access. We
>>> implemented an "acls" module on top of cobbler to lock this down further,
>>> but it's never really been surfaced in the web app.
>>>
>>> For example, if editing a system object that you own, you can change the MAC
>>> of that system, which therefore means you are editing the boot configuration
>>> of /some other/ system.
>>>
>>> I have a to-do list item for coming up with some better way of making a
>>> self-service workflow, but in all honesty that may be a long while off.
>>> However anyone could still do this, separate from cobbler web,
>>> using the XMLRPC API.
>>>
>>> Either way, scrubbing this allows a /great/ amount of simplification and
>>> also opens the door to doing it the right way later... when we may need to
>>> handle per-field authz.
>>
>> So if no one pipes up on using it scrap the feature. Were the ovirt
>> guys using it any to integrate with the ipa instance? You might check
>> with them also.
>
> Integration with IPA is actually one of the reasons I bring this up.
> In the future we'll more likely have a much more standardized
> role/permission system using IPA, that accounts for ownership by role level
> on specific resources.
>
> Again though, I can't give any dates for it. It's on the radar as
> something we want to do -- to have one central place to manage all the
> roles a given user has.
>
> --Michael
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler

--
This was not sent from my iPhone
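The MAC-collision problem Michael describes above (an owner of one system changes its MAC and thereby rewrites the boot configuration of a different system) is easy to see in a small model. The following is an added illustration, not cobbler's code and not the authz module interface cobbler actually exposes: a toy inventory with an ownership-only check beside a per-field check that refuses to let a MAC edit capture a boot entry the caller does not own. The class and function names (`Inventory`, `System`, `authorize_ownership`, `authorize_edit`) and the sample systems and owners are constructed for this example.

```python
"""Toy model of ownership-based authorization for a provisioning inventory.

Constructed illustration only; this is not cobbler's own code or its authz
module API. It contrasts an "owner may edit anything" rule with a per-field
rule that also checks what a MAC change would point at.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class System:
    name: str
    mac: str
    owners: Set[str]
    profile: str = "default"


def normalize_mac(mac: str) -> str:
    """Compare MACs case-insensitively and ignoring ':' / '-' separators."""
    return mac.replace(":", "").replace("-", "").lower()


class Inventory:
    """In-memory stand-in for the system objects a provisioning server holds."""

    def __init__(self) -> None:
        self._systems: Dict[str, System] = {}

    def add(self, system: System) -> None:
        self._systems[system.name] = system

    def get(self, name: str) -> Optional[System]:
        return self._systems.get(name)

    def holder_of_mac(self, mac: str) -> Optional[System]:
        """Return whichever system currently boots with this MAC, if any."""
        wanted = normalize_mac(mac)
        for s in self._systems.values():
            if normalize_mac(s.mac) == wanted:
                return s
        return None


def authorize_ownership(user: str, system: System) -> bool:
    """Ownership-only rule: owning the object permits editing any field of it."""
    return user in system.owners


def authorize_edit(inv: Inventory, user: str, system_name: str,
                   field_name: str, new_value: str) -> bool:
    """Per-field rule: ownership, plus a MAC edit may not capture another
    owner's boot entry.

    The MAC is the key the PXE/DHCP side uses to select a boot config, so
    re-pointing an owned system at a MAC that another system already uses is
    effectively an edit of that other system's boot configuration.
    """
    system = inv.get(system_name)
    if system is None or not authorize_ownership(user, system):
        return False
    if field_name != "mac":
        return True
    holder = inv.holder_of_mac(new_value)
    if holder is None or holder.name == system.name:
        return True  # unused MAC, or a no-op on the same system
    return user in holder.owners  # allowed only if the caller owns that system too


def build_sample_inventory() -> Inventory:
    """Constructed sample data: two app-team systems and one db-team system."""
    inv = Inventory()
    inv.add(System("web01", "52:54:00:aa:bb:01", {"appteam"}))
    inv.add(System("db01", "52:54:00:aa:bb:02", {"dbteam"}))
    inv.add(System("web02", "52:54:00:aa:bb:03", {"appteam"}))
    return inv


def demo() -> Dict[str, bool]:
    """Run both rules against the same attempted edits and report the decisions."""
    inv = build_sample_inventory()
    web01 = inv.get("web01")
    return {
        # Ownership alone says yes no matter which field or value is edited.
        "ownership_allows_mac_hijack": authorize_ownership("appteam", web01),
        # Per-field rule refuses to point web01 at db01's MAC (case/separator-insensitive).
        "per_field_denies_mac_hijack": authorize_edit(inv, "appteam", "web01", "mac", "52-54-00-AA-BB-02"),
        # ...but allows re-using a MAC held by another system the same owner controls.
        "per_field_allows_own_mac_swap": authorize_edit(inv, "appteam", "web01", "mac", "52:54:00:aa:bb:03"),
        # ...and an unused MAC.
        "per_field_allows_new_mac": authorize_edit(inv, "appteam", "web01", "mac", "52:54:00:aa:bb:99"),
        # Non-MAC fields still only need ownership.
        "per_field_allows_other_field": authorize_edit(inv, "appteam", "web01", "profile", "rhel5-web"),
        # Non-owners are denied everything.
        "non_owner_denied": authorize_edit(inv, "dbteam", "web01", "profile", "rhel5-web"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
```

The same object-level check that a web UI enforces has to live in the API layer as well, which is Michael's point about the XMLRPC path: a per-field rule bolted onto the web app alone leaves the hijack reachable by anyone who can call the API directly.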
