I have yet to catch up on email, due to personal and work life dumping
way too much onto my todo pile.  But I will take a moment to say that
authz_ownership type functionality will be critical for us to start
using it in the data center where I work.  We have numerous grad students
and projects which are granted pools of machines for their use in our
data center, and while they are free to reload their machines at will,
we do not want them making changes to other machines which they do not
own, especially if those machines are infrastructure nodes.

If I can get through to my counterpart, our chief scientist, and my
boss, I know we will definitely be giving things a work out, once
Debian support is completed and I have had a chance to test it.  We
have around 750 physical servers in our data center right now, and are
probably looking to having 300-500 virtual hosts running by the end of
summer term.  And I know cobbler will definitely make things more
manageable.

- Doug

Quoting Ian Meyer ([email protected]):
> I actually use it in our env, and it works pretty well. Granted, I
> tend to use systems as they're intended, rather than tinkering
> *trying* to break something, so any shortcomings or exploits that may
> be there, I'm unaware of.
> 
> I like the idea of it a lot though.
> 
> - Ian
> 
> On Tue, May 19, 2009 at 1:16 PM, Michael DeHaan <[email protected]> wrote:
> > Jeff Schroeder wrote:
> >> On Tue, May 19, 2009 at 10:10 AM, Michael DeHaan <[email protected]> 
> >> wrote:
> >>
> >>> Jeff Schroeder wrote:
> >>>
> >>>> On Tue, May 19, 2009 at 9:57 AM, Michael DeHaan <[email protected]>
> >>>> wrote:
> >>>>
> >>>>
> >>>>> Just out of curiosity, how many people are using authz_ownership?
> >>>>>
> >>>>> I need to determine whether we want to support this in 2.0 or not,
> >>>>> seeing Spacewalk/Satellite is already offering its own levels of access
> >>>>> control and authz_ownership itself is not super-flexible or smart.
> >>>>>
> >>>>>
> >>>> We would _like_ to use it for giving app teams access to rebuild their
> >>>> own boxes based on ldap groups but are not using it as of yet.
> >>>>
> >>>>
> >>>>
> >>> One failing of authz_ownership is that it allows too much access. We
> >>> implemented an "acls" module on top of cobbler to lock this down further,
> >>> but it's never really been surfaced in the web app.
> >>>
> >>> For example, if editing a system object that you own, you can change the 
> >>> MAC
> >>> of that system, which therefore means you are editing the boot 
> >>> configuration
> >>> of /some other/ system.
> >>>
> >>> I have a to-do list item for coming up with some better way of making a
> >>> self-service workflow, but in all honesty that may be a long while off.
> >>> However anyone could still do this, separate from cobbler web,
> >>> using the XMLRPC API.
> >>>
> >>> Either way, scrubbing this allows a /great/ amount of simplification and
> >>> also opens the door to doing it the right way later... when we may need to
> >>> handle per-field authz.
> >>>
> >>
> >> So if no one pipes up on using it scrap the feature. Were the ovirt
> >> guys using it any to integrate with the ipa instance? You might check
> >> with them also.
> >>
> >>
> >
> > Integration with IPA is actually one of the reasons I bring this up.
> > In the future we'll more likely have a much more standardized
> > role/permission system using IPA, that accounts for ownership by role level
> > on specific resources.
> >
> > Again though, I can't give any dates for it.  It's on the radar as
> > something we want to do -- to have one central place to manage all the
> > roles a given user has.
> >
> > --Michael
> >
> >
> > _______________________________________________
> > cobbler mailing list
> > [email protected]
> > https://fedorahosted.org/mailman/listinfo/cobbler
> >
> 
> 
> 
> -- 
> This was not sent from my iPhone
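The hole Michael describes in the quoted thread (an owner of a system record may change its MAC address, and the MAC is what selects whose boot configuration gets served) is a per-field authorization problem. Below is an added illustration, not Cobbler's own code and not from anyone in the thread: a toy inventory with the over-permissive "owner may edit any field" rule beside a per-field rule that restricts identity fields to admins and refuses a MAC already registered to another system, plus a duplicate-MAC audit that would flag the first rule's result. All names, fields and sample systems are constructed for the example.

```python
from dataclasses import dataclass


class AuthzError(Exception):
    """Raised when an edit is denied by the authorization rule."""


@dataclass
class System:
    name: str
    owners: frozenset   # usernames allowed to manage this record
    mac_address: str    # the field that selects which boot configuration is served
    profile: str


# Constructed sample inventory: two student-owned boxes and one infrastructure node.
SAMPLE_SYSTEMS = [
    System("gradbox1", frozenset({"alice"}), "00:11:22:33:44:01", "fedora-lab"),
    System("gradbox2", frozenset({"bob"}), "00:11:22:33:44:02", "fedora-lab"),
    System("infra-dns1", frozenset({"ops"}), "00:11:22:33:44:ff", "infra-base"),
]

OWNER_EDITABLE = {"profile"}        # fields an owner may change on their own box
IDENTITY_FIELDS = {"mac_address"}   # fields that can redirect another machine's boot
ADMINS = {"ops"}                    # hypothetical admin role


class Inventory:
    def __init__(self, systems):
        # Copy records so each Inventory instance can be mutated independently.
        self.systems = {
            s.name: System(s.name, s.owners, s.mac_address, s.profile) for s in systems
        }

    def other_system_with_mac(self, mac, exclude):
        """Return the name of another system already using this MAC, or None."""
        for s in self.systems.values():
            if s.name != exclude and s.mac_address.lower() == mac.lower():
                return s.name
        return None

    def edit_ownership_only(self, user, name, field, value):
        """Ownership-only rule: if you own the record, any field is yours to change."""
        system = self.systems[name]
        if user not in system.owners:
            raise AuthzError(f"{user} does not own {name}")
        setattr(system, field, value)
        return system

    def edit_per_field(self, user, name, field, value):
        """Per-field rule: owners edit safe fields; identity fields need an admin
        and must not collide with another system's record."""
        system = self.systems[name]
        if user not in system.owners and user not in ADMINS:
            raise AuthzError(f"{user} does not own {name}")
        if field in IDENTITY_FIELDS:
            if user not in ADMINS:
                raise AuthzError(f"{field} on {name} may only be changed by an admin")
            clash = self.other_system_with_mac(value, exclude=name)
            if clash is not None:
                raise AuthzError(f"{value} is already registered to {clash}")
        elif field not in OWNER_EDITABLE and user not in ADMINS:
            raise AuthzError(f"{field} is not owner-editable")
        setattr(system, field, value)
        return system

    def duplicate_macs(self):
        """Audit helper: MACs claimed by more than one system record."""
        seen = {}
        for s in self.systems.values():
            seen.setdefault(s.mac_address.lower(), []).append(s.name)
        return {mac: sorted(names) for mac, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    inv = Inventory(SAMPLE_SYSTEMS)
    inv.edit_ownership_only("alice", "gradbox1", "mac_address", "00:11:22:33:44:FF")
    print("ownership-only rule leaves duplicates:", inv.duplicate_macs())
    inv = Inventory(SAMPLE_SYSTEMS)
    try:
        inv.edit_per_field("alice", "gradbox1", "mac_address", "00:11:22:33:44:FF")
    except AuthzError as e:
        print("per-field rule denied:", e)
```

The audit function is the detection side: even where the ownership-only rule stays in place, a periodic duplicate-MAC check over the inventory surfaces exactly the condition the thread warns about.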
