On Sun, 1 May 2016 09:22:09 -0400 Kodiak Firesmith <[email protected]> wrote:
> Hello,
> Yes you are on the right [i]path[/i]..., and I agree it's difficult
> and intimidating. I've been working on recreating the Satellite 5
> model of organizations and it's been a real pain trying to
> encapsulate various groups' repos from each other using custom roles.

Actually, I just switched from Spacewalk to pulp. Spacewalk is a great tool but unfortunately the system requirements (it was running inside a Linux Container assigned 2GB and a 100GB qcow) are a bit more than I can afford on my tiny lan network.

> One thing I can mention is to create a test group with no privs and a
> test repo and spend some time doing basic tasks as a user in the
> unprivileged group while watching the apache logs to see the various
> paths that get blocked from reads and writes, and create permissions
> for each blocked thing until you have gotten all permissions you need
> (and nothing more!) so that you can do what you need to do.

Actually, going over https://pulp-rpm-user-guide.readthedocs.io/en/pulp-2.2/quick-start.html, it might not be necessary to create a custom user. Actually, I had presumed I would have to create a separate user because I was confused regarding registering consumers here: https://pulp.readthedocs.io/en/latest/user-guide/consumer-client/register.html. The example command didn't provide any authentication information, which worried me a bit because I assumed any machine could register with the pulp server, which initially seemed insecure to me:

    pulp-consumer register --consumer-id my-consumer

Additionally, I assumed that --consumer-id was the authentication identification. I was sifting through the docs figuring out how to create consumer-ids. Apparently I didn't read the docs thoroughly because somehow I missed this bit of information:

/The -u and the -p flags supply the HTTP Basic Auth username and password respectively and must correspond to a user defined on the Pulp server. If the -p flag is not supplied, the command line client will ask for the password interactively./

I don't mind registering clients with the admin user. However, I do have a concern. Do consumers need the admin password to update from the repository? Assuming that the admin password is nowhere stored on the consumer machines? And lastly, assuming the consumer machine has been compromised, is the Pulp server at risk from pulp-consumer?

> Sorry I don't have better advice. One thing I'd love is for there to
> be better/more predefined groups / roles capabilities bundled with
> pulp that could be used as templates.

Having predefined groups / roles is a great idea. In fact, when I ran 'pulp-admin auth role list' and saw none, I was a bit disappointed. Is there a feature request already open for this?

> - Kodiak
>
> On Sun, May 1, 2016 at 8:59 AM, Lutchy Horace (Mailing List) <
> [email protected]> wrote:
>
> > Hello,
> >
> > I am trying to comprehend setting up permissions on resources. My
> > understanding thus far from:
> >
> > https://pulp.readthedocs.io/en/latest/user-guide/admin-client/authentication.html#permissions
> >
> > "Permissions are essentially a REST API path."
> >
> > Ideally, I would have preferred viewing a list of resources from
> > pulp-admin. However, to view REST API paths, I would have to sift
> > through
> >
> > https://pulp.readthedocs.io/en/latest/dev-guide/integration/rest-api/index.html
> >
> > Which, to be honest, is a bit intimidating, especially what resource
> > path does what. In the examples provided, the rest api starts with /
> > and /v2? Although looking at the rest api documents, paths typically
> > begin with /pulp/api. So am I to presume that / points to /pulp/api?
> > Okay, if that's the case, if I want to register machines and pull
> > from repositories, I would need to set permissions on:
> >
> > READ on /v2/repository
> > READ,CREATE on /v2/consumers
> >
> > ?
> >
> > Regards
> >
> > --
> > Lutchy Horace
> > Owner/Operator/Administrator [http://www.lhprojects.net]
> > Owner/Operator/Administrator [http://www.bombshellz.net]
> > Owner/Operator/Administrator [http://www.animehouse.club]
> > About Me [http://about.me/lhprojects]
> > USA
> >
> > _______________________________________________
> > Pulp-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/pulp-list

--
Lutchy Horace
Owner/Operator/Administrator [http://www.lhprojects.net]
Owner/Operator/Administrator [http://www.bombshellz.net]
Owner/Operator/Administrator [http://www.animehouse.club]
About Me [http://about.me/lhprojects]
USA
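As an added example (not code from the thread or from the Pulp project), here is the log-watching approach Kodiak describes turned into a small Python script. It parses constructed Apache access log lines, keeps only the 403 responses under /pulp/api (a 401 means credentials were missing or wrong, not a missing permission, so it is skipped), strips that prefix to get the permission resource path (assuming, as the quoted question does, that / in a permission corresponds to /pulp/api), maps the HTTP method to a Pulp operation name (GET to read, POST to create, PUT to update, DELETE to delete; this mapping is an assumption), and renders one grant command per missing permission. The `pulp-admin auth permission grant` syntax and the sample log lines are assumptions, not taken from the thread; check the command against the admin client's own help before using it.

```python
import re
from collections import OrderedDict

# Constructed sample Apache access log lines (combined format). These are
# made-up entries for illustration, not real logs from anyone's server.
SAMPLE_LOG = """\
10.0.0.5 - testuser [01/May/2016:10:12:01 -0400] "GET /pulp/api/v2/repositories/ HTTP/1.1" 403 102 "-" "pulp-admin/2.8"
10.0.0.5 - testuser [01/May/2016:10:12:02 -0400] "GET /pulp/api/v2/repositories/ HTTP/1.1" 403 102 "-" "pulp-admin/2.8"
10.0.0.9 - testuser [01/May/2016:10:13:10 -0400] "POST /pulp/api/v2/consumers/ HTTP/1.1" 403 102 "-" "pulp-consumer/2.8"
10.0.0.9 - testuser [01/May/2016:10:13:11 -0400] "GET /pulp/api/v2/consumers/my-consumer/ HTTP/1.1" 200 540 "-" "pulp-consumer/2.8"
10.0.0.9 - - [01/May/2016:10:14:00 -0400] "GET /pulp/api/v2/consumers/my-consumer/bindings/ HTTP/1.1" 401 0 "-" "pulp-consumer/2.8"
10.0.0.5 - testuser [01/May/2016:10:15:00 -0400] "DELETE /pulp/api/v2/repositories/rhel7/ HTTP/1.1" 403 102 "-" "pulp-admin/2.8"
10.0.0.5 - testuser [01/May/2016:10:16:00 -0400] "GET /pulp/repos/rhel7/repodata/repomd.xml HTTP/1.1" 403 0 "-" "urlgrabber"
"""

# Fields of the Apache combined log format up to the status code.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: a permission resource "/" corresponds to "/pulp/api" on the wire.
API_PREFIX = "/pulp/api"
# Assumption: HTTP verb to Pulp permission operation name.
METHOD_TO_OPERATION = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}
# Only 403 is a permission gap; 401 means authentication itself failed.
DENIED_STATUS = 403


def parse_line(line):
    """Parse one access log line; returns a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def needed_permissions(log_text):
    """Return an ordered, de-duplicated list of (resource, operation) pairs
    that were denied with 403 under the Pulp REST API."""
    needed = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != DENIED_STATUS:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(API_PREFIX + "/"):
            # e.g. yum fetching under /pulp/repos is not governed by API permissions
            continue
        resource = path[len(API_PREFIX):]
        if not resource.endswith("/"):
            resource += "/"
        op = METHOD_TO_OPERATION.get(rec["method"])
        if op is None:
            continue
        needed[(resource, op)] = True
    return list(needed)


def grant_commands(perms, login):
    """Render one grant per (resource, operation). Command syntax is assumed
    from the Pulp 2 admin client; verify with `pulp-admin auth permission grant --help`."""
    return [
        "pulp-admin auth permission grant --login %s --resource %s -o %s" % (login, resource, op)
        for resource, op in perms
    ]


if __name__ == "__main__":
    for cmd in grant_commands(needed_permissions(SAMPLE_LOG), "testuser"):
        print(cmd)
```

Running the script over the sample prints three grants (read on /v2/repositories/, create on /v2/consumers/, delete on /v2/repositories/rhel7/); the repeated line is collapsed, the 200 and 401 lines are ignored, and the yum fetch under /pulp/repos is left out. The last grant is a good illustration of "and nothing more!": a test user that tripped a DELETE while you were only exercising reads is a signal to leave that permission out, not to grant it.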
