[katello-devel] Permissions for domains and subnets
Lukas Zapletal
lzap at redhat.com
Thu Nov 22 09:57:25 UTC 2012
Good point,

so Foreman does this currently also as "tagged verbs", but the default
behavior is different - all orgs/users have the permissions and you need
to explicitly disallow it. I just wanted to know how they do it right
now, Foreman permissions are turned off in Katello mode.

So basically the question is: do we want users to explicitly create a
permission after a new domain or organization is created? Or
do we want this to be automatic?

I think the more "secure" approach is to require explicit permission to
be given by an administrator when an organization/subnet is created. For
the same organization this is automatic of course.

Therefore I designed the "tagged verb" approach, which seems to be the best fit
in this case:
https://fedorahosted.org/katello/wiki/PermissionMatrix#Foremantermwasnotdecidedyet
Opinions?
LZ
On Wed, Nov 21, 2012 at 08:51:10AM -0500, Justin Sherrill wrote:
> On 11/21/2012 08:04 AM, Lukas Zapletal wrote:
> >Hey,
> >
> >Starting work on this task, I think I can take inspiration from Providers:
> >
> >https://fedorahosted.org/katello/wiki/PermissionMatrix#Providers
> >
> >I am going to implement the very same permission set. Opinions?
> >
> >(Are we keeping the page up to date?)
> >
> >LZ
> >
> So I think it makes sense except for one point. Provider
> permissions are generally tagged verbs. So all verbs except for
> create/administer are only for a specific Provider (that is unless
> you tick the all box). So an example would be "Read Provider X",
> which does not allow the user to read provider Y.
>
> I'm not sure this makes sense for subnets and domains? I guess it
> depends on what you do with a subnet or domain. Thoughts?
>
> Other resources like Activationkeys do not use tags for any of their
> verbs. So giving the ability to read is giving the ability to read
> all. (Same with update & delete).
>
> -Justin
--
Later,
Lukas "lzap" Zapletal
#katello #systemengine
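
Added example, not part of the original message and not Katello or Foreman code: a small Ruby model of the two options in this thread, tagged verbs that require an explicit grant versus allow-by-default with explicit disallow, showing what each means for a subnet created after grants were handed out. The `Policy` class, its methods and the resource names are hypothetical.

```ruby
require 'set'

# Hypothetical model of the two options discussed in the thread; class, method
# and resource names are assumptions, not Katello or Foreman code.
class Policy
  # Per the thread, create/administer are never limited to one instance.
  UNTAGGED_VERBS = Set[:create, :administer].freeze

  # tagged_types:  resource types whose other verbs are granted per instance
  # default_allow: true  = allowed unless explicitly disallowed
  #                false = an explicit grant is required
  def initialize(tagged_types:, default_allow: false)
    @tagged_types = Set.new(tagged_types)
    @default_allow = default_allow
    @grants = []           # [user, type, verb, tags or :all]
    @denials = Set.new     # [user, type, verb, tag]
  end

  # all: true is the "all" tick box; otherwise the grant covers only the tags.
  def grant(user, type, verb, tags: [], all: false)
    @grants << [user, type, verb, all ? :all : Set.new(tags)]
  end

  def deny(user, type, verb, tag)
    @denials << [user, type, verb, tag]
  end

  def allowed?(user, type, verb, tag = nil)
    return false if @denials.include?([user, type, verb, tag])
    return true if @default_allow
    @grants.any? do |g_user, g_type, g_verb, scope|
      next false unless [g_user, g_type, g_verb] == [user, type, verb]
      # Untagged verbs and untagged resource types cover every instance.
      untagged = UNTAGGED_VERBS.include?(verb) || !@tagged_types.include?(type)
      untagged || scope == :all || scope.include?(tag)
    end
  end
end

# Constructed scenario: subnet "s2" is created after alice was granted "s1".
def new_subnet_readable?(default_allow)
  policy = Policy.new(tagged_types: [:provider, :subnet], default_allow: default_allow)
  policy.grant('alice', :subnet, :read, tags: ['s1'])
  policy.allowed?('alice', :subnet, :read, 's2')
end
```

With `default_allow: false` the new subnet stays unreadable until an administrator adds its tag or ticks "all"; with `default_allow: true` it is readable as soon as it exists.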