[katello-devel] ldap integration expected behavior with a 1:2 User:Group scenario.
Tom McKay
thomasmckay at redhat.com
Wed Sep 5 17:51:11 UTC 2012
----- Original Message -----
> From: "Justin Sherrill" <jsherril at redhat.com>
> To: katello-devel at redhat.com
> Sent: Wednesday, September 5, 2012 1:44:13 PM
> Subject: Re: [katello-devel] ldap integration expected behavior with a 1:2 User:Group scenario.
>
> On 09/05/2012 01:31 PM, Eric Sammons wrote:
> > I have a scenario where I have a user, let's call him user1, and
> > user1 is a member of two LDAP groups: groupReadOnly and
> > groupAdmin. Yes this is odd but it could happen. In Katello, I
> > have set up ldap groups as follows: groupReadOnly is a member of
> > role Read Everything and groupAdmin is a member of the
> > Administrator role. In this setup, it appears that when user1
> > logs in they will get the permissions of Administrator, if I did
> > my ABCs correctly.
> >
> > Are there any plans to address this scenario? It may be that I want
> > user1 to have Read Everything permissions, and with the current
> > behavior this would not be possible
> Why would you put user1 in the groupAdmin ldap group and associate with
> the Administer role if you did not want to give user1 all permissions
> associated with that role?
I concur: If you assign roles by group and stuff a user in that group, they get the roles.
>
> Roles in katello are additive. So in the above scenario I would fully
> expect the user to be able to do everything that either the "Read
> Everything" role and the "Administer" role can do together.
>
>
>
> > as roles applied are based on the first ldap group returned that
> > matches a role (ABCs). This may be a matter of simply
> > documenting the behavior so that users are aware they may need to
> > establish specific LDAP groups to satisfy internal security
> > compliance. With that, there are at least 3 options...
> >
> > Solution 1: The LDAP admin would need to create a unique group,
> > perhaps KatelloAdmin and KatelloReadEverything and then assign the
> > appropriate users to that group. (Document)
> >
> > Solution 2: Katello could pull back all results and then apply
> > policy (role) with least permission.
> >
> > Solution 3: Katello could pull back all results and then apply
> > policy (role) with greatest permission.
> Katello doesn't really have a way to determine which role has the
> "Greatest permission" or "Least Permission". I'm not sure that there is
> a concrete way to do this. You could have a role A with read on FOO and
> write on BAR and role B with write on FOO and Read on BAR. How would we
> know which was 'greatest'?
If it ain't broke (see previous comment), don't fix it.
>
> >
> > Also, as a side note, in my testing it looks like user1 is placed
> > into both roles as a user based on the application of the group
> > role. i.e. user1 is now a user member in Read Everything and
> > Administrator. So my question is, do we need to clutter up the
> > user role membership if the ldap group membership already has the
> > information? This may be desired behavior but wanted to put this
> > out there
>
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel
>
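The additive role semantics discussed in this thread, and the point that roles with disjoint read/write grants cannot be ranked as "least" or "greatest", illustrated in an added Ruby example. This is not Katello's own code; the group names come from the thread, while the group-to-role mapping, the role permission sets and the user list are constructed sample data.

```ruby
# Added illustration (not Katello code): additive role resolution when one
# LDAP user belongs to several groups that are mapped to different roles.
require 'set'

# Constructed sample data mirroring the thread: user1 is in two LDAP groups.
LDAP_GROUPS = {
  'user1' => %w[groupReadOnly groupAdmin],
  'user2' => %w[groupReadOnly],
}.freeze

# Hypothetical group -> role mapping, as an admin would configure in Katello.
GROUP_ROLES = {
  'groupReadOnly' => 'Read Everything',
  'groupAdmin'    => 'Administrator',
}.freeze

# Hypothetical role -> permission sets ([verb, resource] pairs).
# Role A / Role B reproduce Justin's read-FOO/write-BAR vs write-FOO/read-BAR case.
ROLE_PERMISSIONS = {
  'Read Everything' => Set[%w[read FOO], %w[read BAR]],
  'Administrator'   => Set[%w[read FOO], %w[write FOO], %w[read BAR], %w[write BAR]],
  'Role A'          => Set[%w[read FOO], %w[write BAR]],
  'Role B'          => Set[%w[write FOO], %w[read BAR]],
}.freeze

# Additive semantics: every LDAP group that maps to a role contributes that
# role, rather than only the first matching group.
def roles_for(user)
  LDAP_GROUPS.fetch(user, []).map { |g| GROUP_ROLES[g] }.compact.uniq
end

# The user's effective permissions are the union over all contributed roles.
def effective_permissions(user)
  roles_for(user).map { |r| ROLE_PERMISSIONS.fetch(r) }.reduce(Set.new, :|)
end

# "Least"/"greatest" role is only well defined when one permission set
# contains the other. Returns :a_greater, :b_greater, :equal or :incomparable.
def compare_roles(a, b)
  pa, pb = ROLE_PERMISSIONS.fetch(a), ROLE_PERMISSIONS.fetch(b)
  return :equal if pa == pb
  return :a_greater if pa.superset?(pb)
  return :b_greater if pb.superset?(pa)
  :incomparable
end
```

For user1 the union equals the Administrator role's grants, which is the behaviour Justin describes; for Role A versus Role B neither set contains the other, so no "least" or "greatest" choice exists to apply.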