[katello-devel] Signo and shared user management

Justin Sherrill jsherril at redhat.com
Mon Jul 1 12:44:09 UTC 2013


On 06/20/2013 03:50 AM, Marek Hulan wrote:
> Hello Foreman and Katello,
>
> I'd like to start a discussion about the future of user management in the
> katello/foreman/signo trio. As you probably noticed, Signo currently serves only
> for authentication purposes. It does not know any information about the user that
> is trying to log in. In fact it asks Katello or LDAP (or Kerberos soon)
> whether the given credentials are valid.
>
> This means that we cannot create users on the fly at the moment. This is especially
> annoying when you use LDAP because you have to log in to Katello using the old
> way so the user is created in Katello DB (which creates him in Foreman DB as
> well).
>
> We could make Signo load more info from auth backends (we need email at least)
> and serve it to apps so they can create users. I'm not sure how this would
> work with Kerberos - there is no email for principal.
>
> Or we can take a bigger step and move users to Signo. Signo would then be a
> primary database of users. In future Signo would take user CRUD functionality.
> We could then use dynflow for user propagation to Katello and Foreman. At the
> same time we could make Signo a single place where user roles would be defined.
> Since Katello and Foreman have different role sets, Signo would define some
> generic roles and any system could translate them into its own roles.
> Assigning organizations etc. should remain in apps.
>
> Ivan, could you please describe the pros of having roles in Signo as we discussed
> it?
>
> What do teams think? Ohad, Mike, would you support such a change?
>

While we're on the subject, I feel that we still need to think about the 
following user story:

As a user I should be able to manage users, roles, and permissions 
within an organization.  (i.e. as an admin of some org I should be able 
to create users, roles, and permissions dealing only with my organization).

I'm not sure about Foreman's support for this, but I know Katello is 
severely lacking in this, and we need to make sure Signo can handle this 
(however it is implemented in the future).

-Justin



