[Pulp-list] Help setting permissions on roles

Lutchy Horace (Mailing List) mailinglist.subscriptions at lhprojects.net
Sun May 1 13:53:29 UTC 2016


On Sun, 1 May 2016 09:22:09 -0400
Kodiak Firesmith <kfiresmith at gmail.com> wrote:

> Hello,
> Yes you are on the right [i]path[/i]..., and I agree it's difficult
> and intimidating.  I've been working on recreating the Satellite 5
> model of organizations and it's been a real pain trying to
> encapsulate various groups' repos from each other using custom roles.

Actually, I just switched from Spacewalk to Pulp. Spacewalk is a great
tool, but unfortunately its system requirements (it was running inside a
Linux container assigned 2GB and a 100GB qcow) are a bit more than I
can afford on my tiny LAN.
 
> 
> One thing I can mention is to create a test group with no privs and a
> test repo and spend some time doing basic tasks as a user the
> unprivileged group while watching the apache logs to see the various
> paths that get blocked from reads and writes, and create permissions
> for each blocked thing until you have gotten all permissions you need
> (and nothing more!) so that you can do what you need to do.

Actually, I am going over
https://pulp-rpm-user-guide.readthedocs.io/en/pulp-2.2/quick-start.html

It might not be necessary to create a custom user. Actually, I had
presumed I would have to create a separate user because I was confused
regarding registering consumers here:
https://pulp.readthedocs.io/en/latest/user-guide/consumer-client/register.html

The example command didn't provide any authentication information,
which worried me a bit because I assumed any machine could register
with the Pulp server. That initially seemed insecure to me:

pulp-consumer register --consumer-id my-consumer

Additionally, I assumed that --consumer-id was the authentication
identification. I was sifting through docs figuring out how to create
consumer-ids. Apparently I didn't read the docs thoroughly because
somehow I missed this bit of information:

/The -u and the -p flags supply the HTTP Basic Auth username and
password respectively and must correspond to a user defined on the Pulp
server. If the -p flag is not supplied, the command line client will
ask for the password interactively./

I don't mind registering clients with the admin user. However, I do
have a concern. Do consumers need the admin password to update from a
repository? Assuming that the admin password is nowhere stored on the
consumer machines? And lastly, assuming a consumer machine has been
compromised, is the Pulp server at risk from pulp-consumer?

> Sorry I don't have better advice.  One thing I'd love is for there to
> be better/more predefined groups / roles capabilities bundled with
> pulp that could be used as templates.

Having predefined groups / roles is a great idea. In fact, when I
ran 'pulp-admin auth role list' and saw none, I was a bit
disappointed. Is there a feature request already open for this?

>  - Kodiak
> 
> On Sun, May 1, 2016 at 8:59 AM, Lutchy Horace (Mailing List) <
> mailinglist.subscriptions at lhprojects.net> wrote:  
> 
> >
> > Hello,
> >
> > I am trying to comprehend setting up permissions on resources. My
> > understanding thus far from:
> >
> >
> > https://pulp.readthedocs.io/en/latest/user-guide/admin-client/authentication.html#permissions
> >
> > "Permissions are essentially a REST API path."
> >
> > Ideally, I would have preferred viewing a list of resources from
> > pulp-admin. However, to view REST API path, I would have to sift
> > through
> >
> > https://pulp.readthedocs.io/en/latest/dev-guide/integration/rest-api/index.html
> > .
> > Which, to be honest, is a bit intimidating, especially which resource
> > path does what. In the examples provided, the REST API starts with /
> > and /v2? Although looking at the REST API documents, paths typically
> > begin with /pulp/api. So am I to presume that / points to /pulp/api?
> > Okay, if that's the case, if I want to register machines and pull
> > from repositories, I would need to set permissions on:
> >
> > READ on /v2/repository
> > READ,CREATE on /v2/consumers
> >
> > ?
> >
> > Regards
> >
> > --
> > Lutchy Horace
> > Owner/Operator/Administrator [http://www.lhprojects.net]
> > Owner/Operator/Administrator [http://www.bombshellz.net]
> > Owner/Operator/Administrator [http://www.animehouse.club]
> > About Me [http://about.me/lhprojects]
> > USA
> >
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pulp-list
> >  



-- 
Lutchy Horace
Owner/Operator/Administrator [http://www.lhprojects.net]
Owner/Operator/Administrator [http://www.bombshellz.net]
Owner/Operator/Administrator [http://www.animehouse.club]
About Me [http://about.me/lhprojects]
USA
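Kodiak's suggestion above (watch the Apache logs while an unprivileged test user tries things, then grant exactly the blocked paths and nothing more) can be partly automated. The script below is an added example, not Pulp project code and not something either poster wrote: it reads Apache combined-format access log lines, keeps the REST API requests that were refused, and turns each one into a candidate permission resource plus operation. Two things in it are my assumptions rather than anything the thread confirms: that a permission resource is the request path with the /pulp/api prefix removed (Lutchy's guess that / stands for /pulp/api), and the HTTP method to operation mapping (GET/HEAD to READ, PUT to UPDATE, DELETE to DELETE, POST to CREATE, and POST to an .../actions/... URL to EXECUTE). Pulp's handlers declare the operation per endpoint, so check that mapping against the REST API reference before granting anything. The log lines are constructed sample data, not a real server's log.

```python
"""Mine Apache access log lines for denied Pulp 2 REST API requests and turn
them into the (resource, operation) pairs a permission grant would need.

Added example, not Pulp project code.  Assumptions (mine, not from the thread):
  - a permission resource is the API path with the '/pulp/api' prefix removed
    ('/pulp/api/v2/repositories/' -> '/v2/repositories/');
  - HTTP method maps to a Pulp operation as GET/HEAD->READ, PUT->UPDATE,
    DELETE->DELETE, POST->CREATE, except POST to an '/actions/' URL -> EXECUTE.
    Pulp declares the operation per endpoint, so treat this as a first guess
    to confirm against the REST API docs.
"""
import re
from collections import defaultdict

API_PREFIX = "/pulp/api"
DENIED = {401, 403}

# Combined log format: host ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real data): a test user with no grants poking at
# the API, one unauthenticated consumer, plus two non-API content fetches.
SAMPLE_LOG = """\
10.0.0.5 - test-user [01/May/2016:13:10:01 +0000] "GET /pulp/api/v2/repositories/ HTTP/1.1" 403 98 "-" "pulp-admin"
10.0.0.5 - test-user [01/May/2016:13:10:02 +0000] "GET /pulp/api/v2/repositories/zoo/ HTTP/1.1" 403 98 "-" "pulp-admin"
10.0.0.7 - - [01/May/2016:13:10:05 +0000] "POST /pulp/api/v2/consumers/ HTTP/1.1" 401 0 "-" "pulp-consumer"
10.0.0.7 - test-user [01/May/2016:13:10:06 +0000] "POST /pulp/api/v2/consumers/ HTTP/1.1" 403 98 "-" "pulp-consumer"
10.0.0.7 - test-user [01/May/2016:13:10:09 +0000] "PUT /pulp/api/v2/consumers/box1/ HTTP/1.1" 403 98 "-" "pulp-consumer"
10.0.0.5 - test-user [01/May/2016:13:10:12 +0000] "POST /pulp/api/v2/repositories/zoo/actions/sync/ HTTP/1.1" 403 98 "-" "pulp-admin"
10.0.0.5 - test-user [01/May/2016:13:10:15 +0000] "GET /pulp/api/v2/repositories/zoo/ HTTP/1.1" 200 412 "-" "pulp-admin"
10.0.0.9 - - [01/May/2016:13:11:00 +0000] "GET /pulp/repos/zoo/repodata/repomd.xml HTTP/1.1" 200 2048 "-" "urlgrabber"
10.0.0.9 - - [01/May/2016:13:11:05 +0000] "GET /pulp/repos/private/repodata/repomd.xml HTTP/1.1" 403 202 "-" "urlgrabber"
10.0.0.5 - test-user [01/May/2016:13:11:30 +0000] "DELETE /pulp/api/v2/repositories/zoo/ HTTP/1.1" 403 98 "-" "pulp-admin"
"""


def parse_line(line):
    """Return the fields we need from one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def to_resource(path):
    """Map a request path to a permission resource, or None for non-API paths
    (e.g. /pulp/repos/..., which Apache serves as yum content, not the REST API)."""
    path = path.split("?", 1)[0]
    if not path.startswith(API_PREFIX + "/"):
        return None
    resource = path[len(API_PREFIX):]
    return resource if resource.endswith("/") else resource + "/"


def to_operation(method, resource):
    """Heuristic HTTP method -> Pulp operation mapping (see module docstring)."""
    if method in ("GET", "HEAD"):
        return "READ"
    if method == "PUT":
        return "UPDATE"
    if method == "DELETE":
        return "DELETE"
    if method == "POST":
        return "EXECUTE" if "/actions/" in resource else "CREATE"
    return None


def denied_permissions(log_text):
    """Collect {resource: sorted operations} for API requests that came back 401/403.
    A 401 may also be a wrong or missing password rather than a permission gap,
    so confirm each entry against what the test user was actually trying to do."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["status"] not in DENIED:
            continue
        resource = to_resource(entry["path"])
        if resource is None:
            continue
        op = to_operation(entry["method"], resource)
        if op is not None:
            needed[resource].add(op)
    return {r: sorted(ops) for r, ops in sorted(needed.items())}


if __name__ == "__main__":
    for resource, ops in denied_permissions(SAMPLE_LOG).items():
        print("%-45s %s" % (resource, ",".join(ops)))
```

Run it against the real access log instead of SAMPLE_LOG and feed each resource/operation pair into pulp-admin auth permission grant for the test user or role, then repeat the exercise until nothing is denied for the tasks you actually need. Non-API 403s (the /pulp/repos/ line in the sample) are deliberately skipped: that content is published by Apache rather than by the REST API, so a permission grant would not change the outcome there.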