* Josef Reidinger <jreidinger(a)suse.cz> [Feb 23. 2010 19:02]:
> I got this task and I think it is time for a little discussion about what is possible and how it
> should be done. (How it looks I think is decided - it is similar to groups.)
> A role is something like a mark which grants a user a set of actions. So e.g. the role HR admin can
> add/remove users and edit their details; it is one role but it contains more permissions.
Correct, a role is a set of (PolicyKit) permissions. These can be
grant or deny permissions.
Thus a prerequisite for roles management is permissions management.
A user then gets a set of roles assigned, allowing him to act as an
administrator within the limits of the roles.
> At first I investigated a little how lib/yast_roles.rb works... and it doesn't work. I
> tried playing with polkit, and if you ask for a user which doesn't have a UID it fails. The problem
> is that roles don't have a UID. So roles must be stored separately.
> My proposal for how it could work:
> We have a defined list of roles in one yaml file
How it's stored is an implementation detail, let's look at the resource
model for the REST api first.
The permissions <-> roles <-> users mapping would match the
has_and_belongs_to_many semantics of ActiveRecord.
> owned by yastws, with strict permissions. This list
> contains a role and its
Right, this maps roles to a set of permissions.
> Then we have a second list which assigns to a role its
A users <-> roles mapping, agreed.
> If a user gets into a role it gets the permissions of this
> If a user is removed from a role, all permissions are removed and again all roles are applied.
> If a role is modified then all users in this role have
> their permissions removed and all roles are applied again (the longest variant, but roles should
> change only rarely).
Agreed on the semantics. But what makes you think that roles only
change rarely?
> So the permission module is changed so that it acts on roles, not on users, for the appliance.
Of course we could also do a direct permissions <-> users mapping. But
with hundreds of permissions, this easily gets out of hand. The
insertion of roles is a means to make handling this stuff easier.
> For non-appliance usage it acts on users. (I plan
> to create two packages for easier maintenance.)
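The permissions <-> roles <-> users mapping and the "drop everything and apply all roles again" semantics discussed in this thread, as an added plain-Ruby example (not code from the yast-devel thread or the YaST web service). Permission names such as users.add are constructed placeholders, and deny-over-grant precedence is an assumption the thread does not state.

```ruby
# Added example: in-memory model of roles as sets of grant/deny permissions,
# with users mapped to roles. Effective permissions are always rebuilt from
# the current roles, so revoking a role or editing a role never leaves stale
# grants behind (the recompute-on-change semantics proposed in the thread).
# Assumptions: permission names are opaque PolicyKit-style action ids
# (constructed placeholders here); a deny in any role overrides a grant.
require 'set'

Role = Struct.new(:name, :grants, :denies)

class RoleRegistry
  def initialize
    @roles = {}                                          # role name -> Role
    @memberships = Hash.new { |h, k| h[k] = Set.new }    # user -> role names
  end

  # Define or redefine a role; existing members pick up the change on the
  # next effective() call because nothing is cached per user.
  def define(name, grants: [], denies: [])
    @roles[name] = Role.new(name, Set.new(grants), Set.new(denies))
  end

  def assign(user, role)
    raise ArgumentError, "unknown role #{role}" unless @roles.key?(role)
    @memberships[user] << role
  end

  def revoke(user, role)
    @memberships[user].delete(role)
  end

  # Union of all grants from the user's roles minus the union of all denies
  # (assumed deny-wins). Computed from scratch every time.
  def effective(user)
    roles = @memberships[user].map { |n| @roles[n] }
    granted = roles.map(&:grants).reduce(Set.new, :|)
    denied  = roles.map(&:denies).reduce(Set.new, :|)
    granted - denied
  end

  # Users affected by a change to the given role.
  def users_in(role)
    @memberships.select { |_, rs| rs.include?(role) }.keys
  end
end
```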