Hi, I get this task and I think it is time to little discussion what is possible and how it should be done. (how it looks I think is decided - it is similar to groups).
Roles is something like mark which grants user set of actions. So e.g. role HR admin can add/remove users and edits its details it is one role but it contains more permissions.
At first I investigate little how lib/yast_roles.rb work...and it doesn't work. I try play with polkit and if you ask for user which doesn't have UID it fails. Problem is that roles doesn't have UID. So roles must be stored beside.
My proposal how it could work.
We have defined list of roles in one yaml file. owned by yastws, strict permissions. This list contain role and its permissions. Then we have second list which assign to role its users. If user get into role it get permissions of this role. If user remove from role all permissions is removed and again all roles is applied. If role is modified then all users in this role has removed permissions and all roles is again applied (the longest variant but roles should change only rare).
So permission module is changed that it act on roles not on users for appliance. For non-appliance usage it acts on users. ( I plan create two package to easier maintenance).
I welcome any comments, hints or questions
Josef
* Josef Reidinger jreidinger@suse.cz [Feb 23. 2010 19:02]:
Hi, I get this task and I think it is time to little discussion what is possible and how it should be done. (how it looks I think is decided - it is similar to groups).
Roles is something like mark which grants user set of actions. So e.g. role HR admin can add/remove users and edits its details it is one role but it contains more permissions.
Correct, a role is a set of (PolicyKit) permissions. These can be grant or deny permissions.
Thus a prerequisite for roles management is permissions management.
A user then gets a set of roles assigned, allowing him to act as an administrator within the limits of the roles.
At first I investigate little how lib/yast_roles.rb work...and it doesn't work. I try play with polkit and if you ask for user which doesn't have UID it fails. Problem is that roles doesn't have UID. So roles must be stored beside.
My proposal how it could work.
We have defined list of roles in one yaml file.
How its stored is an implementation detail, lets look at the resource model for the REST api first.
The permissions <-> roles <-> users mapping would match the has_and_belongs_to_many semantics of ActiveRecord.
owned by yastws, strict permissions. This list contain role and its permissions.
Right, this maps roles to set of permissions.
Then we have second list which assign to role its users.
A users <-> roles mapping, agreed.
If user get into role it get permissions of this role. If user remove from role all permissions is removed and again all roles is applied.
If role is modified then all users in this role has removed permissions and all roles is again applied (the longest variant but roles should change only rare).
Agreed on the semantics. But what makes you think that roles only change rarely ?
So permission module is changed that it act on roles not on users for appliance.
Yes !
Of course we could also do a direct permissions <-> users mapping. But with hundreds of permissions, this easily gets out of hand. The insertion of roles is a means to make handling this stuff easier.
For non-appliance usage it acts on users. ( I plan create two package to easier maintenance).
Why ?
Klaus --- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Klaus Kaempf write:
- Josef Reidinger jreidinger@suse.cz [Feb 23. 2010 19:02]:
Hi, I get this task and I think it is time to little discussion what is possible and how it should be done. (how it looks I think is decided - it is similar to groups).
Roles is something like mark which grants user set of actions. So e.g. role HR admin can add/remove users and edits its details it is one role but it contains more permissions.
Correct, a role is a set of (PolicyKit) permissions. These can be grant or deny permissions.
Thus a prerequisite for roles management is permissions management.
A user then gets a set of roles assigned, allowing him to act as an administrator within the limits of the roles.
At first I investigate little how lib/yast_roles.rb work...and it doesn't work. I try play with polkit and if you ask for user which doesn't have UID it fails. Problem is that roles doesn't have UID. So roles must be stored beside.
My proposal how it could work.
We have defined list of roles in one yaml file.
How its stored is an implementation detail, lets look at the resource model for the REST api first.
The permissions <-> roles <-> users mapping would match the has_and_belongs_to_many semantics of ActiveRecord.
Agree. I write how I plan to store it for Thomas.
owned by yastws, strict permissions. This list contain role and its permissions.
Right, this maps roles to set of permissions.
Then we have second list which assign to role its users.
A users <-> roles mapping, agreed.
If user get into role it get permissions of this role. If user remove from role all permissions is removed and again all roles is applied.
If role is modified then all users in this role has removed permissions and all roles is again applied (the longest variant but roles should change only rare).
Agreed on the semantics. But what makes you think that roles only change rarely ?
Maybe I am affected from one my work with roles, where I create role generation system. It is planned that in bank role is set once and change rare but assign to employer change quite often with personal moves.
But in general I hope it is quite fast and even if it take some time we could use same trick as for patches and status, because granting need not to be synchronous.
So permission module is changed that it act on roles not on users for appliance.
Yes !
Of course we could also do a direct permissions <-> users mapping. But with hundreds of permissions, this easily gets out of hand. The insertion of roles is a means to make handling this stuff easier.
Yes, if we allow direct mapping (which is now done hidden in backend) we have problems with overwritting perms with roles.
For non-appliance usage it acts on users. ( I plan create two package to easier maintenance).
Why ?
I think we should have some tool which allow administrator to easy maintain permissions. But in non-appliance is user module mapped with roles and not permissions (because users is users on system and not webyast users). Of course it is possible to use same role model as in appliance, but then it is little unclear for me how to do integration with users which has another semantic.
Josef
Klaus
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
-
Josef Reidinger -
Klaus Kaempf