Mailinglist Archive: yast-devel (128 mails)

< Previous Next >
[yast-devel] Re: Webyast - roles management
  • From: Josef Reidinger <jreidinger@xxxxxxx>
  • Date: Wed, 24 Feb 2010 15:29:23 +0100
  • Message-id: <201002241529.23682.jreidinger@xxxxxxx>

Hi,
I found a plugin that seems to do what you want.
http://code.google.com/p/rolerequirement/

Thanks for source. I read it, but I think that it give check to much
high-level. We have permissions on layer which communicate with dbus as
permission is mapped (name of permission is constructed from dbus call) to dbus
call

... and it seems to be maintained.

quote from first paragraph:
"NOTE: I am no longer maintaining this project. Please see the note on the
github page (http://github.com/timcharper/roll_requirement) for more
information.

Thanks, Tim"

:)


You are talking about roles in the context of web-yast not in
the context of the underlying OS, right?

in context of web-yast

Or do you plan to allow web-yast users to change the OS config
by using yast, read/write to system files etc.?

Now webyast users = users in OS. But it can change in future. Klaus can give
you more information on this topic.


From a security point of view it is important to have a complete code
coverage of RBAC to avoid bypassing the ACLs by using another interface
(RESTful vs. UI vs. ...) or delegate an automatic and user-defined task
to the web-application which is then executed with the role of the web-app not
with the role of the web-yast user (something equal to a cron job).

Because RBAC is just interface and inside it is about distribution permissions,
It works like now..users has individual permissions. Just administrator manage
it with roles, do not directly touch each permissions. So another interface
cannot bypass this permissions.

Josef


Bye
Thomas


Am Dienstag 23 Februar 2010 19:02:54 schrieb Josef Reidinger:
Hi,
I get this task and I think it is time to little discussion what is
possible and how it should be done. (how it looks I think is decided - it
is similar to groups).

Roles is something like mark which grants user set of actions. So e.g. role
HR admin can add/remove users and edits its details it is one role but it
contains more permissions.

At first I investigate little how lib/yast_roles.rb work...and it doesn't
work. I try play with polkit and if you ask for user which doesn't have
UID it fails. Problem is that roles doesn't have UID. So roles must be
stored beside.

My proposal how it could work.

We have defined list of roles in one yaml file. owned by yastws, strict
permissions. This list contain role and its permissions. Then we have
second list which assign to role its users.
If user get into role it get permissions of this role.
If user remove from role all permissions is removed and again all roles is
applied. If role is modified then all users in this role has removed
permissions and all roles is again applied (the longest variant but roles
should change only rare).

So permission module is changed that it act on roles not on users for
appliance. For non-appliance usage it acts on users. ( I plan create two
package to easier maintenance).

I welcome any comments, hints or questions

Josef





--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
--
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-devel+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References