diff options
| author | Michael DeHaan <mdehaan@redhat.com> | 2008-08-27 16:57:10 -0400 |
|---|---|---|
| committer | Michael DeHaan <mdehaan@redhat.com> | 2008-08-27 16:57:10 -0400 |
| commit | c3cb47903f10493d78fa575db1a085e3091ad84b (patch) | |
| tree | 5d1800a5b14fdada21e2562d4e9f288da930ea10 /config | |
| parent | 77eb177fc063847c172eb777ffe67becadddd7ee (diff) | |
| download | cobbler-c3cb47903f10493d78fa575db1a085e3091ad84b.tar.gz cobbler-c3cb47903f10493d78fa575db1a085e3091ad84b.tar.xz cobbler-c3cb47903f10493d78fa575db1a085e3091ad84b.zip | |
First pass at what an ACL's config file might look like. This will be used by authz_ownership and authz_configfile
Diffstat (limited to 'config')
| -rw-r--r-- | config/acls.conf | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/config/acls.conf b/config/acls.conf new file mode 100644 index 00000000..09b82a71 --- /dev/null +++ b/config/acls.conf @@ -0,0 +1,66 @@ +# the acls.conf file lists specific custom operations to deny to users of certain groups +# when using the authz_configfile or authz_ownership modules. +# +# the denial control flow is: +# +# Authentication module -> Authorization module -> ACL list + + +# Deny nothing from users in the "admin" or "admins" groups + +admin: ~ +admins: ~ + +# Deny nothing from users whose groups are not found in this file: + +unmatched: ~ + +# Example1: users in the group "jradmin" can create/edit/modify systems as long as +# the authorization module lets them. However they do not have permission to create +# new distributions, profiles, image records, or repos. The authorization modules chosen +# in /etc/cobbler/modules.conf are responsible for chosing the group mapping. + +jradmin: + "new_distro": ~ + "new_profile": ~ + "new_image": ~ + "new_repo": ~ + "copy_distro": ~ + "copy_profile": ~ + "copy_image": ~ + "copy_repo": ~ + "remove_distro": ~ + "remove_profile": ~ + "remove_image": ~ + "remove_repo": ~ + "modify_distro": ~ + "modify_profile": ~ + "modify_image": ~ + "modify_repo": ~ + "write_kickstart_templates" : ~ + +# Example2: users in group "less trusted" can only modify existing systems that some one +# else creates. If the ownership module is in use, they must also be in the ownership list +# in addition, they cannot manipulate network details of the systems they own. + +lesstrusted: + "new_*": ~ + "copy_*": ~ + "remove_*": ~ + "modify_distro": ~ + "modify_profile": ~ + "modify_image": ~ + "modify_repo": ~ + "modify_system": + - "mac-address-*" + - "ip-address-*" + - "hostname-*" + - "gateway-*" + - "subnet-*" + "save_distro": ~ + "save_profile": ~ + "save_image": ~ + "save_repo": ~ + "rename_*": ~ + "sync" : ~ + "write_kickstart_templates" : ~ |