
Access to agents/nodes through authorization roles

Open dieterdemeyer opened this issue 11 years ago • 12 comments

I was wondering if the following feature would be hard to implement: Authentication + authorization for multiple users.

I could certainly use it with my MCollective setup but don't know if you would be willing to implement it... It would be nice to assign a certain role to a specific user or multiple users. After logging in, a user would only be allowed to use an agent or access certain nodes based on a specific role (perhaps based on a regular expression through configuration in application.yml).

What do you think of this idea?

dieterdemeyer avatar May 21 '13 17:05 dieterdemeyer

I was planning to do work (without deciding what) on authentication/authorization, as it's pretty much essential for this kind of software. Input is good, that's partly why I left all but basic authentication out of the first release. It is probably a fair bit of work, so not sure how quickly it will happen ;)

What kind of authentication/authorization backends would you ideally use?

ajf8 avatar May 21 '13 18:05 ajf8

Haven't really thought about that part yet... MySQL perhaps? Or maybe start simple with files in the config directory, like application.yaml?

Don't feel pressured to implement this, it would be very nice to have but not by tomorrow :) I can imagine it's quite an amount of work.

dieterdemeyer avatar May 21 '13 18:05 dieterdemeyer

Internal auth backend like mysql or sqlite (which, if just used for authorization, should work just fine) sounds good, and you would have to implement some kind of role delegation system/interface. In larger environments LDAP is often used, so I would opt for that. Role delegation + LDAP through HTTP basic auth, however, works just fine and is usually easy to implement - IMHO Apache/Nginx HTTP basic auth, which is already a pluggable auth mechanism (supporting PAM, MySQL, flatfile etc-etc), is totally OK to rely on for external auth sources. /rant :)

epleterte avatar Jun 07 '13 11:06 epleterte

Hi, Just wanted to know if there is any progress made on this... Thx.

dieterdemeyer avatar Nov 05 '13 14:11 dieterdemeyer

I think the best way would be to use LDAP authentication, and create a model to map permissions to users/groups on LDAP.

We could also have some "validated" MCollective commands that are the only option available for a given user group. This way we could expose the MCollective power without the danger of people operating it from the web without understanding its concepts.

Example of validated commands: the admin validates the command "Restart Service X on Application Cluster Y, on Datacenter Z". This would create some MCollective options, like filtering on facts, classes and subcollectives for example. This will create a button for the operations team with the validated action. So when the operations team logs in, they only have permission to see and run validated actions. They will click "Restart Service X on Application Cluster Y, on Datacenter Z", and it will do the job without the risk of exposing all the MCollective power to people who do not know properly how to use it, but need to use it for some pre-defined actions.

lmello avatar May 26 '14 13:05 lmello
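The "validated commands" model sketched above, written out as an added Ruby example (not code from mcomaster or from anyone in this thread): each role (an LDAP group name, constructed here) maps to admin-approved actions whose agent, action and filters are fixed, so an operator can only run a request that exactly matches one of them. All group names, facts, classes and collective names are constructed for illustration.

```ruby
require 'set'

# One admin-approved request. Its filters are fixed, so a user cannot widen the
# target set (e.g. drop the datacenter fact) when the button is clicked.
ValidatedAction = Struct.new(:id, :label, :agent, :action, :filter, keyword_init: true)

# Constructed sample: the single validated action from the thread.
VALIDATED_ACTIONS = [
  ValidatedAction.new(
    id: 'restart_x_cluster_y_dc_z',
    label: 'Restart Service X on Application Cluster Y, on Datacenter Z',
    agent: 'service', action: 'restart',
    filter: { 'fact' => { 'cluster' => 'Y', 'datacenter' => 'Z' },
              'class' => ['role::service_x'], 'collective' => 'dc_z' }
  ),
].freeze

# Role (constructed LDAP group DN) -> ids of validated actions the role may run;
# :all marks an administrator who may run every validated action.
ROLE_ACTIONS = {
  'cn=operations,ou=groups,dc=example,dc=com' => Set['restart_x_cluster_y_dc_z'],
  'cn=admins,ou=groups,dc=example,dc=com'     => :all,
}.freeze

# Actions a user with these groups should see as buttons; unknown groups get nothing.
def visible_actions(groups)
  return VALIDATED_ACTIONS if groups.any? { |g| ROLE_ACTIONS[g] == :all }
  allowed = groups.flat_map { |g| (ROLE_ACTIONS[g] || Set.new).to_a }
  VALIDATED_ACTIONS.select { |a| allowed.include?(a.id) }
end

# Server-side check before dispatching to MCollective: returns the matching
# ValidatedAction, or nil when agent, action or filter differ from an allowed one.
# The filter comparison is an exact hash match, so it deliberately rejects both
# narrower and wider filters than the admin approved.
def authorize(groups, agent:, action:, filter:)
  visible_actions(groups).find do |a|
    a.agent == agent && a.action == action && a.filter == filter
  end
end
```

The same exact-match check is what keeps a UI-only restriction from being bypassed by a hand-crafted REST call with a different filter.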

I am thinking about creating a simple MCollective web client to do what I described above. Or if people think adding support for users and groups and that kind of thing is good for mcomaster, I could check if it is possible to merge the ideas.

lmello avatar May 26 '14 13:05 lmello

@lmello I ended up doing the same. Just built a Sinatra dashboard for various tasks, I can probably give you the basic code action, which makes it pretty easy. It's Ruby, if you like.

matthewbarr avatar May 26 '14 13:05 matthewbarr

@matthewbarr I would really appreciate contributing to that project. My email: [email protected]

lmello avatar May 26 '14 17:05 lmello

I know this is a long time after the report was opened and not much development happened for a while, so I understand if you're not interested - but this has been implemented recently as well as some other features.

It's not perfect, but we've got something similar to the puppetlabs actionpolicy extension, but in mcomaster. And a web interface for administrators to add/remove/edit policies.

If you want to try it I'd recommend the excellent Vagrant installation @lmello created, in the repository.

ajf8 avatar Aug 20 '14 20:08 ajf8

I tested it, and the active policies are not listed anywhere, and it unmarks the "enable policies" checkbox after I change to another place in the app and go back to the admin page.

lmello avatar Sep 02 '14 19:09 lmello

Hi Leonardo,

Do you see anything in web developer tools or the mcomaster log like failed REST calls or failed database queries?

Also check you have the latest rails DB migrations.

Thanks,

ajf8 avatar Sep 02 '14 21:09 ajf8

@ajf8
Sorry for the delay, I could check that in one to two weeks. I am delivering one large project at work, and everything is delayed because of that. :-/

lmello avatar Sep 04 '14 20:09 lmello