[racktables-users] Permissions Assistance

  • From: "Don Greer" <Don.Greer@xxxxxxxxxxxxxxxxx>
  • To: <racktables-users@xxxxxxxxxxxxx>
  • Date: Mon, 28 Sep 2009 16:01:02 -0500

  Folks,

  I am attempting to implement RackTables in a production shared colo/DC
environment.  One of my goals is to allow customers to look at and
modify their own equipment (Objects) and network information.

  After some serious struggling, I think I have the basics of the
RackCode based permissions system down.  Here's what I've come up with:

# User Specific Permissions
allow {$userid_1}
allow {Administrators}

# Customer Access Permissions

# Global Permissions for Customers
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or
{$page_ipv4space} or {$page_ipaddress} )

# Customer Specific Permissions
allow {Cust1 Users} and {Cust1 Assets}
allow {Cust2 Users} and {Cust2 Assets}

  For this, I have the following tags:

Administrative Groups
  Administrators (4)
  customer admin (4)
  customer viewer (2)
Assets
  Cust1 Assets (18)
  Cust2 Assets (9)
Customers
  Cust1 Users (2)
  Cust2 Users (4)

The users are as follows:

Cust1Viewer (customer viewer, Cust1 Users)
Cust1Admin (customer admin, Cust1 Users)
...

  This works as intended in some places, but I've found several places
that present problems:

1. While I can allow users to get into $page_ipv4space and $page_ipv4, I
cannot allow them into $page_ipaddress because the ownership of a network
does not propagate to individual addresses.  Allowing access to ANY
$page_ipaddress page will allow them to manually change the "ip=" value
and edit other customers' addresses (Not a Good Thing (tm)).
2. There is no method by which to force the filters on individual pages
(or pull-downs) such that users ONLY see their Objects, racks, etc.
associated with a specific tag.  This IS handled in a round-about way on
$page_rackspace, where racks owned by people other than the user are
blacked out, but as we grow the datacenter, that too will become a bit of
a needle-in-the-haystack problem.  Utilizing the page filters in a
forceful way (e.g. administratively turning on a filter for "Cust1
Assets" on pages being accessed by "Cust1 Users") would work much better
and present a cleaner interface for the end user.  Ideally this would
also be applied to the pull-downs for Objects, interfaces, etc.
3. There's no way (I think) to force a tag on objects created by a user
or allow inheritance of permissions in some way.  For instance, I'd like
to force any Object created by "Cust1 Users" to have the tag "Cust1
Assets" forced on.  This would allow the user to create his objects for
the equipment he is wanting installed in his cabinet prior to shipping,
relieving my staff of having to do all this manually.  The customer can
then ship the equipment to us and we already know where it goes, how
it's cabled, etc.


  There are several other things that have cropped up, but these are the
major issues that are going to prevent me from fully implementing this
package in this environment.

  Can somebody tell me if there are solutions for any of these problems?
The documentation on RackCode is a bit thin :^) so I'm not sure if I'm
simply missing some features or if these things literally don't exist.

  I may try scratching my own itch here, but I gotta tell you it'll take
me forever because I haven't written any serious code in over a decade.

  TIA

  Don
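Added example (Python; not RackTables' own code and not part of Don's post): a small evaluator for the RackCode subset used in the rule set above (allow/deny, and/or/not, parentheses, {tag} terms). It assumes RackTables' first-match semantics (statements are tried top to bottom, the first whose expression matches decides, and no match is a deny) and builds a request context from only the $page_/$tab_ autotags plus the user's and the viewed object's tags; the extra autotags real RackTables adds ($userid_, $username_ and so on) are left out. The user tag sets and request contexts are constructed from the post. Feeding Don's rules through it shows problem 1 concretely: rule 7 matches any $page_ipaddress request because nothing in an address's context names a customer, while an object carrying another customer's asset tag falls through every rule to the implicit deny.

```python
"""Evaluate the RackCode subset from the post (allow/deny, and/or/not, parentheses,
{tag}) against a request's tag set.  Added example, not RackTables code.  Assumed
semantics: statements are tried in order, the first matching expression decides,
no match means deny.  The context built here is only $page_X/$tab_Y autotags plus
user and object tags (real RackTables adds $userid_/$username_ etc., omitted)."""
import re

_TOKEN = re.compile(r"\{[^}]*\}|[()]|\b(?:allow|deny|and|or|not)\b")

class _Parser:
    """Recursive descent: 'not' binds tightest, then 'and', then 'or'."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok and tok.startswith("{"):
            return ("tag", tok[1:-1].strip())
        raise ValueError(f"unexpected token {tok!r}")

def parse_rackcode(text):
    """Return [(decision, ast), ...]; lines starting with '#' are comments."""
    body = " ".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    toks, rules, i = _TOKEN.findall(body), [], 0
    while i < len(toks):
        if toks[i] not in ("allow", "deny"):
            raise ValueError(f"expected allow/deny, got {toks[i]!r}")
        j = i + 1
        while j < len(toks) and toks[j] not in ("allow", "deny"):
            j += 1
        parser = _Parser(toks[i + 1:j])
        ast = parser.expr()
        if parser.peek() is not None:
            raise ValueError("trailing tokens in statement")
        rules.append((toks[i], ast))
        i = j
    return rules

def _eval(node, tags):
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "not":
        return not _eval(node[1], tags)
    if kind == "and":
        return _eval(node[1], tags) and _eval(node[2], tags)
    return _eval(node[1], tags) or _eval(node[2], tags)

def decide(rules, tags):
    """First match wins: returns (decision, 1-based rule number) or ('deny', None)."""
    for n, (decision, ast) in enumerate(rules, 1):
        if _eval(ast, tags):
            return decision, n
    return "deny", None

def request_tags(user_tags, page, tab, object_tags=()):
    """Constructed request context: page/tab autotags plus user and object tags."""
    return {f"$page_{page}", f"$tab_{tab}", *user_tags, *object_tags}

# Don's rule set, with the comment lines trimmed to one.
POLICY = """
# User Specific Permissions
allow {$userid_1}
allow {Administrators}
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or
{$page_ipv4space} or {$page_ipaddress} )
allow {Cust1 Users} and {Cust1 Assets}
allow {Cust2 Users} and {Cust2 Assets}
"""
RULES = parse_rackcode(POLICY)
CUST1_VIEWER = {"customer viewer", "Cust1 Users"}  # user Cust1Viewer's tags
CUST1_ADMIN = {"customer admin", "Cust1 Users"}    # user Cust1Admin's tags

if __name__ == "__main__":
    # Problem 1: an address context has no customer tag, so rule 7 fires for any ip=.
    print(decide(RULES, request_tags(CUST1_VIEWER, "ipaddress", "default")))
    # Objects do carry asset tags, so another customer's object hits the implicit deny.
    print(decide(RULES, request_tags(CUST1_VIEWER, "object", "default", {"Cust2 Assets"})))
```

Because evaluation is purely "is this tag in the request context", tightening rule 7 by itself does not help: a `{Cust1 Assets}` condition on $page_ipaddress can never be satisfied while the address's context carries no such tag, which is exactly the propagation gap the first problem describes. The evaluator is for reasoning about a rule set offline, not a substitute for RackTables' own engine.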
