[racktables-users] Re: Permissions Assistance

  • From: "Jeroen Benda" <Jeroen.Benda@xxxxxxxxxx>
  • To: <racktables-users@xxxxxxxxxxxxx>
  • Date: Tue, 29 Sep 2009 10:29:39 +0200

I've been working on this as well as we are implementing the tool over
many datacenters and are worried about the needle-haystack problem as
well. In addition we're trying to implement permissions for network
admins, server admins etc. I found that the following will work for
limiting the objects in most views. Put something like this in your
local.php (this is what we have; the $lgcn thing is because we have AD
integration. It basically means that if a user is a member of the group
RCK_Admins_SITE1, then their tag should be SITE1). It works for
Rackspace and objects. For some strange reason though, it does not work
for search (we are at 17.1 still), where the filtering is not used.
 
global $auto_tags, $sic;
if (in_array(array('tag'=>'$lgcn_RCK_Admins_SITE1'),$auto_tags)) {
  $sic['cfe'] = '({SITE1})';
}
etc
You can figure out the rest I assume.
 
I've also modified the main page to only show the menu graphics that the
user is allowed to do (see bottom of my email).

The following is part of our config that allows read-only users
($lgcn_RCK_Read_Only) to see everything but do nothing;
$lgcn_RCK_Admins_SITE1 users are allowed only to see SITE1 objects (and
do nothing with them).

allow {$userid_1}
allow {$lgcn_RCK_Admins}
deny {$page_config}
allow {$page_search}
allow {$page_depot} and {$tab_default}
allow {$lgcn_RCK_Read_Only} and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and ({$page_index} or {$page_row} or {$page_rackspace}) and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and {SITE1} and {$tab_default}

Hope this helps,
 
Jeroen
 
// Main menu: render only the entries the current user is permitted to open.
function renderIndex ()
{
// Four columns per row; $col counts how many are still free after the
// permitted entries have been printed, so the row can be padded.
$col = 4;
?>
<table border=0 cellpadding=0 cellspacing=0 width='100%'>
  <tr>
    <td>
      <div style='text-align: center; margin: 10px; '>
      <table width='100%' cellspacing=0 cellpadding=30 class=mainmenu border=0>
        <tr>
<?php
if (permitted('rackspace')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'rackspace'))."'>Rackspace<br>\n";
  printImageHREF ('rackspace');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
if (permitted('depot')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'depot'))."'>Objects<br>\n";
  printImageHREF ('objects');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
if (permitted('ipv4space')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'ipv4space'))."'>IPv4 space<br>\n";
  printImageHREF ('ipv4space');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
if (permitted('files')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'files'))."'>Files<br>\n";
  printImageHREF ('files');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
// Pad the row with an empty cell spanning the columns that were skipped.
if ($col>0) {
  print "          <td colspan='{$col}'>&nbsp;</td>\n";
}
?>
        </tr>
        <tr>
<?php
$col = 4;
if (permitted('config')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'config'))."'>Configuration<br>\n";
  printImageHREF ('config');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
if (permitted('reports')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'reports'))."'>Reports<br>\n";
  printImageHREF ('reports');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
if (permitted('ipv4slb')) {
  print "          <td>\n";
  print "            <h1><a href='".makeHref(array('page'=>'ipv4slb'))."'>IPv4 SLB<br>\n";
  printImageHREF ('ipv4slb');
  print "</a></h1>\n";
  print "          </td>\n";
  $col--;
}
// This row has at most three entries, so at least one column is always left.
if ($col>0) {
  print "          <td colspan='{$col}'>&nbsp;</td>\n";
}
?>
        </tr>
      </table>
      </div>
    </td>
  </tr>
</table>
<?php
}
________________________________

From: racktables-users-bounce@xxxxxxxxxxxxx
[mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Don Greer
Sent: Monday, September 28, 2009 23:01
To: racktables-users@xxxxxxxxxxxxx
Subject: [racktables-users] Permissions Assistance



  Folks,

  I am attempting to implement RackTables in a production shared colo/DC
environment.  One of my goals is to allow customers to look at and
modify their own equipment (Objects) and network information.

  After some serious struggling, I think I have the basics of the
RackCode based permissions system down.  Here's what I've come up with:

 

# User Specific Permissions
allow {$userid_1}
allow {Administrators}

# Customer Access Permissions
# Global Permissions for Customers
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )

# Customer Specific Permissions
allow {Cust1 Users} and {Cust1 Assets}
allow {Cust2 Users} and {Cust2 Assets}

 

  For this, I have the following tags:

Administrative Groups
  Administrators (4)
  customer admin (4)
  customer viewer (2)
Assets
  Cust1 Assets (18)
  Cust2 Assets (9)
Customers
  Cust1 Users (2)
  Cust2 Users (4)

 

The users are as follows:
Cust1Viewer (customer viewer, Cust1 Users)
Cust1Admin (customer admin, Cust1 Users)
...

 

  This works as intended in some places, but I've found several places
that present problems:

1.      While I can allow users to get into $page_ipv4space and
$page_ipv4, I cannot allow them into $page_ipaddress because the
ownership of a network does not propagate to individual addresses.
Allowing access to ANY $page_ipaddress page will allow them to manually
change the "ip=" value and edit other customers' addresses (Not a Good
Thing (tm)).
2.      There is no method by which to force the filters on individual
pages (or pull-downs) such that users ONLY see their Objects, racks,
etc. associated with a specific tag.  This IS handled in a round-about
way on $page_rackspace, where racks owned by people other than the user
are blacked out, but as we grow the datacenter, that too will become a
bit of a needle-in-the-haystack problem.  Utilizing the page filters in
a forceful way (e.g. administratively turning on a filter for "Cust1
Assets" on pages being accessed by "Cust1 Users") would work much better
and present a cleaner interface for the end user.  Ideally this would
also be applied to the pull-downs for Objects, interfaces, etc. 
3.      There's no way (I think) to force a tag on objects created by a
user or allow inheritance of permissions in some way.  For instance, I'd
like to force any Object created by "Cust1 Users" to have the tag "Cust1
Assets" forced on.  This would allow the user to create his objects for
the equipment he is wanting installed in his cabinet prior to shipping,
alleviating my staff from having to do all this manually.  The customer
can then ship the equipment to us and we already know where it goes, how
it's cabled, etc. 

 

  There are several other things that have cropped up, but these are the
major issues that are going to prevent me from fully implementing this
package in this environment.

  Can somebody tell me if there are solutions for any of these problems?
The documentation on RackCode is a bit thin :^) so I'm not sure if I'm
simply missing some features or if these things literally don't exist.

  I may try scratching my own itch here, but I gotta tell you it'll take
me forever because I haven't written any serious code in over a decade.

  TIA

  Don
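Added example, not code from either message or from RackTables itself: a small Python evaluator for RackCode-style rule lists, run over Jeroen's rule set above and Don's rule set from the quoted post. It assumes RackCode's first-match, default-deny evaluation order and a precedence of 'not' over 'and' over 'or'; the request tag sets, including the '$page_object' page tag name, are constructed for the example. The point it makes is the one behind Don's first issue: a tag-based policy can only decide on the tags the request carries, so an address page that carries no customer asset tag produces the same verdict whichever customer's address it is.

```python
"""Toy evaluator for RackCode-style allow/deny rules (added example, not
RackTables' own parser).  Assumed semantics: rules are checked top-down, the
first matching rule decides, no match means deny; 'not' > 'and' > 'or'."""
import re

TOKEN_RE = re.compile(r"\{[^}]*\}|\(|\)|\bnot\b|\band\b|\bor\b")

def parse_binary(toks, op, sub):
    """Left-associative chain of `op` over the tighter-binding parser `sub`."""
    node = sub(toks)
    while toks and toks[0] == op:
        toks.pop(0)
        node = (op, node, sub(toks))
    return node

def parse_not(toks):
    # Highest precedence: 'not' prefix, parenthesised group, or one {tag}.
    tok = toks.pop(0)
    if tok == "not":
        return ("not", parse_not(toks))
    if tok == "(":
        node = parse_expr(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    if tok.startswith("{"):
        return ("tag", tok[1:-1].strip())
    raise ValueError("unexpected token %r" % tok)

def parse_expr(toks):
    # Consumes tokens; returns nested tuples like ('and', ('tag', 'a'), ...).
    return parse_binary(toks, "or", lambda t: parse_binary(t, "and", parse_not))

def evaluate(node, tags):
    """Evaluate a parsed expression against the request's tag set."""
    if node[0] == "tag":
        return node[1] in tags
    if node[0] == "not":
        return not evaluate(node[1], tags)
    left, right = evaluate(node[1], tags), evaluate(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)

def parse_rules(text):
    """Turn 'allow <expr>' / 'deny <expr>' lines into (verb, ast) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            verb, _, expr = line.partition(" ")
            toks = TOKEN_RE.findall(expr)
            if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
                raise ValueError("unparseable expression: %r" % expr)
            node = parse_expr(toks)
            if verb not in ("allow", "deny") or toks:
                raise ValueError("bad rule: %r" % line)
            rules.append((verb, node))
    return rules

def decide(rules, tags):
    """First matching rule wins; no match means deny (assumed default)."""
    for verb, node in rules:
        if evaluate(node, tags):
            return verb
    return "deny"

# Rule sets from the thread (Don's wrapped line rejoined, comments dropped).
DON_RULES = parse_rules("""
allow {$userid_1}
allow {Administrators}
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )
allow {Cust1 Users} and {Cust1 Assets}
allow {Cust2 Users} and {Cust2 Assets}
""")
JEROEN_RULES = parse_rules("""
allow {$userid_1}
allow {$lgcn_RCK_Admins}
deny {$page_config}
allow {$page_search}
allow {$page_depot} and {$tab_default}
allow {$lgcn_RCK_Read_Only} and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and ({$page_index} or {$page_row} or {$page_rackspace}) and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and {SITE1} and {$tab_default}
""")

def scenarios():
    """Constructed requests ('$page_object' is an assumed page tag name)."""
    viewer = {"customer viewer", "Cust1 Users"}
    site1 = {"$lgcn_RCK_Admins_SITE1"}
    return {
        # Don's issue 1: no asset tag reaches an address page, so every
        # customer's address yields the same tag set and the same verdict.
        "don/viewer, ip address page": decide(DON_RULES, viewer | {"$page_ipaddress", "$tab_default"}),
        "don/viewer, Cust1 object": decide(DON_RULES, viewer | {"$page_object", "$tab_default", "Cust1 Assets"}),
        "don/viewer, Cust2 object": decide(DON_RULES, viewer | {"$page_object", "$tab_default", "Cust2 Assets"}),
        "don/viewer, edit own object": decide(DON_RULES, viewer | {"$page_object", "$tab_edit", "Cust1 Assets"}),
        "jeroen/SITE1 admin, SITE1 object": decide(JEROEN_RULES, site1 | {"$page_object", "$tab_default", "SITE1"}),
        "jeroen/SITE1 admin, SITE2 object": decide(JEROEN_RULES, site1 | {"$page_object", "$tab_default", "SITE2"}),
        "jeroen/SITE1 admin, config page": decide(JEROEN_RULES, site1 | {"$page_config", "$tab_default"}),
    }
```

Calling scenarios() returns "allow" for the address page whichever customer owns the address, "deny" for a Cust1 viewer on a Cust2-tagged object or on an edit tab, and "allow"/"deny" for the SITE1 admin on SITE1/SITE2 objects under Jeroen's rules; the config page is refused by the explicit deny that precedes the allows. Jeroen's $sic['cfe'] trick in local.php is the complement to this: it narrows what a listing shows, while the rule list decides what a request may do.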

