[racktables-users] Re: Trying to understand how users work

  • From: James Geiger <jpgeiger@xxxxxxxxx>
  • To: Alexey Andriyanov <alan@xxxxxxxxxx>
  • Date: Thu, 9 Aug 2012 10:21:07 -0400

Thanks.

So when I see an example like on this post:
//www.freelists.org/post/racktables-users/Permissions-Assistance

How does each next line relate to the one above?

On his permissions he has listed:

# Global Permissions for Customers

deny {$tab_tags}

deny {$page_ipv4space} and {$tab_manage}

deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )

deny not {customer admin} and not {$tab_default}

allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )

# Customer Specific Permissions

allow {Cust1 Users} and {Cust1 Assets}

allow {Cust2 Users} and {Cust2 Assets}


How do I read that?  I figure a line such as

deny {$page_ipv4space} and {$tab_manage}

means access to the ipv4space page and deny access to the manage tab,
but how does that denial line get associated with the others?

You mention it's a firewall rule sort of thing.  Do I read it
downwards?  Meaning anything below a line gets the rules from above?
So the first two lines for the admin user and Administrators group
have no restrictions above them, while all the Cust1 and Cust2 user lines
read the permissions above them, so in that case all the denials?

On Thu, Aug 9, 2012 at 9:36 AM, Alexey Andriyanov <alan@xxxxxxxxxx> wrote:
> Try to consider the permissions script as firewall rules.
>
> The current context (a packet in firewall terms) is sequentially compared to
> each rule (line in the permissions script).
> If it matches, the action specified in the rule takes place (allow or deny) and
> the process stops.
>
> The current context is a set of tags originated from the currently logged-in
> user, an entity being viewed, and navigation data (current page and tab
> name).
>
> So the rules like
>
> allow {$userid_1}
> allow {$username_jack}
>
> unconditionally allow any context containing tags {$userid_1} or
> {$username_jack}, which makes them the power-users.
>
> But the rule
>
> Allow {$username_user} and {$tab_default}
>
> allows anything to the user named 'user' when he is on the 'default' tab. The
> default tab never contains controls to modify the DB, so the user has
> read-only permissions if there are no other allowing rules below.
>
>
> 09.08.2012 16:32, James Geiger wrote:
>
>> I have been reading through the posts about user IDs and permissions
>> and don't quite understand how they work.
>>
>> To add a user I understand.  I go to Main page : Configuration :
>> Local users and I enter the name and the password.
>>
>> What I am unsure of is the whole permissions part of the tool.  How
>> does it work?
>>
>> On the Permissions section of the wiki:
>>
>> http://wiki.racktables.org/index.php/RackTablesAdminGuide#Permission_configuration_examples
>>
>> It has a simple example of adding a power user:
>>
>> Admin and power user
>>
>> allow {$userid_1}
>> allow {$username_jack}
>>
>> How does that mean jack is a power user?  What makes the difference or
>> what is a power user?
>>
>> I have seen other examples from posts about adding read only users:
>>
>> Allow {$username_user} and {$tab_default}
>>
>> How does that mean the user is a read only?
>>
>> Does each line signify a new user permission?
>>
>
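To make the "read it like firewall rules" explanation concrete, here is an added example (not code from the thread or from RackTables itself): a small evaluator that walks a permissions script top to bottom and stops at the first matching line, run against the customer rules quoted above (the wrapped allow line is joined back together). It assumes `not` binds tighter than `and`, which binds tighter than `or`, that the action keyword is case-insensitive, and that a context matching no rule is denied.

```python
import re
TOKEN_RE = re.compile(r"\{[^}]+\}|[()]|\b(?:and|or|not)\b")  # {tag} (may contain spaces), parens, and/or/not
def parse_script(script: str) -> list[tuple[str, str]]:
    """Split a permissions script into an ordered list of (action, expression)."""
    rules = []
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if line:
            action, _, expr = line.partition(" ")
            rules.append((action.lower(), expr.strip()))  # 'Allow' treated like 'allow' (assumed)
    return rules
def evaluate(expr: str, ctx: set[str]) -> bool:
    """Is the expression true for this tag set? Precedence not > and > or (assumed)."""
    toks, pos = TOKEN_RE.findall(expr), 0
    def factor():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            val = disjunction(); pos += 1             # consume the closing ')'
            return val
        return tok[1:-1] in ctx                       # is {tag} present in the context?
    def conjunction():
        nonlocal pos
        val = factor()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; val = factor() and val          # factor() runs first, so pos advances
        return val
    def disjunction():
        nonlocal pos
        val = conjunction()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1; val = conjunction() or val
        return val
    return disjunction()
def decide(rules: list[tuple[str, str]], ctx: set[str]) -> str:
    """Firewall-style: first matching rule wins; no match falls through to deny (assumed default)."""
    for action, expr in rules:
        if evaluate(expr, ctx):
            return action
    return "deny"
SCRIPT = """# Global Permissions for Customers
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )
allow {Cust1 Users} and {Cust1 Assets}"""
RULES = parse_script(SCRIPT)
```

A Cust1 user opening the rack page's edit tab is denied by the third line even though the last line would allow them, because evaluation stops at the first match; the same user on the default tab of the IPv4 space page is allowed by the fifth line.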
