[racktables-users] Re: auth problem

  • From: Denis Ovsienko <pilot@xxxxxxxxxx>
  • To: racktables-users@xxxxxxxxxxxxx
  • Date: Thu, 17 Jul 2008 16:03:38 +0400

> Now: I've been having a look at your web site, but I didn't find
> references about the new security model, so I don't know how to
> manage it (allow user x with full rights, allow user y only certain
> tab, etc.).  Did I overlook something?

A key concept of the new model is the "security context", which is a
sequence of tags. The tags can be:

- explicit: those listed for the current entity by the user
- implicit: all parent tags of the explicit tags
- automatic: injected internally

The default setting is to show the first two lists on each entity's
page; this can be changed on the "user interface" page. The security
context is a combination of all three lists above. For most
locations, authorization is done only once and is itself an evaluation
of the context against the RackCode. Each allow/deny rule is matched
against the meta-list of tags, and if the rule condition evaluates to
true, the allow/deny decision is returned.

It's very easy to mimic the former UserPermission syntax, because the
automatic tag list always contains autotags for the current page and
tab, e.g.:
{$page_object}
{$tab_ipv4}
These cannot be forged, because ordinary tag names cannot start with
dollar sign.

Given all of the above, an example of permitting everybody to browse
all objects and someone to manage IP addresses of any object is as
simple as:

allow {$page_object} and {$tab_default}
allow {$username_someuser} and {$page_object} and {$tab_ipv4}

If no rule matched, the default decision is to deny access, so
real-world configurations will likely have more rules.

I hope it helps.

-- 
    DO4-UANIC
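As an added illustration of the model described in the message above (a toy evaluator written for this page, not RackTables' own RackCode parser), the following Python assumes a constructed tag tree, rules restricted to `allow`/`deny` with `and`-joined tag terms, first matching rule wins, default deny, and a hypothetical tag-name check that rejects a leading dollar sign so that user-created tags cannot collide with the `{$...}` autotags:

```python
"""Toy model of RackCode-style evaluation.

Added example, not RackTables code. Assumptions (not on the page):
- the tag tree is a child -> parent mapping,
- a rule is one line: 'allow'/'deny' followed by '{tag} and {tag} ...',
- the first matching rule decides; no match means deny.
"""
import re

# Constructed tag tree: child -> parent (assumed sample data).
TAG_PARENTS = {
    "rack-A1": "datacenter-1",
    "datacenter-1": "production",
}

# Hypothetical validation for user-entered tag names: must not start with '$'.
USER_TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]*$")

RULE_RE = re.compile(r"^(allow|deny)\s+(.+)$")
TERM_RE = re.compile(r"^\{([^{}]+)\}$")


def is_valid_user_tag(name):
    """True only for ordinary tag names; '$page_object' and friends are rejected."""
    return USER_TAG_RE.match(name) is not None


def build_context(explicit_tags, page, tab, username):
    """Security context = explicit tags + implicit (all ancestors) + autotags."""
    for tag in explicit_tags:
        if not is_valid_user_tag(tag):
            raise ValueError(f"forged autotag in explicit list: {tag!r}")
    context = set(explicit_tags)
    # implicit: every parent up the tree for each explicit tag
    for tag in explicit_tags:
        parent = TAG_PARENTS.get(tag)
        while parent is not None:
            context.add(parent)
            parent = TAG_PARENTS.get(parent)
    # automatic: injected internally, namespaced with '$' so users cannot forge them
    context.add(f"$page_{page}")
    context.add(f"$tab_{tab}")
    context.add(f"$username_{username}")
    return frozenset(context)


def parse_rules(text):
    """Parse 'allow/deny {tag} and {tag} ...' lines into (allow?, [tags]) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line!r}")
        decision, condition = m.groups()
        tags = []
        for raw in condition.split(" and "):
            t = TERM_RE.match(raw.strip())
            if not t:
                raise ValueError(f"bad term {raw!r} in rule: {line!r}")
            tags.append(t.group(1).strip())
        rules.append((decision == "allow", tags))
    return rules


def evaluate(rules, context):
    """Return True (allow) or False (deny); first rule whose terms all match wins."""
    for allow, tags in rules:
        if all(tag in context for tag in tags):
            return allow
    return False  # no rule matched: default deny


# The two rules quoted in the message above.
RACKCODE = """
allow {$page_object} and {$tab_default}
allow {$username_someuser} and {$page_object} and {$tab_ipv4}
"""


if __name__ == "__main__":
    rules = parse_rules(RACKCODE)
    for user, page, tab in [("anyone", "object", "default"),
                            ("anyone", "object", "ipv4"),
                            ("someuser", "object", "ipv4"),
                            ("someuser", "ipv4net", "ipv4")]:
        ctx = build_context(["rack-A1"], page, tab, user)
        print(user, page, tab, "->", "allow" if evaluate(rules, ctx) else "deny")
```

Running it shows everybody allowed on the default object tab, only `someuser` allowed on the IPv4 tab, and a deny for any page the rules never mention. The `is_valid_user_tag` check is where the "cannot be forged" property lives in this model: an explicit tag named `$username_someuser` is refused before it can enter the context.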
