
#231 Fine grained ACL

Reported by: Christian Bryn (bryn)
Assigned to: Claes Nästén (pekdon)
Phase:
Component: accesscontrol
Type: enhancement
Status: new
Priority: 4: Low
Watchers:

Description

Helloooo,

I know there is already a ticket for access control/user configuration, but I'd like to explicitly add a task for fine grained ACL (roles).

After having configured ganeti-manager to work against LDAP (preferably), I'd like to be able to, i.e., give person X access to log in and stop, start and reboot VM foo and bar (but not gazonk). Adding this info to ganeti-manager config is good, having the option to add this in LDAP as well/instead would be even better (ganeti-manager specific fields in LDAP) ;-)

Let me know if you'd like to discuss more etc.

- Christian d:-)

2010-03-17 19:24:42

Suggestion is to introduce the following tags that will provide ACL control linked to users/groups/roles and grouping of instances and nodes.

Instance level ACL:

 ACL_user-employee1 = view, reboot
 ACL_group-team1 = view, start, stop, reboot

Instance level grouping:

 Groups = team1, team2

Node level ACL:

 ACL_role = view, create, reinstall, remove

Node level grouping:

 Groups = team1

Will look into it and create separate tasks for implementing the ACL support and tag management.
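To make the proposal concrete, here is an added example (not ganeti-manager code, and not from the ticket) that parses the suggested tags and answers the question from the description: may person X reboot instance foo but not gazonk? The ticket only names the tags, so the exact encoding is an assumption: one ganeti tag per entry, `ACL_<kind>-<name>=<action>,...` with kind `user`, `group` or `role`, and `Groups=<group>,...` for instance and node grouping. The instance names, group names, the `operator` role name and the LDAP memberships are constructed sample data. The evaluation is deny-by-default and a malformed `ACL_*` tag raises rather than being skipped, so a typo in a tag cannot silently widen access.

```python
"""Evaluate the tag-based ACL proposed in the comment above.

Added example, not ganeti-manager code. The ticket gives the tag names but
not an exact encoding, so this assumes one ganeti tag per entry:
  ACL_<kind>-<name>=<action>,<action>,...   kind is user, group or role
  Groups=<group>,<group>,...                instance or node grouping
Spaces around "=" and "," (as written in the ticket) are tolerated.
Anything not granted by a matching tag is denied.
"""
from dataclasses import dataclass

ACL_PREFIX = "ACL_"
SUBJECT_KINDS = ("user", "group", "role")


@dataclass(frozen=True)
class Principal:
    """Who is asking: login name plus group/role memberships (e.g. from LDAP)."""
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


def _split_list(value):
    """Split a comma-separated tag value, dropping whitespace and empties."""
    return {item.strip() for item in value.split(",") if item.strip()}


def parse_acl_tags(tags):
    """Return ({(kind, name): {actions}}, {groups}) from an object's tag list.

    Tags that are not key=value pairs are ignored (ordinary ganeti tags);
    malformed ACL_* tags raise so a typo cannot silently widen or drop access.
    """
    acl = {}
    groups = set()
    for tag in tags:
        key, sep, value = tag.partition("=")
        if not sep:
            continue                      # plain ganeti tag, not part of the ACL
        key = key.strip()
        if key == "Groups":
            groups |= _split_list(value)
            continue
        if not key.startswith(ACL_PREFIX):
            continue
        kind, _, name = key[len(ACL_PREFIX):].partition("-")
        if kind not in SUBJECT_KINDS or not name:
            raise ValueError(f"malformed ACL tag: {tag!r}")
        actions = {a.lower() for a in _split_list(value)}
        acl.setdefault((kind, name), set()).update(actions)
    return acl, groups


def allowed(principal, tags, action):
    """True if some ACL tag grants `action` to the user, one of their groups or roles."""
    acl, _ = parse_acl_tags(tags)
    wanted = action.lower()
    subjects = [("user", principal.user)]
    subjects += [("group", g) for g in principal.groups]
    subjects += [("role", r) for r in principal.roles]
    return any(wanted in acl.get(subject, ()) for subject in subjects)


def members_of_group(group, tagged_objects):
    """Names of the instances/nodes whose Groups= tag lists `group`."""
    return sorted(name for name, tags in tagged_objects.items()
                  if group in parse_acl_tags(tags)[1])


# Constructed sample data mirroring the ticket's foo/bar/gazonk and team1/team2.
INSTANCE_TAGS = {
    "foo": ["ACL_user-employee1 = view, reboot",        # spaced form from the ticket
            "ACL_group-team1=view,start,stop,reboot",
            "Groups=team1,team2",
            "backup_daily"],                            # unrelated plain tag, ignored
    "bar": ["ACL_group-team1=view,start,stop,reboot", "Groups=team1"],
    "gazonk": ["ACL_group-team2=view", "Groups=team2"],
}
NODE_TAGS = {
    "node1": ["ACL_role-operator=view,create,reinstall,remove", "Groups=team1"],
}

# Memberships the manager would read from LDAP; constructed here, role name assumed.
EMPLOYEE1 = Principal("employee1", groups=frozenset({"team1"}))
OPERATOR = Principal("ops1", roles=frozenset({"operator"}))

if __name__ == "__main__":
    for inst in INSTANCE_TAGS:
        for act in ("view", "reboot", "remove"):
            print(f"employee1 {act:6} {inst:6}: {allowed(EMPLOYEE1, INSTANCE_TAGS[inst], act)}")
    print("team1 instances:", members_of_group("team1", INSTANCE_TAGS))
    print("ops1 reinstall node1:", allowed(OPERATOR, NODE_TAGS["node1"], "reinstall"))
```

With the sample tags, employee1 can reboot foo (direct user grant) and start bar (via team1), but gets nothing on gazonk, which only grants team2; the node-level role tag lets the operator reinstall node1 while employee1, who holds no role, is refused. If the tags were to live in LDAP instead, `parse_acl_tags` is the only place that would need to read a different source.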

2010-01-11 11:21:02

Also, is the role definition supposed to be in LDAP as separate objects?

11:15:55

My idea was to have this information as ganeti tags on the specific nodes; a specification of that, together with a mapping to LDAP attributes (and schema), will be greatly appreciated.