-
-
Save stephdl/e92cf3fc459c761b29b4c3a615b678b2 to your computer and use it in GitHub Desktop.
| BACKEND | |
| -[ ] define nsAPI_cmnd_alias in /etc/sudoers.d/10_servermanager_api | |
| https://gist.github.com/ba0d97eb578664f42852d63d630e8949 | |
| https://github.com/NethServer/nethserver-cockpit/compare/master...DavidePrincipi:sudoers | |
| example: | |
| Cmnd_Alias NSAPI_SYSTEM_TLS = \ | |
| /usr/libexec/nethserver/api/system-certificate/read, \ | |
| /usr/libexec/nethserver/api/system-certificate/update, \ | |
| /usr/libexec/nethserver/api/system-certificate/validate | |
| -[ ] make the map between role and cmndalias and expand to /etc/sudoers.d/50_servermanager_perms | |
| # /usr/libexec/nethserver/api/system-authorization/read | jq | |
| { | |
| "system": [ | |
| "storage", x | |
| "disk-usage", x | |
| "certificates", x | |
| "dns", x | |
| "dhcp", x | |
| "backup", x | |
| "services", x | |
| "users-groups", x | |
| "network", x | |
| "ssh", x | |
| "tls-policy", x | |
| "trusted-networks", x | |
| "logs", x | |
| "terminal", x | |
| "subscription" x | |
| ], | |
| "status": { | |
| "isRoot": 1, | |
| "isAdmin": 1 | |
| }, | |
| "applications": [ | |
| "nethserver-firewall-base", | |
| "nethserver-httpd" | |
| ] | |
| } | |
| proposal : | |
| - nethserver-firewall-base => Cmnd_Alias NSAPI_APP_NETHSERVER_FIREWALL_BASE | |
| - users-groups => Cmnd_Alias NSAPI_SYSTEM_USERS_GROUPS | |
| template expansion | |
| %famille ALL=NOPASSWD: READ, WRITE, WRITE2 | |
| -[ ] make a catch all API for future applications | |
| - name proposal : Cmnd_Alias NSAPI_SUPER_ADMINISTRATOR | |
| - all API must be delegated, proposal | |
| - each dev push an array with all his delegation path and we expand it inside a template | |
| - we use a File::Find to find all subfolders and glob to find all api files, then we expand it | |
| - the sudoers file must be expanded after each rpm installation, proposal: | |
| expand sudoers file with runlevel-adjust | |
| expand sudoers with each rpm nethserver-*-update | |
| UI | |
| -[ ] store to esmith database under config/cockpit.socket/delegation | |
| cockpit.socket=service | |
| delegation=othergroup1:SYS_SUPER,group2:SYS_STORAGE:SYS_NETWORK | |
| or | |
| cockpit.socket=service | |
| famille_delegation=SYS_STORAGE:SYS_NETWORK | |
| teacher_delegation=SYS_USER | |
| -[ ] read role from esmith api | |
| -[ ] remove /etc/nethserver/cockpit/authorization/roles.json | |
| -[ ] make a catch all API inside the UI | |
| proposal : | |
| - one or two checkbox (system and application) | |
| - option 'administrator' inside the two dropdown |
https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L51
NSAPI_SUPER_ADMINISTRATOR
A shorter NSAPI_ADMIN ? So we have a "global" NSAPI_ prefix, and some "namespace" prefixes:
- ADMIN, the catchall symbol with future powers
- SYSTEM, for individual nethserver-cockpit pages
- APP, for individual additional applications
- PUBLIC, for everyone's availability
all API must be delegated, proposal
I'd prefer a static file list, at least for SYSTEM. For NSAPI_ADMIN we need something dynamic. In the end NSAPI_ADMIN expands to
Cmnd_Alias NSAPI_ADMIN = NSAPI_SYSTEM_PAGE1, NSAPI_SYSTEM_PAGE2, NSAPI_APP_APP1, NSAPI ...
Note that:
- the list of system modules is static,
- the list of installed apps can be easily calculated:
glob("$path*.json"), see system-apps/read
https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L62
the sudoers file must be expanded after each rpm installation, proposal:
the runlevel-adjust hack works, we used it in the past too, but I'd evaluate also to add template expansion declaration in each package. For ns8 we could define hook events with pre-install / post-install semantics.
store to esmith database under config/cockpit.socket/delegation
I'd go with the first option, delegation prop (or PermissionsList?)
https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L76
make a catch all API inside the UI
I'd like to leave it untouched, except for the dropdown menu elements.
https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L13
Here we must remove internal
sudocalls: if possible, we must invokesudoas a wrapper withnethserver.exec(), as usual.The code must be refactored to rely on
esmith::ConfigDB, as usual.