Created
July 1, 2019 06:27
BACKEND
-[ ] define nsAPI_cmnd_alias in /etc/sudoers.d/10_servermanager_api
https://gist.github.com/ba0d97eb578664f42852d63d630e8949
https://github.com/NethServer/nethserver-cockpit/compare/master...DavidePrincipi:sudoers
example:
Cmnd_Alias NSAPI_SYSTEM_TLS = \
/usr/libexec/nethserver/api/system-certificate/read, \
/usr/libexec/nethserver/api/system-certificate/update, \
/usr/libexec/nethserver/api/system-certificate/validate
-[ ] make the map between role and cmndalias and expand it to /etc/sudoers.d/50_servermanager_perms
# /usr/libexec/nethserver/api/system-authorization/read | jq
{
"system": [
"storage", x
"disk-usage", x
"certificates", x
"dns", x
"dhcp", x
"backup", x
"services", x
"users-groups", x
"network", x
"ssh", x
"tls-policy", x
"trusted-networks", x
"logs", x
"terminal", x
"subscription" x
],
"status": {
"isRoot": 1,
"isAdmin": 1
},
"applications": [
"nethserver-firewall-base",
"nethserver-httpd"
]
}
proposal:
- nethserver-firewall-base => Cmnd_Alias NSAPI_APP_NETHSERVER_FIREWALL_BASE
- users-groups => Cmnd_Alias NSAPI_SYSTEM_USERS_GROUPS
template expansion
%famille ALL=NOPASSWD: READ, WRITE, WRITE2
-[ ] make a catch-all API for future applications
- name proposal: Cmnd_Alias NSAPI_SUPER_ADMINISTRATOR
- all APIs must be delegated, proposal:
- each dev pushes an array with all their delegation paths and we expand it inside a template
- we use File::Find to find all subfolders and glob to find all API files, then we expand them
- the sudoers file must be expanded after each rpm installation, proposal:
expand the sudoers file with runlevel-adjust
expand sudoers with each rpm nethserver-*-update
UI
-[ ] store to esmith database under config/cockpit.socket/delegation
cockpit.socket=service
delegation=othergroup1:SYS_SUPER,group2:SYS_STORAGE:SYS_NETWORK
or
cockpit.socket=service
famille_delegation=SYS_STORAGE:SYS_NETWORK
teacher_delegation=SYS_USER
-[ ] read role from esmith api
-[ ] remove /etc/nethserver/cockpit/authorization/roles.json
-[ ] make a catch-all API inside the UI
proposal:
- one or two checkboxes (system and application)
- option 'administrator' inside the two dropdowns
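As an added example (not code from the gist, from NethServer or from the nethserver-cockpit branch linked above), this Python sketch walks the BACKEND and UI steps end to end: it lists the API scripts the way the File::Find/glob step would, derives one Cmnd_Alias per namespace directory, parses the delegation prop from the UI section and renders the 50_servermanager_perms content. The NSAPI_SYSTEM_<DIR>/NSAPI_APP_<DIR> naming, the SYS_*/APP_* role tokens and the role-to-alias mapping are assumptions; the sample paths are constructed. A path that sudoers would misparse, or a role with no defined alias, makes it fail closed instead of silently widening or narrowing what a group may run.

```python
import os
import re

API_ROOT = "/usr/libexec/nethserver/api"
# Constructed sample of the API tree (root/<namespace>/<action>); a live run would use walk_api_tree().
SAMPLE_PATHS = [API_ROOT + p for p in (
    "/system-certificate/read", "/system-certificate/update", "/system-certificate/validate",
    "/system-storage/read", "/nethserver-firewall-base/read", "/nethserver-firewall-base/update")]
# sudoers gives wildcards, ',', ':', '=', '\' and whitespace special meaning: reject rather than emit.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")

def walk_api_tree(root=API_ROOT):
    """File::Find + glob equivalent: every file below root/<namespace>/."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)

def alias_for(namespace):
    """Assumed naming: system-storage -> NSAPI_SYSTEM_STORAGE, nethserver-httpd -> NSAPI_APP_NETHSERVER_HTTPD."""
    upper = re.sub(r"[^A-Za-z0-9]", "_", namespace).upper()
    return "NSAPI_" + (upper if upper.startswith("SYSTEM_") else "APP_" + upper)

def build_aliases(paths, root=API_ROOT):
    """Group API scripts by namespace directory into {alias: [paths]}; only root/<ns>/<file> is accepted."""
    aliases = {}
    for p in paths:
        parts = os.path.relpath(p, root).split(os.sep)
        if p != os.path.normpath(p) or not SAFE_PATH.match(p) or len(parts) != 2 or ".." in parts:
            raise ValueError("refusing to put %r in sudoers" % p)
        aliases.setdefault(alias_for(parts[0]), []).append(p)
    return aliases

def parse_delegation(prop):
    """'g1:SYS_SUPER,g2:SYS_STORAGE:SYS_NETWORK' -> {'g1': ['SYS_SUPER'], 'g2': ['SYS_STORAGE', 'SYS_NETWORK']}."""
    out = {}
    for item in filter(None, prop.split(",")):
        group, *roles = item.split(":")
        if not re.match(r"^[a-z_][a-z0-9_-]*$", group) or not roles:
            raise ValueError("bad delegation entry %r" % item)
        out[group] = roles
    return out

def render_sudoers(aliases, delegation):
    """Emit 50_servermanager_perms text; a role whose alias does not exist is an error, not a skipped grant."""
    lines = ["Cmnd_Alias %s = %s" % (n, ", ".join(aliases[n])) for n in sorted(aliases)]
    lines.append("Cmnd_Alias NSAPI_SUPER_ADMINISTRATOR = " + ", ".join(sorted(aliases)))
    for group, roles in delegation.items():
        # Assumed token mapping: SYS_SUPER is the catch-all, SYS_X -> NSAPI_SYSTEM_X, APP_X -> NSAPI_APP_X.
        names = ["NSAPI_SUPER_ADMINISTRATOR" if r == "SYS_SUPER" else "NSAPI_" + r.replace("SYS_", "SYSTEM_", 1)
                 for r in roles]
        if any(n not in aliases and n != "NSAPI_SUPER_ADMINISTRATOR" for n in names):
            raise ValueError("%s delegates to an undefined alias: %s" % (group, names))
        lines.append("%%%s ALL=NOPASSWD: %s" % (group, ", ".join(names)))
    return "\n".join(lines) + "\n"
```

Running `print(render_sudoers(build_aliases(SAMPLE_PATHS), parse_delegation("teacher:SYS_STORAGE,famille:SYS_SUPER")))` shows the generated file; feed it to `visudo -c -f` before installing it under /etc/sudoers.d.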
https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L51
A shorter NSAPI_ADMIN? So we have a "global" NSAPI_ prefix, and some "namespace" prefixes.

I'd prefer a static file list, at least for SYSTEM. For NSAPI_ADMIN we need something dynamic. In the end NSAPI_ADMIN expands to

Note that: glob("$path*.json"), see system-apps/read

https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L62
The runlevel-adjust hack works, we used it in the past too, but I'd evaluate also adding a template expansion declaration in each package. For ns8 we could define hook events with pre-install / post-install semantics.

I'd go with the first option, the delegation prop (or PermissionsList?).

https://gist.github.com/stephdl/e92cf3fc459c761b29b4c3a615b678b2#file-think_tank_on_sudoers-L76
I'd like to leave it untouched, except for the dropdown menu elements.