[Engine-devel] Local Authentication Feature

Doron Fediuck dfediuck at redhat.com
Sun Feb 10 16:02:39 UTC 2013



----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> To: "Doron Fediuck" <dfediuck at redhat.com>
> Cc: "Juan Hernandez" <jhernand at redhat.com>, engine-devel at ovirt.org
> Sent: Sunday, February 10, 2013 5:37:10 PM
> Subject: Re: [Engine-devel] Local Authentication Feature
> 
> 
> 
> ----- Original Message -----
> > From: "Doron Fediuck" <dfediuck at redhat.com>
> > To: "Juan Hernandez" <jhernand at redhat.com>
> > Cc: engine-devel at ovirt.org
> > Sent: Sunday, February 10, 2013 5:26:52 PM
> > Subject: Re: [Engine-devel] Local Authentication Feature
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Juan Hernandez" <jhernand at redhat.com>
> > > To: engine-devel at ovirt.org
> > > Sent: Friday, February 8, 2013 7:50:36 PM
> > > Subject: [Engine-devel] Local Authentication Feature
> > > 
> > > Hello,
> > > 
> > > I would like to propose a new feature that allows authentication
> > > using
> > > the local user database. The details are here:
> > > 
> > > http://www.ovirt.org/Features/Local_Authentication
> > > 
> > > And the proposed change is available for review here:
> > > 
> > > http://gerrit.ovirt.org/11863
> > > 
> > > I appreciate feedback.
> > > 
> > > Thanks in advance,
> > > Juan Hernandez
> > > --
> > > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3,
> > > planta
> > > 3ºD, 28016 Madrid, Spain
> > > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red
> > > Hat
> > > S.L.
> > 
> > Hi Juan,
> > Very happy to see this one which actually closes an annoying gap!
> > One thing which is missing is user management- add/remove/change
> > users and groups. If we do not plan to handle it within ovirt, the
> > design should state it and explain how user management should work.
> 
> Shouldn't this be the same as in case of external directory service?
> i.e - you manage user/group at the directory service, and then you
> "populate" engine with it (by adding permissions to users/groups or
> adding explicitly new users/groups to engine?)
> 
> > Also, what happens when a user is removed from the local DB- will
> > all references to him be removed? Groups?
> 
> IMHO the behavior in this case should be as in case of current
> LdapBroker.
> 

This could be a decision but it's missing from the design.
The diff I see from current supported directory servers are that
they actually have their own management tools, which is not the
case for local DB. Again, you may state that the various userXXX
and groupXXX commandline utilities are the way to manage it, but
this is lacking from the design.




More information about the Devel mailing list