[Kimchi-devel] [PATCH 2/2] authorization: Add "mode" attribute to describe user view

Aline Manera alinefm at linux.vnet.ibm.com
Fri Jul 11 11:28:42 UTC 2014



On 07/11/2014 03:31 AM, Wen Wang wrote:
> Thanks Aline, I think there might be some issues with changing the xml
> file manually. From the *tabs.xml* we get the mode that a user should
> have but it doesn't change when we change the user. I have applied your
> code and it's something like this:
>
>
>
> Either using a guest or root we can only get the permitted tabs of the
> guest. Can we have the kimchi/config/ui/tabs.xml changed automatically
> according to the logged-in user? Role distinguishing can be done in the
> back-end and add the right mode to this xml file automatically? Or else
> we might need to find other ways to transfer the user roles.
>

From what we have discussed in "[Kimchi-devel] RFC: Design of
Authorization in Kimchi" I understood the "mode" attribute will only be
used for a "user" role and ignored if the user has an "admin" role, as
he/she has full control of Kimchi.

For example, in JS we would have code like:

if (roles.indexOf("admin") !== -1) {
     // upload all tabs
} else if (roles.indexOf("user") !== -1) {
     // read mode attribute
}

But thinking of the future roles we will have, we will need to do what
you proposed by changing tabs.xml automatically.
I will send a V2 patch with that.

Thanks for the review.


> Best regards
> Wang Wen
>
> On 7/11/2014 10:16 AM, alinefm at linux.vnet.ibm.com wrote:
>> From: Aline Manera<alinefm at linux.vnet.ibm.com>
>>
>> Kimchi has 2 user roles: "admin" with full control of Kimchi features
>> and "user" with limited access.
>> To describe how each tab should be displayed for a user, the "mode"
>> attribute should be added.
>> The "mode" attribute values are:
>>
>> - none: do not show the tab;
>> - admin: full instance access;
>> - read-only:  read-only access;
>> - byInstance: each resource will have its configuration sent by the
>>    backend;
>>
>> The user will only be able to manage the guests he/she is assigned to;
>> because of that, the guest tab has 'mode' == admin.
>> As a user can edit a guest, he/she may need to know which networks
>> and storage pools are configured, so set network and storage tab 'mode'
>> to read-only.
>> And as a user should not perform any operation on host or templates, set
>> their 'mode' attributes to 'none'.
>>
>> Signed-off-by: Aline Manera<alinefm at linux.vnet.ibm.com>
>> ---
>>   config/ui/tabs.xml | 10 +++++-----
>>   1 file changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml
>> index b045521..b8e7bd6 100644
>> --- a/config/ui/tabs.xml
>> +++ b/config/ui/tabs.xml
>> @@ -1,22 +1,22 @@
>>   <?xml version="1.0" encoding="utf-8"?>
>>   <tabs>
>> -    <tab>
>> +    <tab mode="none">
>>           <title>Host</title>
>>           <path>tabs/host.html</path>
>>       </tab>
>> -    <tab>
>> +    <tab mode="admin">
>>           <title>Guests</title>
>>           <path>tabs/guests.html</path>
>>       </tab>
>> -    <tab>
>> +    <tab mode="none">
>>           <title>Templates</title>
>>           <path>tabs/templates.html</path>
>>       </tab>
>> -    <tab>
>> +    <tab mode="read-only">
>>           <title>Storage</title>
>>           <path>tabs/storage.html</path>
>>       </tab>
>> -    <tab>
>> +    <tab mode="read-only">
>>           <title>Network</title>
>>           <path>tabs/network.html</path>
>>       </tab>
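Review bot: each <tab> in this hunk carries one static mode with no role attached, so the file cannot say that the values apply only to the "user" role, and Host and Templates (mode="none") would be hidden from an admin as well unless every consumer special-cases admin. Either key the value by role (a per-role attribute or child element) or add a comment at the top of tabs.xml stating that "mode" is read only for the "user" role. Also, the change touches only config/ui/tabs.xml, so mode="none" and mode="read-only" decide what the UI displays; the Host, Templates, Storage and Network operations need the same role check in the back-end.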
>
>
>
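The role handling described in the reply above ("admin" ignores "mode", "user" reads it), written as back-end filtering of tabs.xml. This is an added example, not code from the patch or from Kimchi; the function name tabs_for, the inlined copy of tabs.xml and the fail-closed handling of a missing or unknown mode are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: config/ui/tabs.xml as it reads after the patch.
TABS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<tabs>
    <tab mode="none"><title>Host</title><path>tabs/host.html</path></tab>
    <tab mode="admin"><title>Guests</title><path>tabs/guests.html</path></tab>
    <tab mode="none"><title>Templates</title><path>tabs/templates.html</path></tab>
    <tab mode="read-only"><title>Storage</title><path>tabs/storage.html</path></tab>
    <tab mode="read-only"><title>Network</title><path>tabs/network.html</path></tab>
</tabs>"""

# The four values listed in the commit message.
KNOWN_MODES = {"none", "admin", "read-only", "byInstance"}


def tabs_for(roles, xml_bytes=TABS_XML):
    """Return [(title, path, mode)] for the tabs these roles may see.

    Hypothetical helper: "admin" gets every tab with full access, "user"
    gets the per-tab "mode" attribute, any other role set gets nothing.
    """
    is_admin = "admin" in roles
    if not is_admin and "user" not in roles:
        return []  # assumption: unrecognised roles see no tabs

    visible = []
    for tab in ET.fromstring(xml_bytes).findall("tab"):
        if is_admin:
            mode = "admin"  # the mode attribute is ignored for admin
        else:
            # assumption: a missing or misspelled mode hides the tab
            mode = tab.get("mode", "none")
            if mode not in KNOWN_MODES:
                mode = "none"
        if mode != "none":
            visible.append((tab.findtext("title"), tab.findtext("path"), mode))
    return visible


if __name__ == "__main__":
    for roles in (["admin"], ["user"], []):
        print(roles, tabs_for(roles))
```

The returned list only drives what the UI renders; the request handlers for each resource have to apply the same role decision themselves.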