[Kimchi-devel] [Wok] Do not link user role with UI tabs

Wed Jan 18 14:18:47 UTC 2017

On 18/01/2017 10:51, Aline Manera wrote:
> Hi all,
>
> Today, Wok provides basic authorization level for all the application.
> When using PAM authentication, an user with root right (sudo ALL) will
> be considered a sysadmin and will have full control no Wok and its plugins.
> When using LDAP authentication, the users listed in "admin_users"
> parameter in wok.conf will be considered a sysadmin and then having full
> control on Wok and its plugins.
>
> Thinking about providing more granularity on authorization (ie, grant
> access to a normal user to create a VM on Kimchi, for example) the user
> role (sysadmin or normal user) was linked to the UI tabs (:-() instead
> of the API itself (you can see it on src/wok/auth.py)
>
> It can cause multiple issues, for example:
> - different plugins with the same tab name (the case of Ginger and
> Kimchi) will get the authorization settings merged
> - what about a tab making using of different APIs? The case of
> "Administration" tab on Ginger
>
> So, IMO the better solution would be to have that granularity (when it
> will be implemented) by API.
>
> So when a sysadmin may want to grant permission to a normal user to
> manage virtual machines, there would be an API like:
>
> POST /config/permission {api: <api>, username: <username>, role:
> admin|user}
>
> That will store the information in a DB (objectstore) and make use of it
> when responding to a request.
>
> with objectstore as session:
>     user_role = session.get('permission', <api>, <username>)
>
> The reason of this RFC is to change the USER_ROLES we have today in
> auth.py to only store if the user is an admin or not and make use of it
> in the whole application not linked to any tab. That means, all the
> self.role_key parameter will be removed and the UI will be changed as
> well to reflect that.
>
> What do you think about it?
>
> I plan to send a patch to remove the link between user role and tabs as
> soon as we get agreement on it and the patches about grant permissions
> will require more discussions.
>
> Regards,
> Aline Manera
>

That's a good approach IMO.

We could leverage the opportunity to add a PAM-specific configuration to 
wok for restricting access for only those users in group "wok" (not all 
users in that system may be allowed to access wok).

This is also a debian requirement for packaging and was implemented by 
this patch: 
https://github.com/lcorreia/wok/commit/9de9856188c2e826ddc90a07f549c7c7972f9529 

along with a wok-specific pam config file, like this: 
https://github.com/lcorreia/wok/blob/lcorreia/debianization-2.3.1/debian/wok.pam

Regards,
-- 
Lucio Correia