From: Leonardo Garcia <lagarcia(a)br.ibm.com>

Currently, in Kimchi, no real authorization support is implemented. We do
have authentication support, and, apart from that, no other kind of
control is provided in order to authorize or not a Kimchi user to access
its features. IOW, today, a user can access everything or nothing Kimchi
provides.

This patch series tries to implement initial support for user
authorization in the Kimchi back-end. Some discussion about this feature
has already taken place in the community [1, 2, 3]. The RFC proposed in
[2] and the WIP sent in [3] seem to be diverging from the simple proposal
first put in [1] and sustained in replies to [2]. So, the purpose of this
patch series is to try to be, as much as possible, compliant with [1] and
keep things as simple as possible.

In summary, that means we will identify users as having sudo rights or
not. This information will be passed to the UI by the /login REST API
during login. With this information the UI will be able to decide
which components (tabs, buttons, etc.) it will show to the user.

Additionally, an infrastructure was also built in order to identify a
REST API as one that needs sudo rights or not to be accessed. So, if the
UI, for some reason, tries to access a REST API in a session whose user
does not have sudo rights, the REST API call will return HTTP error 401.

[1] https://github.com/kimchi-project/kimchi/wiki/authorization
[2] http://lists.ovirt.org/pipermail/kimchi-devel/2014-January/001218.html
[3] http://lists.ovirt.org/pipermail/kimchi-devel/2014-January/001898.html

Leonardo Garcia (4):
  Code cleanup.
  Find out user groups and sudo status during login.
  Enhance UrlSubNode decorator and kimchiauth tool to check for sudo
    rights.
  Limit user access to REST API /host.

 src/kimchi/auth.py          | 85 ++++++++++++++++++++++++++++++++++++---------
 src/kimchi/control/host.py  |  2 +-
 src/kimchi/control/utils.py |  9 ++++-
 src/kimchi/root.py          |  4 +--
 src/kimchi/server.py        |  7 +++-
 5 files changed, 86 insertions(+), 21 deletions(-)
--
1.8.5.3
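
The scheme this cover letter describes, as an added example that is not part of the original message or of the patch series: a decorator records which REST nodes need sudo rights, /login reports the user's sudo status, and the server checks every call regardless of what the UI chooses to hide. The function names, the sudo group names and the /vms node are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Kimchi's own code.
ROUTES = {}  # path -> (needs_auth, needs_sudo)


def url_sub_node(name, auth=False, sudo=False):
    """Class decorator: register a REST node and the rights it requires."""
    def register(cls):
        # A node that needs sudo implicitly needs a logged-in session.
        ROUTES["/" + name] = (auth or sudo, sudo)
        return cls
    return register


def login(user, groups, sudo_groups=("wheel", "sudo")):
    """Return the session record, which is also what /login sends to the UI.

    Assumption: sudo status is derived from group membership; the page
    does not show how the series actually detects it.
    """
    return {"userid": user, "groups": list(groups),
            "sudo": any(g in sudo_groups for g in groups)}


def authorize(path, session):
    """Return the HTTP status the server-side check yields for a call."""
    if path not in ROUTES:
        return 404
    needs_auth, needs_sudo = ROUTES[path]
    if needs_auth and session is None:
        return 401  # not logged in
    if needs_sudo and not session["sudo"]:
        # The cover letter specifies 401 here; 403 is the usual status for
        # an authenticated caller that lacks the required rights.
        return 401
    return 200


@url_sub_node("host", sudo=True)   # /host is the node the series restricts
class Host:
    pass


@url_sub_node("vms", auth=True)    # constructed example of a non-sudo node
class VMs:
    pass
```

The sudo flag returned by login() only tells the UI what to display; authorize() is the control that actually blocks a non-sudo session from /host.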