[Kimchi-devel] RFC: Design of Authorization in Kimchi
Wen Wang
wenwang at linux.vnet.ibm.com
Mon Jul 7 09:45:47 UTC 2014
Hi all,
Due to the fact that Kimchi needs authorization feature to be designed.
I an posting my point of view below of how I thought about doing it,
including how I plan doing it in the front-end and request for help for
the back end support.
Kimchi changed to a traditional login patten in last release that makes
Kimchi more secure to use. It Before login, the front-end can hardly get
any html information before user actually login. As we discussed, root
user will have full access to Kimchi whereas the non-root user will have
restricted privileges. It will be easier and more decent to show the
proper tabs to certain users that distinguished by the back-end. Now the
tabs are generated by an xml file generated from the back-end that show
all 5 tabs. We probably need to have the '*Host*' and '*template*'
tab_removed_ for non-root users, which is recommended to be done in the
back-end.
Also there need to be information provided to the front-end like the
user-name, user-role as well as user-group, etc. that indicate user
identity after login. The browser need the information to give certain
privileges to certain users and disable the unnecessary functions. My
suggestion is to have these 3 parameters passed: ***user-name,
user-role* as well as *user-group*. There is a better extendibility to
user the user-role other than isRoot so that we can define more roles in
the future. As fact that we have only defined two roles now, the
user-role parameter can be divided into root and guest based on user is
root or non-root. These message can get from *sessiondada*, *cookie *or
passed according to a query. the way passing the info of the user is
still under discussion. Request for your advises.
Best Regards
Wang Wen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/kimchi-devel/attachments/20140707/13f5c819/attachment.html>
More information about the Kimchi-devel
mailing list