[Kimchi-devel] [PATCH 2/2] authorization: Add "mode" attribute to describe user view
Aline Manera
alinefm at linux.vnet.ibm.com
Fri Jul 11 17:55:17 UTC 2014
On 07/11/2014 08:28 AM, Aline Manera wrote:
>
>
> On 07/11/2014 03:31 AM, Wen Wang wrote:
>> Thanks Aline, I think there might be some issues by changing the xml
>> file manually. From the *tabs.xml* we get the mode that a user should
>> have but it doesn't change when we change user. I have applied your code
>> and it's something like this:
>>
>>
>>
>> Either using a guest or root we can only get the permitted tabs of the
>> guest. Can we have the kimchi/config/ui/tabs.xml changed automatically
>> according to the logged-in user? Role distinguishing can be done in the
>> back-end and add the right mode to this xml file automatically? Or else
>> we might need to find other ways to transfer the user roles.
>>
>
> From what we have discussed in "[Kimchi-devel] RFC: Design of
> Authorization in Kimchi" I understood the "mode" attribute will only be
> used for a "user" role and ignored if the user has an "admin" role, as
> he/she has full control of Kimchi.
>
> For example, in JS we would have code like:
>
>     if "admin" in roles:
>         # upload all tabs
>
>     elif "user" in roles:
>         # read mode attribute
>
> But thinking of the future roles we will have, we will need to do what
> you proposed by changing tabs.xml automatically.
> I will send a V2 patch with that.
>
It will not work for us!
Creating the tabs.xml automatically implies having multiple tabs.xml
files - at least one file per user.
So I suggest going back to my first proposal and listing in the XML the
"mode" per "role".
As more roles are added, we just need to update this file to add a new
element *access*:

    <tab id="host">
        <access role="admin" mode="admin"/>
        <access role="user" mode="none"/>
        <title>Host</title>
        <path>tabs/host.html</path>
    </tab>
    <tab id="guests">
        <access role="admin" mode="admin"/>
        <access role="user" mode="byinstance"/>
        <title>Guests</title>
        <path>tabs/guests.html</path>
    </tab>

Then we change /login to return the role per tab:

    POST /login {username: ..., password: ...}
    { username: ...,
      roles: {host: admin, templates: user, ...}
    }

So according to the roles we can get the mode each tab is configured with.

    user_access = login.roles
    for tab in user_access:
        get mode from xml according to tab and role

I will send an RFC patch with that soon.
Hope it solves our issues.
> Thanks for the review.
>
>
>> Best regards
>> Wang Wen
>>
>> On 7/11/2014 10:16 AM, alinefm at linux.vnet.ibm.com wrote:
>>> From: Aline Manera<alinefm at linux.vnet.ibm.com>
>>>
>>> Kimchi has 2 user roles: "admin" with full control of Kimchi features
>>> and "user" with limited access.
>>> To describe how each tab should be displayed for a user, the "mode"
>>> attribute should be added.
>>> The "mode" attribute values are:
>>>
>>> - none: do not show the tab;
>>> - admin: full instance access;
>>> - read-only: read-only access;
>>> - byInstance: each resource will have its configuration sent by the
>>> backend;
>>>
>>> The user will only be able to manage the guests he/she is assigned to,
>>> because the guest tab has 'mode' == admin.
>>> As a user can edit a guest, he/she may need to know which networks
>>> and storage pools are configured, so set network and storage tab 'mode'
>>> to read-only.
>>> And as a user should not perform any operation on host or templates, set
>>> their 'mode' attributes to 'none'.
>>>
>>> Signed-off-by: Aline Manera<alinefm at linux.vnet.ibm.com>
>>> ---
>>> config/ui/tabs.xml | 10 +++++-----
>>> 1 file changed, 5 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/config/ui/tabs.xml b/config/ui/tabs.xml
>>> index b045521..b8e7bd6 100644
>>> --- a/config/ui/tabs.xml
>>> +++ b/config/ui/tabs.xml
>>> @@ -1,22 +1,22 @@
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <tabs>
>>> - <tab>
>>> + <tab mode="none">
>>> <title>Host</title>
>>> <path>tabs/host.html</path>
>>> </tab>
>>> - <tab>
>>> + <tab mode="admin">
>>> <title>Guests</title>
>>> <path>tabs/guests.html</path>
>>> </tab>
>>> - <tab>
>>> + <tab mode="none">
>>> <title>Templates</title>
>>> <path>tabs/templates.html</path>
>>> </tab>
>>> - <tab>
>>> + <tab mode="read-only">
>>> <title>Storage</title>
>>> <path>tabs/storage.html</path>
>>> </tab>
>>> - <tab>
>>> + <tab mode="read-only">
>>> <title>Network</title>
>>> <path>tabs/network.html</path>
>>> </tab>
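Review bot: on the Guests tab, mode="admin" does not match the behaviour the commit message describes. The message defines "admin" as full instance access and "byInstance" as per-resource configuration sent by the backend, and says a user may only manage the guests assigned to him/her; "byInstance" looks like the intended value here, and no tab in this hunk uses it. The attribute also carries no role, so every login reads the same mode from this file; either document in the commit message that "mode" applies to the "user" role only, or carry the role alongside the mode. Since the diffstat shows only config/ui/tabs.xml changing, these values shape what the UI displays, and the backend still has to enforce the same restrictions on the resources behind each tab.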
>>
>>
>>
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>
>
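The per-role lookup sketched in the reply above, written out as an added example (not code from the thread or from Kimchi). The function names, the lower-casing of mode values and the deny-by-default fallback to "none" are assumptions of this sketch; the XML is a constructed sample in the proposed layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the <access role=... mode=...> layout from the mail.
TABS_XML = """<tabs>
  <tab id="host">
    <access role="admin" mode="admin"/>
    <access role="user" mode="none"/>
    <title>Host</title>
    <path>tabs/host.html</path>
  </tab>
  <tab id="guests">
    <access role="admin" mode="admin"/>
    <access role="user" mode="byinstance"/>
    <title>Guests</title>
    <path>tabs/guests.html</path>
  </tab>
</tabs>"""

# Mode values named in the thread, lower-cased (assumption: case-insensitive).
KNOWN_MODES = {"none", "admin", "read-only", "byinstance"}


def load_access_table(xml_text):
    """Return {tab_id: {role: mode}}, rejecting malformed <access> entries."""
    table = {}
    for tab in ET.fromstring(xml_text).iter("tab"):
        modes = {}
        for access in tab.findall("access"):
            role = access.get("role")
            mode = (access.get("mode") or "").lower()
            if not role or mode not in KNOWN_MODES:
                raise ValueError(f"bad <access> on tab {tab.get('id')!r}")
            modes[role] = mode
        table[tab.get("id")] = modes
    return table


def resolve_modes(table, login_roles):
    """Map each configured tab to a mode for one login, defaulting to "none".

    login_roles is the per-tab dict from the /login reply. A tab missing
    from it, or a role with no <access> entry, resolves to "none".
    """
    return {tab_id: modes.get(login_roles.get(tab_id), "none")
            for tab_id, modes in table.items()}


if __name__ == "__main__":
    print(resolve_modes(load_access_table(TABS_XML), {"host": "user", "guests": "user"}))
```

A role added to /login before tabs.xml has an `<access>` entry for it resolves to "none" on every tab, so a new role starts with no tabs rather than all of them.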