Call for testing: authorization system for Foreman 1.5

  • Start date: 28th March 2014
  • End date: 18th April 2014

In Foreman 1.5, the authorization system that controls users' access to resources has had a massive overhaul, making it much more flexible and powerful. As part of our preparations for the Foreman 1.5 release at the end of April, we want to invite our users to help test the upgrade path and identify any issues before we make the release.

What's changed?

In Foreman 1.4, the authorization system was linked to users with a number of filters to permit or restrict access to hosts by ownership, domain, compute resource, host group and facts. Permissions were granted to a role and the role assigned to a user - so a user with an "edit_hosts" permission on a role would be able to edit all hosts that they were able to see, as defined by the filters (if any).

The first key change in Foreman 1.5 is that these user filters are now part of the role, and they use the standard search syntax found throughout the Foreman UI and API. When creating a role to edit hosts, each permission can now be associated with a filter, so a user is only able to edit the hosts that match it (for example name = foo.example.com, hostgroup = "My sub-organization", or a host parameter with a particular value). Multiple filters, each carrying different permissions, can be added to a single role, allowing a more nuanced set of permissions to be assigned at once.

The second key change is an improvement in user group support. User groups were only useful for defining group ownership of hosts in Foreman 1.4, but now they can be assigned roles which are inherited by all of the group's members (including other nested groups). The admin flag, which previously could only be set on a user and gives complete, unrestricted access to Foreman, can now be set on a user group too.

Work is still progressing on #813 to hopefully land in Foreman 1.5, which will allow user groups to be linked to LDAP groups, making membership management much easier where a directory service is already deployed.

What needs testing?

Upgrade and migration

We urgently need more testing of the upgrade path from Foreman 1.4 to 1.5. An automatic upgrade is provided during the db:migrate in Foreman 1.5 from the per-user filters to pre-defined roles, but we need to ensure this works well in large and complex environments.

For this, we'd like testers to do one of two things: either install Foreman 1.5 (nightlies) cleanly on a test VM, restore a backup of the Foreman 1.4 production database into it and run the DB migrations against that copy, or clone the whole Foreman 1.4 system and upgrade the clone in place to Foreman 1.5. We strongly discourage upgrading production installations to nightlies: wait for the release candidates at least!

Please see the instructions further down the page on getting Foreman 1.5/nightlies.

Check that your user filters have migrated in a sane manner (some tidy-up and deduplication may be needed where several users had similar permissions) and that each user still has access to exactly the resources they should: no less and, more importantly, no more. A migration bug that widens access is easy to miss because nothing visibly breaks, so log in as a few non-admin users, or query the API as them, and confirm the host lists match what those users saw on 1.4.
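One way to make that "no more" check repeatable, as an added example written for this call for testing rather than something shipped with Foreman: snapshot the hosts each test user can see through the API while still on 1.4, take the same snapshot after db:migrate on 1.5, and diff the two per user. The Foreman URL, the CA file path and the users file format (one login:password per line) are assumptions for the illustration; the script uses the v2 API with HTTP basic auth and a deliberately simple grep over the JSON, so point it at a tool like jq if your host records contain nested "name" keys.

```shell
#!/bin/sh
# Added example for this call for testing; it is not part of Foreman or its
# installer. It records which hosts each listed non-admin user can see via
# the Foreman API (v2, HTTP basic auth) before the upgrade, repeats the
# snapshot after db:migrate, and diffs the two per user.
#
# Assumptions (adjust for your environment): the Foreman URL below, a CA
# file for the installer's self-signed certificate, and a users file with
# one "login:password" pair per line for the test accounts to check.

FOREMAN_URL="${FOREMAN_URL:-https://foreman.example.com}"     # assumed
CA_CERT="${CA_CERT:-/etc/foreman/proxy_ca.pem}"               # assumed path
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/var/tmp/foreman-access}"

# Print the host names visible to one user, one per line, sorted.
# per_page is set high so a single request returns every host; raise it
# if your host count exceeds it.
hosts_visible_to() {
  user="$1"; pass="$2"
  curl -sS --cacert "$CA_CERT" -u "$user:$pass" \
       -H 'Accept: application/json' \
       "$FOREMAN_URL/api/v2/hosts?per_page=10000" \
    | grep -o '"name":"[^"]*"' | cut -d'"' -f4 | sort -u
}

# Take a snapshot ("before" or "after") for every user in the users file.
snapshot() {
  label="$1"; users_file="$2"
  mkdir -p "$SNAPSHOT_DIR/$label"
  while IFS=: read -r user pass; do
    [ -n "$user" ] || continue
    hosts_visible_to "$user" "$pass" > "$SNAPSHOT_DIR/$label/$user"
  done < "$users_file"
}

# Compare two sorted host lists for one user. Prints hosts gained (+) and
# lost (-). Returns 0 if access is unchanged, 1 if it differs; a gained
# host is the case to look at hardest, since a migration that widens
# access produces no visible breakage.
compare_access() {
  user="$1"; before="$2"; after="$3"
  gained=$(comm -13 "$before" "$after")
  lost=$(comm -23 "$before" "$after")
  status=0
  if [ -n "$gained" ]; then
    printf '%s gained access to:\n' "$user"
    printf '%s\n' "$gained" | sed 's/^/  +/'
    status=1
  fi
  if [ -n "$lost" ]; then
    printf '%s lost access to:\n' "$user"
    printf '%s\n' "$lost" | sed 's/^/  -/'
    status=1
  fi
  return "$status"
}

# Diff every user's before/after snapshot; exit non-zero if any changed.
compare_all() {
  rc=0
  for before in "$SNAPSHOT_DIR"/before/*; do
    user=$(basename "$before")
    compare_access "$user" "$before" "$SNAPSHOT_DIR/after/$user" || rc=1
  done
  return "$rc"
}

# Usage:  ./access-check.sh before users.txt   (on Foreman 1.4)
#         ./access-check.sh after  users.txt   (after foreman-rake db:migrate)
#         ./access-check.sh compare
case "$1" in
  before|after) snapshot "$1" "$2" ;;
  compare)      compare_all ;;
esac
```

Run the "before" snapshot against the 1.4 system (or the cloned VM before migrating), the "after" snapshot once db:migrate and db:seed have finished, then "compare". Any user listed under "gained access to" has had their effective filters widened by the migration and is worth a bug report; a "lost access to" entry is the less dangerous direction but still means the generated roles need tidying.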

New filter system

Try out the new roles and filters system, particularly with the search functionality, which you should be able to use to set up complex sets of filters for your user roles.

Improved user group features

Try the improved user groups: assign roles and the admin flag to groups of users, and nest user groups to create more complex setups. Because the admin flag and roles are now inherited through nested groups, check that a member of an inner group gains admin access only where you intend it, and loses it again when removed from the group.

(Later!) LDAP user group integration

This hasn't been merged yet! Once #813 has been closed, it will be available in nightlies.

Try setting up LDAP authentication sources and then linking your user groups to a group defined in LDAP. Check that group membership lists update correctly, that users added to the LDAP group gain access, and that access ceases when they are removed. Check that, combined with the roles assigned to your groups, members get access to the resources you define and nothing else.

How to upgrade and test

Since Foreman 1.5 has not yet reached the release candidate stage, we recommend using our nightly packages. These are smoke tested before being published, so should always be functional (in that they install), but may contain a number of bugs.

Please check the known issues below, particularly if you're filing a new bug.

When you're ready to file a bug, use:

Please mention that you're using Foreman nightlies, either in the text or by setting the "Found in release" field.

RPM users

  1. Get the nightly foreman-release.rpm from here: http://yum.theforeman.org/nightly/el6/x86_64/foreman-release.rpm
  2. Follow the usual installation instructions to install and run foreman-installer: http://theforeman.org/manuals/1.5/index.html#2.Quickstart
  3. Use the database backup and restore instructions to copy your Foreman 1.4 production database to the new server: http://theforeman.org/manuals/1.5/index.html#5.5.1Backup
  4. Run foreman-rake db:migrate && foreman-rake db:seed and then service foreman restart

Debian and Ubuntu users

  1. Use the "nightly" component in sources.list, i.e. echo "deb http://deb.theforeman.org/ wheezy nightly" > /etc/apt/sources.list.d/foreman.list (substitute the codename of your own Debian or Ubuntu release for "wheezy")
  2. Follow the usual installation instructions to install and run foreman-installer: http://theforeman.org/manuals/1.5/index.html#2.Quickstart
  3. Use the database backup and restore instructions to copy your Foreman 1.4 production database to the new server: http://theforeman.org/manuals/1.5/index.html#5.5.1Backup
  4. Run foreman-rake db:migrate && foreman-rake db:seed and then service apache2 restart

Where to go for help?

#theforeman on IRC or the foreman-users mailing list are best, see http://theforeman.org/support.html