Auth testing for Foreman 15 » History » Revision 1
Dominic Cleal, 03/28/2014 12:38 PM

Call for testing: authorization system for Foreman 1.5

Start date: 28th March 2014
End date: 30th April 2014

In Foreman 1.5, the authorization system that controls users' access to resources has had a massive overhaul, making it much more flexible and powerful. As part of our preparations for the Foreman 1.5 release at the end of April, we want to invite our users to help test the upgrade path and identify any issues before we make the release.

What's changed?

In Foreman 1.4, the authorization system was linked to users with a number of filters to permit or restrict access to hosts by ownership, domain, compute resource, host group and facts. Permissions were granted to a role and the role assigned to a user - so a user with an "edit_hosts" permission on a role would be able to edit all hosts that they were able to see, as defined by the filters (if any).

The first key change in Foreman 1.5 is that these user filters are now part of the role and have been changed to use the standard search syntax used throughout the Foreman UI and API. When creating a role to edit hosts, the permissions can now be associated with a filter, so a user is only able to edit hosts that match the defined filter (e.g. where the name is "", the host group is "My sub-organization" or a parameter has a certain value). Multiple filters can be added with different permissions, allowing a more nuanced set of permissions to be assigned via a single role.

The second key change is an improvement in user group support. User groups were only useful for defining group ownership of hosts in Foreman 1.4, but now they can be assigned roles which are inherited by all of the group's members (including other nested groups). The admin flag, which previously could only be set on a user and gives complete, unrestricted access to Foreman, can now be set on a user group too.
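The two changes above (permissions bound to a search filter inside a role, and roles plus the admin flag inherited through nested user groups) are easiest to reason about as a small model. The following is an added example, not Foreman's own code: the search matcher handles only a tiny subset of the real syntax (`field = value`, `field ~ substring`, clauses joined with `and`), and the host fields, group names and sample hosts are constructed for the illustration.

```ruby
# Added toy model of the Foreman 1.5 authorization rules described in the text.
# Not Foreman's code: the search matcher covers only `field = value`,
# `field ~ substring` and "and"; hosts, groups and users below are constructed.

Host = Struct.new(:name, :hostgroup, :params, keyword_init: true)

# A filter ties a set of permissions to a search expression. An empty search
# means "unrestricted": the permissions apply to every resource.
class Filter
  attr_reader :permissions, :search

  def initialize(permissions:, search: '')
    @permissions = permissions
    @search = search.to_s
  end

  def grants?(permission, host)
    permissions.include?(permission) && matches?(host)
  end

  def matches?(host)
    return true if search.strip.empty?
    search.split(/\s+and\s+/i).all? { |clause| clause_matches?(clause, host) }
  end

  private

  # `field = value` or `field ~ value`; `params.<key>` reaches into host parameters.
  def clause_matches?(clause, host)
    m = clause.strip.match(/\A(\S+?)\s*(=|~)\s*"?([^"]*)"?\z/)
    raise ArgumentError, "unsupported search clause: #{clause}" unless m
    field, op, value = m.captures
    actual =
      if field.start_with?('params.')
        host.params[field.delete_prefix('params.')]
      elsif host.respond_to?(field)
        host.public_send(field)
      end
    return false if actual.nil?
    op == '=' ? actual.to_s == value : actual.to_s.include?(value)
  end
end

Role = Struct.new(:name, :filters)

# `parents` are the groups this group is itself a member of; roles and the
# admin flag flow down from every ancestor group to every member.
UserGroup = Struct.new(:name, :roles, :admin, :parents, keyword_init: true) do
  def ancestry
    [self] + parents.flat_map(&:ancestry)
  end
end

User = Struct.new(:login, :roles, :admin, :groups, keyword_init: true) do
  def all_groups
    groups.flat_map(&:ancestry).uniq
  end

  # Own roles plus every role assigned to a direct or nested group.
  def effective_roles
    roles + all_groups.flat_map(&:roles)
  end

  # Admin if the flag is set on the user or on any group they belong to.
  def effective_admin?
    admin || all_groups.any?(&:admin)
  end
end

# The check: admins pass; otherwise some role must hold a filter that carries
# the permission and whose search matches the host.
def authorized?(user, permission, host)
  return true if user.effective_admin?
  user.effective_roles.any? do |role|
    role.filters.any? { |f| f.grants?(permission, host) }
  end
end

def editable_hosts(user, hosts)
  hosts.select { |h| authorized?(user, 'edit_hosts', h) }.map(&:name)
end

# --- constructed sample data ---
HOSTS = [
  Host.new(name: 'web01', hostgroup: 'My sub-organization', params: { 'env' => 'prod' }),
  Host.new(name: 'web02', hostgroup: 'Other org', params: { 'env' => 'prod' }),
  Host.new(name: 'db01', hostgroup: 'My sub-organization', params: { 'env' => 'dev' })
].freeze

# One role, two filters: view every host, but edit only hosts matching the search.
WEB_EDITOR = Role.new('Web editor', [
  Filter.new(permissions: %w[view_hosts]),
  Filter.new(permissions: %w[edit_hosts],
             search: 'hostgroup = "My sub-organization" and name ~ web')
])

STAFF  = UserGroup.new(name: 'staff',  roles: [WEB_EDITOR], admin: false, parents: [])
OPS    = UserGroup.new(name: 'ops',    roles: [],           admin: false, parents: [STAFF])
ADMINS = UserGroup.new(name: 'admins', roles: [],           admin: true,  parents: [])

ALICE = User.new(login: 'alice', roles: [], admin: false, groups: [OPS])    # role via ops -> staff
BOB   = User.new(login: 'bob',   roles: [], admin: false, groups: [ADMINS]) # admin via group
CAROL = User.new(login: 'carol', roles: [], admin: false, groups: [])       # no roles at all

if $PROGRAM_NAME == __FILE__
  [ALICE, BOB, CAROL].each { |u| puts "#{u.login}: can edit #{editable_hosts(u, HOSTS).inspect}" }
end
```

Running it shows the 1.5 behaviour the text describes: alice holds `edit_hosts` only through a nested group and only for hosts matching the filter, so she can edit `web01` but not `web02` (wrong host group) or `db01` (name does not match), while she can still view all three through the unrestricted `view_hosts` filter; bob is admin solely because his group carries the admin flag.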

Work is still progressing on #813 to hopefully land in Foreman 1.5, which will allow user groups to be linked to LDAP groups, making membership management much easier where a directory service is already deployed.
