Dominic Cleal, 03/28/2014 12:49 PM

Call for testing: authorization system for Foreman 1.5

  • Start date: 28th March 2014
  • End date: 30th April 2014

In Foreman 1.5, the authorization system that controls users' access to resources has had a massive overhaul, making it much more flexible and powerful. As part of our preparations for the Foreman 1.5 release at the end of April, we want to invite our users to help test the upgrade path and identify any issues before we make the release.

What's changed?

In Foreman 1.4, the authorization system was linked to users with a number of filters to permit or restrict access to hosts by ownership, domain, compute resource, host group and facts. Permissions were granted to a role and the role assigned to a user - so a user with an "edit_hosts" permission on a role would be able to edit all hosts that they were able to see, as defined by the filters (if any).

The first key change in Foreman 1.5 is that these user filters are now part of the role and have been changed to use the standard search syntax used throughout the Foreman UI and API. When creating a role to edit hosts, the permissions can now be associated with a filter, so a user is only able to edit hosts that match the defined filter (e.g. where the name is "", the host group is "My sub-organization" or a parameter has a certain value). Multiple filters can be added with different permissions, allowing a more nuanced set of permissions to be assigned via a single role.

The second key change is an improvement in user group support. User groups were only useful for defining group ownership of hosts in Foreman 1.4, but now they can be assigned roles which are inherited by all of the group's members (including other nested groups). The admin flag, which previously could only be set on a user and gives complete, unrestricted access to Foreman, can now be set on a user group too.
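When reviewing a migrated database it helps to see, for each user, which permissions are held and through which role or group they arrive. The sketch below is an added example, not Foreman's code or schema: it models the filtered roles and nested user groups described above and resolves a user's effective access. The struct names, the sample filter string and the rule that a parent group's admin flag reaches members of nested groups are assumptions.

```ruby
require 'set'

# Constructed model for illustration; these structs are not Foreman's schema.
Filter = Struct.new(:permissions, :search)              # search nil = unrestricted
Role   = Struct.new(:name, :filters)
Group  = Struct.new(:name, :roles, :admin, :member_of)  # member_of: parent group names
User   = Struct.new(:login, :roles, :admin, :groups)    # groups: direct group names

# Every group the user belongs to, directly or through nesting.
# The seen set stops a membership loop (a in b, b in a) from running forever.
def groups_for(user, groups_by_name)
  seen = Set.new
  queue = user.groups.dup
  until queue.empty?
    name = queue.shift
    next unless seen.add?(name)
    queue.concat(groups_by_name.fetch(name).member_of)
  end
  seen
end

# Returns { admin: bool, grants: [[permission, search, source], ...] }.
# Assumption: an admin flag on any directly or indirectly joined group applies.
def effective_access(user, groups_by_name)
  sources = [["user:#{user.login}", user.roles, user.admin]]
  groups_for(user, groups_by_name).each do |name|
    g = groups_by_name.fetch(name)
    sources << ["group:#{name}", g.roles, g.admin]
  end
  grants = sources.flat_map do |source, roles, _|
    roles.flat_map do |role|
      role.filters.flat_map do |f|
        f.permissions.map { |p| [p, f.search, "#{source}/#{role.name}"] }
      end
    end
  end
  { admin: sources.any? { |_, _, admin| admin }, grants: grants }
end

# Constructed sample data: 'web' is nested in 'ops' and in a looping group.
EDIT_SUBORG = Role.new('Sub-org editor',
  [Filter.new(%w[view_hosts edit_hosts], 'hostgroup = "My sub-organization"')])
VIEWER = Role.new('Viewer', [Filter.new(%w[view_hosts], nil)])
GROUPS = {
  'ops'  => Group.new('ops', [VIEWER], true, []),
  'web'  => Group.new('web', [EDIT_SUBORG], false, %w[ops loop]),
  'loop' => Group.new('loop', [], false, %w[web])
}
ALICE = User.new('alice', [], false, %w[web])
BOB   = User.new('bob', [VIEWER], false, [])
```

In this sample, `effective_access(ALICE, GROUPS)` reports admin access even though neither alice nor her direct group carries the flag, which is the kind of inherited privilege worth looking for when checking a migrated installation.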

Work is still progressing on #813 to hopefully land in Foreman 1.5, which will allow user groups to be linked to LDAP groups, making membership management much easier where a directory service is already deployed.

What needs testing?

Upgrade and migration

We urgently need more testing of the upgrade path from Foreman 1.4 to 1.5. An automatic upgrade is provided during the db:migrate in Foreman 1.5 from the per-user filters to pre-defined roles, but we need to ensure this works well in large and complex environments.

For this, we'd like testers to either perform a clean installation of Foreman 1.5 (nightlies) on a test VM, import their Foreman 1.4 production database from a backup and run the DB migrations to update it, or take a clone of the whole Foreman 1.4 system and upgrade it in situ to Foreman 1.5. We strongly discourage upgrading production installations to nightlies - wait for the release candidates at least!

Please see the instructions further down the page on getting Foreman 1.5/nightlies.

How to upgrade and test

Since Foreman 1.5 has not yet reached the release candidate stage, we recommend using our nightly packages. These are smoke tested before being published, so they should always be functional (in that they install), but may contain a number of bugs.

Please check the known issues below, particularly if you're filing a new bug.

When you're ready to file a bug, use:

Please mention that you're using Foreman nightlies, either in the text or by setting the "Found in release" field.

RPM users

  1. Get the nightly foreman-release.rpm from here:
  2. Follow the usual installation instructions to install and run foreman-installer:
