Inheritance for locations / organizations + Katello

I added a PR to add inheritance for locations / organizations (https://github.com/theforeman/foreman/pull/1105) and want to get some feedback.

The idea is something like this:

Europe
Europe/UK
Europe/Israel
Europe/Israel/BuildingA
Europe/Israel/BuildingA/Rack12

The current implementation is cumulative or whitelisting, which means that location 'Rack12' has all the associated objects available (Smart Proxies, Domains, Hostgroups, etc) as does 'BuildingA' which inherits from 'Israel' which inherited from 'Europe'.

This is opposite of subtraction or or blacklisting was says that 'Rack12' has a subset of the associated objects of 'BuildingA' which is a subset of 'Israel' which is a subset of 'Europe'

Note that with by combining a location and an organization, you can limit more precisely. For example, organization 'QA' only has access to location 'Europe/Israel/BuildingA/Rack12'.

My two questions:

1. Is the cumulative/whitelisting model what we want?

2. How will this feature in Foreman affect the Katello plugin?

Regards,

Joseph

> I added a PR to add inheritance for locations / organizations
> (https://github.com/theforeman/foreman/pull/1105) and want to get some
> feedback.
>
> The idea is something like this:
>
> Europe
> Europe/UK
> Europe/Israel
> Europe/Israel/BuildingA
> Europe/Israel/BuildingA/Rack12
>
> The current implementation is cumulative or whitelisting, which means that
> location 'Rack12' has all the associated objects available (Smart Proxies,
> Domains, Hostgroups, etc) as does 'BuildingA' which inherits from 'Israel'
> which inherited from 'Europe'.
>
> This is opposite of subtraction or or blacklisting was says that 'Rack12' has
> a subset of the associated objects of 'BuildingA' which is a subset of
> 'Israel' which is a subset of 'Europe'
>
> Note that with by combining a location and an organization, you can limit
> more precisely. For example, organization 'QA' only has access to location
> 'Europe/Israel/BuildingA/Rack12'.
>
> My two questions:
>
> 1) Is the cumulative/whitelisting model what we want?

Sounds reasonable to me. The only reason I coudl think of for the substraction
variant is accounting: what hosts I run in Europe/Israel, but that should
be quite easy to compute. The permissions role of orgs/locations sounds
more important to me, where whitelisting works much better.

>
> 2) How will this feature in Foreman affect the Katello plugin?

Long long time ago, we were talking about KT environments being
just a subset of organization (but the inheritance was missing
those days). With inheritance, it seems that
the KT environments could be modeled with the sub-org.

>
> Regards,
>
> Joseph

– Ivan

So if I get it right, when I'm a user with access to Europe/Israel, I select
it as current location and I run Host.all then Taxonomix concern will find me
all hosts that are in one of these:
Europe/Israel,
Europe/Israel/BuildingA,
Europe/Israel/BuildingA/Rack12

Would this apply to all models using Taxonomix? That would mean to load and
apply all filters for one of those locations. So let's say I have a filter
allowing me to :edit_hosts searched by "name ~ test*" in location
Europe/Israel/BuildingA. That would mean I can edit even hosts in
Europe/Israel and Europe/Israel/BuildingA/Rack12.

What would happen if I add unlimited filter in Europe/Israel/BuildingA/Rack12?
It would grant me any permission on Europe/Israel since all found filters are
combined with "OR" condition.

We could change the way how filters are being found. But if we find filters just
for current location and we display objects from other location, what
permission should we enforce on them?

On second thought, after the deep-dive today, I'm going to do another branch in which the inheritance using descendants rather than ancestors. This would mean that if the current Location is Europe, then I would see all hosts that are descendants of Europe which in our example includes Europe/UK, Europe/Israel, Europe/Israel/BuildingA, etc. If the location is Rack12, then it would only include hosts in Rack12. This seems more intuitive than the current implementation.

Joseph

I think that environment is orthagonal to location. I may have Dev and
Prod both in Europe/Israel/BuildingA

– bk

What do you mean by inheritance here? I would suggest that

Europe/Israel/BuildingA

See all the settings of Israel and Europe.

If I am searching, I agree that if I select Building A I do not want to
see hosts in

Europe/Israel/BuildingB

– bk

> From: "Bryan Kearney" <bryan.kearney@gmail.com>
> To: foreman-dev@googlegroups.com
> Sent: Tuesday, January 21, 2014 2:03:38 PM
> Subject: Re: [foreman-dev] inheritance for locations / organizations + Katello
>
> What do you mean by inheritance here? I would suggest that
>
> Europe/Israel/BuildingA
>
> See all the settings of Israel and Europe.
>
> If I am searching, I agree that if I select Building A I do not want to
> see hosts in
>
>
> Europe/Israel/BuildingB
>
> – bk

But would Building A see Israel hosts?
Would Building A see Israel domains?

Are there some things that trickle down to children and others that trickle up to parents?

By inheritance, I mean that a location inherits the settings for a parent location and can add to them but not subtract. This is the current implementation and the method used for defining hostgroup definitions based on a parent.

I'm thinking of the opposition direction where a parent "inherits" from its descendants (rather than ancestors). For example, location Israel will see all subnets in Israel, BuildingA, and Rack12, even if a subnet is not defined explicitly on location Israel. Currently, this is not the case. Israel can't see what's in its children (descendants), but Israel/BuildingA/Rack12 can see all subnets in its parents (ancestors)

I had assumed these were defaults. So, you would put things in Europe if
you want all locations in Europe to use it.

– bk