Organizing access in Foreman seems overly tedious?

I am wondering how you all currently organize your access to hosts in Foreman? After learning that user groups themselves can't be added to hostgroups, locations or organizations, I'm at a loss on how to effectively manage access. With around 400 users, 90,000 servers, across 5 orgs, 45 locations and 1200+ hostgroups, this seems like a nightmare scenario when it comes to managing access. Outside of setting up some sort of scripting with the API, is there no effective means of easily doing this in the UI?

As it looks right now, we would need to literally set each individual user to each location or org. As there is no current method to manage users within hostgroups, then we would need to essentially make each host group a location, assign users to the location, then assign the hostgroup to the location. This would prevent access to servers under that hostgroup. But this seems all like way too much to manage with the size of infrastructure we have. Am I looking at this wrong?

I think custom roles may help you here.

In Administer > Roles, you can clone the “Edit hosts” role and save.
Then you can edit the filters.
The magic is that you can add a search that limits hosts to those of a particular hostgroup (or any other host search you like).

You could use this to have quite granular management of which users can see which hosts.

The final step is to assign your new role to the user, and then you should be good to go.

Ohhhhh! Thank you so much! I forgot all about the search function of that. Ok. So… Theoretically, we could set up our own Roles, and have a role for each “location” or “hostgroup” simply by setting the search to whatever we need it to be. Ok, not the most intuitive way to do it, but it should work. I still think allowing user groups to be assigned to Orgs, Locs and Hostgroups would be a nice addition, but this should work. Thanks so much!

1 Like

One example from a customer: We have LDAP sync from Active Directory for authentication. This also gives us usergroups. Then roles were defined for different permissions, but the filter in general for the hosts is based on the owner, and the owner is set to the usergroup. This works great in the environment as the tooling ensures the owner is set correctly. Not sure if without it you end up with many hosts assigned to users instead of the group, but I think it can be something to consider.

1 Like

We are managing the whole access and role management via Ansible (foreman-ansible-modules).
That makes it fairly simple to manage, as creating a new role is just another list of permissions.

And the same as in Dirk’s case we are also using LDAP for AD, where we connect the roles to usergroups then, also managed via Ansible, which makes it more templatable.
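As an added example (not code from this thread or from any of the linked repositories), the playbook below does with the theforeman.foreman collection what the manual procedure earlier in the thread does in Administer > Roles: it creates a role whose host permissions are limited by a search filter on a hostgroup, scopes it to one organization and location, and attaches it to an LDAP-synced usergroup, which is the pattern Dirk and the post above describe. The server URL, credentials, hostgroup name, organization, location and usergroup name are placeholders; the module and parameter names are the collection's own.

```yaml
---
# Added example, not from the thread. Assumes the theforeman.foreman
# collection is installed and that all names below are placeholders.
- name: Restrict a usergroup to the hosts of one hostgroup via a filtered role
  hosts: localhost
  gather_facts: false
  vars:
    foreman_server_url: "https://foreman.example.com"          # placeholder
    foreman_username: "{{ lookup('env', 'FOREMAN_USERNAME') }}"  # placeholder
    foreman_password: "{{ lookup('env', 'FOREMAN_PASSWORD') }}"  # placeholder
    target_hostgroup: "prod/web"     # assumed hostgroup full name (Parent/Child)
    target_org: "ACME"               # assumed organization
    target_location: "Munich"        # assumed location
    ldap_usergroup: "web-admins"     # assumed usergroup synced from AD
  tasks:
    - name: Create a role whose host permissions are limited by a search filter
      theforeman.foreman.role:
        server_url: "{{ foreman_server_url }}"
        username: "{{ foreman_username }}"
        password: "{{ foreman_password }}"
        name: "Hosts - {{ target_hostgroup }}"
        description: "View and edit only hosts in hostgroup {{ target_hostgroup }}"
        organizations:
          - "{{ target_org }}"
        locations:
          - "{{ target_location }}"
        filters:
          # The search string is the same one you would type into the
          # filter's Search box when editing the role in the UI.
          - permissions:
              - view_hosts
              - edit_hosts
            search: 'hostgroup_fullname = "{{ target_hostgroup }}"'
          # Listing hostgroups is needed to navigate the host UI and does
          # not expose hosts outside the filter above.
          - permissions:
              - view_hostgroups
        state: present

    - name: Attach the role to the LDAP-synced usergroup
      theforeman.foreman.usergroup:
        server_url: "{{ foreman_server_url }}"
        username: "{{ foreman_username }}"
        password: "{{ foreman_password }}"
        name: "{{ ldap_usergroup }}"
        admin: false
        roles:
          - "Hosts - {{ target_hostgroup }}"
        state: present
```

Because permissions from all of a user's roles are combined, this role only restricts what the usergroup can see if no other role they carry (including the Default role, which every user has) contains an unlimited view_hosts filter. Running the playbook with a per-hostgroup loop over `target_hostgroup` and `ldap_usergroup` is how you would scale this to many hostgroups without touching each role in the UI.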

It seems like some key functionalities might be missing if people need to rely on an Ansible playbook to manage Foreman, don’t you think?

We’re definitely using LDAP/AD and groups, which are great. But the fact that you can’t assign a group directly to a location or organization adds extra complexity. It forces us to manage things using a variety of different methods, as mentioned by others, above.

We’re doing the same thing as @Dirk - Custom roles attached to usergroups. But using the owner as a means to filter or manage security means we have to manage the user for all 90,000-some servers. That is not a viable option.

1 Like

Ok, maybe some of you can assist me here. I'm not understanding filters. Shouldn't this filter (assuming it's the only role attached to the user) prevent the user from seeing any host except for hosts that match the search?

I cannot seem to get it to display only certain hosts. No matter what filter I put in Host, it always displays ALL hosts for the person.

I assume I am using this incorrectly?

Wow. 7 hours later I've resolved this. Apparently even if you apply another role to a user, they will ALWAYS still inherit the Default role. This isn't stated anywhere in the UI or documentation. I know a user without a role will always get that role, but I thought when you assigned them a new role, the default filters would go away. They don't. So I removed the host unlimited filter from the default role, and now it all works.

3 Likes

Glad to hear you got to the bottom of it. By default, the Default role only grants a rather limited set of permissions; it shouldn’t be giving permissions to view hosts, unless you changed it yourself.

The Default role’s description says “Role that is automatically assigned to every user in the system. Adding a permission grants it to everybody.” The docs[1] have a similar formulation: “Default role - View tasks and jobs invocations. - Foreman automatically assigns this role to every user in the system.”

But if that’s easy to miss, we could think about moving it to a more prominent place.

Neither the UI nor the docs say that the default role would be removed when you assign another role to the user.

With all that being said, does this get you where you need to be or is there still something that you need to set up around this?

[1] - Administering Foreman

Yes! You can stack roles to manage common permissions, like: ansible-foreman/inventory/opn/group_vars/tfm/role.yml at github · LOXDA/ansible-foreman · GitHub
then mix it up to a more filtered one per group:
ansible-foreman/inventory/opn/group_vars/tfm/usergroup.yml at github · LOXDA/ansible-foreman · GitHub

It’s working perfectly. I had meant to say that nowhere in the documentation does it say the default role settings will be removed when another role is added. That took us forever to figure out. We had thought the default role would be applied to any user/usergroup that did NOT have another role assigned, not that it would be assigned in addition to another role. We made the mistake of changing the default role to allow view hosts and that was where we ran into problems.

Thanks for the reply!

@Jeff_Sparrow FYI: Anet is working on docs that describe the default role: Turn 'deployment considerations' into 'deployment path' by asteflova · Pull Request #3456 · theforeman/foreman-documentation · GitHub

2 Likes