I am wondering how you all currently organize your access to hosts in Foreman? After learning that user groups themselves can't be added to hostgroups, locations or organizations, I'm at a loss on how to effectively manage access. With around 400 users, 90,000 servers, across 5 orgs, 45 locations and 1200+ hostgroups, this seems like a nightmare scenario when it comes to managing access. Outside of setting up some sort of scripting with the API, is there no effective means of easily doing this in the UI?
As it looks right now, we would need to literally set each individual user to each location or org. As there is no current method to manage users within hostgroups, then we would need to essentially make each host group a location, assign users to the location, then assign the hostgroup to the location. This would prevent access to servers under that hostgroup. But this seems all like way too much to manage with the size of infrastructure we have. Am I looking at this wrong?
In Administer > Roles, you can clone the “Edit hosts” role and save.
Then you can edit the filters.
The magic is that you can add a search that limits hosts to those of a particular hostgroup (or any other host search you like.)
Ohhhhh! Thank you so much! I forgot all about the search function of that. Ok. So… Theoretically, we could set up our own Roles, and have a role for each “location” or “hostgroup” simply by setting the search to whatever we need it to be. Ok, not the most intuitive way to do it, but it should work. I still think allowing user groups to be assigned to Orgs, Locs and Hostgroups would be a nice addition, but this should work. Thanks so much!
One example from a customer: We have LDAP sync from Active Directory for authentication. This also gives us usergroups. Then roles were defined for different permissions, but the filter in general for the hosts is based on the owner, and the owner is set to the usergroup. This works great in the environment as the tooling ensures the owner is set correctly. Not sure if without it you end up with many hosts assigned to users instead of the group, but I think it can be something to consider.
We are managing the whole access and role management via Ansible (foreman-ansible-modules).
That makes it fairly simple to manage, as creating a new role is just another list of permissions.
And the same as in Dirk’s case we are also using LDAP for AD, where we connect the roles to usergroups then, also managed via Ansible, which makes it more templatable.
It seems like some key functionalities might be missing if people need to rely on an Ansible playbook to manage Foreman, don’t you think?
We’re definitely using LDAP/AD and groups, which are great. But the fact that you can’t assign a group directly to a location or organization adds extra complexity. It forces us to manage things using a variety of different methods, as mentioned by others, above.
We’re doing the same thing as @Dirk - custom roles attached to usergroups. But using the owner as a means to filter or manage security means having to manage the user for all 90,000 some servers. That is not a viable option.
Ok, maybe some of you can assist me here. I'm not understanding filters. Shouldn't this filter (assuming it's the only role attached to the user) prevent the user from seeing any host except for hosts that match the search?
Wow. 7 hours later I've resolved this. Apparently even if you apply another role to a user, they will ALWAYS still inherit the Default role. This isn't stated anywhere in the UI or documentation. I know a user without a role will always get that role, but I thought when you assigned them a new role, the default filters would go away. They don't. So I removed the host unlimited filter from the default role, and now it all works.
Glad to hear you got to the bottom of it. By default, the Default role only grants a rather limited set of permissions; it shouldn’t be giving permissions to view hosts, unless you changed it yourself.
The Default role’s description says “Role that is automatically assigned to every user in the system. Adding a permission grants it to everybody.” The docs[1] have a similar formulation: “Default role - View tasks and jobs invocations. - Foreman automatically assigns this role to every user in the system.”
But if that’s easy to miss, we could think about moving it to a more prominent place.
Neither the UI nor the docs say that the Default role would be removed when you assign another role to the user.
With all that being said, does this get you where you need to be or is there still something that you need to set up around this?
It’s working perfectly. I had meant to say that nowhere in the documentation does it say the Default role settings will be removed when another role is added. That took us forever to figure out. We had thought the Default role would be applied to any user/usergroup that did NOT have another role assigned, not that it would be assigned in addition to another role. We made the mistake of changing the Default role to allow view hosts, and that was where we ran into problems.
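The pitfall worked out in the thread (the Default role is always applied on top of explicit roles, so one unlimited `view_hosts` filter on it makes every host visible to everyone) can be checked offline. This is an added example, not code from the thread or from Foreman; the sample filters are constructed and only follow the shape of Foreman's `/api/filters` response (`role`, `permissions`, `search`, `unlimited?`), and the role name "Edit hosts - web" and the hostgroup search are invented.

```python
# Effective host visibility per user from Foreman-style role filters.
# Assumption, as the thread describes: every user holds "Default role"
# in addition to any roles assigned explicitly.

DEFAULT_ROLE = "Default role"

# Constructed sample in the shape of GET /api/filters: a clone of
# "Edit hosts" restricted to one hostgroup, plus the mistake from the
# thread, an unlimited view_hosts filter added to the Default role.
FILTERS = [
    {"id": 1, "role": {"name": DEFAULT_ROLE},
     "permissions": [{"name": "view_tasks"}],
     "unlimited?": True, "search": None},
    {"id": 2, "role": {"name": DEFAULT_ROLE},
     "permissions": [{"name": "view_hosts"}],
     "unlimited?": True, "search": None},
    {"id": 3, "role": {"name": "Edit hosts - web"},  # hypothetical clone
     "permissions": [{"name": "view_hosts"}, {"name": "edit_hosts"}],
     "unlimited?": False, "search": 'hostgroup_title = "prod/web"'},
]


def host_scope(user_roles, filters, permission="view_hosts"):
    """Return the set of filter searches that scope `permission` for a user,
    or "UNLIMITED" if any applicable filter has no search restriction.
    The Default role is always included, mirroring Foreman's behaviour."""
    roles = set(user_roles) | {DEFAULT_ROLE}
    searches = set()
    for f in filters:
        if f["role"]["name"] not in roles:
            continue
        if permission not in {p["name"] for p in f["permissions"]}:
            continue
        # One unrestricted filter wins: searches are OR-ed, not AND-ed.
        if f.get("unlimited?") or not f.get("search"):
            return "UNLIMITED"
        searches.add(f["search"])
    return searches


def audit_default_role(filters, sensitive=("view_hosts", "edit_hosts")):
    """Filter ids on the Default role that grant a sensitive permission with
    no search. These reach every user and are the first thing to remove."""
    return sorted(
        f["id"] for f in filters
        if f["role"]["name"] == DEFAULT_ROLE
        and (f.get("unlimited?") or not f.get("search"))
        and any(p["name"] in sensitive for p in f["permissions"])
    )
```

Running `audit_default_role` against a live `/api/filters` export gives the same check the thread resolved by hand; once the offending filter is gone, `host_scope` shows the hostgroup-scoped role doing its job.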