Permissions system expansion

We have a top level organization for us to manage dhcpd, vmware, dns, tftp, etc.
and require using a child organization for our devteams so they can use
functions inside Foreman that depend on that higher level orchestration. To
that end I've spent a lot of time working with roles and permissions trying
to get everything locked down while still enabling some functionality for
my devteams.

As it stands now with the current permissions system we get great
flexibility via search filters but there are a couple of problems:

  1. Filters are not across the board; they are bound to a given
     resource/permission, which means that disabled functionality or data can be
     seen/used someplace else.
  2. As a result of point 1, a user needs to filter the same thing several
  3. Lack of filters for certain resources like host_params makes it do or die.
  4. Not enough granularity to disable things like the Operating System tab
     in the edit host screen.

Here's my scenario and what triggers these concerns.

Enterprise development environment comprised of more than 2000 systems with
at least 15 dev groups. My team is in charge of the actual datacenter and
we own the OS on each machine while the dev teams own the apps, thus we have
a co-supported environment (which sucks). Several devteams are using
puppet already and some are not, but we need to merge everything into a
single infrastructure. Our choice was Foreman as it provides the needed
functionality to build a machine as well as controlling them with puppet,
but we need a way to lock it down on a need to know basis.

Resource                               Permissions                                                              Search filter
Puppet class                           view_puppetclasses, edit_puppetclasses, import_puppetclasses             test_
Host/managed                           edit_hosts, view_hosts                                                   none
Report                                 view_reports                                                             none
Fact value                             view_facts                                                               none
Host class                             edit_classes                                                             none
Host Group                             destroy_hostgroups, edit_hostgroups, create_hostgroups, view_hostgroups  test_
(Miscellaneous)                        access_dashboard                                                         none
Audited/adapters/active record/audit   view_audit_logs                                                          none

These permissions:
a) Allow the user to use puppet classes that he does not own.
b) Allow the user to modify host information such as Host, Network and
Operating system, which I don't want.
c) Deny the user access to modify host parameters, either global or from
puppet; I'd like to allow this as long as they are not allowed to modify
params established by the parent organization and Global Parameters.
d) With the way filters work, right now we are using the org's name as a
prefix for things like hostgroups and puppet classes, but should they
create one without that prefix, Foreman will not complain, yet they will be
unable to see it after creating it.

I was about to open a feature request for this but was encouraged to send
it here first for feedback.
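To make points 1, a) and d) concrete, here is a small model of a permission system in which every search filter is bound to a single (resource, permission) pair, the way the table above describes it. This is an added illustration written for this page, not Foreman's own authorization code; the resource names, the `test_` prefix, and the names `DEVTEAM`, `allowed`, `can_view_puppetclass`, `can_assign_class_to_host`, `create_hostgroup` and `visible_hostgroup` are constructed for the example. It shows the two gaps the post complains about: a class hidden by the puppetclass filter can still be attached to a host through the unfiltered host-class permission, and a hostgroup created without the prefix is accepted on creation but then disappears from the user's view.

```python
"""Toy model of per-resource search filters (constructed example, not Foreman code)."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Filter:
    """One filter: a set of permissions on one resource, optionally limited by a search."""
    resource: str
    permissions: FrozenSet[str]
    # Predicate over the object's name; None means "unlimited" (no search filter).
    search: Optional[Callable[[str], bool]] = None


@dataclass
class Role:
    filters: List[Filter] = field(default_factory=list)


def prefix(org: str) -> Callable[[str], bool]:
    """Search filter equivalent to 'name starts with <org>_'."""
    return lambda name: name.startswith(org + "_")


def allowed(role: Role, resource: str, permission: str, name: str) -> bool:
    """True if a filter grants `permission` on `resource` and its search matches `name`.

    The search is consulted only for the resource it is attached to; a filter on
    'puppetclass' says nothing about what happens on 'host_class'.
    """
    for f in role.filters:
        if f.resource == resource and permission in f.permissions:
            if f.search is None or f.search(name):
                return True
    return False


# Role modelled on the permission table in the post: puppet classes and hostgroups
# are limited to the 'test_' prefix, everything else is unlimited (constructed).
DEVTEAM = Role([
    Filter("puppetclass", frozenset({"view_puppetclasses", "edit_puppetclasses"}), prefix("test")),
    Filter("host", frozenset({"view_hosts", "edit_hosts"})),
    Filter("host_class", frozenset({"edit_classes"})),  # no search filter available here
    Filter("hostgroup", frozenset({"view_hostgroups", "create_hostgroups"}), prefix("test")),
])


def can_view_puppetclass(role: Role, classname: str) -> bool:
    return allowed(role, "puppetclass", "view_puppetclasses", classname)


def can_assign_class_to_host(role: Role, classname: str) -> bool:
    """Point 1 / a): attaching a class to a host is checked against 'host_class',
    whose filter is unlimited, so the puppetclass prefix filter never applies."""
    return allowed(role, "host_class", "edit_classes", classname)


def create_hostgroup(role: Role, name: str) -> bool:
    """Point d): creation is a bare permission check; the search filter only
    restricts which existing records the user can list, so any name is accepted."""
    return any(
        f.resource == "hostgroup" and "create_hostgroups" in f.permissions
        for f in role.filters
    )


def visible_hostgroup(role: Role, name: str) -> bool:
    """After creation, listing applies the search filter, so an unprefixed
    hostgroup vanishes from the user's view."""
    return allowed(role, "hostgroup", "view_hostgroups", name)


if __name__ == "__main__":
    print("view test_nginx:", can_view_puppetclass(DEVTEAM, "test_nginx"))
    print("view core_ntp:", can_view_puppetclass(DEVTEAM, "core_ntp"))
    print("assign core_ntp to a host:", can_assign_class_to_host(DEVTEAM, "core_ntp"))
    print("create prod_web:", create_hostgroup(DEVTEAM, "prod_web"))
    print("see prod_web afterwards:", visible_hostgroup(DEVTEAM, "prod_web"))
```

Running the script shows `core_ntp` hidden from the puppet class list but still assignable to a host, and `prod_web` accepted on creation but invisible afterwards, which is exactly why a filter that applied across every resource exposing the same data would close both holes.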