Well, really what I want is for all externally authenticated users to get
particular permissions without requiring someone to go in to the UI and
grant them. So, what I was thinking was to create a role (I called it
Kerberos) and a usergroup (also Kerberos) and put all EXTERNAL users in the
Kerberos group, but I can't figure out how to make that automatic (or even
scriptable, since it seems those parts of the api / hammer aren't working
right now).
NOTE: I looked at giving the anonymous role the permissions I want, but
then my read-only service account has elevated permissions, and I
definitely don't want that.
Anyone have any ideas?
+1 as I have this same exact question.
Thanks,
L.
On Wed, Jul 23, 2014 at 2:17 PM, Holt Wilkins wrote:
> Well, really what I want is for all externally authenticated users to get
> particular permissions without requiring someone to go in to the UI and
> grant them. So, what I was thinking was to create a role (I called it
> Kerberos) and a usergroup (also Kerberos) and put all EXTERNAL users in the
> Kerberos group, but I can't figure out how to make that automatic (or even
> scriptable, since it seems those parts of the api / hammer aren't working
> right now).
>
> NOTE: I looked at giving the anonymous role the permissions I want, but then
> my read-only service account has elevated permissions, and I definitely
> don't want that.
>
> Anyone have any ideas?
In Foreman 1.6 this will be possible, thanks to:
http://projects.theforeman.org/issues/5241
http://projects.theforeman.org/issues/3892
http://projects.theforeman.org/issues/813
User groups will have a corresponding "external user group" linked to
the authentication source, and Foreman will pull in a list of users to
update the user group with.
#3892 is for Apache type authentication, so Foreman can obey
REMOTE_USER_GROUP_* environment variables and populate group membership
based on those.
#813 is for LDAP auth sources, so Foreman will load the members from an
LDAP group and make them members of the user group.
Cheers,
On 23/07/14 19:17, Holt Wilkins wrote:
> Well, really what I want is for all externally authenticated users to
> get particular permissions without requiring someone to go in to the UI
> and grant them. So, what I was thinking was to create a role (I called
> it Kerberos) and a usergroup (also Kerberos) and put all EXTERNAL users
> in the Kerberos group, but I can't figure out how to make that automatic
> (or even scriptable, since it seems those parts of the api / hammer
> aren't working right now).
--
Dominic Cleal
Red Hat Engineering
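
How user group membership could be derived from the REMOTE_USER_GROUP_* variables described in the reply above, as an added Ruby example (not Foreman's own code and not written by anyone in this thread). It assumes the web server exports a count in REMOTE_USER_GROUP_N and the names in REMOTE_USER_GROUP_1..N, the layout mod_lookup_identity produces; the helper names, the cap and the sample data are hypothetical.

```ruby
# Added example: hypothetical helper names, constructed sample data.
# Assumed layout: REMOTE_USER_GROUP_N holds a count, REMOTE_USER_GROUP_1..N the names.
MAX_GROUPS = 256 # constructed cap so a bogus count cannot drive a long loop

# Read external group names from a Rack-style env hash. Only the exact
# server-set keys are read; a header sent by the client shows up under an
# HTTP_ prefix in the env and is therefore never consulted.
def external_groups(env)
  raw = env['REMOTE_USER_GROUP_N'].to_s
  return [] unless raw.match?(/\A\d+\z/)
  count = [raw.to_i, MAX_GROUPS].min
  (1..count).map { |i| env["REMOTE_USER_GROUP_#{i}"].to_s.strip }
            .reject(&:empty?).uniq
end

# links:   local user group => linked external group name
# current: local user groups the user belongs to now
# Groups with no external link are left alone, so memberships granted by
# hand survive; linked groups are added and revoked to match the env.
def reconcile(current, links, external)
  managed  = links.keys
  entitled = links.select { |_local, ext| external.include?(ext) }.keys
  { add:    entitled - current,
    remove: (current & managed) - entitled,
    result: ((current - managed) + entitled).uniq.sort }
end

# Constructed request environment for one externally authenticated user.
SAMPLE_ENV = {
  'REMOTE_USER'              => 'alice@EXAMPLE.COM',
  'REMOTE_USER_GROUP_N'      => '2',
  'REMOTE_USER_GROUP_1'      => 'kerberos-users',
  'REMOTE_USER_GROUP_2'      => 'ops',
  'HTTP_REMOTE_USER_GROUP_3' => 'admins' # client-supplied header, ignored
}.freeze
SAMPLE_LINKS = { 'Kerberos' => 'kerberos-users', 'Admins' => 'admins' }.freeze

if __FILE__ == $PROGRAM_NAME
  groups = external_groups(SAMPLE_ENV)
  p groups
  p reconcile(%w[Admins Manual], SAMPLE_LINKS, groups)
end
```

Because linked groups are revoked as well as granted on each login, a user dropped from the external group loses the role without anyone touching the UI.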