User Avatar support in the Foreman, keep it or drop it?


we used to have gravatar support once but it was dropped in 2018 as it didn’t meet FIPS requirements. We still have limited support for getting user avatars to Foreman. In a nutshell, user must use LDAP as external auth source. Foreman can then fetch jpegPhoto binary data, stores it on FS and can serve such images. Well, that worked until recently, we’re now missing ProxyPass definition in our apache config (one-liner to fix). If we fix it and user sets that up, as a reward, they can see user avatar in the Administer → Users list page. We don’t display it anywhere else. I’d personally say that

  1. this is not overly useful and we would have to add the picture to more places like: top right menu, audits list, host detail page (owner)
  2. it would be only useful if people could upload the picture directly without necessity to use LDAP for it
  3. if we have this for users, we should also add it for user groups since they can also be host owner
  4. if we allow to do this through WebUI, we should also make this possible through API, CLI and possibly foreman ansible modules

That’s quite some work and I’m afraid we don’t have resources for the improvements listed above. If there’s someone willing to work on this, please respond. If we keep this as is, it’s additional code to maintain and source of problems for some environments (the avatar filename is based on SHA1 hash).

Therefore I propose to drop this functionality. Let’s have a poll on this, we’ll close it in a month from now.

  • Feel free to drop the avatar functionality
  • Please keep it as it is, it’s valuable

0 voters

Please also share any further details below in comments. Thank you!

I as currently the only one voted for keeping it.

I really like the feature in larger environments as I am bad at names but good with faces, so it makes it easier for me to address the correct person. I am also happy with the “get it from LDAP” feature as this is how I feel it should be in a professional environment. In our active directory everyone’s picture is stored which gets taken on the first day and enforced as avatar where this feature is available. I have seen similar policies at some customers, others allow the upload of any picture from the client.

So from your list of improvements I would only like to see the first, others are not necessary (at least immediately) as I see this as a totally different feature.

1 Like

We ended up creating a plugin to do the avatar retrieval and storage using Rake tasks at Linköping University - because it turns out that lots of us are also much better with faces than with names.
For us, points 2-4 wouldn’t offer any real benefit, but the changes listed in point 1 would make using Foreman easier for several of our admins.


As it seems this is useful for some users (poll not closed yet, vote if you haven’t!), would it make sense to take this functionality and merge it to your plugin? I saw it is a bit specific, but also adds nice functionality. I think there would be a better chance of having more people contributing to that functionality if it’s at single place.

I also hear what you both are saying about the suggested new functionality. Adding just 1 is probably useful for all users currently using the LDAP feature. 2-4 is more for adding full avatar support, even for people not using it today.

@ananace any thoughts on the above?

Extracting the full avatar capability into a plugin certainly sounds like it could be one solution - hopefully leaving the placeholder silhouette in the UI (since that leaves a good place in DOM to replace with the actual avatar), shouldn’t be too difficult for us to retool onto a general-purpose avatar plugin as well as some Linköping University -specific code to automatically download our employee avatars like we do at the moment.

1 Like

As part of the extraction, we should be able to introduce pagelets and sockets where necessary.

Sorry to resurrect an old thread, but could you tell me what the missing one-liner is? I understand it pertains to /images.

In /etc/httpd/conf.d/05-foreman-ssl.conf there are already some lines similiar to it, so just add there ProxyPass /images ! to send this to puma.

I created a PR for it: Add ProxyPass for /images to support avatars by dgoetz · Pull Request #1154 · theforeman/puppet-foreman · GitHub

1 Like

Sorry, it took me some time to restore the old reproducer where I had the fix applied. I can confirm, it is indeed what Dirk proposes. While I think we can merge the fix, I don’t think this feature is high priority. Given it was broken for such long time. I think we should drop it whenever we encounter any maintenance effort in this codebase.