Cockpit granular rights don't work?

Hi,

I tried to delegate to some users the right to administer users and email in Cockpit, but while the users can log in, they are denied everything.

I set up a group and assigned those users to that group.


Is there something obvious I’m missing?

cc @giacomo @davidep :blush:

1 Like

I don’t think so, you could access the browser console and see if there is any error.
You can also cut&paste the commands as the user and see what happens.

I know that @davidep and @stephdl are working on this part.
Maybe they can help more.

1 Like

Yes, the console of the browser will give you hints about your issue. I don’t remember if the mail part has been tested with delegation.

We are currently working on the v2 of the delegation and we will test it.

1 Like

From what I tested it is OK with nethserver-mail and the V2 delegation, except for access to the logs: since it is restricted to root, we cannot delegate it to be read by everybody, even delegated users. This will be true for all applications in Cockpit.

cc @davidep @giacomo

davidep, if you want to look at the sudoers branch in nethserver-cockpit, I think I closed the circle, except for the option in the UI to delegate all system/applications.

I did some automation to find the APIs and expand them automatically if an app is delegated at least one time, or all APIs for the ‘domain admins’ group. Feel free to comment.

Is this an acceptable limitation? IMHO yes, because usually you just want to delegate only common operations like creating or disabling mail addresses.

The log page is displayed, but the log console is empty, with errors in the web tools console. Maybe we could add to each app a test before displaying this page: are you root?

Just food for thought.

I agree with this approach!

As this requires reworking all “Logs” pages, we can also consider implementing them with the “logviewer” nethgui helper, and delegating it properly with the sudoers config.

Card (edited) https://github.com/orgs/NethServer/projects/3#card-20122341

2 Likes
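The two posts above describe the same mechanism from two sides: per-app API commands are exposed to a group once that app is delegated (with ‘domain admins’ getting every app), and a read-only log helper is delegated through sudoers instead of granting root. The following is an added example of how such a sudoers fragment can be generated under least-privilege constraints; it is not nethserver-cockpit's own code, and every command path and group name in it is a constructed placeholder.

```python
"""
Generate a sudoers fragment that delegates a fixed list of per-app API
commands to groups: a delegated app exposes its commands to the delegated
group, the ALL_APPS_GROUP gets every app, and every delegated group also
gets a single read-only log viewer command rather than root.

Added example, not nethserver-cockpit's own code. All paths and group
names below are constructed placeholders.
"""
import re

# Constructed placeholder API layout (one read command plus write commands
# per app). The real nethserver-cockpit API paths are not used here.
APP_API = {
    "nethserver-mail": [
        "/placeholder/api/nethserver-mail/read",
        "/placeholder/api/nethserver-mail/create",
        "/placeholder/api/nethserver-mail/update",
    ],
    "nethserver-dc": [
        "/placeholder/api/nethserver-dc/read",
        "/placeholder/api/nethserver-dc/create",
    ],
}

# Placeholder read-only log viewer: the only log-related command a
# delegated group may run, so no general-purpose root shell or log tool.
LOG_VIEWER = "/placeholder/api/system-logs/read"

# Group that is granted every app's API (name taken from the thread).
ALL_APPS_GROUP = "domain admins"

_GROUP_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_ .-]*$")
# Whitespace, wildcards and sudoers metacharacters in a command path would
# let a rule match extra arguments or a second command; reject them.
_UNSAFE_IN_CMD = re.compile(r"[\s*?\[\],:=\\#]")


def validate_group(group):
    """Return the group name in sudoers form (spaces backslash-escaped)."""
    if not _GROUP_RE.match(group):
        raise ValueError("invalid group name: %r" % group)
    return group.replace(" ", "\\ ")


def validate_command(path):
    """Accept only an absolute path with no wildcard or metacharacter."""
    if not path.startswith("/") or _UNSAFE_IN_CMD.search(path):
        raise ValueError("unsafe command path: %r" % path)
    return path


def sudoers_rule(group, commands):
    """One sudoers line: %group ALL=(root) NOPASSWD: cmd1, cmd2, ..."""
    cmds = ", ".join(validate_command(c) for c in commands)
    return "%%%s ALL=(root) NOPASSWD: %s" % (validate_group(group), cmds)


def generate_fragment(delegations, apps=APP_API, log_viewer=LOG_VIEWER):
    """delegations maps app name -> list of groups delegated for that app.

    Each delegated group receives exactly the commands of the apps it was
    delegated for, plus the read-only log viewer. ALL_APPS_GROUP always
    receives every app's commands plus the log viewer.
    """
    per_group = {}
    for app, groups in delegations.items():
        if app not in apps:
            raise KeyError("unknown app: %r" % app)
        for group in groups:
            per_group.setdefault(group, set()).update(apps[app])

    lines = []
    for group in sorted(per_group):
        lines.append(sudoers_rule(group, sorted(per_group[group]) + [log_viewer]))
    every_cmd = sorted(c for cmds in apps.values() for c in cmds)
    lines.append(sudoers_rule(ALL_APPS_GROUP, every_cmd + [log_viewer]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed delegation: only nethserver-mail is delegated, to mailadmins.
    print(generate_fragment({"nethserver-mail": ["mailadmins"]}))
```

The generated text is meant to be written to a file under `/etc/sudoers.d/` only after `visudo -c` accepts it; the validators exist so that a group name or path coming from a UI cannot widen a rule beyond the enumerated commands.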

Thanks for looking into it!

I see. I guess that V2 delegation is not available yet?

Here is the output of the browser console just after logging in with a user with limited rights:

I can’t get what could be “unsafe” about allowing log view for users delegated to access server management.
I mean…
Let’s consider an HR Manager, who should add or disable users due to staff changes. When a user is created but some error comes up, they should be able to go to the log and search for info, to forward it to the IT manager…
Or consider the File Server Manager, who decides quota or granular ACL. Logs should be accessible.
I used too much coffee to consider this scenario… viable?

It seems that we will delegate the group of the user to read the logs, WIP.