Delegation of roles in cockpit

Feature
1

I would like to present the team work we did on the delegation part, first thank to @giacomo and @edoardo_spadoni for their supports and tips

the delegation of roles is group based, root and members of domains admin group should have the full access permission, other groups are at the beginning only granted to the dashboard, settings (only password change) and about pages.

The only difference between root and the domains admin group is about the delegation part, only root can delegate the roles, we worried about permission escalation if other administrators can grant permission to another group.

Inside the group panel you have two drop down menu like you can see on the screenshots

delegation for domain admins

Screenshot_2019-03-01%20Syst%C3%A8me%20-%20ns7loc8%20nethservertest%20org
Screenshot_2019-03-01 Système - ns7loc8 nethservertest org.png836×706 52.6 KB

delegation for sysadmins group

Screenshot_2019-03-01%20Syst%C3%A8me%20-%20ns7loc8%20nethservertest%20org(1)
Screenshot_2019-03-01 Système - ns7loc8 nethservertest org(1).png836×742 48.4 KB

we made a wiki page for those who want to dive inside more

Testing

  • Install nethserver-cockpit from testing with either samba AD or openldap
  • Create a group and delegate roles
  • API are pushed to the sudoers file /etc/sudoers.d/30_nethserver_cockpit_roles once saved
  • Roles are saved in /etc/nethserver/cockpit/authorization/roles.json
14 Likes
3

I get this:

Resolving Dependencies
→ Running transaction check
—> Package nethserver-cockpit.noarch 0:0.3.0-1.73.g9083c4b.ns7 will be installed
nethserver-testing/7/x86_64/filelists_db | 197 kB 00:00:00
→ Processing Dependency: nethserver-subscription for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
→ Processing Dependency: nethserver-cockpit-lib for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
→ Processing Dependency: /usr/libexec/nethserver/api/lib/helper_functions.pl for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
Error: requested datatype filelists not available

4

Must be an offending repo (my bad). When I issue the below, all is fine.

yum install nethserver-cockpit --disablerepo=* --enablerepo=nethserver-testing

2 Likes
5

Hi Steph, I would like to test this package.

I know it has been widely tested and it’s ready for deploy also on Enterprise machines.
I cannot find instructions on how to install this package, could you please provide me instructions about how to install delegation?

I would like to use it to leave customers access with an admin user, but I want to hide “Software Center”, to avoid installation of packages that could cause the server to crash, or packages that this customer must not use.

6

It is part of nethserver-cockpit, no additional package.
To use it follow directions from documentation.

3 Likes