Delegation of roles in cockpit

(Stéphane de Labrusse) #1

I would like to present the teamwork we did on the delegation part. First, thanks to @giacomo and @edoardo_spadoni for their support and tips.

The delegation of roles is group-based: root and members of the domains admin group should have the full access permission; other groups are at the beginning only granted access to the dashboard, settings (only password change) and about pages.

The only difference between root and the domains admin group is the delegation part: only root can delegate the roles. We worried about permission escalation if other administrators could grant permission to another group.

Inside the group panel you have two drop-down menus, as you can see in the screenshots.

delegation for domain admins

delegation for sysadmins group

We made a wiki page for those who want to dive in deeper.

Testing

  • Install nethserver-cockpit from testing with either samba AD or openldap
  • Create a group and delegate roles
  • APIs are pushed to the sudoers file /etc/sudoers.d/30_nethserver_cockpit_roles once saved
  • Roles are saved in /etc/nethserver/cockpit/authorization/roles.json
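
An added example, not part of the original post or of NethServer's code: a small audit of the generated sudoers drop-in that flags group grants reaching beyond the API tree, which is the escalation concern raised above. It assumes standard `%group HOST=TAGS: command, ...` sudoers rules and that delegated APIs live under `/usr/libexec/nethserver/api/`; the group names and API paths in the sample are constructed.

```python
import re

API_PREFIX = "/usr/libexec/nethserver/api/"  # assumption: delegated APIs live under this tree

# Constructed sample of the drop-in; the real file's layout may differ.
SAMPLE = """\
%sysadmins ALL=NOPASSWD: /usr/libexec/nethserver/api/system-users/read, \\
    /usr/libexec/nethserver/api/system-dns/read
%helpdesk ALL=NOPASSWD: /usr/libexec/nethserver/api/system-users/read, /usr/bin/vi
%interns ALL=(ALL) NOPASSWD: ALL
"""

RULE = re.compile(r"^%(?P<group>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

def parse_group_rules(text):
    """Return {group: [commands]} for %group rules, joining continuation lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = {}
    for line in joined.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # comments, blank lines, aliases, per-user rules
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags such as NOPASSWD:
            if cmd:
                rules.setdefault(m.group("group"), []).append(cmd)
    return rules

def audit(text, prefix=API_PREFIX):
    """Return sorted (group, command, reason) findings for grants beyond the API tree."""
    findings = []
    for group, cmds in parse_group_rules(text).items():
        for cmd in cmds:
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((group, cmd, "unrestricted"))
            elif not path.startswith(prefix) or "/../" in path or "*" in path:
                findings.append((group, cmd, "outside API tree or wildcard"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

On a test machine, pass the contents of /etc/sudoers.d/30_nethserver_cockpit_roles to `audit()` after saving a delegation; an empty result means every group rule stays inside the assumed API tree.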

(Giacomo Sanchietti) pinned #2

(HF) #3

I get this:

Resolving Dependencies
--> Running transaction check
---> Package nethserver-cockpit.noarch 0:0.3.0-1.73.g9083c4b.ns7 will be installed
nethserver-testing/7/x86_64/filelists_db | 197 kB 00:00:00
--> Processing Dependency: nethserver-subscription for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
--> Processing Dependency: nethserver-cockpit-lib for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
--> Processing Dependency: /usr/libexec/nethserver/api/lib/helper_functions.pl for package: nethserver-cockpit-0.3.0-1.73.g9083c4b.ns7.noarch
Error: requested datatype filelists not available


(HF) #4

Must be an offending repo (my bad). When I issue the below, all is fine.

yum install nethserver-cockpit --disablerepo='*' --enablerepo=nethserver-testing