Nethserver-delegation needs testers

This module gives you the ability to delegate the panels to a group of users or to a particular user. The known issue is that the Dashboard is not delegable: only ‘root’, ‘admin’ or a member of the ‘adm’ group can see the Dashboard… at least for now :smile:

sources are -> https://github.com/stephdl/nethserver-delegated-panel/tree/ns6

yum install http://mirror.de-labrusse.fr/nethserver/nethserver-delegated-panel/nethserver-delegated-panel-0.0.3-1.ns6.sdl.noarch.rpm

Then, when you want to give permissions, go to the User and Group panel, but you can also follow the instructions below.

  • User

for all panels

db accounts setprop stephane AdminPanels '*'
signal-event nethserver-delegated-panel-update 

for some panels

take a look at the available panels

ls /usr/share/nethesis/NethServer/Module/*.php

/usr/share/nethesis/NethServer/Module/AdminTodo.php       /usr/share/nethesis/NethServer/Module/LocalNetwork.php     /usr/share/nethesis/NethServer/Module/Shutdown.php
/usr/share/nethesis/NethServer/Module/Dashboard.php       /usr/share/nethesis/NethServer/Module/LogViewer.php        /usr/share/nethesis/NethServer/Module/Ssh.php
/usr/share/nethesis/NethServer/Module/DateTime.php        /usr/share/nethesis/NethServer/Module/NetworkAdapter.php   /usr/share/nethesis/NethServer/Module/StaticRoutes.php
/usr/share/nethesis/NethServer/Module/FirstConfigWiz.php  /usr/share/nethesis/NethServer/Module/NetworkServices.php  /usr/share/nethesis/NethServer/Module/User.php
/usr/share/nethesis/NethServer/Module/FQDN.php            /usr/share/nethesis/NethServer/Module/Organization.php     /usr/share/nethesis/NethServer/Module/UserProfile.php
/usr/share/nethesis/NethServer/Module/Group.php           /usr/share/nethesis/NethServer/Module/PackageManager.php
/usr/share/nethesis/NethServer/Module/Hosts.php           /usr/share/nethesis/NethServer/Module/Pki.php

then add the wanted panels (remove the .php and separate by a comma)

db accounts setprop stephane AdminPanels DateTime,Group,User,PackageManager
signal-event nethserver-delegated-panel-update 

  • Group

it is the same way…be aware that all users of this group will be allowed to do a nice and fun mess

for all panels

db accounts setprop FamilyGroup AdminPanels '*'
signal-event nethserver-delegated-panel-update 

for some panels

take a look at the available panels

ls /usr/share/nethesis/NethServer/Module/*.php

/usr/share/nethesis/NethServer/Module/AdminTodo.php       /usr/share/nethesis/NethServer/Module/LocalNetwork.php     /usr/share/nethesis/NethServer/Module/Shutdown.php
/usr/share/nethesis/NethServer/Module/Dashboard.php       /usr/share/nethesis/NethServer/Module/LogViewer.php        /usr/share/nethesis/NethServer/Module/Ssh.php
/usr/share/nethesis/NethServer/Module/DateTime.php        /usr/share/nethesis/NethServer/Module/NetworkAdapter.php   /usr/share/nethesis/NethServer/Module/StaticRoutes.php
/usr/share/nethesis/NethServer/Module/FirstConfigWiz.php  /usr/share/nethesis/NethServer/Module/NetworkServices.php  /usr/share/nethesis/NethServer/Module/User.php
/usr/share/nethesis/NethServer/Module/FQDN.php            /usr/share/nethesis/NethServer/Module/Organization.php     /usr/share/nethesis/NethServer/Module/UserProfile.php
/usr/share/nethesis/NethServer/Module/Group.php           /usr/share/nethesis/NethServer/Module/PackageManager.php
/usr/share/nethesis/NethServer/Module/Hosts.php           /usr/share/nethesis/NethServer/Module/Pki.php

then add the wanted panels (remove the .php and separate by a comma)

db accounts setprop FamilyGroup AdminPanels DateTime,Group,User,PackageManager
signal-event nethserver-delegated-panel-update 

Once it is done, go to https://IP_OR_HOST:980 and perform a login with the user credentials

@giacomo @davidep what about this?

8 Likes
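A least-privilege check for the AdminPanels delegation described in the first post, as an added example that is not part of the thread or of nethserver-delegated-panel. `check_panels` and `audit_delegations` are hypothetical helper names, the sample dump is constructed, and it is assumed that a full `db accounts show` prints every record in the same layout as the single-record output shown later in the thread.

```shell
#!/bin/sh
# Added example: least-privilege checks for the AdminPanels property.
# Default path is the one listed in the post; override MODULE_DIR to test.
MODULE_DIR="${MODULE_DIR:-/usr/share/nethesis/NethServer/Module}"

# check_panels LIST: validate a comma-separated panel list before it is
# passed to "db accounts setprop <account> AdminPanels LIST".
# Prints one verdict per entry; returns non-zero unless every entry is "ok".
check_panels() {
    rc=0; old_ifs=$IFS
    set -f; IFS=','                      # split on commas, no globbing of '*'
    for name in $1; do
        case "$name" in
            '*')       echo "wildcard *"; rc=1 ;;             # grants every panel
            Dashboard) echo "nondelegable Dashboard"; rc=1 ;; # per the thread
            ''|*[!A-Za-z0-9_]*) echo "invalid $name"; rc=1 ;;
            *) if [ -f "$MODULE_DIR/$name.php" ]; then echo "ok $name"
               else echo "unknown $name"; rc=1; fi ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# audit_delegations: read "db accounts show"-style text on stdin and print
# "<account> ALL|LIMITED <panels>" for every record that has AdminPanels set.
audit_delegations() {
    awk '
        /^[^ \t]/ { sub(/=.*/, ""); key = $0; next }   # record line: key=type
        $1 ~ /^AdminPanels=/ {                          # indented property line
            panels = substr($1, 13)                     # text after "AdminPanels="
            print key, (panels == "*" ? "ALL" : "LIMITED"), panels
        }'
}

# Constructed sample dump (first record mirrors the one shown in the thread).
SAMPLE='alessio=user
    AdminPanels=Dashboard,User,Group
FamilyGroup=group
    AdminPanels=*
stephane=user
    AdminPanels=DateTime,Group,User,PackageManager
mary=user
    FirstName=Mary'

printf '%s\n' "$SAMPLE" | audit_delegations
```

On a real host, feed `db accounts show` into `audit_delegations` to review who holds a wildcard grant, and run `check_panels` on a list before setting the property.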

Nice! I can see this in an environment where only certain users are permitted to perform certain tasks.

Thank you @stephdl! I think such an implementation is a big improvement, at least I can study the logic of the web GUI permissions :wink:

I fear someone will request a GUI for this, but for now I’m good with the CLI!
What do you think @Paulo_Rodrigues?

1 Like

The logic is easy, writing code in php is not so easy :smile:

The panels could be allowed to users with a SELECTOR_MULTIPLE, an array of *.php from the Module folder ought to feed the AdminPanelsDatasource

after that either we use the User and Group panel for displaying the new Module, or we provide a specific Menu only for the contribs

A matter of choice

as Steph said in another topic, if someone needs something, instead of waiting and begging, he’d start doing it himself… :wink:

that’s how things must work

Sorry @stephdl but I have an error after the signal-event

Nov  5 17:40:52 localhost esmith::event[10231]: Action: /etc/e-smith/events/nethserver-delegated-panel-update/S00initialize-default-databases SUCCESS [2.295716]
Nov  5 17:40:52 localhost esmith::event[10231]: expanding /usr/share/nethesis/NethServer/Authorization/base.json
Nov  5 17:40:52 localhost esmith::event[10231]: ERROR: No templates were found for /usr/share/nethesis/NethServer/Authorization/base.json.
Nov  5 17:40:52 localhost esmith::event[10231]:  at /etc/e-smith/events/actions/generic_template_expand line 64
Nov  5 17:40:52 localhost esmith::event[10231]: [WARNING] expansion of /usr/share/nethesis/NethServer/Authorization/base.json failed
Nov  5 17:40:52 localhost esmith::event[10231]: Action: /etc/e-smith/events/actions/generic_template_expand FAILED: 1 [0.325607]
Nov  5 17:40:52 localhost esmith::event[10231]: Event: nethserver-delegated-panel-update FAILED

Check also

[root@localhost ~]# db accounts show alessio
alessio=user
    AdminPanels=Dashboard,User,Group

I noted also that there is the same error during the installation

Nov  5 17:40:05 localhost /etc/e-smith/events/nethserver-delegated-panel-update/S00initialize-default-databases[9208]: /var/lib/nethserver/db/accounts: OLD alessio@=pseudonym|Access|public|Account|alessio|ControlledBy|system|_prevAccount|alessio
Nov  5 17:40:05 localhost /etc/e-smith/events/nethserver-delegated-panel-update/S00initialize-default-databases[9208]: /var/lib/nethserver/db/accounts: NEW alessio@=pseudonym|Access|public|Account|alessio|ControlledBy|system
Nov  5 17:40:05 localhost esmith::event[9207]: Migrating existing database tc
Nov  5 17:40:05 localhost esmith::event[9207]: Migrating existing database configuration
Nov  5 17:40:05 localhost esmith::event[9207]: Action: /etc/e-smith/events/nethserver-delegated-panel-update/S00initialize-default-databases SUCCESS [0.397227]
Nov  5 17:40:05 localhost esmith::event[9207]: expanding /usr/share/nethesis/NethServer/Authorization/base.json
Nov  5 17:40:05 localhost esmith::event[9207]: ERROR: No templates were found for /usr/share/nethesis/NethServer/Authorization/base.json.
Nov  5 17:40:05 localhost esmith::event[9207]:  at /etc/e-smith/events/actions/generic_template_expand line 64
Nov  5 17:40:05 localhost esmith::event[9207]: [WARNING] expansion of /usr/share/nethesis/NethServer/Authorization/base.json failed
Nov  5 17:40:05 localhost esmith::event[9207]: Action: /etc/e-smith/events/actions/generic_template_expand FAILED: 1 [0.108379]
Nov  5 17:40:05 localhost esmith::event[9207]: Event: nethserver-delegated-panel-update FAILED
Nov  5 17:40:05 localhost esmith::event[9210]: Event: runlevel-adjust
Nov  5 17:40:06 localhost esmith::event[9210]: No active fetchmail accounts. Exiting gracefully

Any hint?

valid, I made a mistake, the template is located at : /usr/share/nethesis/NethServer/Authorization/base.json/base.json instead of /usr/share/nethesis/NethServer/Authorization/base.json

1 Like

It should be corrected, install with: yum install nethserver-delegated-panel-0.0.2-1.el6.noarch.rpm

1 Like

I have almost done the Panel for the contribs, thanks to @Ctek for giving me the way :smile:

@davidep I may be wrong, but I’m not sure that the permissions for the Dashboard are located in /usr/share/nethesis/NethServer/Authorization/base.json; I cannot instantiate the permissions for a user.

All Panels can be delegated except the Dashboard !!!

Dashboard is quite different from other modules. It instantiates its contents depending on the “admin” condition.

Thanks @davidep, can you explain why the authorisation doesn’t depend on the base.json file? Other modules can also be quite sensitive from a security point of view and they don’t have this kind of authorisation.

Like this we can not delegate the dashboard :frowning:

It’s not easy to explain… Well, first of all, for “historical reasons”. Dashboard is the default module. A Location header is sent if the module name is missing in the request URL.

Before the “dependency injection” refactor it was not possible to calculate the redirect on the User object in index.php, because User was not instantiated.

Perhaps we can now arrange the things differently and obtain two distinct default dashboard modules: the Admin’s one and the User’s one.

Another approach could be invoking the Authorization procedures to make the Dashboard plugins behave like the root level modules and allow granting/delegating them.

@davidep
Just an idea, maybe i’m off track here…
Wouldn’t it be easier to create a meta module that is a substitute for the dashboard? This way there is no need to refactor all the code for the dashboard.

BR
Bogdan

Install the version nethserver-delegated-panel-0.0.3-1.ns6.sdl.noarch.rpm; a plugin is now available in the User and Group panel -> see the first post for installing it.

You can either allow all modules for a group or a user, or specify which modules you want to be allowed.

as always, let me know your thoughts.

3 Likes

New bounty created! :smile_cat:

It’s time to move in with this!

2 Likes

I need to try nethserver-delegated-panel on NS7, a templated file /usr/share/nethesis/NethServer/Authorization/base.json is still needed

1 Like

I see two possible ways of doing it:

  1. The quicker: define a template for base.json in your package, and bind the nethserver-httpd-update event to re-expand it when the RPM restores its original state

  2. The smartest: add another .json file (being template or not) under the same dir with additional rules that refine or override the rules from base.json.

In both cases be aware of the bug/limitation of PolicyRule I said above:

Well I need to rewrite it quite entirely for NS7

For NS6 ONLY

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.4-1.ns6.sdl.noarch.rpm

after that you can choose which panels are available for what groups or users

1 Like

bump kamikazes needed