I’m thinking to add the sudo access delegation for groups and users(all rights and specific commands)
good idea, maybe a bit beyond the topic of this module
The use case is User wants to change his password, by accessing the Server Manager.
If no URL path is provided, Nethgui redirects to Dashboard. This is quite hardcoded. Then Dashboard decides what to do. If User is an admin the Dashoboard is shown, otherwise a redirect to UserProfile is returned.
The FirstConfigWiz module has a Login override mechanism. We could take advantage of it for UserProfile, too.
However, what is the goal? Why an unprivileged user wants to see the Dashboard?
Good question, I’m not following the scenario outlined above
Diagnostic, status evaluation (system load or space management), access to specific services for troubleshooting (VPN, Print server), service and access management (mail quotas, user and shares management).
Actually you have two ways to share privileges in the server-manager
- be in the administrators group → full privilege
- be in the managers group → privilege only on the management section (I’m not sure that the dashboard is visible)
It is either too much, or really not enough
Others are thinking like me, see
I have made separate root / admin / user panels (Working!) - #11 by Xonline
If you manage servers for your customers you probably want to restrict permissions, except if you love to hurt yourself and fix a lot of issues because several incompetents have all rights. You probably need to let a full access to certain, and just few management and configuration sections for others.
This is just an example but if you want to delegate an access to the server-manager, the dashboard is just another resource that you might want to share with the granted users !
Actually, I made like a code challenge for me to delegate per panel, it is maybe a need for some usages, but also we could think to delegate per section, it is easy, fast, efficient.
what do you think @dnutan
with all my respect @davidep the fact that a user cannot see the dashboard because it is hardcoded, is an issue for me.
Agree with @pike and @stephdl.
One could want to delegate access to dashboard and stats to monitor server status/resources to a user without giving her full access or admin privilege.
A small businesses may not be able to afford having a sysadmin at full time but might have a smart jack-of-all-trades person who can handle tasks like creating shared folders, user/mail accounts, managing quotas, and monitor the system on a daily basis and let more complicated tasks or planned maintenance to an external sysadmin.
A soho businesses may have an IT department composed by people with different skills (sysadmin, programmer, web developer…) or/and different work-hours. Some could have the need to configure a reverse proxy but don’t need access to users, backups, et cetera.
These are fictional examples.
I like this idea of a central control panel for users.
Tested delegation to users (not groups) on NethServer 7 and didn’t find any issue.
UserProfile and Login delegation checkboxes have no observable effect, but that’s ok.
Thank you very much for your explanations, really appreciated!
Let’s see if we can change the default permissions. My proposal is
- Retain default pages: administrators have Dashboard as splash page, unprivileged users have UserProfile page.
- Unprivileged users have access to pages under the “Status” category, Dashboard included.
Is it fine for you?
This is not an userspace page.
@davidep, if you are a mail server manager, would you like to bring to mailbox users data about the available space on the mail server? Or the runtime?
My answer is “no”. Default user should access only to pw update page.
Please, consider this hypotetical case.
50-100 workers firm, external workers (salesforce? Technicians? remote workers? who knows ), HR department, an IT guy/gal resident for helpdesk and day-to-day tasks with no experience about server management or Information system deployment. And you are the Sysadmin of nethserver.
Which is deployed as MailServer, Content filtering, VPN endpoint, file server, printer server.
HR should have access to User management page, for add and disable users, change password.
IT guy should have access to Printer management, backup management, users permissions management, VPN status/management, status of the server (dashboard included).
Other users should access to PW page, Mail/cloud suite.
External user should access PW page, Mail/cloud suite, OpenVPN download section.
And it would be nice change dashboard access to the various sections of a delegated panels if a new entry comes to HR, IT or other department, enabling the specific section to access and to interact-to.
It’s quite a wish, probably not an easy-to-outcome feature, i know.
This feature (user’s page) exists with SME Server, I agree like @dnutan that it could be a new (collaborative I hope) work. Maybe a draft on the wiki or here could be started on what it is needed.
Yes
like @pike I tend to think that it is too much…probably I just would to delegate the Application (in Status section) by default…or eventually, following the need of the sysadmin…nothing granted by default but available if needed.
I found a bug myself yesterday
with the two radio buttons (same db property but with two values : enabled/disabled) once validated you cannot remove all the delegation easily…you need to set a delegation per panel and uncheck all selected panels
Agree.
No access unless delegated.
Uncheck panels one by one, that’s what I did. I would prefer a (de)select all approach instead of two radio buttons, but don’t know if such control is available in the nethgui framework.
At the users/groups list there’s no indicator of delegation status (to quickly grasp whether the default policy, full delegation, or custom delegation has been assigned). You have to open each item to remember which ones had some delegation.
@sebastian implemented one by JS
super…is it possible to get it incorporated in nethgui with the ‘SELECTOR_MULTIPLE’.
For now I tested it, work nicely
@dnutan I kept your Idea
if the sudo textarea is empty then it is a full sudo access, else you need to write down each allowed bash command (a verification is done to see if the command is executable by ‘is_executable’, can be done also by file_exists)
In my opinion “Delegate all panels” and “Delegation per panel” columns are redundant (if “delegate all” is enabled the other cannot be, and the inverse case).
I wasn’t getting your point on keeping the “Delegate all panels” radio button. Now I realize it makes sense if someone wants to delegate all panels (*) including the ones installed by new modules (that are not listed at the time of assigning delegations). If this is desired we shall remember to document it once design and functionality is sorted out.
PS: Have not tested if this is the current behaviour.
yes, the delegate all panels will give a full access to all future installed modules. The equivalent will be to put this user in the administrators group.
I have not stated on the final UI, things can change.
yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.3-1.ns7.sdl.noarch.rpm
- display the values of delegation directly in the User/Group table
- sudo delegation (full and by specific command)
- Uncheck/Check all Panel (thank nethesis )
available for ns7
if sudoCommands=.,..,/
or some combination of .
and /
# visudo -cf /etc/sudoers.d/UserDelegation
visudo: >>> /etc/sudoers.d/UserDelegation: syntax error near line 14 <<<
parse error in /etc/sudoers.d/UserDelegation near line 14
causing login issues and other side effects.
Not a module problem is to give sudoers access to commands that inadvertently allow shell escapes (see sudoers NOEXEC
tag).