[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [hobbit] restricting access to hobbit

What Phil requested may be worthy of the status of a new feature: capability
to segment hosts into groups, which in turn can be accessed and/or managed
only by designated users/group.
For some large installations with thousands of hosts, it seems to be a
must-have instead of a nice-to-have.

On Nov 15, 2007 7:36 PM, Phil Wild <philwild (at) gmail.com> wrote:

> Thank you all,
>
> This is what I was kind of expecting. The path we are currently going to
> take is to use Xen to run two versions on the one box. The virtual host idea
> is interesting but I expect we would have problems with all the daemons.
>
> I was kind of hopting that all these functions used a common utility like
> bbhostgrep or something to get the list of hosts from the bb-hosts tree and
> if so, it may have been simple to modify along the lines of putting a
> commented tag against hosts listed in bb-hosts.
>
> For the functions/reports that built directory structures I was thinking
> that a wrapper could be used to put the authentication directives in the
> right places.
>
> Cheers
>
> Phil
>
>
> On 16/11/2007, s_aiello (at) comcast.net <s_aiello (at) comcast.net> wrote:
> >
> > On Thursday 15 November 2007, Tod Hansmann wrote:
> > > So what you are asking is to have one hobbit installation function in
> > a
> > > manner equivalent to two hobbit installations.  The only reason the
> > > apache authentication stuff won't work is because the CGI-BIN stuff
> > > works on the raw data and/or memory state of hobbit's main
> > > functionality.  Thus, you would need to hack the code to do two things
> > > that is doesn't do currently:
> > >
> > > 1) You would need to get permissions built-in to bb-hosts
> > > interpretations, which would be trivial to have understood, but a lot
> > of
> > > changes to do anything with that.  (Knowing there's a group A and B is
> > > one thing.  Knowing what do with that knowledge is the harder part).
> > > 2) You would need to modify all the CGI programs to work on the
> > separate
> > > datas.
> > >
> > > This, in my estimation, is not at all what hobbit was designed for,
> > and
> > > you'd be much better off just running two separate instances of
> > hobbit.
> > > You can even run a third to combine the two sets of data into one
> > (like
> > > we do) and only allow yourself to see that one.
> > >
> > > Am I missing something in my estimations here?
> > >
> > > Tod Hansmann
> > > Network Engineer
> > >
> >
> > To get 2 separate instances can be performed by using Alternate
> > Pagesets. See
> > the Alternate Pagesets section under the bbgen man. That will not solve
> > your
> > issue with stoping a user group from maint'ing another group's devices,
> > since
> > the cgi dir isn't separate.
> >
> > As to limiting users from ack'ing/maint'ing the other groups servers,
> > you can
> > look at a post I outlined long ago. The post is at:
> > http://www.hswn.dk/hobbiton/2007/07/msg00534.html
> >
> > Not sure how this works with alternative page sets, but this should be
> > enough
> > for you to move forward and tweak accordingly.
> >
> > ~Steve
> >
> > To unsubscribe from the hobbit list, send an e-mail to
> > hobbit-unsubscribe (at) hswn.dk
> >
> >
> >
>
>
> --
>
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild (at) gmail.com
>