Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NACM: initial support, multiple admin users #325

Closed
troglobit opened this issue Mar 4, 2024 · 1 comment · Fixed by #418
Closed

NACM: initial support, multiple admin users #325

troglobit opened this issue Mar 4, 2024 · 1 comment · Fixed by #418
Assignees
@troglobit
Labels
enhancement New feature or request
Milestone
Infix v24.04

Comments

@troglobit
Copy link
Contributor

In cd52a42 and f5866ee3 we hard-coded default groups and a user mapping of 'admin' to the group of administrators allowed 100% access to the system.

For the next step we need to support users changing the NACM configuration, at least to the extent of adding regular users with one of the three roles: administrator (UNIX group wheel), guest, and operator. E.g., adding the user 'foo' as administrator should add them to the wheel group so they can manage the system from both NETCONF and the CLI.

As a twist, a rule with the following properties (admin-acl) should be the only rule that shows the shell node augment in ietf-system:

     "module-name": "*",
     "access-operations": "*",
     "action": "permit",
@troglobit troglobit added the enhancement New feature or request label Apr 4, 2024
@troglobit
Copy link
Contributor Author

troglobit commented Apr 25, 2024
edited
Loading

Simplest way forward, check if user is in any1 group that is in a rule that has:

"module-name": "*",
"access-operations": "*",
"action": "permit",

If user does not match that, we force shell 'clish'.

Footnotes

  1. The same user can be a member of multiple groups. See https://www.rfc-editor.org/rfc/rfc8341#section-3.3.2

@troglobit troglobit added this to the Infix v24.04 milestone Apr 26, 2024
@troglobit troglobit linked a pull request Apr 29, 2024 that will close this issue
Initial support for multiple administrators #418
Merged
13 tasks
@troglobit troglobit self-assigned this Apr 30, 2024
@wkz wkz closed this as completed in #418 Apr 30, 2024
@troglobit troglobit changed the title NACM: initial integration with preconfigured user levels NACM: initial support, multiple admin users May 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@troglobit troglobit

Labels
enhancement New feature or request
Projects
Infix & C:o
Status: Done
Milestone
Infix v24.04
Development

Successfully merging a pull request may close this issue.

Initial support for multiple administrators kernelkit/infix
1 participant
@troglobit