
Cockpit delegation UI

Stephane de Labrusse edited this page Feb 26, 2019 · 14 revisions

Goal

Delegate access to specific panels to selected users.

Associated PRs:

Profile configuration

Each system group can have a delegation profile which describes which pages can be accessed by the users in the group. The configuration is accessible from the group modification form inside the "Users" page, under the "System" section.

Only the root user can configure the profiles.

For each group the root user can select:

  • zero, one or more pages under the "System" section
  • zero, one or more installed applications

Special admin group

The group returned by config getprop admins group must have access to all pages.

This group has only one limitation: it can't edit delegation profiles.

Open problems

  • When the system uses a remote Account Provider, the group page is accessible only in read-only mode, so there is no way to configure the delegation profiles

Known bugs

The group returned by config getprop admins group must not display any select box, because it's not editable. The groups should list all granted pages.

Main menu

The main menu should be changed according to the user's delegation profile, but this is quite hard to implement.

Failed implementations:

  • create a manifest override for each user: every time there is a change in a group, the system should loop over each user's home and change the menu according to the profile
  • hide items using JavaScript: menu loading is quite slow, and the menu blinks on every page change

Alternative solution:

  • do not hide main menu items: the user can access all listed pages, but the page should display a "Permission denied" error if the user doesn't have the delegation for the page

System

Access to pages in the "System" section can be selectively granted to a group. Example: members of group 'backuppers' can have access to the "Backup" page but not to the "Certificates" one.

Known bugs

An admin user, when accessing the "Settings" page, has access only to the "Change password" form. The user should have access to all available settings.

Applications

Access to an application is granted for the application as a whole. Example: members of group 'firewallers' can have access to the whole firewall application and can't be limited to specific pages like port forwards.

Known bugs

Applications which use multi-level APIs (e.g. /usr/libexec/nethserver/api/nethserver-firewall-base/objects) are not accessible by delegated users. Possible fix inside /etc/sudoers.d/30_nethserver_cockpit_roles:

Cmnd_Alias DOMAINADMINS = /usr/libexec/nethserver/api/*/*/*
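
The alias above depends on how sudoers matches wildcards in a command path: a * never matches a /, so each * covers exactly one path component. The following is an added example (not part of this wiki or of the NethServer code) that audits which API paths a pattern covers; the two-level pattern and the script names in the sample paths are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

API_ROOT = "/usr/libexec/nethserver/api"
PROPOSED = API_ROOT + "/*/*/*"   # alias value proposed on this page
TWO_LEVEL = API_ROOT + "/*/*"    # assumed shape of a single-level API rule


def sudoers_cmnd_match(pattern, command):
    """Match a command path against a sudoers command pattern.

    Wildcards in the file-name part of a sudoers command never match '/',
    so the comparison is done one path component at a time.
    """
    p_parts = pattern.split("/")
    c_parts = command.split("/")
    if len(p_parts) != len(c_parts):
        return False
    return all(fnmatchcase(c, p) for p, c in zip(p_parts, c_parts))


def coverage(patterns, commands):
    """Return {command: [patterns that allow it]} for an audit listing."""
    return {
        c: [p for p in patterns if sudoers_cmnd_match(p, c)]
        for c in commands
    }


# Constructed sample paths: only the ".../nethserver-firewall-base/objects"
# prefix comes from the page, the trailing names are hypothetical.
SAMPLES = [
    API_ROOT + "/nethserver-firewall-base/read",
    API_ROOT + "/nethserver-firewall-base/objects/read",
    API_ROOT + "/nethserver-firewall-base/objects/extra/read",
]

if __name__ == "__main__":
    for cmd, allowed in coverage([TWO_LEVEL, PROPOSED], SAMPLES).items():
        print(f"{cmd}: {allowed or 'not covered'}")
```

Because the alias lists no arguments, sudo permits every matched command with any arguments. Paths nested deeper than three components below the API root stay outside the alias.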

Dashboard

TODO

  • remove link on dashboard if the user doesn't have the permission
  • remove the reboot button if the user doesn't have the permission (visible only to admins)
  • In the application menu, when logged in as a user, you want to see all the Cockpit applications and the older nethgui application