Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User rights management? #12

Closed
portnov opened this issue Mar 31, 2016 · 2 comments
Closed

User rights management? #12

portnov opened this issue Mar 31, 2016 · 2 comments
Labels
question

Comments

@portnov
Copy link
Owner

portnov commented Mar 31, 2016

In order for batchd to be used in multi-user environment, it needs to have some sort of user rights management / access control system:

  • Some users are super-admins
  • Some users can do anything with specified queues only
  • Some users can only put jobs to specified queues only
  • Some users can only view status of some queues.

It seems we have to have "users", "groups" and ACLs with permissions listed above.

For the auth, we can use two approaches:

  • basic HTTP user/password auth
  • HTTPS auth with client certificate checking.

For both approaches, a question of how to store credentials secure is actual. It would be good to delegate this functionality to specialized system, but usage of system like RADIUS or kerberos seems too complex for now.
@portnov
Copy link
Owner Author

portnov commented May 14, 2017
edited
Loading

About authentication: the following options will be available:

  • basic HTTP auth. Enabled by default. Passwords are stored as SHA-256 hashes with salt.
  • "X-Auth-User" header. Provided user name is accepted without further auth. Disabled by default. To be enabled in case when authentication was done externally. Usable for example when client certificate is checked by nginx.
  • No auth. In this mode all users are superusers. This can be used on localhost. Disabled by default.

portnov pushed a commit that referenced this issue May 15, 2017
Start ACS implemnentation.
0069a30 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
Create-superuser utility.
c727474 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
On authentication.
9e736ca 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
On ACS.
a8e2cad 
refs #12
portnov pushed a commit that referenced this issue May 15, 2017
On ACS.
af4b687 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
On ACS.
4e1c25b 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
Add possibility to create/list users to CLI client.
57b925f 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
Add function to add/list permissions from CLI client.
8dc11fd 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
Implement password changing.
241e563 
refs #12.
portnov pushed a commit that referenced this issue May 15, 2017
Add possibility to disable auth on CLI client and manager.
30ca799 
In this mode all users are superusers.

refs #12.
portnov pushed a commit that referenced this issue May 16, 2017
Split permissions per job type.
0d48359 
Only for CreateJobs for now.
refs #12.
portnov pushed a commit that referenced this issue May 16, 2017
Add function to view types of job which user can create in specified …
ece9d59 
…queue.

refs #12.
portnov pushed a commit that referenced this issue May 16, 2017
Add "user" field to job.
227ad2d 
refs #12.
@portnov
Copy link
Owner Author

portnov commented May 19, 2017

Implemented.

@portnov portnov closed this as completed May 19, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@portnov