Closed duncaninnes closed 8 years ago
That's unfortunately really, really complicated to do in a safe way from Foreman. Traffic from Cockpit goes from Cockpit to the user, without going through Foreman, so the Foreman server doesn't get a chance to limit permissions.
It's a good use case for Cockpit, although I would think they would tell you that these permissions can be configured at the OS level (have a 'middleware' user, for instance). If you configure the user in such a way that they can only restart jboss & httpd, that'd be a possible way to do it?
@stefwalter ^ ?
Hi @duncaninnes @dLobatog ... I've answered the question here:
https://lists.fedorahosted.org/pipermail/cockpit-devel/2015-November/000368.html
> That's unfortunately really, really complicated to do in a safe way from Foreman. Traffic from Cockpit goes from Cockpit to the user, without going through Foreman, so the Foreman server doesn't get a chance to limit permissions.
Permissions should be limited on the system itself. Cockpit respects any and all system permissions. Put another way ... Cockpit has no way to elevate its privileges beyond the credentials that were used to log in, besides the system permissions granted via sudo and/or policykit.
See above list posting for more details.
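Added example (not from this thread, and not code shipped by Cockpit or Foreman): one way to express the "Middleware Admins may only restart JBoss and httpd" policy at the system level, as a polkit rule. Cockpit's Services page asks systemd over D-Bus, and systemd checks the polkit action `org.freedesktop.systemd1.manage-units`, passing the unit name and the requested operation as action details (`unit` and `verb`). The group name `middleware`, the unit names `httpd.service` and `jboss.service`, the install path, and the availability of those two details on the systemd version in use are all assumptions here; verify the last one before relying on the rule. Everyone not matched by the rule gets polkit's default behaviour (usually an admin password prompt), so a Manager with no sudo or polkit grants sees the pages but cannot change anything.

```javascript
// Added example: polkit rule limiting a group to managing two systemd units.
// Intended install path (assumed): /etc/polkit-1/rules.d/40-middleware-services.js
// The decision is kept in a plain function so the policy can be tested
// outside polkit (e.g. with node) before deploying it.

var MANAGE_UNITS_ACTION = "org.freedesktop.systemd1.manage-units";
var MIDDLEWARE_GROUP = "middleware";                         // assumed group name
var ALLOWED_UNITS = ["httpd.service", "jboss.service"];      // assumed unit names
var ALLOWED_VERBS = ["start", "stop", "restart", "reload"];  // systemd verb detail values

// Returns true only when every condition of the allow-list holds.
// Anything else returns false, which means "this rule has no opinion":
// polkit falls back to its other rules and the default policy.
function middlewareMayManage(actionId, unit, verb, isInGroup) {
    if (actionId !== MANAGE_UNITS_ACTION) return false;
    if (isInGroup !== true) return false;
    if (typeof unit !== "string" || typeof verb !== "string") return false;
    return ALLOWED_UNITS.indexOf(unit) !== -1 && ALLOWED_VERBS.indexOf(verb) !== -1;
}

// Registered only inside polkit's JavaScript engine, where the global
// `polkit` object exists; under node this branch is skipped.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        // action.lookup() returns undefined when systemd did not pass the detail,
        // which the decision function treats as a denial rather than a match.
        if (middlewareMayManage(action.id,
                                action.lookup("unit"),
                                action.lookup("verb"),
                                subject.isInGroup(MIDDLEWARE_GROUP))) {
            return polkit.Result.YES;
        }
        // No return value: let the remaining rules and the default policy decide.
    });
}
```

Because the rule returns YES only for the listed unit/verb pairs and never returns NO, it cannot accidentally lock out administrators who are authorised by other means. If the same group also needs the equivalent from a Cockpit terminal, the matching sudo path is a sudoers entry restricted to the same commands, for example `%middleware ALL=(root) /usr/bin/systemctl restart httpd.service, /usr/bin/systemctl restart jboss.service`; keep the two allow-lists in sync.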
@duncaninnes Closing this for now, please reopen if you have any other comments
Really like this plugin. But is it possible to tailor the Cockpit details to provide a read-only mode and fine-grained levels of write access? I looked at the Cockpit docs, but couldn't figure out if it was possible. Deep Integration might be the way, but this isn't documented.
Wondering because a good use-case would be Foreman having fine-grained access levels for OS Admins, Middleware Admins and Managers. Would want to restrict the Middleware Admins to restarting JBoss & httpd for example. And Managers would get read-only access.