Hello,
I've been working on reusing polkit authorization for OpenLMI providers,
which use a DBus service (e.g. NetworkManager, PackageKit, realmd,
systemd, ...).
I've documented the architecture on our wiki [1] and I submitted a review
in our review-board [2]. I won't push the patches until we get to an
agreement that it's the way to go and also that the implementation is secure
- please review carefully. There are *no* changes needed in our provider
code and/or in the DBus services we work with.
1: https://fedorahosted.org/openlmi/wiki/PolkitAuthorization
2: https://reviewboard-openlmi.rhcloud.com/users/jsafrane/
In short, the concept is similar to Cockpit's reauthorization [3], we
just don't play tricks with user passwords - we don't have one on CIM
provider level. Instead, we register a polkit agent, which bluntly
authenticates every request from polkit in its PAM session.
3: https://github.com/cockpit-project/cockpit/blob/master/doc/reauthorize.md
[Kudos to the Cockpit guys, I used their code to implement the polkit agent
and helper.]
Just a side note: right now, users with remote CIM access must be
members of the 'pegasus' group, otherwise they cannot start a provider. Is
it good or bad? Should _any_ user be able to use CIM by default and let
polkit decide? It's trivial to fix, just set different file/directory
permissions in tog-pegasus.rpm. And there is /etc/Pegasus/access.conf,
which can control access properly if the sysadmin wishes, so the question is
just about the default setting.
Jan
Hello,
I developed a GUI for OpenLMI (+ account and service provider) as part of
my bachelor thesis. Now as an intern I continue working on it.
It is capable of generating scripts for LMIShell as well as executing
these changes. It can also discover computers on the network using SLP.
For those of you who might be interested, follow this link:
https://github.com/mhatina/openlmi_gui
Martin Hatina
We've been busy the last few weeks with reworking all OpenLMI documentation.
Initially I wanted to post this announcement when the new docs are
finished, but with each version I'm finding new problems and tiny
glitches which need some attention, and the finished version is further
and further ahead.
So, the work-in-progress version is available at
http://openlmi-test-doc.readthedocs.org/en/latest/.
The ultimate goal is:
- to have it generated by readthedocs.org, as it has nice style (few
tweaks were needed though and their build system is... hard to tackle with)
- to have it hosted on doc.openlmi.org, if possible
- have all documentation (providers, storage, networking, tools,
scripts) together in one place and linked together (e.g. links from
providers to appropriate lmi metacommand and back, not done yet)
- still have the possibility to ship the documentation as part of our
packages (some people prefer offline docs), we'll see if we can achieve
this.
- be more newbie-friendly, especially in the overview pages (again, not
there yet, but the 'Storage provider' front page is the first attempt).
- obsolete some pages on openlmi.org. We'd like all the _documentation_
to be on doc.openlmi.org, and leave openlmi.org just for overview, some
tutorials (QuickStart) and integration with other projects (Pegasus SSL
setup, IPA, ...). All text related to providers, shell or metacommand
will be removed from there, as it is inconsistent, redundant and often
completely wrong.
What's ready for review:
- overall style (colors, fonts, ...). We believe readthedocs.org has
done a great job in this, I have just added support for four levels of the
navigation menu on the left
- overall structure (= the navigation menu)
  - some chapters have weird names, I know about:
    - OpenLMI Networking Provider documentation should be just
    "Networking provider"
    - OpenLMI Tools documentation should be "OpenLMI client tools and
    utilities" or something like that, as it covers lmi metacommand,
    lmishell and OpenLMI scripts.
- most of OpenLMI providers
  - except networking
  - storage should not include "CIM classes" chapter
  - all providers need better front pages with overview, link to
  appropriate lmi metacommand reference. See storage as example.
I'm tuning client utilities chapters, adding python API reference,
individual metacommand, adjusting chapter names etc.
You can see there is a lot of work ahead. You can contribute, best by
patches to individual git repos (openlmi-providers, -networking,
-storage and -tools; use reviewboard as usual) or by feedback here on
openlmi-devel.
For better docs!
Jan
Send openlmi-reviews mailing list submissions to
openlmi-reviews(a)lists.fedorahosted.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.fedorahosted.org/mailman/listinfo/openlmi-reviews
or, via email, send a message with subject or body 'help' to
openlmi-reviews-request(a)lists.fedorahosted.org
You can reach the person managing the list at
openlmi-reviews-owner(a)lists.fedorahosted.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of openlmi-reviews digest..."
Today's Topics:
1. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
2. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
3. buildbot failure in OpenLMI on storage-rhel6
(openlmiproject(a)gmail.com)
4. buildbot failure in OpenLMI on networking-rhel6
(openlmiproject(a)gmail.com)
5. buildbot failure in OpenLMI on storage-rhel7stable
(openlmiproject(a)gmail.com)
6. buildbot failure in OpenLMI on storage-rhel7
(openlmiproject(a)gmail.com)
7. buildbot failure in OpenLMI on networking-rhel7stable
(openlmiproject(a)gmail.com)
8. buildbot failure in OpenLMI on networking-rhel7
(openlmiproject(a)gmail.com)
9. buildbot failure in OpenLMI on providers-rhel7stable
(openlmiproject(a)gmail.com)
10. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
11. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
_______________________________________________
openlmi-reviews mailing list
openlmi-reviews(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/openlmi-reviews
Today's Topics:
1. Re: Review Request 2066: [5/10] openlmi-storage doc: Add
connection to all use cases. (Jan Safranek)
2. Re: Review Request 2066: [5/10] openlmi-storage doc: Add
connection to all use cases. (Jan Safranek)
3. Review Request 1955: Add missing gcc to build dependencies
list (Alois Mahdal)
4. Re: Review Request 1955: Add missing gcc to build
dependencies list (Alois Mahdal)
5. Review Request 2076: Add SELinux note and build deps to
README (Alois Mahdal)
6. buildbot failure in OpenLMI on networking-rhel6
(openlmiproject(a)gmail.com)
7. buildbot failure in OpenLMI on storage-rhel6
(openlmiproject(a)gmail.com)
8. buildbot failure in OpenLMI on networking-rhel7
(openlmiproject(a)gmail.com)
9. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
10. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
11. buildbot failure in OpenLMI on providers-rhel7stable
(openlmiproject(a)gmail.com)
12. buildbot failure in OpenLMI on storage-rhel7
(openlmiproject(a)gmail.com)
13. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
14. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
15. buildbot failure in OpenLMI on storage-rhel7stable
(openlmiproject(a)gmail.com)
16. buildbot failure in OpenLMI on networking-rhel7stable
(openlmiproject(a)gmail.com)
Today's Topics:
1. Review Request 2073: networking [1/3] Use ERR_NOT_FOUND
instead of ERR_FAILED when non-existing object is used (Radek Novacek)
2. Review Request 2074: networking [2/3] Return proper error
message from the methods (Radek Novacek)
3. Review Request 2075: networking [3/3] mof: describe return
values of LMI_CreateIPSettings method (Radek Novacek)
4. Re: Review Request 2073: networking [1/3] Use ERR_NOT_FOUND
instead of ERR_FAILED when non-existing object is used (scanbot)
5. Re: Review Request 2074: networking [2/3] Return proper error
message from the methods (scanbot)
6. Re: Review Request 2075: networking [3/3] mof: describe
return values of LMI_CreateIPSettings method (scanbot)
7. Re: Review Request 2073: networking [1/3] Use ERR_NOT_FOUND
instead of ERR_FAILED when non-existing object is used (scanbot)
8. Re: Review Request 2074: networking [2/3] Return proper error
message from the methods (scanbot)
9. Re: Review Request 2075: networking [3/3] mof: describe
return values of LMI_CreateIPSettings method (scanbot)
10. buildbot failure in OpenLMI on networking-rhel6
(openlmiproject(a)gmail.com)
11. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
12. buildbot failure in OpenLMI on storage-rhel6
(openlmiproject(a)gmail.com)
13. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
14. buildbot failure in OpenLMI on providers-rawhide
(openlmiproject(a)gmail.com)
15. buildbot failure in OpenLMI on networking-rhel7
(openlmiproject(a)gmail.com)
16. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
17. buildbot failure in OpenLMI on storage-rhel7stable
(openlmiproject(a)gmail.com)
18. buildbot failure in OpenLMI on storage-rhel7
(openlmiproject(a)gmail.com)
19. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
20. buildbot failure in OpenLMI on providers-rhel7stable
(openlmiproject(a)gmail.com)
21. buildbot failure in OpenLMI on networking-rhel7stable
(openlmiproject(a)gmail.com)
Today's Topics:
1. Review Request 2046: [1/1] selinux: install and register
60_LMI_SELinux_MethodParameters.mof (Vitezslav Crhonek)
2. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
3. Re: Review Request 2046: [1/1] selinux: install and register
60_LMI_SELinux_MethodParameters.mof (Michal Minar)
4. Re: Review Request 2044: [1/1] selinux: minor documentation
fixes (Michal Minar)
5. Re: Review Request 2046: [1/1] selinux: install and register
60_LMI_SELinux_MethodParameters.mof (Vitezslav Crhonek)
6. Re: Review Request 2044: [1/1] selinux: minor documentation
fixes (Vitezslav Crhonek)
7. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
8. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
9. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
10. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
11. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
12. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
13. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
14. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
15. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
16. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
17. buildbot failure in OpenLMI on storage-rhel6
(openlmiproject(a)gmail.com)
18. buildbot failure in OpenLMI on networking-rhel6
(openlmiproject(a)gmail.com)
19. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
20. buildbot failure in OpenLMI on storage-rhel7
(openlmiproject(a)gmail.com)
21. buildbot failure in OpenLMI on networking-rhel7
(openlmiproject(a)gmail.com)
22. buildbot failure in OpenLMI on providers-rhel7stable
(openlmiproject(a)gmail.com)
23. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
24. buildbot failure in OpenLMI on networking-rhel7stable
(openlmiproject(a)gmail.com)
25. buildbot failure in OpenLMI on storage-rawhide
(openlmiproject(a)gmail.com)
26. buildbot failure in OpenLMI on storage-rhel7stable
(openlmiproject(a)gmail.com)
27. buildbot failure in OpenLMI on networking-rawhide
(openlmiproject(a)gmail.com)
28. Re: Review Request 2043: providers [1/1] service-dbus: fix
potential memory leak found by coverity (Jan Safranek)
29. Re: Review Request 2043: providers [1/1] service-dbus: fix
potential memory leak found by coverity (Radek Novacek)
30. buildbot failure in OpenLMI on providers-rhel7
(openlmiproject(a)gmail.com)
31. buildbot failure in OpenLMI on providers-rhel6
(openlmiproject(a)gmail.com)
32. Re: Review Request 2027: tools - doc: allow to build
documentation with commands (Michal Minar)
33. Re: Review Request 2027: tools - doc: allow to build
documentation with commands (Michal Minar)