From: Ingen S. J. v. (ICTS) <j.v...@ut...> - 2010-09-13 10:39:54
Hi,

> What I would like to do is allow certain users to be able to use the port
> control features, but only for certain switches. Identifying what switches
> a user should be able to control needs to be by the switch's IP address.

OK, sounds reasonable, probably something others might want too.

> I would like to modify the source to do this, however I am under no
> illusion that my programming abilities don't stretch that far so I am
> looking for some kind of hack.
>
> I could create a new database within Postgres which has VIEWs to the
> netdisco database with additional "WHERE ip << inet 'subnet'" to only
> display certain devices. There would also be a separate netdisco frontend
> with this database name in the config file. - Each set of users would get
> their own instance, and this should work but is very messy.

You're right, that approach wouldn't scale.

> What would be slightly better is, instead of having an additional
> database, to have an additional table in the main database with a list of
> usernames and subnets they can control along with something like a
> Postgres RULE which applies an additional WHERE clause on each SELECT.
> Even this is exceeding my knowledge of Postgres and attempting to create a
> rule when issuing select on the device table doesn't work because device
> is already populated (It would need to be renamed and device would just be
> a rule, but this would then break insert/update etc. the backend daemon
> would try and use).
>
> Does anybody have any ideas what I do to get the desired effect?

I'd say it's better if Netdisco would get a fine-grained "role-based access control". Users can be assigned to a role, and based on a role you can perform specific actions on a device or group of devices. This would not only apply to "port control" (both switching on/off and changing VLANs), but we could also use this model for actions against a device (refresh, macsuck, arpnip, delete etc).

It would also make it easier to add new actions (change port name, change PoE state, add/remove VLAN, etc). It's non-trivial to implement; I've thought about it and I'm willing to do (parts of) the changes, but can't guarantee when it will be done / usable. I suggest you start by creating a feature request on SourceForge :)

Regards,
Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
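The per-user subnet table that the original poster sketches, worked out as an added SQL example for this thread. It is not Netdisco code and not from either author above. It assumes Netdisco's `device` table has an `ip` column of type `inet`; the ACL table (`port_control_acl`), the view (`device_controllable`), the function (`may_control_port`) and the rows inserted are hypothetical. The base table keeps its name, so the backend daemon's INSERT/UPDATE statements against `device` are untouched, which avoids the renaming problem the poster ran into with a RULE.

```sql
-- Added example, not Netdisco code. Assumes "device" has a column "ip inet".
-- All other names below are hypothetical.

-- 1. Which login may control which subnets (constructed sample rows).
CREATE TABLE port_control_acl (
    username text NOT NULL,
    subnet   cidr NOT NULL,
    PRIMARY KEY (username, subnet)
);

INSERT INTO port_control_acl (username, subnet) VALUES
    ('alice', '10.1.0.0/16'),
    ('bob',   '10.2.3.0/24'),
    ('bob',   '192.0.2.0/24');

-- 2. A view over "device" that only exposes rows the connected database
--    user may control. "<<" is the inet "is contained within" operator.
CREATE VIEW device_controllable AS
SELECT d.*
  FROM device d
 WHERE EXISTS (
         SELECT 1
           FROM port_control_acl a
          WHERE a.username = current_user
            AND d.ip << a.subnet
       );

-- 3. The check the port-control code path itself should run before acting,
--    with the application's authenticated username passed in explicitly.
CREATE OR REPLACE FUNCTION may_control_port(p_user text, p_ip inet)
RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
          FROM port_control_acl
         WHERE username = p_user
           AND p_ip << subnet
    );
$$;

-- Usage, with the constructed rows above:
SELECT may_control_port('alice', '10.1.200.7');
SELECT may_control_port('bob',   '10.1.200.7');
SELECT may_control_port('bob',   '192.0.2.50');
```

With the sample rows, the three calls return true, false and true respectively. Two caveats a practitioner would want: first, the view's `current_user` test only identifies a web user if each user connects to PostgreSQL under their own role; Netdisco's frontend uses the single database account configured in netdisco.conf, so in that setup the function form, called with the application's authenticated username, is the one that actually works. Second, filtering what a user can see is not authorisation: unless the port-control action itself calls `may_control_port` (or an equivalent check) before issuing the SNMP write, a user who knows a switch's IP can still submit a control request for it. Modern PostgreSQL (9.5 and later) also offers row-level security policies that can express the same rule directly on the base table, but that was not available when this message was written.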