RackTables: Permissions

Once you have figured out how it works, everything is easy – right? As it took me some minutes and some googling to find out how the permission system (Main page -> Configuration -> Permissions) in RackTables works, here is my short summary:

  • In general, RackTables’ permission engine works “top to bottom”, so the first rule that matches wins – all later rules are simply ignored.
  • Within a rule you can combine conditions with “and”, “or” and parentheses “()” to keep the rule set simple.
  • Comments can be written directly inside the page; they start with a hash mark (#).
  • Just have a second browser tab open and browse to the page/tab you want to include or exclude in your permission section. If I go to “Configuration” -> “Tag tree” -> “Edit”, I end up with a URL like this: /index.php?page=tagtree&tab=edit – the page and tab parameters map to the {$page_…} and {$tab_…} auto-tags, so if I want to block or allow access to this page, the rule would look like

allow {$page_tagtree} and {$tab_edit}

Below is my current rule set, including comments. It allows the super admins to edit everything (just add your user name as “allow {$username_lars}” directly below the “allow {$userid_1}” entry to gain super user privileges), while the rest of the users can look at all the other pages but not edit anything.

#
# the super admins:
#
allow {$userid_1}
#
# general rules for all others
#
# allow to see the “read only” pages per default
#
allow {$page_reports} or {$tab_default}
# those are always read/write pages: deny
deny {$tab_rackcode} or {$tab_system} or {$page_config} or {$tab_tags}
#
# permissions per page
#
# IPv4 space
deny {$page_ipv4space} and ( {$tab_newrange} or {$tab_manage} )
allow {$page_ipv4space}
# IPv6 space
deny {$page_ipv6space} and ( {$tab_newrange} or {$tab_manage} )
allow {$page_ipv6space}
# single Racks
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} or {$tab_problems} )
allow {$page_rack}
# whole Rackspace
deny {$page_rackspace} and ( {$tab_editlocations} or {$tab_editrows} )
allow {$page_rackspace}
# VLANs (8021q)
deny {$page_8021q} and ( {$tab_vdlist} or {$tab_vstlist} )
allow {$page_8021q}
# Files
deny {$page_files} and {$tab_manage}
allow {$page_files}
# IP SLB
deny {$page_ipv4slb} and ( {$tab_defconfig} or {$tab_new_vs} or {$tab_new_vsg} or {$tab_new_rs} )
allow {$page_ipv4slb}
# Cables
deny {$page_cables} and {$tab_heaps}
allow {$page_cables}
# Objects
deny {$page_depot} and {$tab_addmore}
allow {$page_depot}
# special page (a separate extension to include our monitoring as separate tab)
allow {$page_object} and {$tab_Monitor}
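To check how “top to bottom, first match wins” plays out on a rule set like the one above before saving it, here is a small stand-alone evaluator I have added for this post. It is not RackTables’ own RackCode parser: it models a request as the set of its {$userid_…}, {$page_…} and {$tab_…} auto-tags, supports only the syntax used in this post, and assumes that “and” binds tighter than “or” and that no matching rule means deny.

```python
import re

# Stand-alone model of the "top to bottom, first match wins" evaluation described
# above, not RackTables' own RackCode parser: only allow/deny, {$auto_tags}, and/or,
# parentheses and # comments; "and" binds tighter than "or"; no match means deny.
TOKEN_RE = re.compile(r'\{\$\w+\}|[()]|\b(?:and|or)\b')

def evaluate(expr, tags):
    """True if the rule expression matches the set of auto-tags of a request."""
    if re.sub(r'\s+', '', TOKEN_RE.sub('', expr)):
        raise ValueError(f'unsupported syntax in rule: {expr!r}')
    tokens, pos = TOKEN_RE.findall(expr), 0
    def term():                                # {$tag} or a parenthesised group
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok != '(':
            return tok in tags
        value = or_expr()
        pos += 1                               # consume the closing ')'
        return value
    def chain(op, sub):                        # left-to-right chain: sub (op sub)*
        nonlocal pos
        value = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = sub()                        # always parsed, never short-circuited
            value = (value and rhs) if op == 'and' else (value or rhs)
        return value
    or_expr = lambda: chain('or', lambda: chain('and', term))
    return or_expr()

def decide(rackcode, tags):
    """Walk the rules top to bottom and return (verdict, line number) of the first
    match, so a rule shadowed by an earlier one is easy to spot; no match: deny."""
    for lineno, raw in enumerate(rackcode.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if line:
            verb, _, expr = line.partition(' ')
            if evaluate(expr, tags):
                return verb, lineno
    return 'deny', None

# Constructed excerpt of the post's rule set; a request is the set of its auto-tags.
RULES = """\
allow {$userid_1}
allow {$page_reports} or {$tab_default}
deny {$tab_rackcode} or {$tab_system} or {$page_config} or {$tab_tags}
deny {$page_ipv4space} and ( {$tab_newrange} or {$tab_manage} )
allow {$page_ipv4space}
"""
```

Because decide() reports the line that matched, swapping the deny and allow lines of one page shows immediately that the deny has become unreachable.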

As a result, my team is able to work with RackTables (as they are added as super admins), and all the rest can check what we are doing (as we have LDAP authentication enabled).

After editing, you are forced to verify your changes before you can save – but there is more: please also check Main page -> Reports -> RackCode for errors that the verify script does not find (as of RackTables version 0.20.10).


About Lars Vogdt

This is the private blog space of Lars Vogdt, the topics will be in first place work related.
This entry was posted in Infrastructure, network.

2 Responses to RackTables: Permissions

  1. Carlos says:

    Hello Lars,

    I would like to know how to filter a user with its tags, meaning, this user should only access objects that match only its tags per department.
