[pve-devel] r4831 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Jun 23 08:14:09 CEST 2010 

Author: dietmar
Date: 2010-06-23 06:14:09 +0000 (Wed, 23 Jun 2010)
New Revision: 4831

Modified:
   pve-access-control/trunk/README
   pve-access-control/trunk/user.cfg.ex
Log:
add information about proposed authentication file 



Modified: pve-access-control/trunk/README
===================================================================
--- pve-access-control/trunk/README	2010-06-22 11:37:05 UTC (rev 4830)
+++ pve-access-control/trunk/README	2010-06-23 06:14:09 UTC (rev 4831)
@@ -1,4 +1,5 @@
 User Management and Access Control
+==================================
 
 Proxmox VE implements an easy but flexible way to manage users. A
 powerful Access Control algorithm is used to grant permissions to
@@ -8,14 +9,46 @@
 
 Use groups in ACLs (not individual users).
 
+User Authentication
+===================
+
+Users are identified by there email address. The domain part of the
+email determines how a user gets authenticated. The file 
+
+/etc/pve/auth.cfg 
+
+associates domains with authentication servers.
+
+----example auth.cfg ---------------------
+
+AD: proxmox.com,maurer-it.com
+	server 10.10.10.1
+	...
+
+LDAP: example.com
+	server 10.10.10.2
+      	....
+
+------------------------------------------
+
+Users without domains get authenticated using our own password file.
+
+User with 'localhost' as domain ("<user>@localhost") use PAM for authentication.
+
+
+Proposed user database fields:
+==============================
+
 users:
 
 	login_name: email address (user at domain)
-	account type: pam, ldap, shadow, ident (how to verify password)
-	group: primary group name 
-	real_name: full user name
-	comment: arbitrary comment
+	enabled: 1 = TRUE, 0 = FALSE
 
+	# account type: pam, ldap, shadow, ident (how to verify password)
+	# group: primary group name 
+	# real_name: full user name
+	# comment: arbitrary comment
+
 	special user root: The root user has full administrative privileges
 
 	encrypted passwords (md5 crypt) are stored in separate shadow file
@@ -81,6 +114,7 @@
 
 
 ACL and Objects:
+================
  
 An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
 

Modified: pve-access-control/trunk/user.cfg.ex
===================================================================
--- pve-access-control/trunk/user.cfg.ex	2010-06-22 11:37:05 UTC (rev 4830)
+++ pve-access-control/trunk/user.cfg.ex	2010-06-23 06:14:09 UTC (rev 4831)
@@ -2,7 +2,7 @@
 
 group:testgroup:joe at localhost:
 
-role:admin:VM.ConfigureCD,VM.Create,SetPermissions,VM.Console:
+role:admin:VM.ConfigureCD,VM.Create,Permissions.Modify,VM.Console:
 
 acl:0:/users:@testgroup,joe at localhost:Administrator:

More information about the pve-devel mailing list