Bug #1660
closed
Add the ability to set default filters for On-the-fly LDAP user creation
Description
Foreman is giving too much information to anyone who happens to log in via the on-the-fly LDAP account creation. They get a list of servers, see IP addresses, MAC addresses, OS versions, host YAML, report status section and other information about hosts.
It would be nice to have a way to restrict new users to see only hosts they own (which will admittedly probably be none, unless/until they get added to a group that has ownership of some hosts or are granted adequate permissions and create some); I was thinking that being able to set a default filter for the LDAP Auth Source would be a good way to handle this, though I don't know how this might play out if all filters are moved to the User Group level as I have seen discussed as a potential possibility.
And of course, to be clear, I don't consider it a security concern, since a lot of this information is necessarily available for ENC functionality and therefore to anyone who knows how to poke at the server properly, but a user logging in for the first time shouldn't see other groups' hosts in the web UI regardless.
Updated by Ohad Levy almost 12 years ago
- Status changed from New to Resolved
Just change the default user role permissions.
Ohad
Updated by Ohad Levy almost 12 years ago
About ENC, it might be better to have a list of allowed servers to reach out for Foreman (that should be a separate ticket, I guess).