On May 10, 2011, at 8:14 PM, Adam Young wrote:

> On 05/10/2011 11:07 PM, Adam Young wrote:
>> On 05/10/2011 04:38 PM, JR Aquino wrote:
>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>> 
>>> 
>>>> JR Aquino wrote:
>>>> 
>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>> 
>>>>> 
>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to 
>>>>>> simplify the auditing of users for their indirect membership to their 
>>>>>> authorization rights.
>>>>>> 
>>>>>> An Administrator should have the ability to quickly identify the rights 
>>>>>> a user will have in the system.
>>>>>> 
>>>>>> For example. With the patch added, my user show looks like this:
>>>>>> 
>>>>>> # ipa user-show tester --all
>>>>>>  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>>  User login: tester
>>>>>>  First name: Tester
>>>>>>  Last name: Engineering
>>>>>>  Full name: Tester Engineering
>>>>>>  Display name: Tester Engineering
>>>>>>  Initials: TE
>>>>>>  Home directory: /home/tester
>>>>>>  GECOS field: Tester Engineering
>>>>>>  Login shell: /bin/sh
>>>>>>  Kerberos principal: tes...@example.com
>>>>>> 
>>>>>>  UID: 1829800388
>>>>>>  GID: 1829800388
>>>>>>  Account disabled: False
>>>>>>  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>>  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>>  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>>  memberofindirect_HBAC rule: development
>>>>>>  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
>>>>>> AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>>  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>>  objectclass: top, person, organizationalperson, inetorgperson, 
>>>>>> inetuser, posixaccount
>>>>>> 
>>>>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> 
>>>>>> Freeipa-devel@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> OOPS, forgot to have PATCH in the subject.
>>>>> 
>>>>> 
>>>> I think you need this as well, right?
>>>> 
>>>> -        'memberof': ['group', 'netgroup', 'role'],
>>>> +        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>>>> 
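Review bot: the hunk only shows the `'memberof'` list gaining `'sudorule'` and `'hbacrule'`, yet the user-show output above prints `memberofindirect_HBAC rule` and `memberofindirect_Sudo Rule`, so the matching `'memberofindirect'` entry presumably needs the same two types added; and since the hunk carries no file name or @@ header, please say which of user.py, host.py, group.py and hostgroup.py it applies to, given that the follow-up reply says all four were changed.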
>>> Some scope change.
>>> 
>>> Added memberof and memberofindirect
>>> 
>>> Added to user.py host.py group.py hostgroup.py
>>> 
>>> When using the --all flag it is now very clear to the administrator what 
>>> authorization rules these objects are directly or indirectly a memberof.
>>> 
>>> xmlrpc tests check out
>>> 
>>> Please review
>>> 
>>> 
>>> 
>> 
>> 
>> The reason that this shows up in the UI is that it is generating additional 
>> memberof attributes.  It has nothing to do with the memberofindirect:
> 
> You are also going to need to modify the sudo rule and HBAC rule to use the 
> serial associator on some facets.  It looks like group at least has things 
> backwards.  The group.js file I think needs a rule like this:
> 
> 
>  association_facet({
>      name: 'memberof_sudorule',
>      associator: IPA.serial_associator
>  }).
> 
> This is because the API is for adding multiple groups to the sudo rule, but 
> the default behaviour is for adding multiple <other entity> to <this entity>.

The above comment is regarding ticket 
https://fedorahosted.org/freeipa/ticket/1218, which is dependent on this patch 
and ticket 1170.

As for Patch 24 and ticket 1170, are there any other questions or does this 
look ready to go? 
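As an added illustration of the audit view the patch is after (this is not FreeIPA's own code; the container names, the `member`/`memberuser` link convention, the suffix and every sample entry are assumptions or constructed data), here is a small model of how an entry's transitive memberOf set can be derived from the member links and then split into `memberof_<type>` and `memberofindirect_<type>` output, classified by the DN container the target lives in. It also covers a nested group, which is why a target reached only through another group lands under `memberofindirect_group`:

```python
"""Model of direct vs. indirect membership per object type.

Added example, not FreeIPA code. SUFFIX, CONTAINERS, MEMBER_ATTRS and
DIRECTORY are assumptions / constructed sample data.
"""
from collections import defaultdict, deque

SUFFIX = "dc=example,dc=com"

# Assumed container -> object-type mapping (hypothetical container names).
CONTAINERS = {
    "cn=groups,cn=accounts": "group",
    "cn=hbac": "hbacrule",
    "cn=sudorules,cn=sudo": "sudorule",
}

# Attributes assumed to mean "value is a direct member of this entry".
MEMBER_ATTRS = ("member", "memberuser")


def dn(rdn, container):
    return f"{rdn},{container},{SUFFIX}"


USER = dn("uid=tester", "cn=users,cn=accounts")
G_TOOLS = dn("cn=auto-dev-deploy-tools", "cn=groups,cn=accounts")
G_BUILD = dn("cn=build-integration", "cn=groups,cn=accounts")

# Constructed sample directory: DN -> attributes (not real data).
DIRECTORY = {
    USER: {},
    dn("cn=ipausers", "cn=groups,cn=accounts"): {"member": [USER]},
    G_TOOLS: {"member": [USER]},
    G_BUILD: {"member": [USER]},
    # Nested group: build-integration is itself a member of engineering.
    dn("cn=engineering", "cn=groups,cn=accounts"): {"member": [G_BUILD]},
    dn("cn=development", "cn=hbac"): {"memberuser": [G_TOOLS]},
    dn("cn=AUTO-dev-deploy-tools_DEPLOY", "cn=sudorules,cn=sudo"): {
        "memberuser": [G_TOOLS]},
    dn("cn=AUTO-dev-deploy-tools_ZENOSS", "cn=sudorules,cn=sudo"): {
        "memberuser": [G_TOOLS]},
    # Same cn as the group above, but a different container => sudorule.
    dn("cn=build-integration", "cn=sudorules,cn=sudo"): {
        "memberuser": [G_BUILD]},
    # The user is listed directly in this rule, so it is a direct memberof.
    dn("cn=emergency_shell", "cn=sudorules,cn=sudo"): {"memberuser": [USER]},
}


def object_type(entry_dn):
    """Classify a DN by its container, i.e. everything after the first RDN."""
    container = entry_dn.split(",", 1)[1]
    container = container[: -len("," + SUFFIX)]
    return CONTAINERS.get(container, "unknown")


def rdn_value(entry_dn):
    """'cn=foo,...' -> 'foo'."""
    return entry_dn.split(",", 1)[0].split("=", 1)[1]


def parents_index(directory):
    """Reverse the member links: member DN -> set of DNs it is listed in."""
    parents = defaultdict(set)
    for target, attrs in directory.items():
        for attr in MEMBER_ATTRS:
            for member in attrs.get(attr, []):
                parents[member].add(target)
    return parents


def membership(directory, entry_dn):
    """Return {'memberof_<type>': [...], 'memberofindirect_<type>': [...]}.

    Direct targets are those listing entry_dn in a member attribute; every
    other target reachable through nested memberships is indirect. The
    'seen' set keeps the walk finite even if group nesting forms a cycle.
    """
    parents = parents_index(directory)
    direct = set(parents.get(entry_dn, ()))
    seen, queue = set(), deque(direct)
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(parents.get(cur, ()))
    result = defaultdict(list)
    for target in seen:
        kind = "memberof" if target in direct else "memberofindirect"
        result[f"{kind}_{object_type(target)}"].append(rdn_value(target))
    return {key: sorted(vals) for key, vals in sorted(result.items())}


if __name__ == "__main__":
    for key, vals in membership(DIRECTORY, USER).items():
        print(f"  {key}: {', '.join(vals)}")
```

Classifying by container rather than by cn is what keeps the group `build-integration` and the sudo rule `build-integration` apart in the output, and computing the closure from the links (rather than trusting a precomputed memberOf attribute) makes the indirect set reproducible in an audit script.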

