I have some notes and questions on https://fedorahosted.org/freeipa/ticket/3566 (Control access of user roles to server functions).

An IPA terminology refresher for reference:
- ACI: The DS-level permission.
- Permission: IPA object that encapsulates one ACI. Example: "add user". Permissions aren't as flexible as raw ACIs. - Privilege: IPA object that groups several permissions, e.g. with a "manage users" privilege you can "add user", "modify user", ... - Role: IPA object that groups privileges, e.g. an "User Administrator" can manage users and groups. Roles are assigned to users/groups/hosts.

# Permission structure

I think it would be best to have two permissions for each object, one for the entries and one for the container. This keeps the ACIs manageable with existing permission API:

aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Read Groups";allow (read,search,compare) groupdn = "ldap:///cn=Read Groups,cn=permissions,cn=pbac,$SUFFIX";)

aci: (target = "ldap:///cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Read Group Container";allow (read,search,compare) groupdn = "ldap:///cn=Read Group Container,cn=permissions,cn=pbac,$SUFFIX";)

These would be combined in a "Group Readers" privilege.

All the privileges would be granted to a role called "Users", which would contain ipausers and admins.

# External users & system accounts

I'm not sure how to handle external users here, since they're not added to any group. Either we'll need a special ACI for them, or somehow make it possible to add non-group sets of users to Roles.

The same goes for system accounts, except those aren't even implemented in IPA yet (https://fedorahosted.org/freeipa/ticket/2801).

# Protected attributes

How to handle passwords and other non-public attributes? I'm thinking about keeping a global list of such attributes, and applying it to each read permission ACI on normal operations and upgrades; either generating a (targetfilter != ...) clause or filtering the (targetfilter = ...) one.
Possibly that list would be configurable and stored in LDAP.

For reference, we currently exclude these in the anonymous read rule: "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming"

# Compat tree

Do we want to reuse the read privileges for the compat tree, or create extra ones?

# Combining read rights

I think (read, search, compare) should be exposed in permission objects as a single right. Or is there a reason to keep it split?

# P.S.

I believe that we should strive to put our info about default permissions, containers, settings, and the schema for each plugin in the actual plugin module, rather than it all being split across several ldif/update files. This would make this data more manageable, introspectable and consistent, expose dependencies between plugins, and make it possible to actually write self-contained plugins. This should be done when the time comes for a new version of the ldap-updater.


Freeipa-devel mailing list

Reply via email to