On Wed, 2014-04-16 at 10:02 +0200, Martin Kosek wrote:
> I was looking into ticket
> https://fedorahosted.org/freeipa/ticket/4054
> and experimenting with ACIs allowing privileged users to manage only their 
> own 
> LDAP objects.
> 
> As already proposed in the Bugzilla, I had success with following ACIs:
> 
> ~~~~~~~~~~~~~~~~
> # ldapmodify -h `hostname` -D "cn=Directory Manager" -x -w Secret123
> dn: cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test
> add: aci
> aci: (targetattr = "userclass")(targetfilter = 
> "(objectclass=ipahost)")(version 
> 3.0;acl "permission:Modify own hosts";allow (write) userattr = 
> "creatorsName#USERDN";)
> 
> modifying entry "cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test"
> 
> # ldapmodify -h `hostname` -D "cn=Directory Manager" -x -w Secret123
> dn: cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test
> add: aci
> aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
> "permission:Modify own hosts";allow (delete) userattr = 
> "creatorsName#USERDN";)
> 
> modifying entry "cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test"
> ~~~~~~~~~~~~~~~~
> 
> When I then added a user fbar with permission "Add hosts", I was able to do 
> exactly what proposed in the ticket:
> 
> 
> $ ipa host-add test.example.com --force
> -----------------------------
> Added host "test.example.com"
> -----------------------------
>    Host name: test.example.com
>    Principal name: host/test.example....@mkosek-fedora20.test
>    Password: False
>    Keytab: False
>    Managed by: test.example.com
> 
> $ ipa host-mod test.example.com --class foo
> --------------------------------
> Modified host "test.example.com"
> --------------------------------
>    Host name: test.example.com
>    Principal name: host/test.example....@mkosek-fedora20.test
>    Class: foo
>    Password: False
>    Keytab: False
>    Managed by: test.example.com
> 
> $ ipa host-mod admin.example.com --class foo
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
> 'userClass' attribute of entry 
> 'fqdn=admin.example.com,cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test'.
> 
> $ ipa host-del admin.example.com
> ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete 
> the 
> entry 
> 'fqdn=admin.example.com,cn=computers,cn=accounts,dc=mkosek-fedora20,dc=test'.
> 
> $ ipa host-del test.example.com
> -------------------------------
> Deleted host "test.example.com"
> -------------------------------
> 
> I think this could be pretty powerful also with other LDAP objects. Question 
> is 
> what can be done to allow that to our users.
> 
> I do not think we should add these ACIs by default as not everybody would 
> like 
> them. But if we enhance our permission API to allow the userattr bind rule, 
> admins could add these ACIs at their wish.
> 
> IMO the API is not that difficult, something like this could work:
> 
> $ ipa permission-add test --bindtype=userattr --bind-attr=creatorsname 
> --bind-attr-type=USERDN
> 
> --bind-attr could be more or less free form text to allow "creatorsname" or 
> "parent[0].creatorsname"
> --bind-attr-type would be enum of values USERDN/GROUPDN
> 
> This should cover most of the basic use cases.
> 
> Thoughts?

Creatorsname is inflexible as you cannot change it, we should probably
have a way to add a role/group attribute at add time that would bind the
object to specific roles/groups of users, but beyond this details it
looks pretty powerful. One issue is how you still limit access to some
attributes that you may not want to allow the creator to set or change,
for example ipaUniqueId or similar things, that should always be under
control of the system.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to