On 04/28/2014 11:17 AM, Alexander Bokovoy wrote:
On Mon, 28 Apr 2014, Martin Kosek wrote:
On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
On Fri, 25 Apr 2014, Petr Viktorin wrote:
On 04/23/2014 02:46 PM, Martin Kosek wrote:
On 04/22/2014 01:38 PM, Petr Viktorin wrote:
On 04/16/2014 05:56 PM, Simo Sorce wrote:
On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
In general I am not sure all authenticated users need
access to all
this
info. Alexander ?
SSSD needs to read some of this information for
subdomains support.
That would be at least host/*@REALM who needs to access it.


Can you please list exactly which ones are needed ?
SSSD subdomains support needs:
   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
     - ipaNTFlatName
     - ipaNTSecurityIdentifier
     - ipaNTTrustedDomainSID
     - cn

Question is - is there any added value in hiding part of the
trust information from authenticated users? I.e. attributes
like
ipanttrustdirection, ipaNTTrustAttributes (what is the
purpose of this
attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail
of ipasam --
part of how Samba stores this information taken from
specific DCE RPC
structures.

If yes, we would need to split this permission in 2 and
have one for
authenticated users and one for "Trust Adminitrators" and
"Trust
Readers".
Yes. Authenticated users shouldn't get any access to those
details:
   ipantsupportedencryptiontypes
   ipanttrustattributes
   ipanttrustauthincoming
   ipanttrustauthoutgoing



Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX"
system group
should
then have this permission assigned so that samba can operate the
attributes.
'adtrust agents' and 'trust administrators' should have read,
modify,
delete, and search on cn=trusts.


Right. We will probably want to turn most of ACIs in
install/updates/60-trusts.update in managed permissions (i.e.
defined in
trust.py) and make "adtrust agents" and "trust admins" it's
members.
I agree.


+1

Simo.


All right. Now I'm replacing the global anonymous read ACI;
converting the
others will come later. The existing agents/admins ACIs grant the
'read' (or
'all') right already.
ipaIDRange is covered in the range plugin, so what's left for this
patch is
the
ipaNTTrustedDomain/ipaNTDomainAttrs attributes.

Does that sound reasonable?

This is all that's needed from SSSD side, I just verified in sssd
git. sssd
indeed only uses these attributes:

#define IPA_CN "cn"
#define IPA_FLATNAME "ipaNTFlatName"
#define IPA_SID "ipaNTSecurityIdentifier"
#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"

So I am OK with the patch as is.

However, with this ACI, regular users will not be able to show
Trusts with
command line even though they have access to the basic information:

# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

IMO trust command should be able to return the information that the
user is
allowed to see. I prepared a patch to make the read part of
trust.py more
resilient to missing attributes. Attached.

With this patch enabled, I have this output as regular user:

# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier:
S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 1
----------------------------
# ipa trust-show tbad.example.com
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier:
S-1-5-21-2997650941-1802118864-3094776726

# ipa trustdomain-find tbad.example.com
  Domain name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075

  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier:
S-1-5-21-2997650941-1802118864-3094776726
----------------------------
Number of entries returned 2
----------------------------

The only bigger change I did was to filter trust root domains by
ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not
available to everyone.

Martin


The patch looks good to me, but I think Alexander is better
qualified to
review it.
ACK.


Thanks Alexander. I assume you are also ok with Petr's 529.2 I used as
a base.
(there is also a pending patch 530 also touching this trust plugin area.
Yes. As I said in the other thread, I only slightly worried with SID
blacklists visibility (or lack, there of) with the latest changes but we
should handle that as a separate patchset (if any).


I've rebased my patch, and pushed both to master: 5d832c342608fd567ea258c1d506cae28f6b0abf


--
PetrĀ³

From 51521f5c5c105687f559de74b4a9b1ff12334620 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to trust

A single permission is added to cover trust, trustconfig, and trustdomain.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/trust.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 2e6af1687306929d63990ee4c7431b80cf8709ab..bff44053f92ea3e645fa55359774de9fcc622fdc 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -311,6 +311,21 @@ class trust(LDAPObject):
         'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
     search_display_attributes = ['cn', 'ipantflatname',
                                  'ipanttrusteddomainsid', 'ipanttrusttype']
+    managed_permissions = {
+        'System: Read Trust Information': {
+            # Allow reading of attributes needed for SSSD subdomains support
+            'non_object': True,
+            'ipapermlocation': DN(container_dn, api.env.basedn),
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'objectclass',
+                'ipantflatname', 'ipantsecurityidentifier',
+                'ipanttrusteddomainsid',
+            },
+        },
+    }
 
     label = _('Trusts')
     label_singular = _('Trust')
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to