On 06/05/2014 08:45 AM, Jan Cholasta wrote: > On 28.5.2014 22:44, Nathaniel McCallum wrote: >> On Mon, 2014-05-26 at 16:57 +0200, Jan Cholasta wrote: >>> On 13.5.2014 19:12, Nathaniel McCallum wrote: >>>> On Tue, 2014-05-13 at 16:33 +0200, Jan Cholasta wrote: ... >>>>>>>>> Nathaniel can you send 2 lines showing the difference in ACIs between >>>>>>>>> using managed-by vs a new attribute ? >>>>>>>> >>>>>>>> These are the ACIs using the protected mechanism: >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>>>>> "objectclass || description || ipatokenUniqueID || ipatokenDisabled || >>>>>>>> ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || >>>>>>>> ipatokenModel >>>>>>>> || ipatokenSerial || ipatokenOwner || ipatokenProtected")(version 3.0; >>>>>>>> acl "Users can read basic token info"; allow (read, search, compare) >>>>>>>> userattr = "ipatokenOwner#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = >>>>>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits || >>>>>>>> ipatokenTOTPtimeStep")(version 3.0; acl "Users can see TOTP details"; >>>>>>>> allow (read, search, compare) userattr = "ipatokenOwner#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = >>>>>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users >>>>>>>> can >>>>>>>> see HOTP details"; allow (read, search, compare) userattr = >>>>>>>> "ipatokenOwner#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = >>>>>>>> "(&(objectClass=ipaToken)(!(ipatokenProtected=TRUE)))")(targetattrs = >>>>>>>> "description || ipatokenDisabled || ipatokenNotBefore || >>>>>>>> ipatokenNotAfter || ipatokenVendor || ipatokenModel || >>>>>>>> ipatokenSerial")(version 3.0; acl "Users can write basic token info"; >>>>>>>> allow (write) userattr = "ipatokenOwner#USERDN";) >>>>>>>> >>>>>>>> aci: (target = >>>>>>>> "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter >>>>>>>> = "(&(objectClass=ipaToken)(!(ipatokenProtected=TRUE))))")(version 3.0; >>>>>>>> acl "Users can create and delete tokens"; allow (add, delete) userattr >>>>>>>> = >>>>>>>> "ipatokenOwner#SELFDN";) >>>>>>>> >>>>>>>> This is what they look like using managedBy (I have not tested this): >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>>>>> "objectclass || description || ipatokenUniqueID || ipatokenDisabled || >>>>>>>> ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || >>>>>>>> ipatokenModel >>>>>>>> || ipatokenSerial || ipatokenOwner || ipatokenProtected")(version 3.0; >>>>>>>> acl "Users can read basic token info"; allow (read, search, compare) >>>>>>>> userattr = "ipatokenOwner#USERDN"; allow (read, search, compare) >>>>>>>> userattr = "managedBy#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = >>>>>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits || >>>>>>>> ipatokenTOTPtimeStep")(version 3.0; acl "Users can see TOTP details"; >>>>>>>> allow (read, search, compare) userattr = "ipatokenOwner#USERDN"; allow >>>>>>>> (read, search, compare) userattr = "managedBy#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = >>>>>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users >>>>>>>> can >>>>>>>> see HOTP details"; allow (read, search, compare) userattr = >>>>>>>> "ipatokenOwner#USERDN"; allow (read, search, compare) userattr = >>>>>>>> "managedBy#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>>>>> "description || ipatokenDisabled || ipatokenNotBefore || >>>>>>>> ipatokenNotAfter || ipatokenVendor || ipatokenModel || >>>>>>>> ipatokenSerial")(version 3.0; acl "Managers can write basic token >>>>>>>> info"; >>>>>>>> allow (write) userattr = "managedBy#USERDN";) >>>>>>>> >>>>>>>> aci: (targetfilter = "(objectClass=ipaToken)")(version 3.0; acl >>>>>>>> "Managers can delete tokens"; allow (delete) userattr = >>>>>>>> "managedBy#USERDN";) >>>>>>>> >>>>>>>> aci: (target = >>>>>>>> "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter >>>>>>>> = "(objectClass=ipaToken)")(version 3.0; acl "Users can create >>>>>>>> self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and >>>>>>>> userattr = "managedBy#SELFDN";) >>>>>>>> >>>>>>>> In short: >>>>>>>> 1. Owner and manager get read, search and compare. >>>>>>>> 2. Manager gets write (to select attributes) and delete. >>>>>>>> 3. Users can create self-managed tokens for themselves only. >>>>>>>> >>>>>>>> The otptoken-add command should gain the following defaults: >>>>>>>> 1. The owner defaults to the user adding the token. >>>>>>>> 2. If owner == user adding token, managedBy defaults to owner. >>>>>>>> 3. Otherwise, managedBy defaults to None. >>>>>>>> >>>>>>>> This means that if neither owner nor managedBy are specified, the >>>>>>>> default is a self-owned, self-managed token. Likewise, if a different >>>>>>>> owner is specified, no manager is assumed. >>>>>>>> >>>>>>>> rcrit expresses worry that ipalib's ACI parser may not handle the above >>>>>>>> syntax. This will become clear during testing if we want this approach. >>>>>>>> >>>>>>>> Does this look sane? >>>>>>> >>>>>>> I am not entirely sure your ACI syntax is always right for the second >>>>>>> set. and perhaps we want to duplicate ACIs in some cases (once for owner >>>>>>> once for manager). >>>>>>> >>>>>>> I think the read ACIs do not need to list managedby ? Do we plan to have >>>>>>> a manager that is another regular user but not the owner nor an admin ? >>>>>>> >>>>>>> In any case I prefer the sytnax that uses managedby, as it has more >>>>>>> potential. >>>>>> >>>>>> Attached is a new version of the patch which implements the feature >>>>>> using managedBy instead of ipatokenProtected. One important thing needs >>>>>> to be said about this patch. I am not exposing managedBy in either the >>>>>> UI, the CLI or LDAP (ACI). Do we care about this? If yes, should I >>>>>> expose this similar to owner or as a relationship? >>>>> >>>>> I would expose it, as a relationship. (Note that ipatokenowner should >>>>> ideally be represented as a relationship too, but the framework does not >>>>> support 1-to-many relationships ATM.) >>>> >>>> So since this is a 1-to-many relationship we shouldn't expose it? >>>> >>>> Or should I do it like owner is currently done? >>> >>> Do it like managedby is done in the host plugin (see >>> "attribute_members", "relationships", etc.) >>> >>>> >>>>> >>>>> Just curious, why are the ACIs divided like this: >>>>> >>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>> "objectclass || description || ipatokenUniqueID || ipatokenDisabled || >>>>> ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel >>>>> || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers >>>>> can read basic token info"; allow (read, search, compare) userattr = >>>>> "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) >>>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = >>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits || >>>>> ipatokenTOTPtimeStep")(version 3.0; acl "Users/managers can see TOTP >>>>> details"; allow (read, search, compare) userattr = >>>>> "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) >>>>> aci: (targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = >>>>> "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl >>>>> "Users/managers can see HOTP details"; allow (read, search, compare) >>>>> userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";) >>>>> >>>>> IMHO you could make them less complex by dividing them like this: >>>>> >>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>> "objectclass || description || ipatokenUniqueID || ipatokenDisabled || >>>>> ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel >>>>> || ipatokenSerial || ipatokenOwner || ipatokenOTPalgorithm || >>>>> ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Owner can >>>>> read token details"; allow (read, search, compare) userattr = >>>>> "ipatokenOwner#USERDN";) >>>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = >>>>> "objectclass || description || ipatokenUniqueID || ipatokenDisabled || >>>>> ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel >>>>> || ipatokenSerial || ipatokenOwner || ipatokenOTPalgorithm || >>>>> ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Managers >>>>> can read token details"; allow (read, search, compare) userattr = >>>>> "managedBy#USERDN";) >>>> >>>> The first set is organized by objectClass. The second by userattr. I >>>> have no strong opinion on this matter, though performance is probably a >>>> consideration. Do any DS guys want to chime in? ... >> 2. I can't figure out how to get the framework to actually show >> managedBy in command output (like otptoken-show). This means you can >> add/remove relationships using otptoken-add-managedby and >> otptoken-remove-managedby, but you can't actually see the list of >> managers. What am I missing? > > In the hbacrule or selinuxusermap plugins it is done by adding an "invisible" > param to the object plugin, like this: > > Str('managedby_user?', > label=_('Manager'), > flags=['no_create', 'no_update', 'no_search'], > ), > >> >> Also, it would be helpful if someone with DS expertise could answer the >> question about the performance of the ACI structure options as listed >> above. > > +1
CCing Ludwig to advise on the ACIs. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel