On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
> On 06/19/2014 02:43 PM, Simo Sorce wrote:
> > On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
> >> I'll address the other issues separately.
> >> On 06/18/2014 05:46 PM, Martin Kosek wrote:
> >>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient
> >>> access:
> >>> No such virtual command" error triggered by "cert-show" command.
> >>> We will need to add the permission "System: Read Virtual Operations" that
> >>> Honza
> >>> is creating also to "Host Administrators" to fix that part.
> >> I'm not familiar with Honza's effort, but that seems right.
> >> I'm curious, why don't we just allow reading virtual operations by
> >> anybody? It seems to me they're the same in every IPA installation,
> >> what's there to hide?
> >> Anyway, I poked around in how it works now: for cert-show you need write
> >> access to the objectClass of the "retrieve certificate" virt op entry.
> >> So that right you can actually remove the "ipaVirtualOperation"
> >> objectClass.
> >> Aand the new "Anonymous read access to containers" ACI has a
> >> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for
> >> a virt op can allow everyone see that virt op).
> >> Shouldn't we base the check on some other attribute instead?
> >> And curiously, for cert-find there is no virt op based access check.
> > I wonder if we can replace some of these with the ipaProtectedOperation
> > machinery, it works better for protecting itself from manipulation.
> > Simo.
> Yup, as I said in other part of this thread, we should invent something better
Well given we already have something better introduced with the
getkeytab patches, maybe we can go ahead and start using them ?
> eventually for Virtual Operations. For 4.0, I would just keep previous
> and dump ipaVirtualOperation objectclass.
Are we concerned that older replicas will not work if we change these to
ipaProtectedOperation based ACIs ? (unless their DS is fixed, there were
Freeipa-devel mailing list