On 06/19/2014 02:54 PM, Simo Sorce wrote: > On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote: >> On 06/19/2014 02:43 PM, Simo Sorce wrote: >>> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote: >>>> I'll address the other issues separately. >>>> >>>> On 06/18/2014 05:46 PM, Martin Kosek wrote: >>>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient >>>>> access: >>>>> No such virtual command" error triggered by "cert-show" command. >>>>> >>>>> We will need to add the permission "System: Read Virtual Operations" that >>>>> Honza >>>>> is creating also to "Host Administrators" to fix that part. >>>> >>>> I'm not familiar with Honza's effort, but that seems right. >>>> I'm curious, why don't we just allow reading virtual operations by >>>> anybody? It seems to me they're the same in every IPA installation, >>>> what's there to hide? >>>> >>>> Anyway, I poked around in how it works now: for cert-show you need write >>>> access to the objectClass of the "retrieve certificate" virt op entry. >>>> So that right you can actually remove the "ipaVirtualOperation" >>>> objectClass. >>>> Aand the new "Anonymous read access to containers" ACI has a >>>> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for >>>> a virt op can allow everyone see that virt op). >>>> Shouldn't we base the check on some other attribute instead? >>>> >>>> And curiously, for cert-find there is no virt op based access check. >>> >>> I wonder if we can replace some of these with the ipaProtectedOperation >>> machinery, it works better for protecting itself from manipulation. >>> >>> Simo. >> >> Yup, as I said in other part of this thread, we should invent something >> better > > Well given we already have something better introduced with the > getkeytab patches, maybe we can go ahead and start using them ?
Well yeah, I have the same opinion as you do, we should consider using ipaProtectedOperation for Virtual Operations. I just said we may not be able to do it directly in 4.0. >> eventually for Virtual Operations. For 4.0, I would just keep previous >> behavior >> and dump ipaVirtualOperation objectclass. > > Are we concerned that older replicas will not work if we change these to > ipaProtectedOperation based ACIs ? (unless their DS is fixed, there were > bugs). I am concerned. One more reason to wait a bit and keep the old Virtual Operation behavior in 4.0 :-) Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel