On 06/19/2014 02:54 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
>> On 06/19/2014 02:43 PM, Simo Sorce wrote:
>>> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
>>>> I'll address the other issues separately.
>>>> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>>>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient 
>>>>> access:
>>>>> No such virtual command" error triggered by "cert-show" command.
>>>>> We will need to add the permission "System: Read Virtual Operations" that 
>>>>> Honza
>>>>> is creating also to "Host Administrators" to fix that part.
>>>> I'm not familiar with Honza's effort, but that seems right.
>>>> I'm curious, why don't we just allow reading virtual operations by 
>>>> anybody? It seems to me they're the same in every IPA installation, 
>>>> what's there to hide?
>>>> Anyway, I poked around in how it works now: for cert-show you need write 
>>>> access to the objectClass of the "retrieve certificate" virt op entry. 
>>>> So that right you can actually remove the "ipaVirtualOperation" 
>>>> objectClass.
>>>> Aand the new "Anonymous read access to containers" ACI has a 
>>>> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for 
>>>> a virt op can allow everyone see that virt op).
>>>> Shouldn't we base the check on some other attribute instead?
>>>> And curiously, for cert-find there is no virt op based access check.
>>> I wonder if we can replace some of these with the ipaProtectedOperation
>>> machinery, it works better for protecting itself from manipulation.
>>> Simo.
>> Yup, as I said in other part of this thread, we should invent something 
>> better
> Well given we already have something better introduced with the
> getkeytab patches, maybe we can go ahead and start using them ?

Well yeah, I have the same opinion as you do, we should consider using
ipaProtectedOperation for Virtual Operations. I just said we may not be able to
do it directly in 4.0.

>> eventually for Virtual Operations. For 4.0, I would just keep previous 
>> behavior
>> and dump ipaVirtualOperation objectclass.
> Are we concerned that older replicas will not work if we change these to
> ipaProtectedOperation based ACIs ? (unless their DS is fixed, there were
> bugs).

I am concerned. One more reason to wait a bit and keep the old Virtual
Operation behavior in 4.0 :-)


Freeipa-devel mailing list

Reply via email to