Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy Fri, 05 Sep 2014 04:37:02 -0700

On Fri, 05 Sep 2014, Petr Viktorin wrote:

On 09/05/2014 09:18 AM, Martin Kosek wrote:

On 09/05/2014 09:03 AM, Alexander Bokovoy wrote:

On Fri, 05 Sep 2014, Alexander Bokovoy wrote:

On Thu, 04 Sep 2014, Martin Kosek wrote:

On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:

On Wed, 03 Sep 2014, Martin Kosek wrote:

On 09/03/2014 03:15 PM, Petr Viktorin wrote:

On 09/03/2014 02:27 PM, Petr Viktorin wrote:

On 09/03/2014 01:27 PM, Petr Viktorin wrote:

Hello,
This adds managed read permissions to the compat tree.


For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.

I'm unsure if this is what we want to do for groups, but "Read Group
Membership" is only granted to authenticated users by default, and the
compat tree exposes memberuid.

https://fedorahosted.org/freeipa/ticket/4521


Self-NACK, there's a typo (though I could swear I tested this :/)


Fixed patch attached.


I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
see if there are no reservations from Alexander or Rob.

I think we need a bit more fixes. Here is ACL log for an anonymous
request:

[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
"cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
by aci(38): aciname= "permission:System: Read User
Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
to anonymous: no aci matched the subject by aci(18): aciname= "Admin can
manage
any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous:
cached allow by aci(38)

createTimestamp is operational attribute and is synthesized by
slapi-nis, there is no problem allowing access to it. I think we can
allow following operational attributes:

createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates


Ah, ok, probably yes. At least for some of them - CCing Simo. For example
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we
consider that a public information or juts audit-like information for DM only?

Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
run ipa-adtrust-install on this machine yet.


I do not think that this attribute is written to cn=compat (did not see it in
config) - is it?


The same set should be allowed for primary tree.


IMO this should be just one global permission/ACI, set for DIT root.


I experimented a bit, by setting SSSD with a simple LDAP provider
talking to a compat tree (with views enabled, but that doesn't change
anything) and I think we need to move to ipabindpermruletype=anonymous
or otherwise such setup will not work at all. Attached is my take at it
on top of Petr's patchset.

You can ignore views-related ACIs for time being.

Scratch that, it was older version with duplicate entries.

Proper one is attached.


Thanks! Looks sane to me. We would just need to remove Views related ACIs for
the 4.0.x version that we will need for today.


Thanks indeed!

Here is the patched patch. The Read Operational Attributes permission issplit for createtimestamp/modifytimestamp/entryusn (anonymous) andcreatorsname/modifiersname (authenticated).

Thanks! ACK.

Only admins can read the cn=compat entry itself. I don't think that's anissue though.

It is an empty virtual entry that doesn't exist anywhere and is
synthesized by slapi-nis on each request.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Reply via email to