On 09/23/2014 08:58 PM, Simo Sorce wrote:
> On Tue, 23 Sep 2014 17:18:38 +0200
> Martin Kosek <mko...@redhat.com> wrote:
>> On 09/22/2014 09:48 PM, Alexander Bokovoy wrote:
>>> On Mon, 22 Sep 2014, Martin Basti wrote:
>>>> Related ticket: https://fedorahosted.org/freeipa/ticket/3644
>>>> 1) API
>>>> The ipaKrb5DelegationACL objectclass requires targets which are
>>>> stored in extra objectclass.
>>>> A) we allow users to create groups of principals and then
>>>> associate them as targets -- user can use same group for multiple
>>>> delegation ACL
>>>> B) users specify only list of target principals (no groups)
>>>> B seems better to me.
>>> You have three clearly separate object types here:
>>> 1. Principals -- any object in the tree that has krbPrincipalAux
>>> supplemental auxiliary object class. These objects can be anywhere
>>> in the tree, we can decide on limiting subtrees to search.
>>> 2. Delegation ACLs -- any object that has ipaKrb5DelegationACL
>>> supplemental structural object class. These objects can be anywhere
>>> under cn=s4u2proxy,$SUFFIX
>>> 3. Groups of principals -- any object that has groupOfPrincipals
>>> _and_ doesn't have ipaKrb5DelegationACL object classes. These
>>> objects can be anywhere in the tree, we can decide on limiting
>>> subtrees to search and can decide on a specific subtree to put new
>>> groups of principals.
>>> For (1) you just need to be able to reference principals, this only
>>> requires a search filter to define DN of the principal based on
>>> krbPrincipalName or krbCanonicalName, with support for 'shortcuts'
>>> (specifying principal without realm which is our realm).
>>> (1) is only used to resolve principals for (2) and (3).
>>> For (2) you need to implement a proper object handling, like any
>>> other IPA object that supports:
>>> -- multiple values for ipaAllowToImpersonate
>>> -- multiple values for ipaAllowedTarget
>>> CLI would look something like this:
>>> ipa krbdelegation-add
>>> For (3) you need to implement a proper object handling where
>>> creating the object would happen in the predefined subtree but
>>> search or modify would be possible for any object matched by a
>>> proper filter.
>>> CLI would look something like this:
>>> ipa krbprincipalgroup-add
>>> The way we use right now groupOfPrincipals, the objects referenced
>>> are placed in different subtrees, according to their primary role.
>>> That's right, as krbPrincipalAux is an auxiliary class, and is
>>> added on top of other object classes to turn other objects into
>>> principals. We also use groupOfPrincipals not only for Kerberos
>>> delegation ACLs, that's why support for multiple subtrees is needed.
>>> Creating new groupOfPrincipals objects can be allowed in a single
>>> designated place, cn=s4u2proxy,$SUFFIX, because this is primary use
>>> of this API.
>> Alexander's proposal makes sense to me. I would just personally name
>> the commands differently to share the same prefix. I.e.
>> ipa krbdelegation-*
>> ipa krbdelegationgroup-*
>> as we are not creating general purpose principal groups but only
>> groups for S4U2Proxy usage.
>> I would also reconsider your request to search for the objects in the
>> whole s4u2proxy tree. Across FreeIPA framework, we handle objects in
>> static and defined location of our tree, not in the entire subtree.
>> I think we should although indeed consider adding group of principals
>> to own nsContainer (like cn=targets) as otherwise we will have a
>> clash between krbdelegation rule names and krbdelegationgroup names.
> Keep in mind that we already have a few rules in there and the groups
> are in the same container, the names are different as the groups are
> named <rule-name>-targets, so we'll have to keep using a subtree
> search, but that is fine cn=s4u2proxy has no subtree atm.
Ok, it is true I was also thinking how to deal with existing s4u2 proxy rules.
It would be best to simply move current targets to cn=targets too, but if they
are already referred to from elsewhere it may be a too drastic move (though
would allow us to start with clean approach and no exceptions).
However, I still think we should have a special container for user custom rules
(cn=targets or similar) to not deal with name clashes on targets groups and
Freeipa-devel mailing list