On 10/03/2014 05:03 PM, Petr Vobornik wrote:
> On 3.10.2014 16:46, Simo Sorce wrote:
>>>>
>>>> I did not do any ACI work in the patch yet. I assume that we would like
>>>> to add the attr into  'System: Read Host|Service' permission. But I
>>>> think that write right should have its own permission.
>>>
>>> I have added 2 new permissions. Simo, are they OK?
>>>
>>> for services:
>>> 'System: Manage Service Keytab Permissions': {
>>>       'ipapermright': {'read', 'search', 'compare', 'write'},
>>>       'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>>>       'default_privileges': {'Service Administrators', 'Host
>>> Administrators'},
>>> },
>>>
>>> for hosts:
>>> 'System: Manage Host Keytab Permissions': {
>>>       'ipapermright': {'read', 'search', 'compare', 'write'},
>>>       'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>>>       'default_privileges': {'Host Administrators'},
>>> },
>>>
>>> I'm not sure about the write right for 'objectclass' but it's required
>>> in order to add 'ipaallowedoperations' oc.
>>
>> As long as it allows only to add/remove the specific value it should be fine.
>>
>> Can you please send the raw ACIs ?
>> I still find it difficult to reason on the security of the result without
>> looking at the lower level.
>>
> 
> in cn=computers,cn=accounts,dc=example,dc=com:
> 
> (targetattr = "createtimestamp || entryusn || ipaallowedtoperform ||
> modifytimestamp || objectclass")(targetfilter =
> "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab
> Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System:
> Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)
> 
> in cn=services,cn=accounts,dc=idm,dc=example,dc=com:
> 
> (targetattr = "createtimestamp || entryusn || ipaallowedtoperform ||
> modifytimestamp || objectclass")(targetfilter =
> "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service
> Keytab Permissions";allow (compare,read,search,write) groupdn =
> "ldap:///cn=System: Manage Service Keytab
> Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)

I do not think this is what Simo wanted to see. IMO, by "allowing only a
specific value" he wanted to allow holders of a permission to
add/update/remove only selected operations, for example
ipaallowedtoperform;read_key.

The targetattr part should then only target ipaallowedtoperform;read_key and
not whole ipaallowedtoperform. (If that is really supported in DS ACI).

Martin

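As an added illustration of the point above (not code from the thread or from FreeIPA), the following parses the quoted 389-DS ACI and reports whether a holder of the permission can write the whole ipaallowedtoperform attribute or only one subtype such as ipaallowedtoperform;read_key. It assumes the single ACI shape shown in the thread, and the subtype semantics (a bare attribute name covering every subtype, "attr;subtype" covering only that subtype) are an assumption the list itself leaves open, not confirmed DS behaviour.

```python
import re

# Constructed sample: the "Manage Host Keytab Permissions" ACI quoted in the
# thread, joined onto one line.
HOST_ACI = (
    '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || '
    'modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")'
    '(version 3.0;acl "permission:System: Manage Host Keytab Permissions";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host '
    'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
)

# Constructed variant narrowed to the read_key subtype, as Martin suggests.
NARROW_ACI = HOST_ACI.replace("ipaallowedtoperform ||", "ipaallowedtoperform;read_key ||")

# Matches only the (targetattr)(targetfilter)(version 3.0; acl ...; allow (...) bind;) shape used above.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'(?:\(targetfilter\s*=\s*"(?P<filter>[^"]*)"\))?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.*?);\)$', re.S)

def parse_aci(aci):
    """Split one ACI into its target attributes, filter, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax")
    return {
        "targetattr": [a.strip().lower() for a in m["attrs"].split("||")],
        "targetfilter": m["filter"],
        "name": m["name"],
        "effect": m["effect"],
        "rights": {r.strip() for r in m["rights"].split(",")},
        "bind": m["bind"].strip(),
    }

def write_scope(parsed, attr):
    """Classify write access to `attr` (optionally 'attr;subtype').
    Assumption: a bare targetattr covers all subtypes; 'attr;subtype' only that one."""
    attr = attr.lower()
    base = attr.split(";")[0]
    if parsed["effect"] != "allow" or "write" not in parsed["rights"]:
        return "none"
    if base in parsed["targetattr"]:
        return "whole-attribute"
    if attr in parsed["targetattr"]:
        return "subtype-only"
    return "none"
```

Running write_scope over both ACIs shows the quoted one grants write on every ipaallowedtoperform subtype, while the narrowed one grants it for read_key alone.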
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel