Исаев Виталий Анатольевич wrote:
Dear colleagues, we faced with an issue of access differentiation for
junior IPA admins. Our idea was to create several (say, three – group1,
group2, group3) isolated groups with one junior admin per group.
The group isolation means that admin of group1 is not able to add to his
group neither users nor subgroups – members of other global groups (i.e.
group2, group3)
We have attempted to accomplish this by RBAC for every junior admin. It
was pointed out, that the admin can modify the objects (users,
subgroups) belonging to his group only. However, every user enrolled to
IPA can see all the other objects by default, therefore any junior admin
can add users and subgroups FROM THE OTHER isolated group to his group
with no restrictions.
So the question is – how to implement (the specified) group “isolation”
in IPA?
We’re running on the RHEL 6.4 with IPA 3.0. Thank you.
You need to create some custom permissions that limit the capabilities
by memberof.
I set up a simple system with a couple of users:
kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1
g1a1 is going to be my junior admin
Next I created a permission so junior admins can manage the telephone
number. This permission allows the phone number attribute to be written
only for members of the group g1.
ipa permission-add --attrs=telephonenumber --memberof=g1
--permissions=write g1_modify_members
ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1
So members of the group1 role can modify the telephonenumber attribute
of its members.
Let's see it in action:
kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
--------------------
Modified user "g1u1"
--------------------
User login: g1u1
First name: group1
Last name: user1
Home directory: /home/g1u1
Login shell: /bin/sh
Email address: g...@example.com
UID: 1197000004
GID: 1197000004
Telephone Number: 410-555-1212
Account disabled: False
Password: False
Member of groups: ipausers, g1
Kerberos keys available: False
Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'facsimileTelephoneNumber' attribute of entry
'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.
Change the phone number of a non-member of the group and it also fails
as expected:
ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'telephoneNumber' attribute of entry
'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
