On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
On Mon, 29 Aug 2016, Deepak Dimri wrote:
Hi All,
I have created below permission for my "testhostgroup" with the
expectation that this permission will only allow write permission to
the members of "testhostgroup" but, then it allows me to add/delete
other hostgroup members as well. I tried changing the effective
attribute to "memberof" instead of "member" but in vain as with that i
started getting permission denied error even on  testhostgroup itself.
*****

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--------------------------------------
Added permission "testhostgroup-modify"
--------------------------------------
Permission name: testhostgroup-modify
Granted rights: write
Effective attributes: member
Bind rule type: permission
Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))******
How can i restrict permissions to manage only those hosts which are
part of a particular hostgroup? any help you could offer on this would
be much appreciated. I could not find much on similar issue in the
forum :( Thanks,Deepak                                  
The permission above says: "Allow changing 'member' attribute in the
testhostgroup object". I don't think this is what you wanted, according
to your explanation above.

Let's say you have host group 'myhostgroup':
# ipa hostgroup-add myhostgroup
-----------------------------
Added hostgroup "myhostgroup"
-----------------------------
Host-group: myhostgroup

and now you want to create a permission that would target hosts in the
host group. A member of that permission would be able to do anything
with the host.

First, you need to create a basic permission which applies to hosts:

# ipa permission-add manage-my-hostgroup --right=all --bindtype=permission --type=host --------------------------------------
Added permission "manage-my-hostgroup"
--------------------------------------
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Type: host
Permission flags: V2, SYSTEM

Now, look at the permission in detail:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
"permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
objectclass: ipapermission
objectclass: top
objectclass: groupofnames
objectclass: ipapermissionv2

As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
subtree, and target filter is set to (objectclass=ipahost). So it would
apply to any host. To further limit the permission, you have to add more
target filters. But to do so, you need to know DN of the hostgroup that
will be our target limit:

# ipa hostgroup-show --raw --all myhostgroup
dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
cn: myhostgroup
ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry

Now, using DN of the myhostgroup, you can add a filter to the
permission:

# ipa permission-mod manage-my-hostgroup --filter 
'(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
Sorry, a typo here^^ I copied wrong DN, it should be
cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test

not the managed entry DN.

-----------------------------------------
Modified permission "manage-my-hostgroup"
-----------------------------------------
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
Type: host
Permission flags: V2, SYSTEM

Check all details of the permission to see that ACI was actually
modified to include the filter:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = 
"(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 
3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
objectclass: ipapermission
objectclass: top
objectclass: groupofnames
objectclass: ipapermissionv2


Our ACI says: "Allow any changes to be done in all objects of
objectclass ipahost that belong to a host group 'myhostgroup' to members
of the permission group 'manage-my-hostgroup'"

Now you can add the 'manage-my-hostgroup' permission to a new privilege
and a role, and then assign users to that role. Those users will be able
to manage hosts targeted by the permission.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to