Hi all (especially developers),

Long ago I posted a question about restriction of access to parts of the 
openca interfaces. There was no solution to it.
I am trying to do this with RBAC, but the system is too rigid.

The problem is the following.
I have two web-pages on my openca Public interface:

1) Page for users to request certificates
2) Page for administrators to request certificates for their hosts

The first page is of public access, everybody can send a request for a user 
certificate. However, the second page should be available to those users 
only (administrators) who possess a valid user certificate from my CA. This 
is a common practice: to oblige host certificate requesters to have 
already the certificate from the given CA.

I tried to use the OpenCA RBAC mechanism to restrict access to the second 
page. For that I added a separate command HostCSR (basically the copy of 
the basic_csr script for CSR generation) and modified the rbac/acl.xml.template 
file to have the following:

=============================================================
      <permission>
        <module>(0|@pub_module_id@)</module>
        <role>.*</role>
        <operation>csr new</operation>
        <owner>.*</owner>
      </permission>

      <permission>
        <module>(0|@pub_module_id@)</module>
        <role>User</role>
        <operation>csr new for hosts or services</operation>
        <owner>.*</owner>
      </permission>
=============================================================

As one can see, everybody (regardless of the role assigned to their 
certificate/login name) is allowed to execute the basic_csr script (first 
part), and only those with the 'User' role are allowed to execute HostCSR 
(second part).

Now when I log in with my User certificate (which is issued by my CA, 
registered with database on Public interface node, and has the role 
'User' assigned), my certificate IS NOT retrieved from database and the 
role assigned to it IS NOT changed, because in access_control/pub.xml file 
which controls the authentication method for the interface I have 

======================
<login>
<type> none </type>
</login> 
======================

Apparently, I cannot have other authentication method because I need 
UNRESTRICTED access to user certificate request page.

Later, when it comes to execution of the HostCSR command, the system examines 
the acl.xml file, fetches the role 'User' and compares it with the role of 
the host certificate requester, which is EMPTY. As a result I have a 
"Permission denied" error.

In fact the access control is controlled on the interface level (pub, ra, 
node), not at the level of commands. This is too rigid.
What do developers think about making access control more fine-grained?

I would also appreciate any solution to this problem (currently I am 
implementing one: getting the DN of the certificate which the user uses to access 
the host CSR generation page from apache, searching for it in the 
database, checking the role of the certificate found and granting access to 
the page if the role is 'User'. But this solution is clumsy. I would 
like a more light-weight one.)

I am asking specially implementers of openca RBAC system not to ignore 
this e-mail.

Thanks, 
Arsen.

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
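
The workaround described in the message (take the client certificate DN from Apache, look it up, check its role), as an added example that is not part of the original post and not OpenCA code. It assumes ACL entries are matched as anchored regular expressions and that Apache mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN; CERT_DB, the DNs and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The two <permission> entries from the post; @pub_module_id@ is left unexpanded.
ACL_XML = """<acl>
  <permission><module>(0|@pub_module_id@)</module><role>.*</role>
    <operation>csr new</operation><owner>.*</owner></permission>
  <permission><module>(0|@pub_module_id@)</module><role>User</role>
    <operation>csr new for hosts or services</operation><owner>.*</owner></permission>
</acl>"""

# Constructed stand-in for the certificate database: subject DN -> (status, role).
CERT_DB = {
    "CN=Alice Admin,O=Example,C=XX": ("VALID", "User"),
    "CN=Bob Revoked,O=Example,C=XX": ("REVOKED", "User"),
}

def load_acl(xml_text):
    """Return (role_pattern, operation_pattern) pairs from the ACL."""
    return [(p.findtext("role").strip(), p.findtext("operation").strip())
            for p in ET.fromstring(xml_text).iter("permission")]

def role_from_tls(env, cert_db):
    """Resolve a role from mod_ssl variables; empty string if no usable cert.

    With <type> none </type> the interface never sets a role, so this lookup
    is what fills it in for the one command that needs it.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return ""  # no certificate presented, or chain not verified by Apache
    status, role = cert_db.get(env.get("SSL_CLIENT_S_DN", ""), ("", ""))
    return role if status == "VALID" else ""  # revoked or unknown: no role

def allowed(acl, role, operation):
    """Assumed semantics: role and operation must each fully match an entry."""
    return any(re.fullmatch(r, role) and re.fullmatch(o, operation)
               for r, o in acl)

def check(env, operation, cert_db=CERT_DB):
    """Per-command decision: public commands pass with an empty role."""
    return allowed(load_acl(ACL_XML), role_from_tls(env, cert_db), operation)
```

The empty role still passes `csr new` because `.*` matches it, while the `User` entry fails, which is the "Permission denied" case from the message; the lookup rejects revoked and unverified certificates instead of trusting the DN alone.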
