Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/28/2014 11:17 AM, Alexander Bokovoy wrote:
> On Mon, 28 Apr 2014, Martin Kosek wrote:
>> On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
>>> On Fri, 25 Apr 2014, Petr Viktorin wrote:
>>>> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>>>>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>>>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>>>> - ipaNTFlatName
>>>>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>>>>> - cn
>>>>>>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>>>>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>>>> ipantsupportedencryptiontypes
>>>>>>>> ipanttrustattributes
>>>>>>>> ipanttrustauthincoming
>>>>>>>> ipanttrustauthoutgoing
>>>>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>>>>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>>>>>>> I agree.
>>>>>>> +1
>>>>>>> Simo.
>>>>>> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
>>>>>> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>>>>
>>>>>> Does that sound reasonable?
>>>>> This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:
>>>>>
>>>>> #define IPA_CN "cn"
>>>>> #define IPA_FLATNAME "ipaNTFlatName"
>>>>> #define IPA_SID "ipaNTSecurityIdentifier"
>>>>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>>>>
>>>>> So I am OK with the patch as is.
>>>>>
>>>>> However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:
>>>>>
>>>>> # ipa trust-find
>>>>>
>>>>> 0 trusts matched
>>>>>
>>>>> Number of entries returned 0
>>>>>
>>>>> IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.
>>>>>
>>>>> With this patch enabled, I have this output as regular user:
>>>>>
>>>>> # ipa trust-find
>>>>> ---
>>>>> 1 trust matched
>>>>> ---
>>>>> Realm name: tbad.example.com
>>>>> Domain NetBIOS name: TBAD
>>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>>
>>>>> Number of entries returned 1
>>>>>
>>>>> # ipa trust-show tbad.example.com
>>>>> Realm name: tbad.example.com
>>>>> Domain NetBIOS name: TBAD
>>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>>
>>>>> # ipa trustdomain-find tbad.example.com
>>>>> Domain name: child.tbad.example.com
>>>>> Domain NetBIOS name: CHILD
>>>>> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>>>>
>>>>> Domain name: tbad.example.com
>>>>> Domain NetBIOS name: TBAD
>>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>>
>>>>> Number of entries returned 2
>>>>>
>>>>> The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not available to everyone.
>>>>>
>>>>> Martin
>>>> The patch looks good to me, but I think Alexander is better qualified to review it.
>>> ACK.
>> Thanks Alexander. I assume you are also ok with Petr's 529.2 I used as a base. (there is also a pending patch 530 also touching this trust plugin area.)
> Yes. As I said in the other thread, I only slightly worried with SID blacklists visibility (or lack thereof) with the latest changes but we should handle that as a separate patchset (if any).

I've rebased my patch, and pushed both to master: 5d832c342608fd567ea258c1d506cae28f6b0abf

--
Petr³

From 51521f5c5c105687f559de74b4a9b1ff12334620 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed rea
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Mon, 28 Apr 2014, Martin Kosek wrote:
> On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
>> On Fri, 25 Apr 2014, Petr Viktorin wrote:
>>> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>>>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>>> - ipaNTFlatName
>>>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>>>> - cn
>>>>>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>>>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>>> ipantsupportedencryptiontypes
>>>>>>> ipanttrustattributes
>>>>>>> ipanttrustauthincoming
>>>>>>> ipanttrustauthoutgoing
>>>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>>>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>>>>>> I agree.
>>>>>> +1
>>>>>> Simo.
>>>>> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
>>>>> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>>>
>>>>> Does that sound reasonable?
>>>> This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:
>>>>
>>>> #define IPA_CN "cn"
>>>> #define IPA_FLATNAME "ipaNTFlatName"
>>>> #define IPA_SID "ipaNTSecurityIdentifier"
>>>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>>>
>>>> So I am OK with the patch as is.
>>>>
>>>> However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:
>>>>
>>>> # ipa trust-find
>>>>
>>>> 0 trusts matched
>>>>
>>>> Number of entries returned 0
>>>>
>>>> IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.
>>>>
>>>> With this patch enabled, I have this output as regular user:
>>>>
>>>> # ipa trust-find
>>>> ---
>>>> 1 trust matched
>>>> ---
>>>> Realm name: tbad.example.com
>>>> Domain NetBIOS name: TBAD
>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>
>>>> Number of entries returned 1
>>>>
>>>> # ipa trust-show tbad.example.com
>>>> Realm name: tbad.example.com
>>>> Domain NetBIOS name: TBAD
>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>
>>>> # ipa trustdomain-find tbad.example.com
>>>> Domain name: child.tbad.example.com
>>>> Domain NetBIOS name: CHILD
>>>> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>>>
>>>> Domain name: tbad.example.com
>>>> Domain NetBIOS name: TBAD
>>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>>
>>>> Number of entries returned 2
>>>>
>>>> The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not available to everyone.
>>>>
>>>> Martin
>>> The patch looks good to me, but I think Alexander is better qualified to review it.
>> ACK.
> Thanks Alexander. I assume you are also ok with Petr's 529.2 I used as a base. (there is also a pending patch 530 also touching this trust plugin area.)

Yes. As I said in the other thread, I only slightly worried with SID blacklists visibility (or lack thereof) with the latest changes but we should handle that as a separate patchset (if any).

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/28/2014 10:02 AM, Alexander Bokovoy wrote:
> On Fri, 25 Apr 2014, Petr Viktorin wrote:
>> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>>> - ipaNTFlatName
>>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>>> - cn
>>>>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>> ipantsupportedencryptiontypes
>>>>>> ipanttrustattributes
>>>>>> ipanttrustauthincoming
>>>>>> ipanttrustauthoutgoing
>>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>>>>> I agree.
>>>>> +1
>>>>> Simo.
>>>> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
>>>> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>>
>>>> Does that sound reasonable?
>>> This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:
>>>
>>> #define IPA_CN "cn"
>>> #define IPA_FLATNAME "ipaNTFlatName"
>>> #define IPA_SID "ipaNTSecurityIdentifier"
>>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>>
>>> So I am OK with the patch as is.
>>>
>>> However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:
>>>
>>> # ipa trust-find
>>>
>>> 0 trusts matched
>>>
>>> Number of entries returned 0
>>>
>>> IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.
>>>
>>> With this patch enabled, I have this output as regular user:
>>>
>>> # ipa trust-find
>>> ---
>>> 1 trust matched
>>> ---
>>> Realm name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>
>>> Number of entries returned 1
>>>
>>> # ipa trust-show tbad.example.com
>>> Realm name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>
>>> # ipa trustdomain-find tbad.example.com
>>> Domain name: child.tbad.example.com
>>> Domain NetBIOS name: CHILD
>>> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>>
>>> Domain name: tbad.example.com
>>> Domain NetBIOS name: TBAD
>>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>>
>>> Number of entries returned 2
>>>
>>> The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier a
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Fri, 25 Apr 2014, Petr Viktorin wrote:
> On 04/23/2014 02:46 PM, Martin Kosek wrote:
>> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>>> SSSD subdomains support needs:
>>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>>> - ipaNTFlatName
>>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>>> - cn
>>>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>> ipantsupportedencryptiontypes
>>>>> ipanttrustattributes
>>>>> ipanttrustauthincoming
>>>>> ipanttrustauthoutgoing
>>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>>>> I agree.
>>>> +1
>>>> Simo.
>>> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
>>> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>>
>>> Does that sound reasonable?
>> This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:
>>
>> #define IPA_CN "cn"
>> #define IPA_FLATNAME "ipaNTFlatName"
>> #define IPA_SID "ipaNTSecurityIdentifier"
>> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>>
>> So I am OK with the patch as is.
>>
>> However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:
>>
>> # ipa trust-find
>>
>> 0 trusts matched
>>
>> Number of entries returned 0
>>
>> IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.
>>
>> With this patch enabled, I have this output as regular user:
>>
>> # ipa trust-find
>> ---
>> 1 trust matched
>> ---
>> Realm name: tbad.example.com
>> Domain NetBIOS name: TBAD
>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>
>> Number of entries returned 1
>>
>> # ipa trust-show tbad.example.com
>> Realm name: tbad.example.com
>> Domain NetBIOS name: TBAD
>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>
>> # ipa trustdomain-find tbad.example.com
>> Domain name: child.tbad.example.com
>> Domain NetBIOS name: CHILD
>> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>>
>> Domain name: tbad.example.com
>> Domain NetBIOS name: TBAD
>> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>>
>> Number of entries returned 2
>>
>> The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not available to everyone.
>>
>> Martin
> The patch looks good to me, but I think Alexander is better qualified to review it.

ACK.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/23/2014 02:46 PM, Martin Kosek wrote:
> On 04/22/2014 01:38 PM, Petr Viktorin wrote:
>> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>> SSSD subdomains support needs:
>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>> - ipaNTFlatName
>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>> - cn
>>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>> ipantsupportedencryptiontypes
>>>> ipanttrustattributes
>>>> ipanttrustauthincoming
>>>> ipanttrustauthoutgoing
>>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>>> I agree.
>>> +1
>>> Simo.
>> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
>> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>>
>> Does that sound reasonable?
> This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:
>
> #define IPA_CN "cn"
> #define IPA_FLATNAME "ipaNTFlatName"
> #define IPA_SID "ipaNTSecurityIdentifier"
> #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
>
> So I am OK with the patch as is.
>
> However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:
>
> # ipa trust-find
>
> 0 trusts matched
>
> Number of entries returned 0
>
> IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.
>
> With this patch enabled, I have this output as regular user:
>
> # ipa trust-find
> ---
> 1 trust matched
> ---
> Realm name: tbad.example.com
> Domain NetBIOS name: TBAD
> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>
> Number of entries returned 1
>
> # ipa trust-show tbad.example.com
> Realm name: tbad.example.com
> Domain NetBIOS name: TBAD
> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>
> # ipa trustdomain-find tbad.example.com
> Domain name: child.tbad.example.com
> Domain NetBIOS name: CHILD
> Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>
> Domain name: tbad.example.com
> Domain NetBIOS name: TBAD
> Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>
> Number of entries returned 2
>
> The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not available to everyone.
>
> Martin

The patch looks good to me, but I think Alexander is better qualified to review it.

--
Petr³
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/22/2014 01:38 PM, Petr Viktorin wrote:
> On 04/16/2014 05:56 PM, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>> SSSD subdomains support needs:
>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>> - ipaNTFlatName
>>>>>>> - ipaNTSecurityIdentifier
>>>>>>> - ipaNTTrustedDomainSID
>>>>>>> - cn
>>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
>>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>>> Yes. Authenticated users shouldn't get any access to those details:
>>> ipantsupportedencryptiontypes
>>> ipanttrustattributes
>>> ipanttrustauthincoming
>>> ipanttrustauthoutgoing
>>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>>> I agree.
>> +1
>> Simo.
> All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
> ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
>
> Does that sound reasonable?

This is all that's needed from SSSD side, I just verified in sssd git. sssd indeed only uses these attributes:

#define IPA_CN "cn"
#define IPA_FLATNAME "ipaNTFlatName"
#define IPA_SID "ipaNTSecurityIdentifier"
#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"

So I am OK with the patch as is.

However, with this ACI, regular users will not be able to show Trusts with command line even though they have access to the basic information:

# ipa trust-find

0 trusts matched

Number of entries returned 0

IMO trust command should be able to return the information that the user is allowed to see. I prepared a patch to make the read part of trust.py more resilient to missing attributes. Attached.

With this patch enabled, I have this output as regular user:

# ipa trust-find
---
1 trust matched
---
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726

Number of entries returned 1

# ipa trust-show tbad.example.com
Realm name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726

# ipa trustdomain-find tbad.example.com
Domain name: child.tbad.example.com
Domain NetBIOS name: CHILD
Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075

Domain name: tbad.example.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726

Number of entries returned 2

The only bigger change I did was to filter trust root domains by ipaNTSecurityIdentifier and not ipaNTSIDBlacklistIncoming which is not available to everyone.

Martin

From e3b84761216774f1ff94ea3bd482ec8119e8d19c Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 23 Apr 2014 14:32:01 +0200
Subject: [PATCH] Make trust objects available to regular users

With global read ACI removed, some of the trust and trustdomain attributes are not available. Make trust plugin resilient to these missing attributes and let it return the available information.
---
 ipalib/plugins/trust.py | 30 +++---
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/trust.py b
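The behaviour Martin describes above (a read permission that grants only some attributes, and a trust-find that silently returned nothing to a regular user until the root-trust filter was moved from ipaNTSIDBlacklistIncoming to ipaNTSecurityIdentifier) can be modelled outside the server. The Python below is an added example for this page, not FreeIPA code and not Martin's patch; the entries, DNs and SIDs are constructed, and the simplified ACI/filter model (only presence filters of the form `(attr=*)`, evaluated over the attributes the bound principal may read) is an assumption. The attribute set mirrors the 'System: Read Trust Information' permission from Petr's 0529 patch.

```python
"""Constructed model of a managed read permission and a presence-filter
search: not FreeIPA code, an illustration for this thread only."""

# Attribute set of the 'System: Read Trust Information' permission
# (granted to all authenticated users). Names are compared
# case-insensitively, as LDAP attribute types are.
READ_TRUST_INFORMATION = {
    'cn', 'objectclass',
    'ipantflatname', 'ipantsecurityidentifier',
    'ipanttrusteddomainsid',
}

# Constructed sample entries under cn=trusts (DNs and SIDs are made up).
TRUSTS_BASE = 'cn=ad,cn=trusts,dc=example,dc=com'
ENTRIES = [
    {   # root trust entry: both objectclasses, plus the private ipasam
        # attributes that regular users must not see
        'dn': 'cn=tbad.example.com,' + TRUSTS_BASE,
        'objectClass': ['ipaNTTrustedDomain', 'ipaNTDomainAttrs'],
        'cn': ['tbad.example.com'],
        'ipaNTFlatName': ['TBAD'],
        'ipaNTSecurityIdentifier': ['S-1-5-21-1-2-3'],
        'ipaNTTrustedDomainSID': ['S-1-5-21-1-2-3'],
        'ipaNTSIDBlacklistIncoming': ['S-1-0', 'S-1-1'],
        'ipaNTTrustAuthIncoming': [b'opaque blob'],
    },
    {   # child trust domain: ipaNTTrustedDomain only, no ipaNTDomainAttrs
        'dn': 'cn=child.tbad.example.com,cn=tbad.example.com,' + TRUSTS_BASE,
        'objectClass': ['ipaNTTrustedDomain'],
        'cn': ['child.tbad.example.com'],
        'ipaNTFlatName': ['CHILD'],
        'ipaNTTrustedDomainSID': ['S-1-5-21-4-5-6'],
    },
]


def readable_view(entry, allowed):
    """The entry as seen by a principal whose read access is limited to the
    attribute names in `allowed`; allowed=None models full read access
    (for instance a member of trust admins)."""
    return {k: v for k, v in entry.items()
            if k == 'dn' or allowed is None or k.lower() in allowed}


def presence_search(entries, attr, allowed):
    """Subtree search with filter (attr=*). The directory evaluates the
    filter against attributes the bound principal may read/search, so an
    attribute hidden by the ACI never matches even when the entry has it."""
    results = []
    for entry in entries:
        view = readable_view(entry, allowed)
        if any(k.lower() == attr.lower() for k in view if k != 'dn'):
            results.append(view)
    return results


def trust_find(entries, allowed, root_filter_attr):
    """trust-find lists root trusts only. Which presence filter separates
    roots from child trustdomain entries decides what a limited caller sees:
    ipaNTSIDBlacklistIncoming lies outside the permission, while
    ipaNTSecurityIdentifier lies inside it and is only set on root entries."""
    return [(e['cn'][0], e['ipaNTFlatName'][0], e['ipaNTTrustedDomainSID'][0])
            for e in presence_search(entries, root_filter_attr, allowed)]


def trustdomain_find(entries, allowed, realm):
    """trustdomain-find lists every domain in a trust's subtree, root included;
    it needs nothing outside the permission."""
    suffix = 'cn=%s,%s' % (realm, TRUSTS_BASE)
    return [(e['cn'][0], e['ipaNTTrustedDomainSID'][0])
            for e in presence_search(entries, 'ipaNTTrustedDomainSID', allowed)
            if e['dn'] == suffix or e['dn'].endswith(',' + suffix)]


if __name__ == '__main__':
    user = READ_TRUST_INFORMATION
    # Regular user, old filter: the blacklist attribute is unreadable -> []
    print(trust_find(ENTRIES, user, 'ipaNTSIDBlacklistIncoming'))
    # Regular user, new filter on a granted attribute -> the root trust
    print(trust_find(ENTRIES, user, 'ipaNTSecurityIdentifier'))
    # Trust admin (full read): either filter finds the root trust
    print(trust_find(ENTRIES, None, 'ipaNTSIDBlacklistIncoming'))
    print(trustdomain_find(ENTRIES, user, 'tbad.example.com'))
```

The point is the one the thread makes: the server applies the ACI to filter evaluation as well as to returned attributes, so a filter in the plugin's read path must stay within the attribute set held by the weakest intended reader, otherwise the search fails closed with zero results rather than with an error.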
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/16/2014 05:56 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>> Can you please list exactly which ones are needed ?
>>>>>> SSSD subdomains support needs:
>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>> - ipaNTFlatName
>>>>>> - ipaNTSecurityIdentifier
>>>>>> - ipaNTTrustedDomainSID
>>>>>> - cn
>>> Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID bl­acklists...
>> Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.
>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
>> Yes. Authenticated users shouldn't get any access to those details:
>> ipantsupportedencryptiontypes
>> ipanttrustattributes
>> ipanttrustauthincoming
>> ipanttrustauthoutgoing
>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
>>>> 'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.
>>> Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
>> I agree.
> +1
> Simo.

All right. Now I'm replacing the global anonymous read ACI; converting the others will come later. The existing agents/admins ACIs grant the 'read' (or 'all') right already.
ipaIDRange is covered in the range plugin, so what's left for this patch is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.

Does that sound reasonable?

--
Petr³

From 6cb4199fcc3a10a288734fff513b1e24bce45cd7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to trust

A single permission is added to cover trust, trustconfig, and trustdomain.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/trust.py | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index de838803f5c1046fedbc3b811ed28282f0890cd9..82972b3691ad65d7fdaa10f710a6485f7e9a0a6d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -312,6 +312,21 @@ class trust(LDAPObject):
 search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ]
+managed_permissions = {
+'System: Read Trust Information': {
+# Allow reading of attributes needed for SSSD subdomains support
+'non_object': True,
+'ipapermlocation': DN(container_dn, api.env.basedn),
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'objectclass',
+'ipantflatname', 'ipantsecurityidentifier',
+'ipanttrusteddomainsid',
+},
+},
+}
 
 label = _('Trusts')
 label_singular = _('Trust')
--
1.9.0
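Review bot: the `ipapermdefaultattr` set in this hunk omits `ipantsidblacklistincoming` and `ipantsidblacklistoutgoing`, which the context line shows `search_display_attributes` still lists, so any search filter or display path in trust.py that depends on those attributes returns nothing for a principal that holds only this permission (the thread reports `ipa trust-find` showing 0 trusts for a regular user). Either extend the `# Allow reading of attributes needed for SSSD subdomains support` comment to state that the plugin's read path may rely only on the attributes granted here, or land this together with the trust.py change that selects root trusts by `ipaNTSecurityIdentifier` instead of the blacklist attribute. The bind rule `'ipapermbindruletype': 'all'` combined with the listed attributes matches the minimal SSSD set agreed above (cn, objectclass, ipaNTFlatName, ipaNTSecurityIdentifier, ipaNTTrustedDomainSID), so the attribute list itself looks right.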
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/16/2014 06:56 PM, Sumit Bose wrote:
> On Wed, Apr 16, 2014 at 04:59:55PM +0300, Alexander Bokovoy wrote:
>> On Wed, 16 Apr 2014, Simo Sorce wrote:
...
>>> Can you please list exactly which ones are needed ?
...
>> - objectclass ipaIDRange
>> - cn
>> - ipaBaseID
>> - ipaIDRangeSize
>> - ipaBaseRID
>> - ipaSecondaryBaseRID
>
> iparangetype and ipanttrusteddomainsid are needed as well.
>
> bye,
> Sumit
>

Thanks. But in case of ID Ranges we are safe as we exposed all ID range attributes to all authenticated users (hosts). Trust objects are different, we plan to have at least 2 permissions so that only needed attributes are exposed.

Martin
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, Apr 16, 2014 at 04:59:55PM +0300, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>>>> +'ipanttrustposixoffset',
>>>>> 'ipantsupportedencryptiontypes',
>>>>> +'ipantsidblacklistincoming',
>>>>> 'ipantsidblacklistoutgoing',
>>>>> +# ipaNTDomainAttrs:
>>>>> +'ipantsecurityidentifier', 'ipantflatname',
>>>>> 'ipantdomainguid',
>>>>> +'ipantfallbackprimarygroup',
>>>>> +},
>>>>> +},
>>>>> +}
>>>>>
>>>>> label = _('Trusts')
>>>>> label_singular = _('Trust')
>>>> In general I am not sure all authenticated users need access to all this info. Alexander ?
>>> SSSD needs to read some of this information for subdomains support.
>>> That would be at least host/*@REALM who needs to access it.
>> Can you please list exactly which ones are needed ?
> SSSD subdomains support needs:
> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
> - ipaNTFlatName
> - ipaNTSecurityIdentifier
> - ipaNTTrustedDomainSID
> - cn
>
> - objectclass ipaIDRange
> - cn
> - ipaBaseID
> - ipaIDRangeSize
> - ipaBaseRID
> - ipaSecondaryBaseRID

iparangetype and ipanttrusteddomainsid are needed as well.

bye,
Sumit

>> Simo.
>
> --
> / Alexander Bokovoy
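Review bot: the attribute list in the quoted hunk puts `ipantsupportedencryptiontypes`, `ipantsidblacklistincoming` and `ipantsidblacklistoutgoing` (and the ipaNTDomainAttrs extras `ipantdomainguid` and `ipantfallbackprimarygroup`) into the same permission as the attributes SSSD actually needs; given the objection quoted above that not all authenticated users need all of this, restrict this permission to `cn`, `objectclass`, `ipaNTFlatName`, `ipaNTSecurityIdentifier` and `ipaNTTrustedDomainSID` as listed in the reply, and move the remaining attributes into a separate permission granted to the adtrust agents and trust admins groups.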
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
> >In general I am not sure all authenticated users need access to all
> >this
> >info. Alexander ?
> SSSD needs to read some of this information for subdomains support.
> That would be at least host/*@REALM who needs to access it.
> >>>
> >>> Can you please list exactly which ones are needed ?
> >> SSSD subdomains support needs:
> >> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
> >> - ipaNTFlatName
> >> - ipaNTSecurityIdentifier
> >> - ipaNTTrustedDomainSID
> >> - cn
> >
> > Question is - is there any added value in hiding part of the
> > trust information from authenticated users? I.e. attributes like
> > ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
> > attribute anyway?), SID blacklists...
> Yes. Some of those attributes are needed as internal detail of ipasam --
> part of how Samba stores this information taken from specific DCE RPC
> structures.
>
> > If yes, we would need to split this permission in 2 and have one for
> > authenticated users and one for "Trust Administrators" and "Trust
> > Readers".
> Yes. Authenticated users shouldn't get any access to those details:
> ipantsupportedencryptiontypes
> ipanttrustattributes
> ipanttrustauthincoming
> ipanttrustauthoutgoing
>
> > >>>
> > >>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
> > >>> should
> > >>> then have this permission assigned so that samba can operate the
> > >>> attributes.
> > >> 'adtrust agents' and 'trust administrators' should have read, modify,
> > >> delete, and search on cn=trusts.
> > >>
> > >
> > >Right. We will probably want to turn most of ACIs in
> > >install/updates/60-trusts.update in managed permissions (i.e. defined in
> > >trust.py) and make "adtrust agents" and "trust admins" its members.
> I agree.
>

+1

Simo.
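The split the thread converges on, worked through as an added example (this is not FreeIPA code and not from anyone in the thread): the single 'System: Read Trusts' permission from the patch is modelled as a plain dict, a checker flags every attribute it exposes under the 'all' bind rule that Alexander lists as off-limits, and the permission is then split into a public part carrying only what SSSD needs and a restricted part for everything else. Assumptions, labelled in the code: 'ipapermlocation' is a placeholder string standing in for DN(container_dn, api.env.basedn); the restricted permission's name ('System: Read Trusts Internals'), its 'permission' bind rule type and its 'default_privileges' value ('Trust Admins') are illustrative choices, since the thread only says the second permission should go to "adtrust agents" and trust administrators.

```python
"""Added example, not FreeIPA code: detect and fix an over-broad managed
read permission on trust entries.

Assumptions: dict keys mirror the managed_permissions keys used in the
patch; 'ipapermlocation' is a placeholder string rather than a DN object;
the restricted permission's name, 'permission' bind rule type and
'default_privileges' value are illustrative, not decided by the thread.
"""

# Attributes the thread says authenticated users must not read
# (ipasam internals and trust credentials).
SENSITIVE_TRUST_ATTRS = frozenset({
    'ipantsupportedencryptiontypes',
    'ipanttrustattributes',
    'ipanttrustauthincoming',
    'ipanttrustauthoutgoing',
})

# Attributes SSSD subdomains support needs on trust entries;
# objectclass is kept so clients can find and type the entries.
SSSD_TRUST_ATTRS = frozenset({
    'cn', 'objectclass', 'ipantflatname',
    'ipantsecurityidentifier', 'ipanttrusteddomainsid',
})

# Placeholder for DN(container_dn, api.env.basedn) from the patch.
TRUSTS_LOCATION = 'cn=trusts,<SUFFIX>'

# The permission as posted: one read permission bound to 'all'
# (every authenticated user), listing every trust attribute.
SINGLE_PERMISSION = {
    'System: Read Trusts': {
        'non_object': True,
        'ipapermlocation': TRUSTS_LOCATION,
        'replaces_global_anonymous_aci': True,
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {
            'cn', 'objectclass',
            # ipaNTTrustedDomain:
            'ipanttrusttype', 'ipanttrustattributes',
            'ipanttrustdirection', 'ipanttrustpartner', 'ipantflatname',
            'ipanttrustauthoutgoing', 'ipanttrustauthincoming',
            'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
            'ipanttrustposixoffset', 'ipantsupportedencryptiontypes',
            'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
            # ipaNTDomainAttrs:
            'ipantsecurityidentifier', 'ipantdomainguid',
            'ipantfallbackprimarygroup',
        },
    },
}


def exposed_to_all_authenticated(permissions, sensitive=SENSITIVE_TRUST_ATTRS):
    """Return {permission name: sorted sensitive attrs} for every permission
    that grants 'read' under bind rule 'all' on a sensitive attribute."""
    findings = {}
    for name, spec in permissions.items():
        if spec.get('ipapermbindruletype') != 'all':
            continue
        if 'read' not in spec.get('ipapermright', ()):
            continue
        attrs = {a.lower() for a in spec.get('ipapermdefaultattr', ())}
        leaked = attrs & sensitive
        if leaked:
            findings[name] = sorted(leaked)
    return findings


def split_trust_permissions(single, public_attrs=SSSD_TRUST_ATTRS):
    """Split one 'all'-bound read permission in two: the public one keeps
    only public_attrs under 'all'; the restricted one gets the remaining
    attributes and is granted through a privilege ('permission' bind rule)
    instead of to every authenticated user."""
    (name, spec), = single.items()  # exactly one permission expected
    all_attrs = {a.lower() for a in spec['ipapermdefaultattr']}

    public = dict(spec)
    public['ipapermdefaultattr'] = all_attrs & public_attrs

    restricted = dict(spec)
    restricted['ipapermdefaultattr'] = all_attrs - public_attrs
    restricted['ipapermbindruletype'] = 'permission'
    # Only one of the two should replace the old global anonymous ACI.
    restricted.pop('replaces_global_anonymous_aci', None)
    # Illustrative privilege name (assumption); the thread names
    # 'trust admins' and 'adtrust agents' without fixing the privilege.
    restricted['default_privileges'] = {'Trust Admins'}

    # 'System: Read Trusts Internals' is a hypothetical name.
    return {name: public, name + ' Internals': restricted}


if __name__ == '__main__':
    print('as posted:', exposed_to_all_authenticated(SINGLE_PERMISSION))
    split = split_trust_permissions(SINGLE_PERMISSION)
    print('after split:', exposed_to_all_authenticated(split))
```

Running it reports the four attributes leaked by the single permission and an empty finding set after the split; the checker is deliberately generic over any managed_permissions-shaped dict so it can be pointed at other plugins' definitions.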
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 16 Apr 2014, Martin Kosek wrote:
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?
SSSD subdomains support needs:
- objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
- ipaNTFlatName
- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- cn

Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.

If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
ipantsupportedencryptiontypes
ipanttrustattributes
ipanttrustauthincoming
ipanttrustauthoutgoing

Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.
'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.

Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members.
I agree.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/16/2014 05:22 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
>> On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>> >> +'ipanttrusteddomainsid',
>>> >> 'ipanttrustforesttrustinfo',
>>> >> +'ipanttrustposixoffset',
>>> >> 'ipantsupportedencryptiontypes',
>>> >> +'ipantsidblacklistincoming',
>>> >> 'ipantsidblacklistoutgoing',
>>> >> +# ipaNTDomainAttrs:
>>> >> +'ipantsecurityidentifier', 'ipantflatname',
>>> >> 'ipantdomainguid',
>>> >> +'ipantfallbackprimarygroup',
>>> >> +},
>>> >> +},
>>> >> +}
>>> >>
>>> >> label = _('Trusts')
>>> >> label_singular = _('Trust')
>>> >
>>> >In general I am not sure all authenticated users need access to all
>>> >this
>>> >info. Alexander ?
>>> SSSD needs to read some of this information for subdomains support.
>>> That would be at least host/*@REALM who needs to access it.
>>
>> Can you please list exactly which ones are needed ?
> SSSD subdomains support needs:
> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
> - ipaNTFlatName
> - ipaNTSecurityIdentifier
> - ipaNTTrustedDomainSID
> - cn

Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...

>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>> part of how Samba stores this information taken from specific DCE RPC
>>> structures.

>>> If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".

>>> Yes. Authenticated users shouldn't get any access to those details:
>>> ipantsupportedencryptiontypes
>>> ipanttrustattributes
>>> ipanttrustauthincoming
>>> ipanttrustauthoutgoing
>>>
>>>
>>
>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
>> should
>> then have this permission assigned so that samba can operate the attributes.
> 'adtrust agents' and 'trust administrators' should have read, modify,
> delete, and search on cn=trusts.
>

Right. We will probably want to turn most of ACIs in install/updates/60-trusts.update in managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members. It'd make the ACIs more maintainable and install/updates/60-trusts.update would get much shorter.

Martin
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
>> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>> +'ipanttrustposixoffset',
>> 'ipantsupportedencryptiontypes',
>> +'ipantsidblacklistincoming',
>> 'ipantsidblacklistoutgoing',
>> +# ipaNTDomainAttrs:
>> +'ipantsecurityidentifier', 'ipantflatname',
>> 'ipantdomainguid',
>> +'ipantfallbackprimarygroup',
>> +},
>> +},
>> +}
>>
>> label = _('Trusts')
>> label_singular = _('Trust')
>
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?
SSSD subdomains support needs:
- objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
- ipaNTFlatName
- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- cn

Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.

If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
ipantsupportedencryptiontypes
ipanttrustattributes
ipanttrustauthincoming
ipanttrustauthoutgoing

Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.

'adtrust agents' and 'trust administrators' should have read, modify, delete, and search on cn=trusts.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
>> On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
> >> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
> >> +'ipanttrustposixoffset',
> >> 'ipantsupportedencryptiontypes',
> >> +'ipantsidblacklistincoming',
> >> 'ipantsidblacklistoutgoing',
> >> +# ipaNTDomainAttrs:
> >> +'ipantsecurityidentifier', 'ipantflatname',
> >> 'ipantdomainguid',
> >> +'ipantfallbackprimarygroup',
> >> +},
> >> +},
> >> +}
> >>
> >> label = _('Trusts')
> >> label_singular = _('Trust')
> >
> >In general I am not sure all authenticated users need access to all this
> >info. Alexander ?
> SSSD needs to read some of this information for subdomains support.
> That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?

>>> SSSD subdomains support needs:
>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>> - ipaNTFlatName
>>> - ipaNTSecurityIdentifier
>>> - ipaNTTrustedDomainSID
>>> - cn
>>
>> Question is - is there any added value in hiding part of the
>> trust information from authenticated users? I.e. attributes like
>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>> attribute anyway?), SID blacklists...
> Yes. Some of those attributes are needed as internal detail of ipasam --
> part of how Samba stores this information taken from specific DCE RPC
> structures.
>
>> If yes, we would need to split this permission in 2 and have one for
>> authenticated users and one for "Trust Administrators" and "Trust Readers".
> Yes. Authenticated users shouldn't get any access to those details:
> ipantsupportedencryptiontypes
> ipanttrustattributes
> ipanttrustauthincoming
> ipanttrustauthoutgoing
>
>

Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should then have this permission assigned so that samba can operate the attributes.

Martin
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
>> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>> +'ipanttrustposixoffset',
>> 'ipantsupportedencryptiontypes',
>> +'ipantsidblacklistincoming',
>> 'ipantsidblacklistoutgoing',
>> +# ipaNTDomainAttrs:
>> +'ipantsecurityidentifier', 'ipantflatname',
>> 'ipantdomainguid',
>> +'ipantfallbackprimarygroup',
>> +},
>> +},
>> +}
>>
>> label = _('Trusts')
>> label_singular = _('Trust')
>
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?
SSSD subdomains support needs:
- objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
- ipaNTFlatName
- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- cn

Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam -- part of how Samba stores this information taken from specific DCE RPC structures.

If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
ipantsupportedencryptiontypes
ipanttrustattributes
ipanttrustauthincoming
ipanttrustauthoutgoing

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>> >> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>> >> +'ipanttrustposixoffset',
>>> >> 'ipantsupportedencryptiontypes',
>>> >> +'ipantsidblacklistincoming',
>>> >> 'ipantsidblacklistoutgoing',
>>> >> +# ipaNTDomainAttrs:
>>> >> +'ipantsecurityidentifier', 'ipantflatname',
>>> >> 'ipantdomainguid',
>>> >> +'ipantfallbackprimarygroup',
>>> >> +},
>>> >> +},
>>> >> +}
>>> >>
>>> >> label = _('Trusts')
>>> >> label_singular = _('Trust')
>>> >
>>> >In general I am not sure all authenticated users need access to all this
>>> >info. Alexander ?
>>> SSSD needs to read some of this information for subdomains support.
>>> That would be at least host/*@REALM who needs to access it.
>>
>> Can you please list exactly which ones are needed ?
> SSSD subdomains support needs:
> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
> - ipaNTFlatName
> - ipaNTSecurityIdentifier
> - ipaNTTrustedDomainSID
> - cn

Question is - is there any added value in hiding part of the trust information from authenticated users? I.e. attributes like ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this attribute anyway?), SID blacklists...

If yes, we would need to split this permission in 2 and have one for authenticated users and one for "Trust Administrators" and "Trust Readers".

Martin
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
>> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>> +'ipanttrustposixoffset',
>> 'ipantsupportedencryptiontypes',
>> +'ipantsidblacklistincoming',
>> 'ipantsidblacklistoutgoing',
>> +# ipaNTDomainAttrs:
>> +'ipantsecurityidentifier', 'ipantflatname',
>> 'ipantdomainguid',
>> +'ipantfallbackprimarygroup',
>> +},
>> +},
>> +}
>>
>> label = _('Trusts')
>> label_singular = _('Trust')
>
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?

SSSD subdomains support needs:
- objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
- ipaNTFlatName
- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- cn

- objectclass ipaIDRange
- cn
- ipaBaseID
- ipaIDRangeSize
- ipaBaseRID
- ipaSecondaryBaseRID

Simo.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
> >> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
> >> +'ipanttrustposixoffset',
> >> 'ipantsupportedencryptiontypes',
> >> +'ipantsidblacklistincoming',
> >> 'ipantsidblacklistoutgoing',
> >> +# ipaNTDomainAttrs:
> >> +'ipantsecurityidentifier', 'ipantflatname',
> >> 'ipantdomainguid',
> >> +'ipantfallbackprimarygroup',
> >> +},
> >> +},
> >> +}
> >>
> >> label = _('Trusts')
> >> label_singular = _('Trust')
> >
> >In general I am not sure all authenticated users need access to all this
> >info. Alexander ?
> SSSD needs to read some of this information for subdomains support.
> That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?

Simo.
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 16 Apr 2014, Simo Sorce wrote:
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+'ipanttrustposixoffset', 'ipantsupportedencryptiontypes',
+'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
+# ipaNTDomainAttrs:
+'ipantsecurityidentifier', 'ipantflatname', 'ipantdomainguid',
+'ipantfallbackprimarygroup',
+},
+},
+}

label = _('Trusts')
label_singular = _('Trust')

In general I am not sure all authenticated users need access to all this info. Alexander ?

SSSD needs to read some of this information for subdomains support. That would be at least host/*@REALM who needs to access it.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
On Wed, 2014-04-16 at 14:55 +0200, Petr Viktorin wrote:
> Similarly to automount, a single permission is added for reading all
> the
> trust objects.
> Read access is given to all authenticated users.

NACK!!
See inline

> From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
> From: Petr Viktorin
> Date: Wed, 26 Mar 2014 17:11:23 +0100
> Subject: [PATCH] Add managed read permissions to trust
>
> A single permission is added to cover trust, trustconfig, and
> trustdomain.
>
> Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
> ---
> ipalib/plugins/trust.py | 23 +++
> 1 file changed, 23 insertions(+)
>
> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
> index
> f57cf7d891928903fdbee67697b96db4ad2679b7..df69bb82d9c545839f2962d6a1a961f89e6691d3
> 100644
> --- a/ipalib/plugins/trust.py
> +++ b/ipalib/plugins/trust.py
> @@ -312,6 +312,29 @@ class trust(LDAPObject):
> search_display_attributes = ['cn', 'ipantflatname',
> 'ipanttrusteddomainsid',
> 'ipanttrusttype',
> 'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing' ]
> +managed_permissions = {
> +'System: Read Trusts': {
> +# Single read permission for all trust-related entries
> +'non_object': True,
> +'ipapermlocation': DN(container_dn, api.env.basedn),
> +'replaces_global_anonymous_aci': True,
> +'ipapermbindruletype': 'all',
> +'ipapermright': {'read', 'search', 'compare'},
> +'ipapermdefaultattr': {
> +'cn', 'objectclass',
> +# ipaNTTrustedDomain:
> +'ipanttrusttype', 'ipanttrustattributes',
> +'ipanttrustdirection', 'ipanttrustpartner',
> 'ipantflatname',
> +'ipanttrustauthoutgoing', 'ipanttrustauthincoming',

These 2 attributes here: they contain trust credentials, certainly must not be readable by any authenticated user except the trust agents.

> +'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
> +'ipanttrustposixoffset',
> 'ipantsupportedencryptiontypes',
> +'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing',
> +# ipaNTDomainAttrs:
> +'ipantsecurityidentifier', 'ipantflatname',
> 'ipantdomainguid',
> +'ipantfallbackprimarygroup',
> +},
> +},
> +}
>
> label = _('Trusts')
> label_singular = _('Trust')

In general I am not sure all authenticated users need access to all this info. Alexander ?

Simo.
[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
Similarly to automount, a single permission is added for reading all the trust objects.
Read access is given to all authenticated users.

--
Petr³

From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to trust

A single permission is added to cover trust, trustconfig, and trustdomain.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/trust.py | 23 +++
1 file changed, 23 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f57cf7d891928903fdbee67697b96db4ad2679b7..df69bb82d9c545839f2962d6a1a961f89e6691d3 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -312,6 +312,29 @@ class trust(LDAPObject):
search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ]
+managed_permissions = {
+'System: Read Trusts': {
+# Single read permission for all trust-related entries
+'non_object': True,
+'ipapermlocation': DN(container_dn, api.env.basedn),
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'objectclass',
+# ipaNTTrustedDomain:
+'ipanttrusttype', 'ipanttrustattributes',
+'ipanttrustdirection', 'ipanttrustpartner', 'ipantflatname',
+'ipanttrustauthoutgoing', 'ipanttrustauthincoming',
+'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
+'ipanttrustposixoffset', 'ipantsupportedencryptiontypes',
+'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
+# ipaNTDomainAttrs:
+'ipantsecurityidentifier', 'ipantflatname', 'ipantdomainguid',
+'ipantfallbackprimarygroup',
+},
+},
+}

label = _('Trusts')
label_singular = _('Trust')
--
1.9.0
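Review bot: 'ipanttrustauthoutgoing' and 'ipanttrustauthincoming' are listed in 'ipapermdefaultattr' of a permission whose 'ipapermbindruletype' is 'all', so every authenticated principal gets read, search and compare on the attributes the review reply identifies as trust credentials; 'ipanttrustattributes' and 'ipantsupportedencryptiontypes', which the thread describes as ipasam-internal, are exposed the same way. Drop those four from 'System: Read Trusts' and carry them in a second permission granted to the adtrust agents and trust administrators, leaving the 'all'-bound permission with the attributes SSSD asks for (cn, objectclass, ipantflatname, ipantsecurityidentifier, ipanttrusteddomainsid). Minor: 'ipantflatname' appears twice in the set literal, once under the ipaNTTrustedDomain comment and once under ipaNTDomainAttrs; harmless in a set, but one copy should go.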