Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-06-06 Thread Rob Crittenden

JR Aquino wrote:

On May 20, 2011, at 8:32 AM, Rob Crittenden wrote:


JR Aquino wrote:

On May 10, 2011, at 8:14 PM, Adam Young wrote:


On 05/10/2011 11:07 PM, Adam Young wrote:

On 05/10/2011 04:38 PM, JR Aquino wrote:

On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:



JR Aquino wrote:


On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:



Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify 
the auditing of users for their indirect membership to their authorization 
rights.

An Administrator should have the ability to quickly identify the rights a user 
will have in the system.

For example, with the patch added, my user show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal:
tes...@example.com

  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
posixaccount

freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch___
Freeipa-devel mailing list

Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Oops, forgot to have PATCH in the subject.



I think you need this as well, right?

-'memberof': ['group', 'netgroup', 'role'],
+'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],


Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review






The reason that this shows up in the UI is that it is generating additional 
memberof attributes.  It has nothing to do with the memberofindirect:


You are also going to need to modify the sudo rule and HBAC rule to use the 
serial associator on some facets.  It looks like group at least has things 
backwards.  The group.js file I think needs a rule like this:


    association_facet({
        name: 'memberof_sudorule',
        associator: IPA.serial_associator
    }).

This is because the API is for adding multiple groups to the sudo rule, but the default 
behaviour is for adding multiple other entity to this entity.


The above comment is regarding ticket: 
https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch 
and ticket 1170

As for Patch 24 and ticket 1170, are there any other questions or does this 
look ready to go?


Nack, this adds some additional API that isn't in API.txt.

It would be nice to add test cases for this as well, perhaps in the sudo and 
hbac tests (create a rule, add a user to it, make sure when showing the user 
you can see the rule).



New patch attached to address API and Tests.
(Please note Ticket# 1263 in case there are problems testing)

Please review and ack



ack, pushed to master.

I also bumped up the API minor version because of the new options.

JR, in the future when you resubmit a patch can you keep the same name 
and add an incrementing number so it is easier to tell which version of 
the patch we're dealing with?


rob
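
The direct versus indirect distinction discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA code: a small in-memory model that walks group nesting to separate memberof from memberofindirect and reports the chain that grants a rule. Group and rule names are taken from the quoted user-show output; the group-to-rule mapping, the team-a/team-b loop and the function names are assumptions.

```python
from collections import deque

# Constructed directory: container -> entries listed as its direct members.
# Group and rule names come from the user-show output quoted in the thread;
# which group feeds which rule, and the team-a/team-b loop, are assumptions.
MEMBERS = {
    ("group", "ipausers"): {("user", "tester")},
    ("group", "auto-dev-deploy-tools"): {("user", "tester")},
    ("group", "build-integration"): {("user", "tester")},
    ("hbacrule", "development"): {("group", "build-integration")},
    ("sudorule", "AUTO-dev-deploy-tools_DEPLOY"): {("group", "auto-dev-deploy-tools")},
    ("sudorule", "AUTO-dev-deploy-tools_ZENOSS"): {("group", "auto-dev-deploy-tools")},
    ("sudorule", "build-integration"): {("group", "build-integration")},
    ("group", "team-a"): {("user", "cycler"), ("group", "team-b")},
    ("group", "team-b"): {("group", "team-a")},
}


def _parents(members):
    """Invert the map: entry -> containers that list it directly."""
    parents = {}
    for container, direct in members.items():
        for entry in direct:
            parents.setdefault(entry, set()).add(container)
    return parents


def _walk(entry, members):
    """Breadth-first walk upward; returns {container: entry it was reached from}."""
    parents = _parents(members)
    reached = {}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for parent in sorted(parents.get(node, ())):
            if parent != entry and parent not in reached:  # stops nesting loops
                reached[parent] = node
                queue.append(parent)
    return reached


def _by_type(containers):
    """Group (type, name) pairs into {type: [sorted names]}."""
    grouped = {}
    for kind, name in sorted(containers):
        grouped.setdefault(kind, []).append(name)
    return grouped


def memberships(entry, members=MEMBERS):
    """Return (memberof, memberofindirect) as {type: [names]} for one entry.

    A container reachable both directly and through a group counts as direct
    (a choice made by this model).
    """
    reached = _walk(entry, members)
    direct = {c for c, via in reached.items() if via == entry}
    return _by_type(direct), _by_type(set(reached) - direct)


def explain(entry, target, members=MEMBERS):
    """Return the chain of entries that grants `target` to `entry`, or None."""
    reached = _walk(entry, members)
    if target not in reached:
        return None
    chain = [target]
    while chain[-1] != entry:
        chain.append(reached[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    direct, indirect = memberships(("user", "tester"))
    print("memberof:", direct)
    print("memberofindirect:", indirect)
    print("why:", explain(("user", "tester"), ("hbacrule", "development")))
```
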



Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-31 Thread JR Aquino
On May 20, 2011, at 8:32 AM, Rob Crittenden wrote:

 JR Aquino wrote:
 On May 10, 2011, at 8:14 PM, Adam Young wrote:
 
 On 05/10/2011 11:07 PM, Adam Young wrote:
 On 05/10/2011 04:38 PM, JR Aquino wrote:
 On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
 
 
 JR Aquino wrote:
 
 On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
 
 
 Add HBAC Rule and Sudo Rule to users as indirect member attributes to 
 simplify the auditing of users for their indirect membership to their 
 authorization rights.
 
 An Administrator should have the ability to quickly identify the 
 rights a user will have in the system.
 
 For example, with the patch added, my user show looks like this:
 
 # ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal:
 tes...@example.com
 
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
 cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
 AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, 
 inetuser, posixaccount
 
 freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch
 
 Oops, forgot to have PATCH in the subject.
 
 
 I think you need this as well, right?
 
 -'memberof': ['group', 'netgroup', 'role'],
 +'memberof': ['group', 'netgroup', 'role', 'sudorule', 
 'hbacrule'],
 
 Some scope change.
 
 Added memberof and memberofindirect
 
 Added to user.py host.py group.py hostgroup.py
 
 When using the --all flag it is now very clear to the administrator what 
 authorization rules these objects are directly or indirectly a memberof.
 
 xmlrpc tests check out
 
 Please review
 
 
 
 
 
 The reason that this shows up in the UI is that it is generating 
 additional memberof attributes.  It has nothing to do with the 
 memberofindirect:
 
 You are also going to need to modify the sudo rule and HBAC rule to use 
 the serial associator on some facets.  It looks like group at least has 
 things backwards.  The group.js file I think needs a rule like this:
 
 
     association_facet({
         name: 'memberof_sudorule',
         associator: IPA.serial_associator
     }).
 
 This is because the API is for adding multiple groups to the sudo rule, but 
 the default behaviour is for adding multiple other entity to this entity.
 
 The above comment is regarding ticket: 
 https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this 
 patch and ticket 1170
 
 As for Patch 24 and ticket 1170, are there any other questions or does this 
 look ready to go?
 
 Nack, this adds some additional API that isn't in API.txt.
 
 It would be nice to add test cases for this as well, perhaps in the sudo and 
 hbac tests (create a rule, add a user to it, make sure when showing the user 
 you can see the rule).


New patch attached to address API and Tests.
(Please note Ticket# 1263 in case there are problems testing)

Please review and ack



Description: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch

Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-20 Thread Rob Crittenden

JR Aquino wrote:

On May 10, 2011, at 8:14 PM, Adam Young wrote:


On 05/10/2011 11:07 PM, Adam Young wrote:

On 05/10/2011 04:38 PM, JR Aquino wrote:

On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:



JR Aquino wrote:


On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:



Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify 
the auditing of users for their indirect membership to their authorization 
rights.

An Administrator should have the ability to quickly identify the rights a user 
will have in the system.

For example, with the patch added, my user show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal:
tes...@example.com

  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
posixaccount

freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch

Oops, forgot to have PATCH in the subject.



I think you need this as well, right?

-'memberof': ['group', 'netgroup', 'role'],
+'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],


Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review






The reason that this shows up in the UI is that it is generating additional 
memberof attributes.  It has nothing to do with the memberofindirect:


You are also going to need to modify the sudo rule and HBAC rule to use the 
serial associator on some facets.  It looks like group at least has things 
backwards.  The group.js file I think needs a rule like this:


    association_facet({
        name: 'memberof_sudorule',
        associator: IPA.serial_associator
    }).

This is because the API is for adding multiple groups to the sudo rule, but the default 
behaviour is for adding multiple other entity to this entity.


The above comment is regarding ticket: 
https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch 
and ticket 1170

As for Patch 24 and ticket 1170, are there any other questions or does this 
look ready to go?


Nack, this adds some additional API that isn't in API.txt.

It would be nice to add test cases for this as well, perhaps in the sudo 
and hbac tests (create a rule, add a user to it, make sure when showing 
the user you can see the rule).


rob



Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-13 Thread JR Aquino
On May 10, 2011, at 8:14 PM, Adam Young wrote:

 On 05/10/2011 11:07 PM, Adam Young wrote:
 On 05/10/2011 04:38 PM, JR Aquino wrote:
 On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
 
 
 JR Aquino wrote:
 
 On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
 
 
 Add HBAC Rule and Sudo Rule to users as indirect member attributes to 
 simplify the auditing of users for their indirect membership to their 
 authorization rights.
 
 An Administrator should have the ability to quickly identify the rights 
 a user will have in the system.
 
 For example, with the patch added, my user show looks like this:
 
 # ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal: 
 tes...@example.com
 
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
 cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
 AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, 
 inetuser, posixaccount
 
 freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch
 
 Oops, forgot to have PATCH in the subject.
 
 
 I think you need this as well, right?
 
 -'memberof': ['group', 'netgroup', 'role'],
 +'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
 
 Some scope change.
 
 Added memberof and memberofindirect
 
 Added to user.py host.py group.py hostgroup.py
 
 When using the --all flag it is now very clear to the administrator what 
 authorization rules these objects are directly or indirectly a memberof.
 
 xmlrpc tests check out
 
 Please review
 
 
 
 
 
 The reason that this shows up in the UI is that it is generating additional 
 memberof attributes.  It has nothing to do with the memberofindirect:
 
 You are also going to need to modify the sudo rule and HBAC rule to use the 
 serial associator on some facets.  It looks like group at least has things 
 backwards.  The group.js file I think needs a rule like this:
 
 
     association_facet({
         name: 'memberof_sudorule',
         associator: IPA.serial_associator
     }).
 
 This is because the API is for adding multiple groups to the sudo rule, but 
 the default behaviour is for adding multiple other entity to this entity.

The above comment is regarding ticket: 
https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch 
and ticket 1170

As for Patch 24 and ticket 1170, are there any other questions or does this 
look ready to go? 



Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-10 Thread JR Aquino
On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:

 JR Aquino wrote:
 On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
 
 Add HBAC Rule and Sudo Rule to users as indirect member attributes to 
 simplify the auditing of users for their indirect membership to their 
 authorization rights.
 
 An Administrator should have the ability to quickly identify the rights a 
 user will have in the system.
 
 For example, with the patch added, my user show looks like this:
 
 # ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal: tes...@example.com
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
 cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
 AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
 posixaccount
 
 freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch
 
 
 Oops, forgot to have PATCH in the subject.
 
 
 I think you need this as well, right?
 
 -'memberof': ['group', 'netgroup', 'role'],
 +'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
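
Review bot: the '+' line extends only the 'memberof' key, but the output this patch is meant to produce relies on memberofindirect_HBAC rule and memberofindirect_Sudo Rule, so the 'memberofindirect' list for the same object needs the same 'sudorule' and 'hbacrule' entries, otherwise rules reached through a group will not be listed. Suggest keeping the two lists identical and covering the change with a test that shows an entry after it is added to a rule both directly and through a group.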

Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review



Description: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch

Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-10 Thread Adam Young

On 05/10/2011 04:38 PM, JR Aquino wrote:

On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:


JR Aquino wrote:

On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:


Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify 
the auditing of users for their indirect membership to their authorization 
rights.

An Administrator should have the ability to quickly identify the rights a user 
will have in the system.

For example, with the patch added, my user show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal: tes...@example.com
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
posixaccount

freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch


Oops, forgot to have PATCH in the subject.


I think you need this as well, right?

-'memberof': ['group', 'netgroup', 'role'],
+'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],

Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review






The reason that this shows up in the UI is that it is generating 
additional memberof attributes.  It has nothing to do with the 
memberofindirect:


attribute_members: {
    memberof: [
        group,
        netgroup,
        role,
        hbacrule,
        sudorule
    ],
    memberofindirect: [
        group,
        netgroup,
        role,
        hbacrule,
        sudorule
    ]
},








Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

2011-05-10 Thread Adam Young

On 05/10/2011 11:07 PM, Adam Young wrote:

On 05/10/2011 04:38 PM, JR Aquino wrote:

On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:


JR Aquino wrote:

On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:


Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify 
the auditing of users for their indirect membership to their authorization 
rights.

An Administrator should have the ability to quickly identify the rights a user 
will have in the system.

For example, with the patch added, my user show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal: tes...@example.com
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: 
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
posixaccount

freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch

Oops, forgot to have PATCH in the subject.


I think you need this as well, right?

-'memberof': ['group', 'netgroup', 'role'],
+'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],

Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review






The reason that this shows up in the UI is that it is generating 
additional memberof attributes.  It has nothing to do with the 
memberofindirect:


You are also going to need to modify the sudo rule and HBAC rule to 
use the serial associator on some facets.  It looks like group at least 
has things backwards.  The group.js file I think needs a rule like this:



    association_facet({
        name: 'memberof_sudorule',
        associator: IPA.serial_associator
    }).

This is because the API is for adding multiple groups to the sudo rule, 
but the default behaviour is for adding multiple other entity to this 
entity.




attribute_members: {
    memberof: [
        group,
        netgroup,
        role,
        hbacrule,
        sudorule
    ],
    memberofindirect: [
        group,
        netgroup,
        role,
        hbacrule,
        sudorule
    ]
},







