Hello everyone,

To properly support load-balanced services, we need FreeIPA-managed service hosts to be able to retrieve the following elements, without the intervention of any user (only starting with the host keytab):

- Keytab containing keys for:
  - Service canonical principal
    - When accessed via service DNS alias (Kerberos rDNS lookup disabled)
  - Service principal alias for host
    - When accessed via service DNS alias (Kerberos rDNS lookup enabled)
    - When accessed via host canonical FQDN
- X.509 certificate for:
  - Service alias FQDN
  - Host actual FQDN

In order to obtain each element of this list, we need to:

- Allow the host to retrieve the service key
  - Creation/reset of the key should be forbidden
- Allow the host to request a certificate for both its own FQDN and the service DNS alias (which matches the service canonical principal)
  - Preferably only these 2 subject names should be allowed
- Create a service principal alias matching the host's FQDN

We are managing hundreds of services spread across tens of thousands of hosts. Each service is managed by a different user group, hence we can't afford to grant all these users the "Service Administrators" privilege. Ideally, each service would be configured just once (with maybe a few exceptional updates). On the contrary, the hostgroup(s) containing the service hosts would be continuously updated. This way, the FreeIPA administrator would give their blessing at service creation, and then let service administrators manage host membership.

We think the following configuration could be applied for each service:

- A hostgroup containing all the service hosts, allowed to:
  - Retrieve the service key
  - Request a certificate with an alternative subject name by:
    - Being assigned to the "managedBy" service attribute
    - Or being granted the permission to write the "userCertificate" service attribute
- A service administrators group, allowed to:
  - Write the "member" attribute of the hostgroup
  - Create/reset the service key

The keytab creation/retrieval part is quite straightforward to deal with. But this is not necessarily the case for certificates and service principal aliases.

We observed the "managedBy" setting has 2 downsides:

- It grants the host the permission to request a certificate with subject alternative names, but it also grants the permission to create/reset the key, which we don't want.
- It consists of a list of hosts that must be continuously maintained, since it cannot refer to the hostgroup directly.

Therefore a permission granting the hostgroup the right to update the service's "userCertificate" attribute sounds more flexible. But both options have the downside of allowing any host from the hostgroup to request any other host's name as the alternative subject name.

Regarding the service principal aliases, we haven't found any way to dynamically update the list as the service hostgroup changes. We could grant the service hostgroup the permission to update the "krbPrincipalName" service attribute, but it sounds like an excessive permission. We could also implement a background service continuously updating the principal alias list of services according to their associated hostgroups.

So I would summarise my questions this way:

- Are the assumptions used in this message true?
- Is granting write permissions on the "userCertificate" service attribute the best alternative to "managedBy" for our use case?
- What is the best way to keep a service principal alias list up-to-date with a hostgroup?

Since it is my first message on this mailing list, I would like to pay tribute to the development team of FreeIPA and its community. Even if there is still work to do, FreeIPA is a quite impressive piece of work given the complexity of the environment it is trying to integrate into, and the variety of use cases it has to support.
Kind regards,

---
Julien Rische
Systems engineer
CERN

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
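The post's last question asks how to keep a service's principal alias list in step with a hostgroup, and mentions a background service as one option. The script below is an added illustration of that option; it is not code from the original post or from the FreeIPA project. It assumes the human-readable output layout of `ipa hostgroup-show` and `ipa service-show` (the "Member hosts:", "Indirect Member hosts:", "Principal name:" and "Principal alias:" lines) and drives `ipa service-add-principal` / `ipa service-remove-principal` to apply the difference. The sample outputs, the `web-hosts` hostgroup and the `HTTP/web.example.com@EXAMPLE.COM` service are constructed; run without arguments the script only plans against those samples and never calls `ipa`.

```python
"""Keep a FreeIPA service's principal aliases aligned with a hostgroup.

Added example, not from the original post or the FreeIPA project. It assumes
the text output format of `ipa hostgroup-show` / `ipa service-show`; the
sample strings below are constructed to match that layout.
"""
import re
import subprocess
import sys

# Constructed sample, shaped like `ipa hostgroup-show web-hosts`.
SAMPLE_HOSTGROUP_SHOW = """\
  Host-group: web-hosts
  Description: hosts behind the web.example.com alias
  Member hosts: a.example.com, b.example.com
  Indirect Member hosts: c.example.com
"""

# Constructed sample, shaped like `ipa service-show HTTP/web.example.com`.
SAMPLE_SERVICE_SHOW = """\
  Principal name: HTTP/web.example.com@EXAMPLE.COM
  Principal alias: HTTP/web.example.com@EXAMPLE.COM, HTTP/a.example.com@EXAMPLE.COM, HTTP/old.example.com@EXAMPLE.COM
  Managed by: a.example.com
"""


def parse_hostgroup_members(show_output):
    """Collect direct and indirect member host FQDNs from hostgroup-show output."""
    hosts = set()
    for line in show_output.splitlines():
        m = re.match(r"\s*(?:Indirect )?Member hosts:\s*(.*)$", line)
        if m:
            hosts.update(h.strip() for h in m.group(1).split(",") if h.strip())
    return hosts


def parse_service_principals(show_output):
    """Return (canonical principal, set of all principal names) from service-show output."""
    canonical, names = None, set()
    for line in show_output.splitlines():
        m = re.match(r"\s*Principal name:\s*(\S+)", line)
        if m:
            canonical = m.group(1)
            continue
        m = re.match(r"\s*Principal alias:\s*(.*)$", line)
        if m:
            names.update(a.strip() for a in m.group(1).split(",") if a.strip())
    if canonical is None:
        raise ValueError("no 'Principal name:' line in service-show output")
    return canonical, names


def desired_aliases(canonical, hosts):
    """One SERVICE/host@REALM alias per member host, reusing the canonical's type and realm."""
    service_type, rest = canonical.split("/", 1)
    realm = rest.split("@", 1)[1]
    return {f"{service_type}/{host}@{realm}" for host in hosts}


def plan_alias_changes(canonical, current, desired):
    """Aliases to add and stale aliases to drop; the canonical name is never touched."""
    managed = {p for p in current if p != canonical}
    return sorted(desired - managed), sorted(managed - desired)


def run_ipa(*args):
    """Run an `ipa` subcommand with the caller's Kerberos credentials; return stdout."""
    return subprocess.run(["ipa", *args], check=True, capture_output=True, text=True).stdout


def sync_service_aliases(service, hostgroup, run=run_ipa, dry_run=False):
    """Align the service's aliases with hostgroup membership; returns (added, removed)."""
    hosts = parse_hostgroup_members(run("hostgroup-show", hostgroup))
    canonical, current = parse_service_principals(run("service-show", service))
    to_add, to_remove = plan_alias_changes(canonical, current, desired_aliases(canonical, hosts))
    if not dry_run:
        if to_add:
            run("service-add-principal", canonical, *to_add)
        if to_remove:
            run("service-remove-principal", canonical, *to_remove)
    return to_add, to_remove


def fake_ipa(*args):
    """Offline stand-in for run_ipa that answers with the constructed samples."""
    if args[0] == "hostgroup-show":
        return SAMPLE_HOSTGROUP_SHOW
    if args[0] == "service-show":
        return SAMPLE_SERVICE_SHOW
    return ""


if __name__ == "__main__":
    # `--apply SERVICE HOSTGROUP` talks to a real deployment; anything else is an offline plan.
    if len(sys.argv) == 4 and sys.argv[1] == "--apply":
        added, removed = sync_service_aliases(sys.argv[2], sys.argv[3])
    else:
        added, removed = sync_service_aliases("HTTP/web.example.com@EXAMPLE.COM", "web-hosts",
                                              run=fake_ipa, dry_run=True)
    print("add:", added)
    print("remove:", removed)
```

The point of this design for the permission problem raised in the post is that the write access to `krbPrincipalName` lives with one automated identity (the credentials the script runs under, for example a dedicated keytab held by the sync job) rather than being granted to the service hosts or to every service administrators group. Note that `plan_alias_changes` removes every non-canonical alias not derived from the hostgroup, so a service that also carries hand-managed aliases needs an exclusion list before this is run against it. The per-service keytab rules from the post can be expressed with the existing `ipa service-allow-retrieve-keytab SERVICE --hostgroups=HG` and `ipa service-allow-create-keytab SERVICE --groups=ADMINS` commands, which this script does not touch.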