[Freeipa-devel] [PATCH] 0504 Default read ACIs for Sudo objects
Hello, This adds read permissions to read Sudo commands, command groups, rules. Read access is given to all authenticated users. -- Petr³
From bb9ff134db5427621b13f94e062ed24f725bc280 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: [PATCH] Add managed read permissions to Sudo objects
Part of the work for: https://fedorahosted.org/freeipa/ticket/1313 and: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/sudocmd.py | 13 +
ipalib/plugins/sudocmdgroup.py | 12
ipalib/plugins/sudorule.py | 18 ++
3 files changed, 43 insertions(+)
diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85a11fc42f73078c85beff6d049980509..4c7ea7f884c931950da629c92ee746f4a470a6ba 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
object_name = _('sudo command')
object_name_plural = _('sudo commands')
object_class = ['ipaobject', 'ipasudocmd']
+permission_filter_objectclasses = ['ipasudocmd']
# object_class_config = 'ipahostobjectclasses'
search_attributes = [
'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
}
uuid_attribute = 'ipauniqueid'
rdn_attribute = 'ipauniqueid'
+managed_permissions = {
+'System: Read Sudo Commands': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'description', 'ipauniqueid', 'memberof', 'objectclass',
+'sudocmd',
+},
+},
+}
+
label = _('Sudo Commands')
label_singular = _('Sudo Command')
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819c96b5d4a7b71db3c69fabd6878b348a..471c8b858aec15d8a166a0ed7c0efcaddb99e0a2 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
object_name = _('sudo command group')
object_name_plural = _('sudo command groups')
object_class = ['ipaobject', 'ipasudocmdgrp']
+permission_filter_objectclasses = ['ipasudocmdgrp']
default_attributes = [
'cn', 'description', 'member',
]
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
attribute_members = {
'member': ['sudocmd'],
}
+managed_permissions = {
+'System: Read Sudo Command Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
label = _('Sudo Command Groups')
label_singular = _('Sudo Command Group')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2463325024da7c2b6aab40fc9e03150bb6645635..3f2c4063ce385d15f0551f663cba227a1269c62e 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
object_name = _('sudo rule')
object_name_plural = _('sudo rules')
object_class = ['ipaassociation', 'ipasudorule']
+permission_filter_objectclasses = ['ipasudorule']
default_attributes = [
'cn', 'ipaenabledflag', 'externaluser', 'description',
'usercategory', 'hostcategory',
@@ -115,6 +116,23 @@ class sudorule(LDAPObject):
'ipasudorunas': ['user', 'group'],
'ipasudorunasgroup': ['group'],
}
+managed_permissions = {
+'System: Read Sudo Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cmdcategory', 'cn', 'description', 'externalhost',
+'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+'ipasudorunasextuser', 'ipasudorunasgroup',
+'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+'sudoorder', 'usercategory', 'objectclass',
+},
+},
+}
label = _('Sudo Rules')
label_singular = _('Sudo Rule')
-- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
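Review bot: `'ipapermbindruletype': 'all'` on `System: Read Sudo Rules` lets every authenticated principal (presumably including every enrolled host, which binds with its own principal) read and search the complete rule set, including `ipasudorunas`, `ipasudoopt`, `memberallowcmd`, `memberdenycmd` and `memberhost`, and nothing in the hunk records why that breadth is required. The likely reason is that enrolled hosts must fetch the rules to evaluate sudo locally, but a maintainer later tightening the bind rule has no hint of that dependency in the code. A one-line comment above the dict, `# 'all' = any authenticated DN: enrolled hosts read these rules to evaluate sudo locally; confirm client consumers before narrowing`, would record it. As a style point, `'objectclass'` sits at the end of the attribute set while the sudocmd and sudocmdgroup dicts in this series keep it in sorted position. The `sudorule` class continues outside the hunk.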
[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects
Hello, This adds read permissions to read HBAC rules, services, and service groups. Read access is given to all authenticated users. -- Petr³
From e0aa9e6e22ecdb42c0f3b21d42d66e5b5945d80d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 15:33:49 +0100
Subject: [PATCH] Add managed read permissions to HBAC objects
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/hbacrule.py | 15 +++
ipalib/plugins/hbacsvc.py | 11 +++
ipalib/plugins/hbacsvcgroup.py | 12
3 files changed, 38 insertions(+)
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 99758b25a287488f42f95c84b5e4b8658399fdd6..52abb408b04f882b5b202468ad3d9976ebba2f95 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -115,6 +115,7 @@ class hbacrule(LDAPObject):
object_name = _('HBAC rule')
object_name_plural = _('HBAC rules')
object_class = ['ipaassociation', 'ipahbacrule']
+permission_filter_objectclasses = ['ipahbacrule']
default_attributes = [
'cn', 'ipaenabledflag', 'description', 'usercategory', 'hostcategory',
@@ -130,6 +131,20 @@ class hbacrule(LDAPObject):
'sourcehost': ['host', 'hostgroup'],
'memberservice': ['hbacsvc', 'hbacsvcgroup'],
}
+managed_permissions = {
+'System: Read HBAC Rules': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'accessruletype', 'accesstime', 'cn', 'description',
+'externalhost', 'hostcategory', 'ipaenabledflag',
+'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
+'servicecategory', 'sourcehost', 'sourcehostcategory',
+'usercategory', 'objectclass',
+},
+},
+}
label = _('HBAC Rules')
label_singular = _('HBAC Rule')
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
index 6c6bc94fe15a8e7af2c5ef87376bfbf3cc6438ff..58861fcfa77c5b220b4fb62e7af0039fe855d94e 100644
--- a/ipalib/plugins/hbacsvc.py
+++ b/ipalib/plugins/hbacsvc.py
@@ -57,11 +57,22 @@ class hbacsvc(LDAPObject):
object_name = _('HBAC service')
object_name_plural = _('HBAC services')
object_class = [ 'ipaobject', 'ipahbacservice' ]
+permission_filter_objectclasses = ['ipahbacservice']
default_attributes = ['cn', 'description', 'memberof']
uuid_attribute = 'ipauniqueid'
attribute_members = {
'memberof': ['hbacsvcgroup'],
}
+managed_permissions = {
+'System: Read HBAC Services': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'description', 'ipauniqueid', 'memberof', 'objectclass',
+},
+},
+}
label = _('HBAC Services')
label_singular = _('HBAC Service')
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
index 5fc0635c409eaa4be7a07dc95ec4b87b34928476..5e3ef5b7037e9a41d32cf62629c0dc87b31c8e17 100644
--- a/ipalib/plugins/hbacsvcgroup.py
+++ b/ipalib/plugins/hbacsvcgroup.py
@@ -52,11 +52,23 @@ class hbacsvcgroup(LDAPObject):
object_name = _('HBAC service group')
object_name_plural = _('HBAC service groups')
object_class = ['ipaobject', 'ipahbacservicegroup']
+permission_filter_objectclasses = ['ipahbacservicegroup']
default_attributes = [ 'cn', 'description', 'member' ]
uuid_attribute = 'ipauniqueid'
attribute_members = {
'member': ['hbacsvc'],
}
+managed_permissions = {
+'System: Read HBAC Service Groups': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'businesscategory', 'cn', 'description', 'ipauniqueid',
+'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+},
+},
+}
label = _('HBAC Service Groups')
label_singular = _('HBAC Service Group')
-- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
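Review bot: `System: Read HBAC Service Groups` exposes `businesscategory`, `o`, `ou`, `owner` and `seealso`, none of which appear in the class's `default_attributes` (`cn`, `description`, `member`) or is written by anything visible in this hunk, so the readable surface is wider than what the plugin manages. If they are present only because the underlying group object class permits them, say so on the set, e.g. `# extra group-schema attrs not managed by IPA; listed only so generic readers match the schema -- drop if no consumer needs them`, otherwise leave them out until a consumer appears. The identical five attributes are granted in the sudocmdgroup permission of the companion patch, so whichever way this goes should be applied to both. The `hbacsvcgroup` class continues outside the hunk.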
[Freeipa-devel] [PATCH] 0506 Default read ACIs for hosts
Hello, This adds read permissions to read hosts. Read access is given to all authenticated users. For reading host membership info, there is a separate permission that also defaults to all authenticated users. The userPassword attribute is not included for obvious reasons. -- Petr³
From 0e528f986b92ccb56b6000ae8f9a2d573b5ff44e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 26 Mar 2014 15:58:08 +0100
Subject: [PATCH] Add managed read permissions to host
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
ipalib/plugins/host.py | 22 ++
1 file changed, 22 insertions(+)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 1e339acfc55820db232ba189275a05957ef8ebbd..1323797ea85da73d8a62ae747da655fdf084a49c 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -252,6 +252,28 @@ class host(LDAPObject):
}
password_attributes = [('userpassword', 'has_password'),
('krbprincipalkey', 'has_keytab')]
+managed_permissions = {
+'System: Read Hosts': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'cn', 'description', 'fqdn', 'ipaclientversion',
+'ipakrbauthzdata', 'ipasshpubkey', 'ipauniqueid',
+'krbprincipalname', 'l', 'macaddress', 'nshardwareplatform',
+'nshostlocation', 'nsosversion', 'objectclass',
+'serverhostname', 'usercertificate', 'userclass',
+},
+},
+'System: Read Host Membership': {
+'replaces_global_anonymous_aci': True,
+'ipapermbindruletype': 'all',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'enrolledby', 'memberof', 'managedby',
+},
+},
+}
label = _('Hosts')
label_singular = _('Host')
-- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
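Review bot: The `System: Read Hosts` attribute set correctly omits the credential attributes, but nothing in the code says that this is deliberate; the only record is the cover letter's "userPassword ... for obvious reasons", while `password_attributes` two lines above names both `userpassword` and `krbprincipalkey`, which a later "expose everything host-show returns" change could copy into the set. Add a comment at the top of the set, `# Deliberately excludes userpassword, krbprincipalkey and any other secret-bearing attribute: this permission is bound to every authenticated DN`, so the exclusion survives maintenance. If `replaces_global_anonymous_aci` does what its name says, this hunk also converts host entries from anonymously readable to authenticated-only, which is a hardening worth one sentence in the commit message. The `host` class continues outside the hunk.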
Re: [Freeipa-devel] [PATCH] 565-568 webui: field and widget binding refactoring
On 2.4.2014 17:57, Misnyovszki Adam wrote: On Thu, 27 Mar 2014 16:07:55 +0100 Petr Vobornik pvobo...@redhat.com wrote: The last refactoring I did while implementing RCUE login or more precisely support for standalone facets which have forms but are not details facets. [PATCH] webui: field and widget binding refactoring This is a Web UI wide change. Fields and Widgets binding was refactored to enable proper two-way binding between them. This should allow to have one source of truth (field) for multiple consumers - widgets or something else. One of the goal is to have fields and widget implementations independent on each other. So that one could use a widget without field or use one field for multiple widgets, etc.. Basically a fields logic was split into separate components: - adapters - parsers formatters - binder Adapters - extract data from data source (FreeIPA RPC command result) - prepares them for commands. Parsers - parse extracted data to format expected by field - parse widget value to format expected by field Formatters - format field value to format suitable for widgets - format field value to format suitable for adapter Binder - is a communication bridge between field and widget - listens to field's and widget's events and call appropriate methods Some side benefits: - better validation reporting in multivalued widget [PATCH] webui: replace widget's hidden property with visible Hidden was used only in ACI. There is no reason to have two properties which are negations of each other. [PATCH] webui: change widget updated event into value change event This change allow us to use proper two way binding between a field and a widget. In previous implementation field was not changed if something changed the value of a widget in 'update'. Now listeners are notified when the widget value is changed by: calling 'update', 'set_value' or by user change. 
[PATCH] webui-tests: binding test suite Add basic tests for two-way binding between a field and two widgets Integration tests and unit tests ran as expected, looking through the code, and manually testing it confirmed that, so ACK Greets Adam Pushed to master: * 0d05a50e19b71cade636d9ca4882e453f614a78c webui: field and widget binding refactoring * aadde0f849bc7f129ef5bfdd96391ebeee273829 webui: replace widget's hidden property with visible * df18a3bc040299dae2dc573667ec7ee2db45a8e5 webui: change widget updated event into value change event * 480eba26a14cc616c4c336a6db69fb8ba66a0a60 webui-tests: binding test suite -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES 163-166] Various ipatests fixes
Hi. these fix the following: * not properly removed PKI instance on IPA uninstall * improper usage of external hostname of AD subdomain in the legacy client tests * relax regex checks in legacy client tests * put 2 seconds of sleep after restart of SSSD when clearing the cache -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
From 9733bf9c2e7615d9d9728b650896c71fe83a1f35 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 2 Apr 2014 12:26:12 +0200
Subject: [PATCH] ipatests: Make sure that remnants of PKI are removed
---
ipatests/test_integration/tasks.py | 9 +
1 file changed, 9 insertions(+)
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 0d916ca469ecb8aa2f85161d1747dfa586865468..a86210cfb0ac5f08493d0fff86a595473f4df9b4 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -445,6 +445,15 @@ def uninstall_master(host):
host.run_command(['ipa-server-install', '--uninstall', '-U'],
raiseonerr=False)
+host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
+ raiseonerr=False)
+host.run_command(['rm', '-rf',
+ '/var/log/pki/pki-tomcat',
+ '/etc/sysconfig/pki-tomcat',
+ '/etc/sysconfig/pki/tomcat/pki-tomcat',
+ '/var/lib/pki/pki-tomcat',
+ '/etc/pki/pki-tomcat'],
+ raiseonerr=False)
unapply_fixes(host)
-- 1.8.5.3
From c3c4bec8138171638d79c1426e3ab76cba048b53 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 2 Apr 2014 13:20:01 +0200
Subject: [PATCH] ipatests: legacy_clients: Use hostname instead of external hostname for AD subdomain
---
ipatests/test_integration/test_legacy_clients.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 072a2939dcc60d949a4f25b7362bbce86ef1fc4d..e3444687bf6f5cb0f3a32152587c01ca1f47e49d 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -65,7 +65,7 @@ class BaseTestLegacyClient(object):
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
- child_ad.external_hostname.split('.')[1:])
+ child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
-- 1.8.5.3
From 2942826dc5254ddab1706096db8b5490d12e3553 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 2 Apr 2014 13:21:07 +0200
Subject: [PATCH] ipatests: legacy_clients: Relax regex checks
---
ipatests/test_integration/test_legacy_clients.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index e3444687bf6f5cb0f3a32152587c01ca1f47e49d..af4202de6a297ce350a435b02ae3b839e24135e9 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -98,8 +98,8 @@ class BaseTestLegacyClient(object):
self.clear_sssd_caches()
result = self.legacy_client.run_command(['getent', 'passwd', 'admin'])
-admin_regex = ^admin:\*:(\d+):(\d+):\
- Administrator:/home/admin:/bin/bash$
+admin_regex = admin:\*:(\d+):(\d+):\
+ Administrator:/home/admin:/bin/bash
assert re.search(admin_regex, result.stdout_text)
@@ -107,7 +107,7 @@ class BaseTestLegacyClient(object):
self.clear_sssd_caches()
result = self.legacy_client.run_command(['getent', 'group', 'admins'])
-admin_group_regex = ^admins:\*:(\d+):admin
+admin_group_regex = admins:\*:(\d+):admin
assert re.search(admin_group_regex, result.stdout_text)
-- 1.8.5.3
From 8a7eceb3f5cf645cd91c98b8ae15057499effbbe Mon Sep 17 00:00:00 2001
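Review bot: Dropping both `^` and `$` from `admin_regex` and `admin_group_regex` makes `re.search` accept the pattern anywhere in `stdout_text`, so an entry whose name merely ends in `admin` or extra output lines would now satisfy the check, and the commit message does not say what the anchors broke on. If they failed because the output is multi-line or carries a trailing newline, keep `^` and pass the flag instead: `assert re.search(admin_regex, result.stdout_text, re.MULTILINE)` with `^admin:\*:` retained, and likewise for the group check. `getent passwd admin` normally returns a single entry, so the practical risk is small, but the test is weaker for no stated reason. The string literals appear to have lost their quote characters in the archive rendering, so the backslash continuation onto `Administrator:/home/admin:/bin/bash` could not be verified; both test methods start and end outside the hunks.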
From: Tomas Babej tba...@redhat.com
Date: Thu, 3 Apr 2014 12:11:21 +0200
Subject: [PATCH] ipatests: tasks: Wait 2 seconds after restart of SSSD when clearing the cache
---
ipatests/test_integration/tasks.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index a86210cfb0ac5f08493d0fff86a595473f4df9b4..d03ee6021fb34f8292814b23ea4e8fdd4606a90b 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -414,6 +414,9 @@ def clear_sssd_cache(host):
else:
host.run_command(['/sbin/service', 'sssd', 'start'])
+# To avoid false negatives due to SSSD not responding yet
+time.sleep(2)
+
def sync_time(host, server):
-- 1.8.5.3
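Review bot: `time.sleep(2)` after the SSSD restart is a fixed delay rather than a readiness check, so on a slow or loaded test host the `getent` lookups that follow `clear_sssd_cache` can still race SSSD startup and fail for exactly the reason the sleep is meant to prevent. A bounded poll is more robust: retry a cheap lookup through the sss NSS module (or check that the `sssd` service reports running) once a second for up to about ten seconds, then fall through so the caller's own assertion still produces a clear failure if SSSD never comes up. The hunk also relies on `time` being imported at the top of tasks.py, which is not visible here. Whichever form is kept, widen the comment to say what "responding" means, e.g. `# SSSD restarts asynchronously; give its NSS responder time to come up before callers query it`. `clear_sssd_cache` starts outside the hunk.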
Re: [Freeipa-devel] [PATCHES 163-166] Various ipatests fixes
On 04/03/2014 12:42 PM, Tomas Babej wrote: Hi. these fix the following: * not properly removed PKI instance on IPA uninstall * improper usage of external hostname of AD subdomain in the legacy client tests * relax regex checks in legacy client tests * put 2 seconds of sleep after restart of SSSD when clearing the cache I will take the review. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain. These are raw ACIs, not permission-based ones. -- Petr³ From 6281a7159138d7c3bf024ed4ff370fe1193c5799 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 3 Apr 2014 12:40:48 +0200 Subject: [PATCH] Allow anonymous read access to containers All nsContainer objects, except ones in cn=etc, can now be read anonymously. The allowed attributes are cn and objectclass. These are the same in all IPA installations so they don't provide any sensitive information. Also, $SUFFIX itself can now be read anonymously. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 --- install/updates/20-aci.update | 8 1 file changed, 8 insertions(+) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 3f27eb84416f3869b65d424d10f46b1a8572dee9..e9e1fe9db4d9c594ae0485c6f7cec8a668a8ff92 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update 
@@ -16,3 +16,11 @@ dn: cn=computers,cn=accounts,$SUFFIX
dn: cn=computers,cn=accounts,$SUFFIX
add:aci:'(targetattr=ipasshpubkey)(version 3.0; acl Hosts can manage other host SSH public keys; allow(write) userattr = parent[0,1].managedby#USERDN;)'
+
+# Read access to $SUFFIX itself
+dn: $SUFFIX
+add:aci:'(targetfilter=(objectclass=domain))(targetattr=objectclass || dc || info || nisDomain || associatedDomain)(version 3.0; acl Anonymous read access to DIT root; allow(read, search, compare) userdn = ldap:///anyone;;)'
+
+# Read access to containers
+dn: $SUFFIX
+add:aci:'(targetfilter=(objectclass=nsContainer))(target!=ldap:///cn=etc,$SUFFIX;)(targetattr=objectclass || cn)(version 3.0; acl Anonymous read access to containers; allow(read, search, compare) userdn = ldap:///anyone;;)'
-- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
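Review bot: The root-entry ACI grants anonymous read of `info`, a free-form attribute an administrator may set on `$SUFFIX` for any purpose, so whatever is stored there becomes readable without a bind; the commit message justifies only `cn`/`objectclass` on containers and says nothing about why `info`, `nisDomain` or `associatedDomain` are needed at the root. Either drop `info` or add a comment above that `add:aci` line naming the consumer that requires it. The container ACI deserves a comment too: `(target!=ldap:///cn=etc,$SUFFIX)` excludes that entry and presumably its subtree, but every other `nsContainer` anywhere under `$SUFFIX`, including any a future plugin creates beneath user data, becomes anonymously listable by name, so the premise that container names are identical across installations should be recorded as an assumption next to the ACI, e.g. `# Assumes container names carry no site-specific information; revisit if plugins add per-deployment containers`. The ACI strings as rendered here have lost the double quotes around the `ldap:///` URIs and the acl names; please confirm the committed text carries them. The update file continues outside the hunk.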
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain. These are raw ACIs, not permission-based ones. Why is this not set in default-aci.ldif as well ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On 04/03/2014 02:53 PM, Simo Sorce wrote: On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain. These are raw ACIs, not permission-based ones. Why is this not set in default-aci.ldif as well ? Simo. Because we don't want to duplicate information. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Thu, 2014-04-03 at 15:19 +0200, Petr Viktorin wrote: On 04/03/2014 02:53 PM, Simo Sorce wrote: On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote: Hello, This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain. These are raw ACIs, not permission-based ones. Why is this not set in default-aci.ldif as well ? Simo. Because we don't want to duplicate information. So are we removing default-aci.ldif completely ? I think we already mentioned this, but I can hardly recall the discussion, sorry. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0029-0046] Internationalized domain names in DNS plugin
On 2.4.2014 14:07, Martin Basti wrote: Hello list, this patchset allows using internationalized domain names in the DNS plugin. - dns names are stored in ACE form (punycoded) in LDAP - the raw option shows dns data in ACE form, otherwise dns names are converted to unicode - the plugin allows all characters in a domain name which are valid by the IDN RFCs (almost everything, including non-printable characters); should validation be more restrictive? (there is a bug in dnspython with special characters, will be fixed soon) - TODO update WebUI to support DNSName objects Required patches: freeipa-jcholast-255-Allow-primary-keys-to-use-different-type-than-unicod.patch freeipa-jcholast-256-Support-API-version-specific-RPC-marshalling.patch freeipa-jcholast-257-Replace-get_syntax-method-of-IPASimpleObject-with-ne.patch freeipa-jcholast-258-Use-raw-attribute-values-in-command-result-when-raw-.patch freeipa-jcholast-259-Keep-original-name-when-setting-attribute-in-LDAPEnt.patch Patches attached. First batch of comments, so far I have only read the code/patches, without doing actual testing. Patch 30: 1) It might make sense to put all of this into a new module (e.g. dnsutil.py) rather than ipautil. 2) +if isinstance(labels, str): +if not labels: +raise ValueError('empty string') ... +elif isinstance(labels, unicode): +if not labels: +raise ValueError('empty string') It might be nicer to: +if isinstance(labels, basestring) and not labels: +raise ValueError('empty string') + +if isinstance(labels, str): ... +elif isinstance(labels, unicode): 3) +def __nonzero__(self): +return True It would be nice to include a comment about why DNSName always evaluates to True (mention @). 
4) +@staticmethod +def get_root(): +return DNSName(dns.name.root) + +@staticmethod +def get_origin_sign(): +return DNSName(u'@') + +@staticmethod +def get_rev_zone(): +return DNSName(u'in-addr.arpa.') + +@staticmethod +def get_ip6_rev_zone(): +return DNSName(u'ip6.arpa.') I think you should either drop the get_ prefix from the name, or (even better) make these global constants. I would shorten origin_sign to just sign. Can you please use tuples of str objects (i.e. what dns.name.Name uses internally) instead of unicode objects for the initialization? I think it should be the preferred style of initializing DNSName objects (DN objects do the same). 5) +def __str__(self): +return super(DNSName, self).to_text() You don't need to use super here. 6) +def ToASCII(self, omit_final_dot=False): +return super(DNSName, self).to_text(omit_final_dot=omit_final_dot).decode('ascii') + +def ToUnicode(self, omit_final_dot=False): +return super(DNSName, self).to_unicode(omit_final_dot=omit_final_dot).decode('utf-8') What was the reason for the unusual naming again? I would prefer PEP-8 compatible names (e.g. to_ascii and to_unicode), but if the current names absolutely have to stay, please add a comment with explanation. I don't like the omit_final_dot flag. IMHO it should be dropped and whether the result includes a final dot or not should depend solely on whether the name is absolute or relative. You can still use e.g. name.derelativize(root).ToUnicode() to drop the final dot, which is more explanatory. In ToUnicode, the call to dns.name.Name.to_unicode already returns a unicode object, no need to call decode on it. 
7) +def concatenate(self, other): +return DNSName(super(DNSName, self).concatenate(other).labels) + +def relativize(self, origin): +return DNSName(super(DNSName, self).relativize(origin).labels) + +def derelativize(self, origin): +return DNSName(super(DNSName, self).derelativize(origin).labels) + +def choose_relativity(self, origin=None, relativize=True): +return DNSName(super(DNSName, self).choose_relativity(origin=origin, relativize=relativize).labels) Why use .labels here? The DNSName constructor knows how to deal with dns.name.Name objects, right? 8) +def is_ip_reverse(self): +if self.is_subdomain(self.get_rev_zone()): +return True +return False + +def is_ip6_reverse(self): +if self.is_subdomain(self.get_ip6_rev_zone()): +return True +return False + +def is_reverse(self): +if self.is_ip_reverse() or self.is_ip6_reverse(): +return True +return False The ifs are all redundant. Return the result of the check directly (return self.is_subdomain ... etc.) Patch 31: 1) +kwargs = Param.kwargs + ( +('require_absolute', bool, False), +('require_relative', bool, False), +) What about renaming these to 'only_absolute' and 'only_relative'? IMO it better captures the meaning (yes I know we already discussed the naming in length :-)
Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object
On Wed, 02 Apr 2014, Martin Kosek wrote: On 04/01/2014 12:03 PM, Jan Pazdziora wrote: On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote: Yes, that was the intention. Mistake on my part, I'll send updated patches. Updated patch attached. Ack based on reading the code and documentation for slapi_ch_free_string. Ok, thanks. Though I would like this patch to be also functionally tested that it does not break anything, ideally together with your other ipa-range patches. ACK to 0162, 0161, 0158 (should be applied in this order). # ipa idrange-find 2 ranges matched Range name: AD.TEST_id_range First Posix ID of the range: 111500 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2275361654-3393353068-3720134936 Range type: Active Directory domain range Range name: T.VDA.LI_id_range First Posix ID of the range: 91740 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 # ipa idrange-add AD.TEST_1_id_range First Posix ID of the range: 111900 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 First RID of the secondary RID range: 100 ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range. the message comes from the ipa-range-check plugin. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Changing RCUE to PatternFly
Hi all, this is a notice about what I'm going to do so you can raise objections before I spend any time on it. == Intro == First some facts: 1. RCUE was based on Bootstrap 2 (BS2), it used the BS2 css file and provided its own less files with overrides 2. the RCUE adoption started with this version at the end of last year 3. during the winter RCUE was renamed to PatternFly and rebased on Bootstrap 3. It doesn't use the BS 3 CSS file anymore but it uses its LESS files to make just one output CSS. 4. PatternFly+Bootstrap 3 LESS files can be compiled only by the NodeJS less compiler atm. Support in python-lesscpy is being implemented by OpenStack guys. I planned to upgrade from RCUE to PatternFly when python-lesscpy was ready but now it seems that it will happen no sooner than in F21. As the adoption goes forward I need more stuff from PatternFly (styles for tables, alerts, tabs,...). Using RCUE and cherry picking from BS3 and PatternFly is messy and creates more work. So I decided to upgrade now. The issue with the css file provided by the PatternFly project is that it contains font definitions which force us to bundle font files. == What I'm going to do == - I'll prepare a simple less file which will use (combine) all Bootstrap 3, PatternFly and FontAwesome LESS files without the ones which force us to bundle fonts (we already have replacements for those). - it will be compiled by a developer using nodejs-lessc - the minified output CSS will be added to our git - it should change rarely - I'll document how I did it/write a script so others can reproduce the build (and verify the committed CSS) later when needed No third-party LESS files will be in our git except variables.less from each project so we will be able to use the constants in our style definitions (simplifies upgrades). Our own LESS files don't use any new Less markup features so we are still able to compile them with the current version of python-lesscpy. 
-- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] OTP work, what's left?
On Tue, 2014-04-01 at 17:12 +0200, Martin Kosek wrote: On 03/28/2014 10:17 AM, Martin Kosek wrote: On 03/23/2014 10:26 PM, Alexander Bokovoy wrote: Hi! I've updated my COPR repo with current git master versions of FreeIPA and SSSD with few added patches on top that close OTP gaps (Nathaniel's patch 0038 and Jakub Hrozek's patch for password changes). With these patches we currently lack following parts of the OTP work: - OTP sync client. Still in development, patches and approach need additional review/discussion on the list - Password change in WebUI fails when OTP token exist for the user. More detailed examination is needed, I'm getting ACIError. http://copr.fedoraproject.org/coprs/abbra/freeipa-otp-unstable/ Alexander or Nathaniel, I see you progressed with the OTP development a lot, good job. Please provide a clean list of patches + information who acked what so that it can be pushed to master. Hint: OTP Patches thread is too chaotic for me to follow. Martin Hi Nathaniel, I did a quick search in the thread and it seems to me that at least following 2 patches are not merged (though appears to be ACKed): [PATCH 17/17] schema-compat: set precedence to 49 to allow OTP binds over compat tree [PATCH] freeipa.spec.in: update dependencies to 389-ds and selinux-policy Is that all that is left to be pushed from this long thread? Yup. Nathaniel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Ipa-server-install Firewall Support
This discussion morphs out of some questions that I asked over on the user's mailing list: https://www.redhat.com/archives/freeipa-users/2014-April/msg00033.html. It's also related to Trac #2110. (The subject says ipa-server-install, but this will also apply to replica installs, too.) What is the expected compatibility with RHEL 5 and 6? Neither of those comes with FirewallD. Integrating with iptables is bound to be messy, and I feel like there's too many ways to get into trouble with destroying a user's iptables configuration. (Due to the unsafety of `iptables-restore`, there's no way to guarantee that the user's configuration will persist through a reboot.) Seeing as FirewallD has been the default in Fedora since 18 and will be in RHEL 7, it seems like a reasonable thing to do. Would there be opposition to making FirewallD the only firewall that ipa-server-install will configure, and just print out iptables (or iptables-save fragments) for non-FirewallD systems? The implementation should be pretty simple and straightforward, but I wanted to run over it briefly to see if there were any initial feedback. First, there's a question of dependence. FirewallD exposes a DBus interface on the system bus. While it is possible to interact with shell commands, I would greatly prefer to make use of DBus directly. That will require pulling in python-dbus as a package dependency. Second, FirewallD operates on zones to which interfaces are attached. To apply any sort of configuration, we'll need to attach a freeipa-server FirewallD service to the proper zone. During the current installation program, we already know the server's IP address from a call to installutils.get_server_ip_address(). I'll need to resolve on which interface this IP resides, and then FirewallD can tell me which zone should be modified. It is possible to scrape the output of `ip address` to determine, but that's a messy solution. 
The better method is to use the NetworkManager DBus interfaces to query for this information. This gets back to my compatibility question above. Fedora doesn't really work without NetworkManager anymore, and I assume that will hold for RHEL 7. Third, do we want to allow the user to limit the network access? I think that it makes sense to allow users to specify a network (e.g. 192.168.0.0/16) to limit accessibility to their FreeIPA server. Yet, there's always some trade-off to adding more options to ipa-server-install. Fourth, FirewallD configuration is simple and quick, so I think it makes sense to get it out of the way early in the install process. I'm thinking right after ipaservices.backup_and_replace_hostname() (line 1,038) runs. Implementation Walkthrough ~$ ipa-server-install --firewall --firewall-allow 192.168.0.0/24 --firewall-allow 192.168.1.0/24 [...] [skip to line 1038] 1. Detect if FirewallD is running via DBus. (If not, generate sample iptables rules, print/log them, and continue the normal install.) 2. Use the NM DBus interface to resolve the server IP address to its interface. (If NM is not available, potentially fall back to scraping `ip a`.) 3. Use the FirewallD DBus interface to resolve the interface to its zone. 4. FreeIPA will include a service XML template (like dsinstance.INF_TEMPLATE) that specifies the necessary ports/protocols. Write this service file to /etc/firewalld/services/. 5. If the user provided --firewall-allow args, generate rich rules based on the template, restricted to those source networks, and add them to the proper zone. If not, the service is still added as a rich rule, but without a source restriction, i.e. reachable from any source the zone accepts (for consistency and ease of uninstall). Thanks, Justin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel