Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-29 Thread Lukáš Hellebrandt

> On the patches:
> 
> [2] you define a new attribute Url which is fine, but the actual
> attribute is not ok in several ways.
> 
> - You assigned an OID from a hole in the IPAv2 Attributes space, it
> should be an assigned ID from the IPAv3 attribute space instead
> 
> - You do not namespace the attribute, it should at least be ipaUrl 
> 

I'll look into that.

> - you are using case Exact matching, is this intentional? Are the URIs
> in there case sensitive strings ?
> 
> - there is an available attribute called labeledURI (with alias
> labeledurl) in the standard schema (however I notice it also has
> caseExactMatch) that has basically the same definition of your Url
> attribute, why not use that one ?
> 

Actually, URI is case sensitive: http://stackoverflow.com/a/26196170/1978950

I'll check labeledURI you mentioned.

> [3] If I read the patch correctly failing to find a Url is a fatal
> condition, this is not ok as it would fail to operate with older servers
> that do not have a url on the rules.
> 

I believe it is not a fatal condition. If you mean line 100, it is for
the case of some failure of the call. If the call succeeds and there is
no URI, then line 105 happens and the URI is considered empty.
If you are talking about the evaluation in line 21, this will be
changed, the exact string comparison is there just for testing.

> It is not clear to me what happens on an older client if URL is used but
> not the service? Or is service always enforced ? (It is not clear to me
> that it is).
> 

I'm not sure I understand. If there is no service, the rule must
necessarily fail to allow the access before even evaluating URI, or at
least I think so. URI will only reduce the set of HBAC rules matching a
certain request.


-- 
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
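The two behaviours discussed in the reply above (a rule without a URI attribute is still a valid rule, so older servers keep working, and the URI only narrows a match that user, host and service already allow) as an added, runnable model. This is example code written for this page; it is not taken from the FreeIPA or SSSD patches under review. Assumptions not from the thread: the simplified LDIF-like record format with bare names in memberUser/memberHost/memberService, labeledURI as the attribute carrying the URI, exact comparison of the URI (the posted patch's provisional behaviour), and the choice that a URI-bound rule does not apply to a request that carries no URI at all.

```python
"""Added example, not code from the FreeIPA or SSSD patches in this thread.
Models HBAC evaluation with an optional per-rule URI."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

URI_ATTR = "labeledURI"  # assumption; the thread also discusses a new ipaUrl attribute

# Constructed sample rules: one URI-aware rule, one classic rule with no URI.
SAMPLE_RULES = """\
dn: cn=allow_wiki_admin,cn=hbac,dc=example,dc=com
cn: allow_wiki_admin
memberUser: alice
memberHost: web1.example.com
memberService: httpd
labeledURI: https://wiki.example.com/Admin

dn: cn=allow_ssh,cn=hbac,dc=example,dc=com
cn: allow_ssh
memberUser: bob
memberHost: web1.example.com
memberService: sshd
"""


@dataclass
class HbacRule:
    name: str
    users: set
    hosts: set
    services: set
    uri: Optional[str] = None  # None: attribute absent, i.e. an old-style rule


def parse_rules(ldif_text: str) -> List[HbacRule]:
    """Parse the constructed records. A missing URI attribute is not an error."""
    rules = []
    for record in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if not line.strip():
                continue
            key, _, value = line.partition(":")  # first colon only; URIs keep theirs
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        uris = attrs.get(URI_ATTR.lower(), [])
        rules.append(HbacRule(
            name=attrs["cn"][0],
            users=set(attrs.get("memberuser", [])),
            hosts=set(attrs.get("memberhost", [])),
            services=set(attrs.get("memberservice", [])),
            uri=uris[0] if uris else None,
        ))
    return rules


def normalize_uri(uri: str) -> str:
    """RFC 3986 section 6.2.2.1: scheme and host compare case-insensitively,
    path, query and fragment do not. Lowercase only scheme and host so the
    exact comparison below stays case-sensitive where it has to be."""
    parts = urlsplit(uri)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    return urlunsplit((parts.scheme.lower(), userinfo + at + hostport.lower(),
                       parts.path, parts.query, parts.fragment))


def uri_matches(rule_uri: str, request_uri: str) -> bool:
    """Exact match after normalisation; a prefix or pattern matcher would go here."""
    return normalize_uri(rule_uri) == normalize_uri(request_uri)


def rule_allows(rule: HbacRule, user: str, host: str, service: str,
                uri: Optional[str] = None) -> bool:
    # The classic triple is always enforced, before the URI is even looked at.
    if user not in rule.users or host not in rule.hosts or service not in rule.services:
        return False
    if rule.uri is None:
        return True       # old-style rule: no URI restriction at all
    if uri is None:
        return False      # assumption: a URI-bound rule needs a URI to match
    return uri_matches(rule.uri, uri)


def matching_rules(rules: List[HbacRule], user: str, host: str, service: str,
                   uri: Optional[str] = None) -> List[str]:
    """HBAC is allow-only: access is granted iff at least one rule matches."""
    return [r.name for r in rules if rule_allows(r, user, host, service, uri)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(matching_rules(rules, "alice", "web1.example.com", "httpd",
                         "HTTPS://Wiki.Example.com/Admin"))  # ['allow_wiki_admin']
    print(matching_rules(rules, "alice", "web1.example.com", "httpd",
                         "https://wiki.example.com/admin"))  # []
    print(matching_rules(rules, "bob", "web1.example.com", "sshd"))  # ['allow_ssh']
```

Note the ordering in rule_allows: the service (and user and host) check runs first, so a URI can never grant access that the classic triple would refuse, which is the "URI only reduces the set of matching rules" property. The normalisation step is where the case-sensitivity question from the thread lands: the path is compared exactly, while scheme and host are folded as RFC 3986 requires.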


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-29 Thread Lukáš Hellebrandt
On 02/28/2016 11:39 AM, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
>> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
>>> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
>>>> On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
>>>>> Hi, FreeIPA and SSSD communities!
>>>>>
>>>>> I am working on adding URI to HBAC as my thesis [1]. The goal is to
>>>>> control access not only based on (user, host, service), but on (user,
>>>>> host, service, resource's URI).
>>>>>
>>>>> I created a patch for FreeIPA [2] so it is capable of storing URI as
>>>>> part of HBAC rule. I created a patch for SSSD [3] so it is able to get
>>>>> this URI from FreeIPA and use it in HBAC evaluation.
>>>>>
>>>>> I still need to develop a part of SSSD receiving URI-aware requests. It
>>>>> will either be an enhancement of Infopipe or I will use PAM responder
>>>>> (any suggestions?).
>>>>>
>>>>> I wanted to kindly ask you for review and your opinions on the patches
>>>>> and generally on my approach. This would be my first contribution to
>>>>> FreeIPA and SSSD so there might be bugs. What do you think?
>>>>>
>>>>> Btw, is there some better place to share patches than a pasting tool?
>>>>> Maybe some form of pull request?
>>>>>
>>>>> Thanks for your opinions!
>>>>>
>>>>> [1]
>>>>> https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
>>>>> [2]
>>>>> http://pastebin.com/rsHzXeAR
>>>>> [3]
>>>>> http://pastebin.com/atcZMuP1
>>>>>
>>>>
>>>> Hi Lukas, could you please post your patches here using git-format-patch or
>>>> even better provide a public git tree with them applied ?
>>>> (Any place github, fedorapeople, your own server, etc. is fine)
>>>>
>>>>
>>>> First a question, what service can actually use this scheme and how ?
>>>> there is no URL field in PAM.
>>>
>>> When Lukas started the work, we IIRC concluded that PAM is not an
>>> appropriate interface and we should probably expose some DBUS methods
>>> for access control. We haven't really discussed any details since then.
>>
>> This only shifts the question, what service would use this interface ?
>> note I am not opposed to it, but would like to understand how we are
>> going to test that it actually works and is useful.
> 
> I thought it was going to be an Apache module, much like Jan's
> mod_authnz_pam, so maybe something like mod_authnz_hbac.
> 

Exactly. It could have other uses, but an example I will be using will
be an Apache module. And really, the only functional difference between
mod_authnz_pam and the new module would be that the new module will be
URI-aware (so it will use either PAM or Infopipe to communicate with
SSSD and among other things, send URI, too) and it will probably be
authorization-only.

I am still not sure about the Infopipe vs PAM thing. I am trying to do
normal authorization as the PAM one, just add some URI parameter to the
request. I am still not sure whether it is a good idea to use a PAM
variable (URI is not a standard field but maybe PAM supports other than
standard variables?) or whether to add more functionality to Infopipe
and not use PAM at all. That is probably my most important question
for now.


-- 
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-28 Thread Jakub Hrozek
On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > > Hi, FreeIPA and SSSD communities!
> > > > 
> > > > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > > > control access not only based on (user, host, service), but on (user,
> > > > host, service, resource's URI).
> > > > 
> > > > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > > > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > > > this URI from FreeIPA and use it in HBAC evaluation.
> > > > 
> > > > I still need to develop a part of SSSD receiving URI-aware requests. It
> > > > will either be an enhancement of Infopipe or I will use PAM responder
> > > > (any suggestions?).
> > > > 
> > > > I wanted to kindly ask you for review and your opinions on the patches
> > > > and generally on my approach. This would be my first contribution to
> > > > FreeIPA and SSSD so there might be bugs. What do you think?
> > > > 
> > > > Btw, is there some better place to share patches than a pasting tool?
> > > > Maybe some form of pull request?
> > > > 
> > > > Thanks for your opinions!
> > > > 
> > > > [1]
> > > > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > > [2]
> > > > http://pastebin.com/rsHzXeAR
> > > > [3]
> > > > http://pastebin.com/atcZMuP1
> > > > 
> > > 
> > > Hi Lukas, could you please post your patches here using git-format-patch or
> > > even better provide a public git tree with them applied ?
> > > (Any place github, fedorapeople, your own server, etc. is fine)
> > > 
> > > 
> > > First a question, what service can actually use this scheme and how ?
> > > there is no URL field in PAM.
> > 
> > When Lukas started the work, we IIRC concluded that PAM is not an
> > appropriate interface and we should probably expose some DBUS methods
> > for access control. We haven't really discussed any details since then.
> 
> This only shifts the question, what service would use this interface ?
> note I am not opposed to it, but would like to understand how we are
> going to test that it actually works and is useful.

I thought it was going to be an Apache module, much like Jan's
mod_authnz_pam, so maybe something like mod_authnz_hbac.


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Simo Sorce
On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > Hi, FreeIPA and SSSD communities!
> > > 
> > > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > > control access not only based on (user, host, service), but on (user,
> > > host, service, resource's URI).
> > > 
> > > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > > this URI from FreeIPA and use it in HBAC evaluation.
> > > 
> > > I still need to develop a part of SSSD receiving URI-aware requests. It
> > > will either be an enhancement of Infopipe or I will use PAM responder
> > > (any suggestions?).
> > > 
> > > I wanted to kindly ask you for review and your opinions on the patches
> > > and generally on my approach. This would be my first contribution to
> > > FreeIPA and SSSD so there might be bugs. What do you think?
> > > 
> > > Btw, is there some better place to share patches than a pasting tool?
> > > Maybe some form of pull request?
> > > 
> > > Thanks for your opinions!
> > > 
> > > [1]
> > > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > [2]
> > > http://pastebin.com/rsHzXeAR
> > > [3]
> > > http://pastebin.com/atcZMuP1
> > > 
> > 
> > Hi Lukas, could you please post your patches here using git-format-patch or
> > even better provide a public git tree with them applied ?
> > (Any place github, fedorapeople, your own server, etc. is fine)
> > 
> > 
> > First a question, what service can actually use this scheme and how ?
> > there is no URL field in PAM.
> 
> When Lukas started the work, we IIRC concluded that PAM is not an
> appropriate interface and we should probably expose some DBUS methods
> for access control. We haven't really discussed any details since then.

This only shifts the question, what service would use this interface ?
note I am not opposed to it, but would like to understand how we are
going to test that it actually works and is useful.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Jakub Hrozek
On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > Hi, FreeIPA and SSSD communities!
> > 
> > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > control access not only based on (user, host, service), but on (user,
> > host, service, resource's URI).
> > 
> > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > this URI from FreeIPA and use it in HBAC evaluation.
> > 
> > I still need to develop a part of SSSD receiving URI-aware requests. It
> > will either be an enhancement of Infopipe or I will use PAM responder
> > (any suggestions?).
> > 
> > I wanted to kindly ask you for review and your opinions on the patches
> > and generally on my approach. This would be my first contribution to
> > FreeIPA and SSSD so there might be bugs. What do you think?
> > 
> > Btw, is there some better place to share patches than a pasting tool?
> > Maybe some form of pull request?
> > 
> > Thanks for your opinions!
> > 
> > [1]
> > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > [2]
> > http://pastebin.com/rsHzXeAR
> > [3]
> > http://pastebin.com/atcZMuP1
> > 
> 
> Hi Lukas, could you please post your patches here using git-format-patch or
> even better provide a public git tree with them applied ?
> (Any place github, fedorapeople, your own server, etc. is fine)
> 
> 
> First a question, what service can actually use this scheme and how ?
> there is no URL field in PAM.

When Lukas started the work, we IIRC concluded that PAM is not an
appropriate interface and we should probably expose some DBUS methods
for access control. We haven't really discussed any details since then.


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Simo Sorce
On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> Hi, FreeIPA and SSSD communities!
> 
> I am working on adding URI to HBAC as my thesis [1]. The goal is to
> control access not only based on (user, host, service), but on (user,
> host, service, resource's URI).
> 
> I created a patch for FreeIPA [2] so it is capable of storing URI as
> part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> this URI from FreeIPA and use it in HBAC evaluation.
> 
> I still need to develop a part of SSSD receiving URI-aware requests. It
> will either be an enhancement of Infopipe or I will use PAM responder
> (any suggestions?).
> 
> I wanted to kindly ask you for review and your opinions on the patches
> and generally on my approach. This would be my first contribution to
> FreeIPA and SSSD so there might be bugs. What do you think?
> 
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?
> 
> Thanks for your opinions!
> 
> [1]
> https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> [2]
> http://pastebin.com/rsHzXeAR
> [3]
> http://pastebin.com/atcZMuP1
> 

Hi Lukas, could you please post your patches here using git-format-patch or
even better provide a public git tree with them applied ?
(Any place github, fedorapeople, your own server, etc. is fine)


First a question, what service can actually use this scheme and how ?
there is no URL field in PAM.


On the patches:

[2] you define a new attribute Url which is fine, but the actual
attribute is not ok in several ways.

- You assigned an OID from a hole in the IPAv2 Attributes space, it
should be an assigned ID from the IPAv3 attribute space instead

- You do not namespace the attribute, it should at least be ipaUrl 

- you are using case Exact matching, is this intentional? Are the URIs
in there case sensitive strings ?

- there is an available attribute called labeledURI (with alias
labeledurl) in the standard schema (however I notice it also has
caseExactMatch) that has basically the same definition of your Url
attribute, why not use that one ?

[3] If I read the patch correctly failing to find a Url is a fatal
condition, this is not ok as it would fail to operate with older servers
that do not have a url on the rules.


It is not clear to me what happens on an older client if URL is used but
not the service? Or is service always enforced ? (It is not clear to me
that it is).


HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Martin Kosek
Greetings, welcome!

On 02/26/2016 01:17 PM, Lukáš Hellebrandt wrote:
...
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?

There is :-) Please see the advice here:

http://www.freeipa.org/page/Contribute/Code#Submit_a_patch

It has more information on top of submitting patches. For example, I think it
would actually make sense to start with a design page where you would describe
the use cases, design, APIs, etc:

http://www.freeipa.org/page/Contribute/Code#Prepare

Martin



[Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Lukáš Hellebrandt
Hi, FreeIPA and SSSD communities!

I am working on adding URI to HBAC as my thesis [1]. The goal is to
control access not only based on (user, host, service), but on (user,
host, service, resource's URI).

I created a patch for FreeIPA [2] so it is capable of storing URI as
part of HBAC rule. I created a patch for SSSD [3] so it is able to get
this URI from FreeIPA and use it in HBAC evaluation.

I still need to develop a part of SSSD receiving URI-aware requests. It
will either be an enhancement of Infopipe or I will use PAM responder
(any suggestions?).

I wanted to kindly ask you for review and your opinions on the patches
and generally on my approach. This would be my first contribution to
FreeIPA and SSSD so there might be bugs. What do you think?

Btw, is there some better place to share patches than a pasting tool?
Maybe some form of pull request?

Thanks for your opinions!

[1]
https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
[2]
http://pastebin.com/rsHzXeAR
[3]
http://pastebin.com/atcZMuP1

-- 
Lukas Hellebrandt
