Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On 08/13/2015 03:46 PM, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 12:30:10PM +0300, Alexander Bokovoy wrote: On Thu, 13 Aug 2015, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote: On 08/13/2015 05:28 AM, Fraser Tweedale wrote: On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: usercertificate attr was moved from "System Modify Users" to this new permission. https://fedorahosted.org/freeipa/ticket/5177 Note: hosts have permission "System: Manage Host Certificates", services don't have it but usercertificate is in "System: Modify Services". I would move it as well if usercertificate was not the only attr in "System: Modify Services". New permission works as expected. What are the implications of removing userCertificate attribute from "Modify Users" ACI? Users could be relying on it given that there is (until now) no more fine-grained permission. I'm not sure what is the expected ACI upgrade behavior but applying this patch on installed server and running ipa-server-upgrade ends with userCertificate still in "System: Modify Users" permission - it eliminates your worry. The rest of users who still run IPA < 4.2 won't even notice. Ah, I see. This raises a different problem: different ACIs on different deployments, depending on when IPA was installed. Unless I am misunderstanding something, isn't that an undesirable situation? We have precedent of upgrading ACIs via upgrade plugins. So this is something we need to design for and execute. If we've done it before and the consensus is that it's a problem for another day, then I suppose it's an ACK from me. Cheers, Fraser Pushed to: master: 6b978d74ae36f377c2d4f2cae860ca79b102e3c0 ipa-4-2: 7a509980d24b2bd445633026e64db48bb4203ba0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On Thu, Aug 13, 2015 at 12:30:10PM +0300, Alexander Bokovoy wrote: > On Thu, 13 Aug 2015, Fraser Tweedale wrote: > >On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote: > >>On 08/13/2015 05:28 AM, Fraser Tweedale wrote: > >>>On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: > usercertificate attr was moved from "System Modify Users" to this > new permission. > > https://fedorahosted.org/freeipa/ticket/5177 > > Note: hosts have permission "System: Manage Host Certificates", services > don't have it but usercertificate is in "System: Modify Services". I would > move it as well if usercertificate was not the only attr in "System: > Modify > Services". > > >>>New permission works as expected. > >>> > >>>What are the implications of removing userCertificate attribute from > >>>"Modify Users" ACI? Users could be relying on it given that there > >>>is (until now) no more fine-grained permission. > >> > >>I'm not sure what is the expected ACI upgrade behavior but applying this > >>patch on installed server and running ipa-server-upgrade ends with > >>userCertificate still in "System: Modify Users" permission - it eliminates > >>your worry. The rest of users who still run IPA < 4.2 won't even notice. > >> > >Ah, I see. > > > >This raises a different problem: different ACIs on different > >deployments, depending on when IPA was installed. Unless I am > >misunderstanding something, isn't that an undesirable situation? > We have precedent of upgrading ACIs via upgrade plugins. > So this is something we need to design for and execute. > If we've done it before and the consensus is that it's a problem for another day, then I suppose it's an ACK from me. Cheers, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On Thu, 13 Aug 2015, Fraser Tweedale wrote: On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote: On 08/13/2015 05:28 AM, Fraser Tweedale wrote: >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: >>usercertificate attr was moved from "System Modify Users" to this >>new permission. >> >>https://fedorahosted.org/freeipa/ticket/5177 >> >>Note: hosts have permission "System: Manage Host Certificates", services >>don't have it but usercertificate is in "System: Modify Services". I would >>move it as well if usercertificate was not the only attr in "System: Modify >>Services". >> >New permission works as expected. > >What are the implications of removing userCertificate attribute from >"Modify Users" ACI? Users could be relying on it given that there >is (until now) no more fine-grained permission. I'm not sure what is the expected ACI upgrade behavior but applying this patch on installed server and running ipa-server-upgrade ends with userCertificate still in "System: Modify Users" permission - it eliminates your worry. The rest of users who still run IPA < 4.2 won't even notice. Ah, I see. This raises a different problem: different ACIs on different deployments, depending on when IPA was installed. Unless I am misunderstanding something, isn't that an undesirable situation? We have precedent of upgrading ACIs via upgrade plugins. So this is something we need to design for and execute. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote: > On 08/13/2015 05:28 AM, Fraser Tweedale wrote: > >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: > >>usercertificate attr was moved from "System Modify Users" to this > >>new permission. > >> > >>https://fedorahosted.org/freeipa/ticket/5177 > >> > >>Note: hosts have permission "System: Manage Host Certificates", services > >>don't have it but usercertificate is in "System: Modify Services". I would > >>move it as well if usercertificate was not the only attr in "System: Modify > >>Services". > >> > >New permission works as expected. > > > >What are the implications of removing userCertificate attribute from > >"Modify Users" ACI? Users could be relying on it given that there > >is (until now) no more fine-grained permission. > > I'm not sure what is the expected ACI upgrade behavior but applying this > patch on installed server and running ipa-server-upgrade ends with > userCertificate still in "System: Modify Users" permission - it eliminates > your worry. The rest of users who still run IPA < 4.2 won't even notice. > Ah, I see. This raises a different problem: different ACIs on different deployments, depending on when IPA was installed. Unless I am misunderstanding something, isn't that an undesirable situation? Thanks, Fraser > > > >Perhaps we should > > > >a) use update script to add the new permission to any roles that > >have the Modify Users permission, or > >b) not remove the userCertificate attribute from the ACI, or > >c) deem this change acceptable and leave the patch as-is, in which > >case: ACK > > > >Cheers, > >Fraser > > > -- > Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On 08/13/2015 05:28 AM, Fraser Tweedale wrote: On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: usercertificate attr was moved from "System Modify Users" to this new permission. https://fedorahosted.org/freeipa/ticket/5177 Note: hosts have permission "System: Manage Host Certificates", services don't have it but usercertificate is in "System: Modify Services". I would move it as well if usercertificate was not the only attr in "System: Modify Services". New permission works as expected. What are the implications of removing userCertificate attribute from "Modify Users" ACI? Users could be relying on it given that there is (until now) no more fine-grained permission. I'm not sure what is the expected ACI upgrade behavior but applying this patch on installed server and running ipa-server-upgrade ends with userCertificate still in "System: Modify Users" permission - it eliminates your worry. The rest of users who still run IPA < 4.2 won't even notice. Perhaps we should a) use update script to add the new permission to any roles that have the Modify Users permission, or b) not remove the userCertificate attribute from the ACI, or c) deem this change acceptable and leave the patch as-is, in which case: ACK Cheers, Fraser -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote: > usercertificate attr was moved from "System Modify Users" to this > new permission. > > https://fedorahosted.org/freeipa/ticket/5177 > > Note: hosts have permission "System: Manage Host Certificates", services > don't have it but usercertificate is in "System: Modify Services". I would > move it as well if usercertificate was not the only attr in "System: Modify > Services". > New permission works as expected. What are the implications of removing userCertificate attribute from "Modify Users" ACI? Users could be relying on it given that there is (until now) no more fine-grained permission. Perhaps we should a) use update script to add the new permission to any roles that have the Modify Users permission, or b) not remove the userCertificate attribute from the ACI, or c) deem this change acceptable and leave the patch as-is, in which case: ACK Cheers, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
usercertificate attr was moved from "System Modify Users" to this new permission. https://fedorahosted.org/freeipa/ticket/5177 Note: hosts have permission "System: Manage Host Certificates", services don't have it but usercertificate is in "System: Modify Services". I would move it as well if usercertificate was not the only attr in "System: Modify Services". -- Petr Vobornik From 10e505e62c606b7a93715536ee869a86278d66c4 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Wed, 12 Aug 2015 14:48:09 +0200 Subject: [PATCH] add permission: System: Manage User Certificates usercertificate attr was moved from "System Modify Users" to this new permission. https://fedorahosted.org/freeipa/ticket/5177 --- ACI.txt| 4 +++- ipalib/plugins/user.py | 10 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ACI.txt b/ACI.txt index 60607b98deb74d0b7f45d24ee9359b0cf8162b0d..99099275e1383f16aca122e05e34b2330f4d06a3 100644 --- a/ACI.txt +++ b/ACI.txt @@ -309,9 +309,11 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificates";allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=users,cn=accounts,dc=ipa,dc=example diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 859939205f903fa4832524c8d2601141f3674bb5..e1844c057548701dbaa1cb0520ff888fecd0f6ca 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -259,6 +259,14 @@ class user(baseuser): ], 'default_privileges': {'User Administrators'}, }, +'System: Manage User Certificates': { +'ipapermright': {'write'}, +'ipapermdefaultattr': {'usercertificate'}, +'default_privileges': { +'User Administrators', +'Modify Users and Reset passwords', +}, +}, 'System: Modify Users': { 'ipapermright': {'write'}, 'ipapermdefaultattr': { @@ -269,7 +277,7 @@ class user(baseuser): 'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager', 'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title', 'userclass', -'preferredlanguage', 'usercertificate', +