Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/27/2014 05:13 PM, Simo Sorce wrote:
> On Tue, 2014-05-27 at 18:01 +0300, Alexander Bokovoy wrote:
>> On Tue, 27 May 2014, Petr Viktorin wrote:
>>> On 05/26/2014 12:13 PM, Petr Viktorin wrote:
>>> [...]
>>>> Thanks for the thorough review!
>>>> Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119
>>>
>>> Okay guys, we have another issue:
>>> user-add (and the migration plugin) needs access to cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,... to check the originfilter for '(objectclass=disable)'.
>>>
>>> Do we want to give read access to all users, or just user admins?
>> I would say user admins. If something more substantial fails, we'll extend the access.
> ACK

For the record, the change is in my patch 0560.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On Tue, 2014-05-27 at 18:01 +0300, Alexander Bokovoy wrote:
> On Tue, 27 May 2014, Petr Viktorin wrote:
> > On 05/26/2014 12:13 PM, Petr Viktorin wrote:
> > [...]
> > > Thanks for the thorough review!
> > > Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119
> >
> > Okay guys, we have another issue:
> > user-add (and the migration plugin) needs access to cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,... to check the originfilter for '(objectclass=disable)'.
> >
> > Do we want to give read access to all users, or just user admins?
> I would say user admins. If something more substantial fails, we'll extend the access.

ACK
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On Tue, 27 May 2014, Petr Viktorin wrote:
> On 05/26/2014 12:13 PM, Petr Viktorin wrote:
> [...]
>> Thanks for the thorough review!
>> Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119
>
> Okay guys, we have another issue:
> user-add (and the migration plugin) needs access to cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,... to check the originfilter for '(objectclass=disable)'.
>
> Do we want to give read access to all users, or just user admins?
I would say user admins. If something more substantial fails, we'll extend the access.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/26/2014 12:13 PM, Petr Viktorin wrote:
[...]
> Thanks for the thorough review!
> Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119

Okay guys, we have another issue:
user-add (and the migration plugin) needs access to cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,... to check the originfilter for '(objectclass=disable)'.

Do we want to give read access to all users, or just user admins?

--
Petr³
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/26/2014 12:09 PM, Martin Kosek wrote:
> On 05/26/2014 12:04 PM, Petr Viktorin wrote:
>> On 05/25/2014 09:29 PM, Martin Kosek wrote:
>>> On 05/23/2014 04:50 PM, Simo Sorce wrote:
>>>> On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
>>>>> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
>>>>>> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>>>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>>>>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>>>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>>>>>>>
>>>>>>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>>>>>>
>>>>>>>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>>>>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>>>>>>>
>>>>>>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>>>>>>>
>>>>>>>>>> 540:
>>>>>>>>>>
>>>>>>>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>>>>>>>
>>>>>>>>>> - ipauniqueid
>>>>>>>>>> - ipasshpubkey
>>>>>>>>>> - ipauserauthtype
>>>>>>>>>> - userclass
>>>>>>>>>>
>>>>>>>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>>>>>>>
>>>>>>>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>>>>>>>
>>>>>>>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>>>>>>>> Attaching updated patches.
>>>>>>>>
>>>>>>>> Ok, looks good.
>>>>>>>>
>>>>>>>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>>>>>>
>>>>>>>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>>>>>>>
>>>>>>> We could use: "System: Read User Standard Attributes"
>>>>>>
>>>>>> I've used this one, then.
>>>>>>
>>>>>>> but the 'posix' version is also ok to me.
>>>>>>
>>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>>> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
>>>>>>
>>>>>> Good catch. Added.
>>>>>
>>>>> We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:
>>>>>
>>>>> Excluded attributes for System: Read User Addressbook Attributes: userpkcs12
>>>>>
>>>>> Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?
>>>>
>>>> Is there any client that needs access to that information that we are aware of?
>>>>
>>>> Simo.
>>>
>>> I do not think so. Rob, do you know?
>>
>> This was my mistake. We never allowed non-admins to see that attribute by default, so we shouldn't start now.
>
> ack, we probably had a good reason and it is much safer to keep this decision.
>
>> I'm glad the updater caught it, sorry that I didn't.
>
> Actually, that means that you made the security checks in the updater right :-)
>
> I diffed the change in the patch and it removed the last obstacle I saw with this patch set. Thus, ACK for all 3.

Thanks for the thorough review!
Pushed to master: 63becae88c6c270b98f0432dc474b661b82f3119

--
Petr³
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/26/2014 12:04 PM, Petr Viktorin wrote:
> On 05/25/2014 09:29 PM, Martin Kosek wrote:
>> On 05/23/2014 04:50 PM, Simo Sorce wrote:
>>> On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
>>>> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
>>>>> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>>>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>>>>>>
>>>>>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>>>>>
>>>>>>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>>>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>>>>>>
>>>>>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>>>>>>
>>>>>>>>> 540:
>>>>>>>>>
>>>>>>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>>>>>>
>>>>>>>>> - ipauniqueid
>>>>>>>>> - ipasshpubkey
>>>>>>>>> - ipauserauthtype
>>>>>>>>> - userclass
>>>>>>>>>
>>>>>>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>>>>>>
>>>>>>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>>>>>>
>>>>>>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>>>>>>> Attaching updated patches.
>>>>>>>
>>>>>>> Ok, looks good.
>>>>>>>
>>>>>>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>>>>>
>>>>>>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>>>>>>
>>>>>> We could use: "System: Read User Standard Attributes"
>>>>>
>>>>> I've used this one, then.
>>>>>
>>>>>> but the 'posix' version is also ok to me.
>>>>>
>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
>>>>>
>>>>> Good catch. Added.
>>>>
>>>> We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:
>>>>
>>>> Excluded attributes for System: Read User Addressbook Attributes: userpkcs12
>>>>
>>>> Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?
>>>
>>> Is there any client that needs access to that information that we are aware of?
>>>
>>> Simo.
>>
>> I do not think so. Rob, do you know?
>
> This was my mistake. We never allowed non-admins to see that attribute by default, so we shouldn't start now.

ack, we probably had a good reason and it is much safer to keep this decision.

> I'm glad the updater caught it, sorry that I didn't.

Actually, that means that you made the security checks in the updater right :-)

I diffed the change in the patch and it removed the last obstacle I saw with this patch set. Thus, ACK for all 3.

Martin
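The upgrade behaviour the thread relies on (patch 0542's "preserve the spirit of the global anon read ACI" rule plus the updater check that produced Martin's "Excluded attributes ..." warning) as an added, self-contained illustration; this is not FreeIPA's updater code. The legacy ACI text and the shortened permission dicts are constructed samples, and `ipapermexcludedattr` is assumed to be the permission attribute the updater fills in.

```python
import re

# Constructed, abbreviated stand-in for the pre-4.0 global anonymous read ACI
# (the real one lists many more attributes). Its targetattr != "..." clause is
# a deny list: everything NOT named is readable by an anonymous bind, and
# userPKCS12 is named, i.e. hidden. The acl name is assumed, not from the thread.
LEGACY_ANON_READ_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || krbMKey || '
    'ipaNTHash || userPKCS12")'
    '(version 3.0; acl "Enable Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)'
)

# Shortened versions of the managed permissions from patch 0540 (same keys as
# the patch, fewer attributes). 'userpkcs12' is kept in the addressbook set on
# purpose so the upgrade check has something to catch. The Kerberos entry is a
# constructed stand-in for a permission that does NOT replace the old ACI.
MANAGED_PERMISSIONS = {
    'System: Read User Standard Attributes': {
        'replaces_global_anonymous_aci': True,
        'ipapermbindruletype': 'anonymous',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'objectclass', 'cn', 'sn', 'uid', 'uidnumber',
                               'gidnumber', 'homedirectory', 'loginshell'},
    },
    'System: Read User Addressbook Attributes': {
        'replaces_global_anonymous_aci': True,
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'mail', 'telephonenumber', 'usercertificate',
                               'userpkcs12'},
    },
    'System: Read User Kerberos Attributes': {
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'krblastpwdchange', 'krbpasswordexpiration'},
    },
}

_DENY_LIST_RE = re.compile(r'\(targetattr\s*!=\s*"([^"]*)"\)')


def hidden_attrs(aci):
    """Return the lower-cased attribute names a deny-list ACI withholds,
    or None when the ACI is not of the targetattr != "..." form."""
    match = _DENY_LIST_RE.search(aci)
    if match is None:
        return None
    return {name.strip().lower()
            for name in match.group(1).split('||') if name.strip()}


def upgrade_permission(name, spec, legacy_aci):
    """Work out the permission to create and the warnings to log.

    legacy_aci is the text of the old global anonymous read ACI if the
    directory being upgraded still carries it, or None on a fresh install.
    Returns (permission dict, list of warning strings)."""
    result = dict(spec)
    result['ipapermdefaultattr'] = set(spec['ipapermdefaultattr'])
    warnings = []
    if not spec.get('replaces_global_anonymous_aci') or legacy_aci is None:
        return result, warnings
    # Preserve the spirit of the old ACI: what was anonymously readable stays so.
    result['ipapermbindruletype'] = 'anonymous'
    # ...but never widen it: a default attribute the old ACI explicitly hid
    # must not become readable just because the new permission lists it.
    hidden = hidden_attrs(legacy_aci)
    if hidden is None:
        raise ValueError('legacy ACI is not a deny list; refusing to guess')
    excluded = result['ipapermdefaultattr'] & hidden
    if excluded:
        result['ipapermexcludedattr'] = excluded  # attribute name assumed
        warnings.append('Excluded attributes for %s: %s'
                        % (name, ', '.join(sorted(excluded))))
    return result, warnings


def upgrade_all(permissions, legacy_aci):
    """Apply upgrade_permission to every managed permission."""
    upgraded, warnings = {}, []
    for name, spec in permissions.items():
        upgraded[name], perm_warnings = upgrade_permission(name, spec, legacy_aci)
        warnings.extend(perm_warnings)
    return upgraded, warnings


if __name__ == '__main__':
    _, warned = upgrade_all(MANAGED_PERMISSIONS, LEGACY_ANON_READ_ACI)
    for line in warned:
        print(line)
```

On a fresh install (no legacy ACI) the addressbook permission stays at `'all'` with no exclusion, which is why the thread's decision to drop userpkcs12 from the default set, rather than rely on the warning, matters.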
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/25/2014 09:29 PM, Martin Kosek wrote:
> On 05/23/2014 04:50 PM, Simo Sorce wrote:
>> On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
>>> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
>>>> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>>>>>
>>>>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>>>>
>>>>>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>>>>>
>>>>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>>>>>
>>>>>>>> 540:
>>>>>>>>
>>>>>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>>>>>
>>>>>>>> - ipauniqueid
>>>>>>>> - ipasshpubkey
>>>>>>>> - ipauserauthtype
>>>>>>>> - userclass
>>>>>>>>
>>>>>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>>>>>
>>>>>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>>>>>
>>>>>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>>>>>> Attaching updated patches.
>>>>>>
>>>>>> Ok, looks good.
>>>>>>
>>>>>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>>>>
>>>>>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>>>>>
>>>>> We could use: "System: Read User Standard Attributes"
>>>>
>>>> I've used this one, then.
>>>>
>>>>> but the 'posix' version is also ok to me.
>>>>
>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
>>>>
>>>> Good catch. Added.
>>>
>>> We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:
>>>
>>> Excluded attributes for System: Read User Addressbook Attributes: userpkcs12
>>>
>>> Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?
>>
>> Is there any client that needs access to that information that we are aware of?
>>
>> Simo.
>
> I do not think so. Rob, do you know?

This was my mistake. We never allowed non-admins to see that attribute by default, so we shouldn't start now.

I'm glad the updater caught it, sorry that I didn't.

--
Petr³

From a7db3134a81c4496a41407e7da617fcf7b47904a Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to user

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/user.py | 70 ++
 1 file changed, 70 insertions(+)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d9c7c6c858aa0a4927efc01fb41b535b7bb04ba2..56e2fe69719f3d0133c3b0e745c5a37ec76e12ca 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -233,6 +233,76 @@ class user(LDAPObject): bindable = True password_attributes = [('userpassword', 'has_password'), ('krbprincipalkey', 'has_keytab')] +managed_permissions = { +'System: Read User Standard Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'cn', 'sn', 'description', 'title', 'uid', +'displayname', 'givenname', 'initials', 'manager', 'gecos', +'gidnumber', 'homedirectory', 'loginshell', 'uidnumber' +}, +}, +'System: Read User Addressbook Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'seealso', 'telephonenumber', +'fax', 'l', 'ou', 'st', 'postalcode', 'street', +'destinationindicator', 'internationalisdnnumber', +'physicaldeliveryofficename', 'postaladdress', 'postofficebox', +'preferreddeliverymethod', 'registeredaddress', +'teletexterminalidentifier', 'telexnumber', 'x121address', +'carlicense', 'departmentnu
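Review bot: the 'System: Read User Standard Attributes' entry pairs 'replaces_global_anonymous_aci': True with 'ipapermbindruletype': 'anonymous', so 'gecos', 'gidnumber', 'homedirectory', 'loginshell' and 'uidnumber' are readable without any bind on fresh installs as well as upgrades; that is the intended compatibility with the old global anonymous read ACI, but nothing in the dict says so and the name "Standard" no longer hints at it. A one-line comment above that entry stating that the anonymous bind rule is deliberate would stop a later cleanup from "tightening" it to 'all' and breaking unauthenticated NSS lookups.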
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/23/2014 04:50 PM, Simo Sorce wrote:
> On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
>> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
>>> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>>>>
>>>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>>>
>>>>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>>>>
>>>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>>>>
>>>>>>> 540:
>>>>>>>
>>>>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>>>>
>>>>>>> - ipauniqueid
>>>>>>> - ipasshpubkey
>>>>>>> - ipauserauthtype
>>>>>>> - userclass
>>>>>>>
>>>>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>>>>
>>>>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>>>>
>>>>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>>>>> Attaching updated patches.
>>>>>
>>>>> Ok, looks good.
>>>>>
>>>>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>>>
>>>>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>>>>
>>>> We could use: "System: Read User Standard Attributes"
>>>
>>> I've used this one, then.
>>>
>>>> but the 'posix' version is also ok to me.
>>>
>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
>>>
>>> Good catch. Added.
>>
>> We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:
>>
>> Excluded attributes for System: Read User Addressbook Attributes: userpkcs12
>>
>> Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?
>
> Is there any client that needs access to that information that we are aware of?
>
> Simo.

I do not think so. Rob, do you know?

Martin
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
> > On 05/21/2014 12:14 PM, Simo Sorce wrote:
> > > On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> > > > On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> > > > > On 05/16/2014 01:54 PM, Martin Kosek wrote:
> > > > > > On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> > > > > > > Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
> > > > > > >
> > > > > > > Patch 0541 is some minor refactoring for the next part.
> > > > > > >
> > > > > > > Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
> > > > > > > I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
> > > > > > >
> > > > > > > [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
> > > > > >
> > > > > > 540:
> > > > > >
> > > > > > Looks good! The only attributes I am concerned about are special IPA attributes:
> > > > > >
> > > > > > - ipauniqueid
> > > > > > - ipasshpubkey
> > > > > > - ipauserauthtype
> > > > > > - userclass
> > > > > >
> > > > > > I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
> > > > > >
> > > > > > What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
> > > > >
> > > > > Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
> > > > > Attaching updated patches.
> > > >
> > > > Ok, looks good.
> > > >
> > > > I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
> > > >
> > > > Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
> > >
> > > We could use: "System: Read User Standard Attributes"
> >
> > I've used this one, then.
> >
> > > but the 'posix' version is also ok to me.
> >
> > On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> > > Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
> >
> > Good catch. Added.
>
> We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:
>
> Excluded attributes for System: Read User Addressbook Attributes: userpkcs12
>
> Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?

Is there any client that needs access to that information that we are aware of?

Simo.
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/22/2014 04:20 PM, Petr Viktorin wrote:
> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>>
>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>
>>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>>
>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>>
>>>>> 540:
>>>>>
>>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>>
>>>>> - ipauniqueid
>>>>> - ipasshpubkey
>>>>> - ipauserauthtype
>>>>> - userclass
>>>>>
>>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>>
>>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>>
>>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>>> Attaching updated patches.
>>>
>>> Ok, looks good.
>>>
>>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>
>>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>>
>> We could use: "System: Read User Standard Attributes"
>
> I've used this one, then.
>
>> but the 'posix' version is also ok to me.
>
> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.
>
> Good catch. Added.

We are very close to push this one - I have just one last concern about userpkcs12 attribute. On upgrade, we previously hid userpkcs12 from user, now we added it to be read by default. This results in this warning during upgrade:

Excluded attributes for System: Read User Addressbook Attributes: userpkcs12

Simo (or others), is this OK or do we want to keep hiding userpkcs12 by default?

Martin
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/21/2014 12:14 PM, Simo Sorce wrote:
> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>>>
>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>
>>>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>>>
>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>>>
>>>> 540:
>>>>
>>>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>>>
>>>> - ipauniqueid
>>>> - ipasshpubkey
>>>> - ipauserauthtype
>>>> - userclass
>>>>
>>>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>>>
>>>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>>>
>>> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
>>> Attaching updated patches.
>>
>> Ok, looks good.
>>
>> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>>
>> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?
>
> We could use: "System: Read User Standard Attributes"

I've used this one, then.

> but the 'posix' version is also ok to me.

On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.

Good catch. Added.

--
Petr³

From f02ca92737e03eb9872ab87ce039766a6372dbe4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to user

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/user.py | 70 ++
 1 file changed, 70 insertions(+)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d9c7c6c858aa0a4927efc01fb41b535b7bb04ba2..76efdc8941f70155c11553532dedc5656c4efcd0 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -233,6 +233,76 @@ class user(LDAPObject): bindable = True password_attributes = [('userpassword', 'has_password'), ('krbprincipalkey', 'has_keytab')] +managed_permissions = { +'System: Read User Standard Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'cn', 'sn', 'description', 'title', 'uid', +'displayname', 'givenname', 'initials', 'manager', 'gecos', +'gidnumber', 'homedirectory', 'loginshell', 'uidnumber' +}, +}, +'System: Read User Addressbook Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'seealso', 'telephonenumber', +'fax', 'l', 'ou', 'st', 'postalcode', 'street', +'destinationindicator', 'internationalisdnnumber', +'physicaldeliveryofficename', 'postaladdress', 'postofficebox', +'preferreddeliverymethod', 'registeredaddress', +'teletexterminalidentifier', 'telexnumber', 'x121address', +'carlicense', 'departmentnumber', 'employeenumber', +'employeetype', 'preferredlanguage', 'mail', 'mobile', 'pager', +'audio', 'businesscategory', 'homephone', 'homepostaladdress', +'jpegphoto', 'labeleduri', 'o', 'photo', 'roomnumber', +'secretary', 'usercertificate', 'userpkcs12', +'usersmimecertificate', 'x500uniqueidentifier', +'inetuserhttpurl', 'inetuserstatus', +}, +}, +'System: Read User IPA Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass', +}, +}, +'System: Read User Kerberos Attributes': { +'r
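Review bot: the 'System: Read User Addressbook Attributes' default attribute set lists 'userpkcs12' (next to 'usercertificate' and 'usersmimecertificate') under 'ipapermbindruletype': 'all', which makes users' PKCS#12 bundles readable by every authenticated bind; the earlier ACIs never let non-admins read that attribute, so 'userpkcs12' should be dropped from 'ipapermdefaultattr' here rather than left for the updater to exclude, because the exclusion only applies on upgrade, where the old ACI still exists to compare against, and a fresh install would get the wider permission as written.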
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> > On 05/16/2014 01:54 PM, Martin Kosek wrote:
> > > On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> > > > Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
> > > >
> > > > Patch 0541 is some minor refactoring for the next part.
> > > >
> > > > Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
> > > > I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
> > > >
> > > > [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
> > >
> > > 540:
> > >
> > > Looks good! The only attributes I am concerned about are special IPA attributes:
> > >
> > > - ipauniqueid
> > > - ipasshpubkey
> > > - ipauserauthtype
> > > - userclass
> > >
> > > I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
> > >
> > > What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
> >
> > Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
> > Attaching updated patches.
>
> Ok, looks good.
>
> I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.
>
> Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?

We could use: "System: Read User Standard Attributes"

but the 'posix' version is also ok to me.

Simo.
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/16/2014 04:33 PM, Petr Viktorin wrote:
> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously [0].
>>>
>>> Patch 0541 is some minor refactoring for the next part.
>>>
>>> Patch 0542 sets the read access to addressbook attributes to anonymous when upgrading from pre-4.0.
>>> I first did this by checking if the update is run from ipa-server-install or not, but then I realized the logic I want is simple: if the global anon read ACI exists, we want to preserve its spirit by setting addressbook attribute ACI to anonymous.
>>>
>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et al.
>>
>> 540:
>>
>> Looks good! The only attributes I am concerned about are special IPA attributes:
>>
>> - ipauniqueid
>> - ipasshpubkey
>> - ipauserauthtype
>> - userclass
>>
>> I personally do not think they should be included in POSIX attributes permissions, they are far from POSIX definition...
>>
>> What about creating one more permission "System: Read User IPA Attributes" as these are specific to FreeIPA use and allowing that permission for all authenticated users?
>
> Sounds reasonable. I assume we want this one to be also set to anonymous when upgrading from old versions.
> Attaching updated patches.

Ok, looks good.

I am now just pondering whether "System: Read User POSIX Attributes" is the right name for the permission as there are not just POSIX attributes, but also attributes from organizationalPerson or inetOrgPerson objectclasses.

Maybe we should name it "System: Read User Core Attributes" or "System: Read User Basic Attributes"? Simo, any preference?

Also, I just realized we forgot memberOf attribute - it needs to be available to authenticated users otherwise group membership will fall apart.

>
>> 541, 542:
>> ACK for both, works fine in both new installation and upgrade.
>>
>> Martin
>
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 05/16/2014 01:54 PM, Martin Kosek wrote:
> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
>> [0].
>>
>> Patch 0541 is some minor refactoring for the next part.
>>
>> Patch 0542 sets the read access to addressbook attributes to anonymous when
>> upgrading from pre-4.0.
>> I first did this by checking if the update is run from ipa-server-install or
>> not, but then I realized the logic I want is simple: if the global anon read
>> ACI exists, we want to preserve its spirit by setting addressbook attribute
>> ACI to anonymous.
>>
>>
>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
>> al.
>>
>
> 540:
>
> Looks good! The only attributes I am concerned about are special IPA
> attributes:
>
> - ipauniqueid
> - ipasshpubkey
> - ipauserauthtype
> - userclass
>
> I personally do not think they should be included in POSIX attributes
> permissions, they are far from POSIX definition...
>
> What about creating one more permission "System: Read User IPA Attributes" as
> these are specific to FreeIPA use and allowing that permission for all
> authenticated users?

Sounds reasonable. I assume we want this one to be also set to anonymous when
upgrading from old versions.
Attaching updated patches.

> 541, 542:
> ACK for both, works fine in both new installation and upgrade.
>
> Martin

--
Petr³

From 04311c33f4cee613865521469779b625ab4657c9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to user

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/user.py | 62 ++
 1 file changed, 62 insertions(+)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d9c7c6c858aa0a4927efc01fb41b535b7bb04ba2..bc6c2a300c58783dceed1aebbbde56e28f06f518 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -233,6 +233,68 @@ class user(LDAPObject): bindable = True password_attributes = [('userpassword', 'has_password'), ('krbprincipalkey', 'has_keytab')] +managed_permissions = { +'System: Read User POSIX Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'cn', 'sn', 'description', 'title', 'uid', +'displayname', 'givenname', 'initials', 'manager', 'gecos', +'gidnumber', 'homedirectory', 'loginshell', 'uidnumber' +}, +}, +'System: Read User Addressbook Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'seealso', 'telephonenumber', +'fax', 'l', 'ou', 'st', 'postalcode', 'street', +'destinationindicator', 'internationalisdnnumber', +'physicaldeliveryofficename', 'postaladdress', 'postofficebox', +'preferreddeliverymethod', 'registeredaddress', +'teletexterminalidentifier', 'telexnumber', 'x121address', +'carlicense', 'departmentnumber', 'employeenumber', +'employeetype', 'preferredlanguage', 'mail', 'mobile', 'pager', +'audio', 'businesscategory', 'homephone', 'homepostaladdress', +'jpegphoto', 'labeleduri', 'o', 'photo', 'roomnumber', +'secretary', 'usercertificate', 'userpkcs12', +'usersmimecertificate', 'x500uniqueidentifier', +'inetuserhttpurl', 'inetuserstatus', +}, +}, +'System: Read User IPA Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass', +}, +}, +'System: Read User Kerberos Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', +'krbprincipalexpiration', 'krbpasswordexpiration', 
+'krblastpwdchange', 'nsaccountlock', 'krbprincipaltype', +}, +}, +'System: Read User Kerberos Login Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'krblastsuccessfulauth', 'krblastfailedauth', +'krblastpwdchange
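Review bot: 'krblastpwdchange' is listed both in 'System: Read User Kerberos Attributes' (bind rule type 'all') and in 'System: Read User Kerberos Login Attributes' (bind rule type 'permission', granted only to User Administrators); ACIs are additive, so the 'all' listing makes the restricted one ineffective for that attribute, and it should appear in exactly one of the two sets. Two further gaps in the attribute lists of this hunk: 'memberof' is in none of them, so once these permissions replace the global anonymous read ACI authenticated users can no longer read group membership (Martin raises the same point in his reply), and 'userpkcs12' in the addressbook set is a PKCS#12 PFX container that can carry a private key, so exposing it to every authenticated bind (and, via 0542, to anonymous on upgrade) should be an explicit decision rather than part of the addressbook bundle.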
Re: [Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
On 04/29/2014 11:00 PM, Petr Viktorin wrote:
> Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
> [0].
>
> Patch 0541 is some minor refactoring for the next part.
>
> Patch 0542 sets the read access to addressbook attributes to anonymous when
> upgrading from pre-4.0.
> I first did this by checking if the update is run from ipa-server-install or
> not, but then I realized the logic I want is simple: if the global anon read
> ACI exists, we want to preserve its spirit by setting addressbook attribute
> ACI to anonymous.
>
>
> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
> al.
>

540:

Looks good! The only attributes I am concerned about are special IPA
attributes:

- ipauniqueid
- ipasshpubkey
- ipauserauthtype
- userclass

I personally do not think they should be included in POSIX attributes
permissions, they are far from POSIX definition...

What about creating one more permission "System: Read User IPA Attributes" as
these are specific to FreeIPA use and allowing that permission for all
authenticated users?

541, 542:
ACK for both, works fine in both new installation and upgrade.

Martin
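The three bind rule types the managed permissions in this thread use ('anonymous', 'all' and 'permission') and the upgrade rule Petr describes for patch 0542 (keep a permission anonymous when the old global anonymous read ACI is still present), modelled in Python. This is an added example, not FreeIPA's code: MANAGED_PERMISSIONS is a constructed subset of the sets in the patch, and the suffix dc=example,dc=com, the posixaccount target filter, the cn=permissions,cn=pbac location of permission groups, the "Enable Anonymous access" name of the pre-4.0 ACI and the sample aci values are all assumptions. The last function flags attributes listed under permissions with different bind rule types, which is the check that catches the duplicated 'krblastpwdchange'.

```python
"""Managed read permissions rendered as 389-ds ACIs, plus the 0542 upgrade rule.

Added example for this thread, not FreeIPA's own code.  The permission subset,
suffix, target filter, cn=permissions,cn=pbac location and the
"Enable Anonymous access" ACI name are assumptions.
"""
import re

SUFFIX = "dc=example,dc=com"                     # assumed
ANON_READ_ACI_NAME = "Enable Anonymous access"   # assumed name of the old global ACI

# Constructed subset of the permissions in the patch (same structure, fewer attrs).
MANAGED_PERMISSIONS = {
    "System: Read User POSIX Attributes": {
        "replaces_global_anonymous_aci": True,
        "ipapermbindruletype": "anonymous",
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"objectclass", "cn", "uid", "uidnumber",
                               "gidnumber", "homedirectory", "loginshell"},
    },
    "System: Read User Addressbook Attributes": {
        "replaces_global_anonymous_aci": True,
        "ipapermbindruletype": "all",
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"mail", "telephonenumber", "userpkcs12"},
    },
    "System: Read User Kerberos Attributes": {
        "replaces_global_anonymous_aci": True,
        "ipapermbindruletype": "all",
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"krbprincipalname", "krblastpwdchange", "nsaccountlock"},
    },
    "System: Read User Kerberos Login Attributes": {
        "replaces_global_anonymous_aci": True,
        "ipapermbindruletype": "permission",
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"krblastsuccessfulauth", "krblastfailedauth",
                               "krblastpwdchange", "krbloginfailedcount"},
        "default_privileges": {"User Administrators"},
    },
}

# Constructed aci values of a pre-4.0 suffix entry (assumed wording of the old ACI).
PRE_40_SUFFIX_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous '
    'access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]

def bind_clause(name, bindruletype, suffix=SUFFIX):
    """389-ds bind rule for each ipapermbindruletype value."""
    if bindruletype == "anonymous":      # any client, bound or not
        return 'userdn = "ldap:///anyone"'
    if bindruletype == "all":            # any authenticated bind
        return 'userdn = "ldap:///all"'
    if bindruletype == "permission":     # only members of the permission's group
        return 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (name, suffix)
    raise ValueError("unknown ipapermbindruletype: %r" % bindruletype)

def render_aci(name, perm, bindruletype=None, suffix=SUFFIX):
    """Render one permission as the ACI 389-ds would evaluate."""
    bindruletype = bindruletype or perm["ipapermbindruletype"]
    return ('(targetattr = "%s")(targetfilter = "(objectclass=posixaccount)")'
            '(version 3.0;acl "permission:%s";allow (%s) %s;)'
            % (" || ".join(sorted(perm["ipapermdefaultattr"])), name,
               ",".join(sorted(perm["ipapermright"])),
               bind_clause(name, bindruletype, suffix)))

def global_anonymous_read_aci_present(aci_values):
    """True if the suffix entry still carries the pre-4.0 global anonymous read ACI."""
    pat = re.compile(r'acl\s+"%s"' % re.escape(ANON_READ_ACI_NAME), re.IGNORECASE)
    return any(pat.search(v) for v in aci_values)

def upgrade_bindruletype(name, perm, aci_values, relax_on_upgrade):
    """The 0542 rule from the thread: if the old global anonymous ACI exists, the
    permissions named in relax_on_upgrade are created as 'anonymous' so that the
    upgrade does not silently tighten what was readable before."""
    if (name in relax_on_upgrade and perm.get("replaces_global_anonymous_aci")
            and global_anonymous_read_aci_present(aci_values)):
        return "anonymous"
    return perm["ipapermbindruletype"]

def plan_acis(perms, aci_values, relax_on_upgrade=frozenset()):
    """ACI text per permission for a given server state (fresh install or upgrade)."""
    return {name: render_aci(name, perm,
                             upgrade_bindruletype(name, perm, aci_values, relax_on_upgrade))
            for name, perm in perms.items()}

def readable_attrs(perms, bound, privileges=frozenset()):
    """Attributes a bind can read: bound=False is an anonymous bind, privileges are
    those held by the bound user (what a 'permission' bind rule keys on)."""
    out = set()
    for perm in perms.values():
        bt = perm["ipapermbindruletype"]
        if (bt == "anonymous" or (bt == "all" and bound)
                or (bt == "permission" and bound
                    and privileges & perm.get("default_privileges", set()))):
            out |= perm["ipapermdefaultattr"]
    return out

def attrs_with_conflicting_bindrules(perms):
    """Attributes listed under permissions with different bind rule types: ACIs
    are additive, so the most permissive listing wins and the stricter one is dead."""
    seen = {}
    for perm in perms.values():
        for attr in perm["ipapermdefaultattr"]:
            seen.setdefault(attr, set()).add(perm["ipapermbindruletype"])
    return {attr: types for attr, types in seen.items() if len(types) > 1}

if __name__ == "__main__":
    relax = {"System: Read User Addressbook Attributes"}
    for name, aci in plan_acis(MANAGED_PERMISSIONS, PRE_40_SUFFIX_ACIS, relax).items():
        print(name, "->", aci)
    print("anonymous can read:", sorted(readable_attrs(MANAGED_PERMISSIONS, bound=False)))
    print("conflicting listings:", attrs_with_conflicting_bindrules(MANAGED_PERMISSIONS))
```

Running it against PRE_40_SUFFIX_ACIS produces the addressbook ACI with userdn = "ldap:///anyone"; passing an empty aci list (a fresh install) yields userdn = "ldap:///all" for the same permission, which is the behaviour difference 0542 is about. The conflict check reports krblastpwdchange under both 'all' and 'permission'.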
[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user
Patch 0540 adds a bunch of managed read ACIs for user, as discussed previously
[0].

Patch 0541 is some minor refactoring for the next part.

Patch 0542 sets the read access to addressbook attributes to anonymous when
upgrading from pre-4.0.
I first did this by checking if the update is run from ipa-server-install or
not, but then I realized the logic I want is simple: if the global anon read
ACI exists, we want to preserve its spirit by setting addressbook attribute
ACI to anonymous.


[0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html et
al.

--
Petr³

From 9f9681c2e302923e28941c97f6b489b4d46ded8a Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: [PATCH] Add managed read permissions to user

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 ipalib/plugins/user.py | 55 ++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 166955933b2fd8b1cd1cddd5e4d48f4c97b2d7cd..12101256b9e7b42f3d85a9ff4d23690f78efd7bf 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -232,6 +232,61 @@ class user(LDAPObject): bindable = True password_attributes = [('userpassword', 'has_password'), ('krbprincipalkey', 'has_keytab')] +managed_permissions = { +'System: Read User POSIX Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'cn', 'sn', 'description', 'title', 'uid', +'displayname', 'givenname', 'initials', 'manager', +'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'gecos', +'gidnumber', 'homedirectory', 'loginshell', 'uidnumber' +}, +}, +'System: Read User Addressbook Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'seealso', 'telephonenumber', +'fax', 'l', 'ou', 'st', 'postalcode', 'street', +'destinationindicator', 'internationalisdnnumber', +'physicaldeliveryofficename', 'postaladdress', 'postofficebox', +'preferreddeliverymethod', 'registeredaddress', +'teletexterminalidentifier', 'telexnumber', 'x121address', +'carlicense', 'departmentnumber', 'employeenumber', +'employeetype', 'preferredlanguage', 'mail', 'mobile', 'pager', +'audio', 'businesscategory', 'homephone', 'homepostaladdress', +'jpegphoto', 'labeleduri', 'o', 'photo', 'roomnumber', +'secretary', 'usercertificate', 'userpkcs12', +'usersmimecertificate', 'x500uniqueidentifier', +'inetuserhttpurl', 'inetuserstatus', 'userclass', +}, +}, +'System: Read User Kerberos Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'all', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', +'krbprincipalexpiration', 'krbpasswordexpiration', +'krblastpwdchange', 'nsaccountlock', 'krbprincipaltype', +}, +}, +'System: Read User Kerberos Login Attributes': { +'replaces_global_anonymous_aci': True, +'ipapermbindruletype': 'permission', 
+'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'krblastsuccessfulauth', 'krblastfailedauth', +'krblastpwdchange', 'krblastadminunlock', +'krbloginfailedcount', 'krbpwdpolicyreference', +'krbticketpolicyreference', 'krbupenabled', +}, +'default_privileges': {'User Administrators'}, +}, +} label = _('Users') label_singular = _('User') -- 1.9.0 From 4efc66dfe0ce2ecc53ac1562c03c43f45f77babd Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 29 Apr 2014 21:15:05 +0200 Subject: [PATCH] update_managed_permissions: Pass around anonymous ACI rather than its blacklist It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. --- .../install/plugins/update_managed_permissions.py | 35 +++--- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index bffd9bbf434e76c
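Review bot: in the user.py hunk, 'ipasshpubkey', 'ipauniqueid' and 'ipauserauthtype' sit in 'System: Read User POSIX Attributes', whose bind rule type is 'anonymous', so after this patch any unauthenticated LDAP client can enumerate every user's SSH public keys and permitted authentication types; they are IPA-specific rather than POSIX and belong in a separate permission bound to authenticated users ('all'), with 'userclass' from the addressbook set alongside them, which is what Martin's review asks for. Separately, 'krblastpwdchange' is listed under both 'System: Read User Kerberos Attributes' ('all') and 'System: Read User Kerberos Login Attributes' ('permission', User Administrators only); because ACIs are additive the restricted listing is dead for that attribute and it should be kept in one set only.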