Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-23 Thread Petr Viktorin

On 06/20/2014 10:35 PM, Martin Kosek wrote:
[...]


Everything worked as expected, I tested both enrollments with a privileged
user and setting the OTP/class.

I have just one request (you will not like this) - before pushing please
also fix casing for the new host permissions to match others:

+'System: Manage host certificates': {
+'System: Manage host enrollment password': {

When this is fixed (and ACI.txt properly updated), it is an ACK.


Oh the joys of rebasing.

Fixed capitalization, pushed to master: 
14e2eb9171c2cebff8efefac824edbe7dce1734c



--
Petr³


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-20 Thread Martin Kosek

On 06/19/2014 01:41 PM, Petr Viktorin wrote:

On 06/18/2014 05:46 PM, Martin Kosek wrote:

On 06/11/2014 06:39 PM, Petr Viktorin wrote:

Patch 0578 does the conversion

Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
permissions needed for automatic enrollment (from
http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)


1) Inconsistent casing in permission names:

System: Add Hosts
System: Add krbPrincipalName to a host
System: Enroll a host
System: Manage Host SSH Public Keys
System: Manage host keytab
System: Modify Hosts
System: Remove Hosts


Fixed


2) This ACI does not look right, missing enrolledby:

+'System: Enroll a host': {
+'ipapermright': {'write'},
+'ipapermdefaultattr': {'objectclass'},

When I fixed 2) via permission-mod, client enrollment with a user with the Host
Administrators privilege worked fine.


Added


3) I hit one issue: when I open the Web UI host tab, I get an "Insufficient access:
No such virtual command" error triggered by the cert-show command.


Virtual operations seem to be quite a can of worms.
I've sent a separate reply for these.


We will also need to add the permission System: Read Virtual Operations that Honza
is creating to Host Administrators to fix that part.


4) I ran the unit tests and found a few missing attributes:
- the update hosts ACI should get the macaddress attribute


Added


5) I hit one nasty issue when running the unit tests (my master stopped
working because its host account was deleted) - the host_is_master function
in baseldap no longer works since we hid cn=masters from regular users:

from ipalib import api, errors, _
from ipapython.dn import DN


def host_is_master(ldap, fqdn):
    """
    Check to see if this host is a master.

    Raises an exception if a master, otherwise returns nothing.
    """
    master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                   api.env.basedn)
    try:
        ldap.get_entry(master_dn, ['objectclass'])
        # Entry is visible: this host is a master, refuse the operation
        raise errors.ValidationError(name='hostname', error=_('An IPA master '
                                     'host cannot be deleted or disabled'))
    except errors.NotFound:
        # Good, not a master (also what a caller who cannot read cn=masters
        # gets, which is the problem)
        return

This means that host-del on a master machine or service-del on a master
service happily passes.

We need to make sure this functionality is still working after the permission
refactoring. Should we reconsider the cn=masters tree and allow authenticated
users to see the list of IPA servers (without digging into any other detail like
services) then?


Nasty indeed, thanks for the catch!

Sent as patch 0590, since it's a different issue than converting the host
permissions.


Everything worked as expected, I tested both enrollments with a privileged user 
and setting the OTP/class.


I have just one request (you will not like this) - before pushing please also 
fix casing for the new host permissions to match others:


+'System: Manage host certificates': {
+'System: Manage host enrollment password': {

When this is fixed (and ACI.txt properly updated), it is an ACK.

Martin
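The fail-open behaviour of host_is_master discussed above, as an added simulation that is not the project's code and not patch 0590: ToyLDAP stands in for the ldap2 backend and hides cn=masters from unprivileged binds the way the ACI change does, the exception classes mirror ipalib.errors in name only, the base DN is constructed, and the canary read in the fail-closed variant is this example's own mitigation, not FreeIPA's chosen fix.

```python
# Simulation of the check quoted in this thread. MASTERS_DN is a constructed
# suffix; ToyLDAP models only the cn=masters subtree and the ACI that hides it.


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (name only)."""


class ACIError(Exception):
    """Stand-in for ipalib.errors.ACIError (name only)."""


class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError (name only)."""


MASTERS_DN = 'cn=masters,cn=ipa,cn=etc,dc=example,dc=test'  # constructed base DN


class ToyLDAP:
    """Directory whose cn=masters container and children are readable only by
    privileged binds. As with a 389-ds ACI that hides a subtree, an unprivileged
    base search for a hidden entry fails as 'no such entry', not 'access denied'."""

    def __init__(self, masters, privileged):
        self.entries = {MASTERS_DN} | {'cn=%s,%s' % (m, MASTERS_DN) for m in masters}
        self.privileged = privileged

    def get_entry(self, dn):
        if dn not in self.entries or not self.privileged:
            raise NotFound(dn)
        return {'dn': dn, 'objectclass': ['nscontainer']}


def master_dn(fqdn):
    return 'cn=%s,%s' % (fqdn, MASTERS_DN)


def host_is_master_fail_open(ldap, fqdn):
    """The check as quoted in the thread: NotFound is read as 'not a master',
    so a caller who merely cannot see cn=masters passes the check."""
    try:
        ldap.get_entry(master_dn(fqdn))
    except NotFound:
        return
    raise ValidationError('An IPA master host cannot be deleted or disabled')


def host_is_master_fail_closed(ldap, fqdn):
    """Canary read first: if this connection cannot see the cn=masters container
    itself, a NotFound for a child proves nothing, so refuse instead of allowing.
    Assumes the ACI hides the whole subtree, as the thread describes."""
    try:
        ldap.get_entry(MASTERS_DN)
    except NotFound:
        raise ACIError('cn=masters is not readable; cannot rule out a master') from None
    try:
        ldap.get_entry(master_dn(fqdn))
    except NotFound:
        return
    raise ValidationError('An IPA master host cannot be deleted or disabled')


def deletion_allowed(check, ldap, fqdn):
    """What host-del would conclude: True means the delete proceeds."""
    try:
        check(ldap, fqdn)
    except (ValidationError, ACIError):
        return False
    return True
```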



Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-19 Thread Petr Viktorin

On 06/18/2014 05:46 PM, Martin Kosek wrote:

On 06/11/2014 06:39 PM, Petr Viktorin wrote:

Patch 0578 does the conversion

Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
permissions needed for automatic enrollment (from
http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)


1) Inconsistent casing in permission names:

System: Add Hosts
System: Add krbPrincipalName to a host
System: Enroll a host
System: Manage Host SSH Public Keys
System: Manage host keytab
System: Modify Hosts
System: Remove Hosts


Fixed


2) This ACI does not look right, missing enrolledby:

+'System: Enroll a host': {
+'ipapermright': {'write'},
+'ipapermdefaultattr': {'objectclass'},

When I fixed 2) via permission-mod, client enrollment with a user with the Host
Administrators privilege worked fine.


Added


3) I hit one issue: when I open the Web UI host tab, I get an "Insufficient access:
No such virtual command" error triggered by the cert-show command.


Virtual operations seem to be quite a can of worms.
I've sent a separate reply for these.


We will also need to add the permission System: Read Virtual Operations that Honza
is creating to Host Administrators to fix that part.


4) I ran the unit tests and found a few missing attributes:
- the update hosts ACI should get the macaddress attribute


Added


5) I hit one nasty issue when running the unit tests (my master stopped
working because its host account was deleted) - the host_is_master function
in baseldap no longer works since we hid cn=masters from regular users:

from ipalib import api, errors, _
from ipapython.dn import DN


def host_is_master(ldap, fqdn):
    """
    Check to see if this host is a master.

    Raises an exception if a master, otherwise returns nothing.
    """
    master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                   api.env.basedn)
    try:
        ldap.get_entry(master_dn, ['objectclass'])
        # Entry is visible: this host is a master, refuse the operation
        raise errors.ValidationError(name='hostname', error=_('An IPA master '
                                     'host cannot be deleted or disabled'))
    except errors.NotFound:
        # Good, not a master (also what a caller who cannot read cn=masters
        # gets, which is the problem)
        return

This means that host-del on a master machine or service-del on a master
service happily passes.

We need to make sure this functionality is still working after the permission
refactoring. Should we reconsider the cn=masters tree and allow authenticated
users to see the list of IPA servers (without digging into any other detail like
services) then?


Nasty indeed, thanks for the catch!

Sent as patch 0590, since it's a different issue than converting the 
host permissions.


--
Petr³

From 3d64f29fd8151f9cc9f5475a59ee5350df4749fc Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 30 May 2014 18:35:31 +0200
Subject: [PATCH] Convert Host default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt  | 14 ++
 install/share/delegation.ldif| 82 
 install/updates/40-delegation.update | 29 +
 ipalib/plugins/host.py   | 66 +
 4 files changed, 81 insertions(+), 110 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index cd19fb90fdd0ac1947393aabfd667e46a6f015fc..72036f1612806478a1776b6e8660023d230b631b 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -38,10 +38,24 @@ dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || ipauniqueid || memberof || objectclass)(targetfilter = (objectclass=ipahbacservice))(version 3.0;acl permission:System: Read HBAC Services;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso)(targetfilter = (objectclass=ipahbacservicegroup))(version 3.0;acl permission:System: Read HBAC Service Groups;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = enrolledby || objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a Host;allow (write) groupdn = ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Manage Host 
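Review bot: the 'System: Enroll a Host' ACI grants write on enrolledby || objectclass for every ipahost entry (targetfilter = (objectclass=ipahost)), whereas 'System: Add krbPrincipalName to a Host' just above restricts itself with (!(krbprincipalname=*)) so it only applies before the principal exists; if enrolment is meant to be one-shot, consider an equivalent guard on enrolledby so holders cannot re-point it on hosts that are already enrolled, or state in the commit message that re-enrolment by permission holders is intended. The attached hunk ends mid-entry at '+dn: cn=System: Manage Host', so the remaining host permissions cannot be checked from this message.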

Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-18 Thread Petr Viktorin

On 06/11/2014 06:39 PM, Petr Viktorin wrote:

Patch 0578 does the conversion

Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and
provides permissions needed for automatic enrollment (from
http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)


Rebasing to current master.


--
Petr³
From fc3a52654df1b37146c28a14ddbc78c5cb5693df Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 30 May 2014 18:35:31 +0200
Subject: [PATCH] Convert Host default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt  | 14 ++
 install/share/delegation.ldif| 82 
 install/updates/40-delegation.update | 29 +
 ipalib/plugins/host.py   | 66 +
 4 files changed, 81 insertions(+), 110 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index cd19fb90fdd0ac1947393aabfd667e46a6f015fc..6d4d2ff5b5be461399505e5b138df53fc3234892 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -38,10 +38,24 @@ dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || ipauniqueid || memberof || objectclass)(targetfilter = (objectclass=ipahbacservice))(version 3.0;acl permission:System: Read HBAC Services;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso)(targetfilter = (objectclass=ipahbacservicegroup))(version 3.0;acl permission:System: Read HBAC Service Groups;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a host;allow (write) groupdn = ldap:///cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Manage host keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage host keytab;allow (write) groupdn = ldap:///cn=System: Manage host keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = description || l || nshardwareplatform || nshostlocation || nsosversion)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = memberof)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Read Host Membership;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Read Hosts;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Remove Hosts;allow (delete) groupdn = ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = member || memberhost || memberof 
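Review bot: 'System: Enroll a host' allows write only on objectclass (targetattr = objectclass); enrolment also records the enrolling principal in enrolledby, which the 'System: Read Hosts' entry in this same hunk lists as a host attribute, so a user holding just this permission will be refused partway through the join. Add enrolledby to the targetattr list. The names in the hunk also mix 'System: Add Hosts' and 'System: Manage Host SSH Public Keys' with 'System: Enroll a host' and 'System: Manage host keytab'; since the name becomes the permission DN and the groupdn in the ACI, settle the casing before these ship.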

Re: [Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-18 Thread Martin Kosek
On 06/11/2014 06:39 PM, Petr Viktorin wrote:
 Patch 0578 does the conversion
 
 Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
 permissions needed for automatic enrollment (from
 http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)

1) Inconsistent casing in permission names:

System: Add Hosts
System: Add krbPrincipalName to a host
System: Enroll a host
System: Manage Host SSH Public Keys
System: Manage host keytab
System: Modify Hosts
System: Remove Hosts


2) This ACI does not look right, missing enrolledby:

+'System: Enroll a host': {
+'ipapermright': {'write'},
+'ipapermdefaultattr': {'objectclass'},

When I fixed 2) via permission-mod, client enrollment with a user with the Host
Administrators privilege worked fine.


3) I hit one issue: when I open the Web UI host tab, I get an "Insufficient access:
No such virtual command" error triggered by the cert-show command.

We will also need to add the permission System: Read Virtual Operations that Honza
is creating to Host Administrators to fix that part.


4) I ran the unit tests and found a few missing attributes:
- the update hosts ACI should get the macaddress attribute


5) I hit one nasty issue when running the unit tests (my master stopped
working because its host account was deleted) - the host_is_master function
in baseldap no longer works since we hid cn=masters from regular users:

from ipalib import api, errors, _
from ipapython.dn import DN


def host_is_master(ldap, fqdn):
    """
    Check to see if this host is a master.

    Raises an exception if a master, otherwise returns nothing.
    """
    master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                   api.env.basedn)
    try:
        ldap.get_entry(master_dn, ['objectclass'])
        # Entry is visible: this host is a master, refuse the operation
        raise errors.ValidationError(name='hostname', error=_('An IPA master '
                                     'host cannot be deleted or disabled'))
    except errors.NotFound:
        # Good, not a master (also what a caller who cannot read cn=masters
        # gets, which is the problem)
        return

This means that host-del on a master machine or service-del on a master
service happily passes.

We need to make sure this functionality is still working after the permission
refactoring. Should we reconsider the cn=masters tree and allow authenticated
users to see the list of IPA servers (without digging into any other detail like
services) then?

Martin
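An added consistency check for review points 1, 2 and 4 above, written for this thread and not part of the FreeIPA patches: it parses ACI.txt entries of the form shown in the attached hunks and reports permissions that lack write access to attributes an operation needs (enrolledby for enrollment, macaddress for host-mod) and names that break the 'System: Title Case' convention. The ACI lines are copied from the fc3a526 hunk with the '+' markers dropped; the required-attribute lists and the casing rule are assumptions taken from the review, not something the patch encodes.

```python
import re

# Four ACI.txt entries copied from the fc3a526 hunk in this thread ('+' markers
# dropped). dc=ipa,dc=example is the suffix that test file uses.
ACI_TXT = """\
dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
dn: cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
dn: cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a host;allow (write) groupdn = ldap:///cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = description || l || nshardwareplatform || nshostlocation || nsosversion)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
"""

# One 'aci:' line: optional targetattr list, then the permission name and rights.
ACI_RE = re.compile(
    r'^aci: (?:\(targetattr = (?P<attrs>[^)]*)\))?'
    r'.*?acl permission:(?P<name>[^;]*);allow \((?P<rights>[^)]*)\)')


def parse_aci_txt(text):
    """Map permission name -> (set of rights, set of target attributes)."""
    perms = {}
    for line in text.splitlines():
        m = ACI_RE.match(line)
        if m is None:
            continue  # 'dn:' lines and anything else we do not model
        attrs = m.group('attrs')
        attr_set = {a.strip().lower() for a in attrs.split('||')} if attrs else set()
        rights = {r.strip() for r in m.group('rights').split(',')}
        perms[m.group('name')] = (rights, attr_set)
    return perms


# Attributes each operation has to write, taken from the review (assumption):
# enrollment sets objectclass and enrolledby (point 2); host-mod must also be
# able to set macaddress (point 4). A gap makes a delegated user fail midway.
REQUIRED_WRITES = {
    'System: Enroll a host': {'objectclass', 'enrolledby'},
    'System: Modify Hosts': {'description', 'l', 'nshardwareplatform',
                             'nshostlocation', 'nsosversion', 'macaddress'},
}


def missing_write_attrs(perms, required=REQUIRED_WRITES):
    """Return {permission: attributes it needs to write but does not grant}."""
    gaps = {}
    for name, needed in required.items():
        rights, attrs = perms.get(name, (set(), set()))
        missing = set(needed) if 'write' not in rights else needed - attrs
        if missing:
            gaps[name] = missing
    return gaps


MINOR_WORDS = {'a', 'an', 'to', 'the', 'of'}  # allowed lowercase (assumption)


def inconsistent_casing(names):
    """Names breaking the 'System: Title Case' convention (point 1), e.g.
    'Enroll a host'. All-lowercase words are flagged; camelCase attribute
    names such as krbPrincipalName are not."""
    bad = []
    for name in names:
        words = name.split(': ', 1)[1].split()
        if any(w == w.lower() and w not in MINOR_WORDS for w in words):
            bad.append(name)
    return sorted(bad)
```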



[Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

2014-06-11 Thread Petr Viktorin

Patch 0578 does the conversion

Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and 
provides permissions needed for automatic enrollment (from 
http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)



--
Petr³
From 7b138f8170cfce71f6cec55ad21cb27a2ef581b1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 30 May 2014 18:35:31 +0200
Subject: [PATCH] Convert Host default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt  | 14 ++
 install/share/delegation.ldif| 82 
 install/updates/40-delegation.update | 29 +
 ipalib/plugins/host.py   | 62 +++
 4 files changed, 77 insertions(+), 110 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2ceaacc077467b6ef54e09d0aa7d3d5695c8fd40..f4132c3713560afdbd543497a0827fa852b5d7e2 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -20,10 +20,24 @@ dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || ipauniqueid || memberof || objectclass)(targetfilter = (objectclass=ipahbacservice))(version 3.0;acl permission:System: Read HBAC Services;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso)(targetfilter = (objectclass=ipahbacservicegroup))(version 3.0;acl permission:System: Read HBAC Service Groups;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a host;allow (write) groupdn = ldap:///cn=System: Enroll a host,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Manage host keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage host keytab;allow (write) groupdn = ldap:///cn=System: Manage host keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = description || l || nshardwareplatform || nshostlocation || nsosversion)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = memberof)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Read Host Membership;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Read Hosts;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Remove Hosts;allow (delete) groupdn = ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = member || memberhost || memberof || memberuser)(targetfilter = (objectclass=ipahostgroup))(version 3.0;acl
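Review bot: 'System: Modify Hosts' writes only description || l || nshardwareplatform || nshostlocation || nsosversion, while 'System: Read Hosts' in the same hunk exposes macaddress, userclass and usercertificate on the same ipahost entries; a delegated host administrator can therefore read but never change a host's MAC address. Either add macaddress (and any other attribute host-mod is expected to set) to this targetattr list or document which host attributes are deliberately reserved for admins. The hunk is truncated inside the 'System: Read Hostgroup Membership' entry, so the rest of the file change cannot be reviewed here.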