Re: [Freeipa-devel] Sudorule schema inconsistencies
On 05/12/2014 11:56 AM, Tomas Babej wrote: > Hi fellow developers, > > while working on https://fedorahosted.org/freeipa/ticket/4263 I found > some inconsistencies in the attribute naming: > > There are the following attributes in the schema: > > * ipasudorunas_user : RunAs Users > * ipasudorunas_group : Groups of RunAs Users (and not groups you can > RunAsGroup as) > > This implies that ipasudorunas prefix implicitly talks about RunAsUser > and not RunAsGroup. This hypothesis is confirmed by attribute: > > * ipasudorunasgroup_group : Run with the gid of a specified POSIX group > > since here the prefix is ipasudorunas*group*. > > However, > > * ipasudorunasextuser : RunAs External User (consistent) > * ipasudorunasextgroup : RunAs External Group (*inconsistent*, since > ipasudorunas prefix means RunAsUser in other attributes. This attribute > naming implies semantics of "External Groups of RunAs Users" and not > "External group you can RunAsGroup as."). > > The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for > implementation of precisely this "External Groups of RunAs Users". Since > ipasudorunasextgroup attribute is taken, we have the following alternatives: > > 1.) Create new attribute ipasudorunasgroup_extgroup and move semantics > of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the > 4263's use case. (painful) Painful indeed. I would really prefer to avoid this option, as it would involve change upgrade plugin to migrate all sudo rules, requirement for users to upgrade *all* FreeIPA servers to avoid older servers adding inconsistent SUDO rules etc. etc. > 2.) Create new attribute with incosistent name, such as > ipasudorunasextgroupmembers or ipasudorunasextusergroup. > 3.) Do not create new attributes, but use a workaround which adds failed > groups as users with % prefix (patch attached). > > What do you think? 3) seems to be unprecedented in our code and inconsistent as well. IMO it would be also difficult to process later. '%' is a sudoers syntax specific prefix and we try to make our native tree (cn=sudo) not that much dependent on the exact sudoers syntax. I personally think 2) would be the best choice, though I agree naming will be difficult. ipasudorunasextusergroup is my favorite. But as we discussed in person, in the same patch we will need to make sure all the labeling and doc strings clarifies all this mess. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Sudorule schema inconsistencies
Hi, On 12.5.2014 11:56, Tomas Babej wrote: Hi fellow developers, while working on https://fedorahosted.org/freeipa/ticket/4263 I found some inconsistencies in the attribute naming: There are the following attributes in the schema: * ipasudorunas_user : RunAs Users * ipasudorunas_group : Groups of RunAs Users (and not groups you can RunAsGroup as) This implies that ipasudorunas prefix implicitly talks about RunAsUser and not RunAsGroup. This hypothesis is confirmed by attribute: * ipasudorunasgroup_group : Run with the gid of a specified POSIX group since here the prefix is ipasudorunas*group*. However, * ipasudorunasextuser : RunAs External User (consistent) * ipasudorunasextgroup : RunAs External Group (*inconsistent*, since ipasudorunas prefix means RunAsUser in other attributes. This attribute naming implies semantics of "External Groups of RunAs Users" and not "External group you can RunAsGroup as."). The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for implementation of precisely this "External Groups of RunAs Users". Since ipasudorunasextgroup attribute is taken, we have the following alternatives: 1.) Create new attribute ipasudorunasgroup_extgroup and move semantics of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the 4263's use case. (painful) 2.) Create new attribute with incosistent name, such as ipasudorunasextgroupmembers or ipasudorunasextusergroup. 3.) Do not create new attributes, but use a workaround which adds failed groups as users with % prefix (patch attached). What do you think? I'm going to point out that ipasudorunas_user etc. is not an actual attribute, it's the ipasudorunas attribute after membership processing. In other words, the ipasudorunas attribute is used for both users and groups. Is there anything stopping you from doing the same thing with ipasudorunasextuser? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] Sudorule schema inconsistencies
Hi fellow developers, while working on https://fedorahosted.org/freeipa/ticket/4263 I found some inconsistencies in the attribute naming: There are the following attributes in the schema: * ipasudorunas_user : RunAs Users * ipasudorunas_group : Groups of RunAs Users (and not groups you can RunAsGroup as) This implies that ipasudorunas prefix implicitly talks about RunAsUser and not RunAsGroup. This hypothesis is confirmed by attribute: * ipasudorunasgroup_group : Run with the gid of a specified POSIX group since here the prefix is ipasudorunas*group*. However, * ipasudorunasextuser : RunAs External User (consistent) * ipasudorunasextgroup : RunAs External Group (*inconsistent*, since ipasudorunas prefix means RunAsUser in other attributes. This attribute naming implies semantics of "External Groups of RunAs Users" and not "External group you can RunAsGroup as."). The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for implementation of precisely this "External Groups of RunAs Users". Since ipasudorunasextgroup attribute is taken, we have the following alternatives: 1.) Create new attribute ipasudorunasgroup_extgroup and move semantics of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the 4263's use case. (painful) 2.) Create new attribute with incosistent name, such as ipasudorunasextgroupmembers or ipasudorunasextusergroup. 3.) Do not create new attributes, but use a workaround which adds failed groups as users with % prefix (patch attached). What do you think? -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org >From 67a1908ef2c6eeab382eb435ad4d41536e7d98e3 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 5 May 2014 17:04:27 +0200 Subject: [PATCH] sudorules: Allow specifing RunAsUser as external group --- ipalib/plugins/sudorule.py | 22 ++ 1 file changed, 22 insertions(+) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 627b4b975f6336658eb74d37b4c15d803511c5d4..68fd6d4748b63a2f2e436f1e7dabe42699fac787 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -550,6 +550,26 @@ class sudorule_remove_host(LDAPRemoveMember): api.register(sudorule_remove_host) + +def convert_failed_groups_to_users_with_group_prefix(memberattr, failed): +""" +Converts any failed groups to failed users by appending % character +to the group name. +""" + +# Basic assumptions +if not memberattr in failed: +return + +if 'user' not in failed[memberattr] or 'group' not in failed[memberattr]: +return + +for group_name, error in failed[memberattr]['group']: +failed[memberattr]['user'].append((u'%' + group_name, error)) + +failed[memberattr]['group'] = [] + + class sudorule_add_runasuser(LDAPAddMember): __doc__ = _('Add users and groups for Sudo to execute as.') @@ -589,6 +609,7 @@ class sudorule_add_runasuser(LDAPAddMember): def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) +convert_failed_groups_to_users_with_group_prefix('ipasudorunas', failed) return add_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_add_runasuser) @@ -602,6 +623,7 @@ class sudorule_remove_runasuser(LDAPRemoveMember): def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): assert isinstance(dn, DN) +convert_failed_groups_to_users_with_group_prefix('ipasudorunas', failed) return remove_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_remove_runasuser) -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel