Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
On 06/19/2014 12:52 PM, Petr Viktorin wrote:
> I'll address the other issues separately.
>
> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>
> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?

They are indeed the same. This is an old (very old) means to check access when ACI cannot be used. I admit it is a bit clumsy.

I agree that we should indeed allow reading the list of virtual operations as the list can be retrieved from our git anyway. The virtual operations do not even show a list of its members as permissions hold it, so it really should not leak any sensitive information.

> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?
>
> And curiously, for cert-find there is no virt op based access check.

I think we should eventually invent something better than current virtual operations. For now (4.0), we should do something simple and straightforward. The simplest thing to do is stick to the old behavior, i.e.:

1) Remove the (!(objectclass=ipaVirtualOperation)) part of the filter (should improve performance, right?)
2) Remove the ipaVirtualOperation objectclass again from the virtual operations as it would be useless after change 1)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
> I'll address the other issues separately.
>
> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>
> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?
>
> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?
>
> And curiously, for cert-find there is no virt op based access check.

I wonder if we can replace some of these with the ipaProtectedOperation machinery, it works better for protecting itself from manipulation.

Simo.
Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
On 06/19/2014 02:43 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
>> I'll address the other issues separately.
>>
>> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>>
>> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?
>>
>> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?
>>
>> And curiously, for cert-find there is no virt op based access check.
>
> I wonder if we can replace some of these with the ipaProtectedOperation machinery, it works better for protecting itself from manipulation.
>
> Simo.

Yup, as I said in other part of this thread, we should invent something better eventually for Virtual Operations. For 4.0, I would just keep previous behavior and dump ipaVirtualOperation objectclass.

Martin
Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
> On 06/19/2014 02:43 PM, Simo Sorce wrote:
>> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
>>> I'll address the other issues separately.
>>>
>>> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>>>
>>> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?
>>>
>>> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?
>>>
>>> And curiously, for cert-find there is no virt op based access check.
>>
>> I wonder if we can replace some of these with the ipaProtectedOperation machinery, it works better for protecting itself from manipulation.
>>
>> Simo.
>
> Yup, as I said in other part of this thread, we should invent something better

Well given we already have something better introduced with the getkeytab patches, maybe we can go ahead and start using them ?

> eventually for Virtual Operations. For 4.0, I would just keep previous behavior and dump ipaVirtualOperation objectclass.

Are we concerned that older replicas will not work if we change these to ipaProtectedOperation based ACIs ? (unless their DS is fixed, there were bugs).

Simo.
Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
On 06/19/2014 02:54 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 14:49 +0200, Martin Kosek wrote:
>> On 06/19/2014 02:43 PM, Simo Sorce wrote:
>>> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
>>>> I'll address the other issues separately.
>>>>
>>>> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>>>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>>>>
>>>> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?
>>>>
>>>> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?
>>>>
>>>> And curiously, for cert-find there is no virt op based access check.
>>>
>>> I wonder if we can replace some of these with the ipaProtectedOperation machinery, it works better for protecting itself from manipulation.
>>>
>>> Simo.
>>
>> Yup, as I said in other part of this thread, we should invent something better
>
> Well given we already have something better introduced with the getkeytab patches, maybe we can go ahead and start using them ?

Well yeah, I have the same opinion as you do, we should consider using ipaProtectedOperation for Virtual Operations. I just said we may not be able to do it directly in 4.0.

>> eventually for Virtual Operations. For 4.0, I would just keep previous behavior and dump ipaVirtualOperation objectclass.
>
> Are we concerned that older replicas will not work if we change these to ipaProtectedOperation based ACIs ? (unless their DS is fixed, there were bugs).

I am concerned. One more reason to wait a bit and keep the old Virtual Operation behavior in 4.0 :-)

Martin
Re: [Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)
Petr Viktorin wrote:
> I'll address the other issues separately.
>
> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access: No such virtual command" error triggered by cert-show command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to Host Administrators to fix that part.
>
> I'm not familiar with Honza's effort, but that seems right. I'm curious, why don't we just allow reading virtual operations by anybody? It seems to me they're the same in every IPA installation, what's there to hide?
>
> Anyway, I poked around in how it works now: for cert-show you need write access to the objectClass of the "retrieve certificate" virt op entry. So with that right you can actually remove the ipaVirtualOperation objectClass. And the new "Anonymous read access to containers" ACI has a (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt op can allow everyone to see that virt op. Shouldn't we base the check on some other attribute instead?

Jumping back in the thread a bit, I agree with Martin's and Simo's sentiment that a new model is needed. Backwards compatibility is going to be a challenge.

Ideally I'd have done this using a read aci but the global read anything aci prevented this, so I went with write, accepting the less-than-perfect solution. The expectation was that not too much damage could be done just allowing write to objectclass and it would be fairly obvious if someone did it.

> And curiously, for cert-find there is no virt op based access check.

This is because it is executed against the public dogtag API. Given the new read-based aci system it is probably prudent to add one, defaulting to letting everyone read it (for compatibility).

rob
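The mechanism Petr walks through in the first message (cert-show passes if the bound user can write objectClass on the "retrieve certificate" virt op entry; the anonymous read ACI excludes ipaVirtualOperation entries, so a holder of the permission can strip that objectClass and expose the entry) and the write-based design Rob explains in the last message, as an added example that is not part of the thread and not FreeIPA's code: a small Python model of the ACIs involved, evaluated in Python rather than by 389-DS. The base DN, the DN layout under cn=virtual operations, the decision to grant "System: Read Virtual Operations" only to Certificate Administrators while both Certificate and Host Administrators hold the write permission, and the function names are assumptions chosen to reproduce the situations the thread describes (Martin's "No such virtual command" from the Host Administrators side, Petr's visibility leak, and Martin's proposal of dropping the filter and the marker objectClass).

```python
"""Toy model of the virtual-operation access check discussed in this thread.

Added illustration, not FreeIPA's own code.  389-DS style ACIs (rights,
target DN, target attributes, target filter, allowed groups) are evaluated
directly in Python; DNs, group names and which permission each group holds
are assumptions chosen to reproduce the situations described in the thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set

BASE_DN = "dc=example,dc=com"                                # assumed
VIRT_OPS_DN = f"cn=virtual operations,cn=etc,{BASE_DN}"      # assumed layout
VIRT_OP_DN = f"cn=retrieve certificate,{VIRT_OPS_DN}"
ANONYMOUS: Set[str] = set()
HOST_ADMIN = {"Host Administrators"}
CERT_ADMIN = {"Certificate Administrators"}


class NotFound(Exception):
    """Entry unreadable by the bound user; surfaces as 'No such virtual command'."""


class ACIError(Exception):
    """Entry readable but objectClass not writable; surfaces as 'Insufficient access'."""


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, FrozenSet[str]]


@dataclass
class ACI:
    name: str
    rights: Set[str]                                         # {"read"} or {"write"}
    target_dn: Optional[str] = None                          # None: whole tree
    target_attrs: Optional[Set[str]] = None                  # None: every attribute
    target_filter: Optional[Callable[[Entry], bool]] = None  # the (!(objectclass=...)) part
    groups: Optional[Set[str]] = None                        # None: anyone, anonymous included

    def allows(self, user_groups: Set[str], entry: Entry, right: str, attr: str) -> bool:
        if right not in self.rights:
            return False
        if self.target_dn is not None and entry.dn != self.target_dn:
            return False
        if self.target_attrs is not None and attr not in self.target_attrs:
            return False
        if self.target_filter is not None and not self.target_filter(entry):
            return False
        return self.groups is None or bool(self.groups & user_groups)


class Directory:
    """Just enough LDAP server to decide read/write per attribute (default deny)."""

    def __init__(self, entries: Iterable[Entry], acis: Iterable[ACI]):
        self.entries = {e.dn: e for e in entries}
        self.acis = list(acis)

    def can(self, user_groups, entry, right, attr) -> bool:
        return any(a.allows(user_groups, entry, right, attr) for a in self.acis)

    def get_entry(self, user_groups, dn) -> Entry:
        entry = self.entries.get(dn)
        # an entry with no readable attribute looks exactly like a missing one
        if entry is None or not any(self.can(user_groups, entry, "read", a) for a in entry.attrs):
            raise NotFound(dn)
        return entry

    def modify(self, user_groups, dn, attr, values) -> None:
        entry = self.entries[dn]
        if not self.can(user_groups, entry, "write", attr):
            raise ACIError(f"write {attr} on {dn}")
        entry.attrs[attr] = frozenset(values)


def check_virtual_access(directory, user_groups, dn=VIRT_OP_DN) -> None:
    """The check as described in the thread: read the entry, then rewrite objectClass unchanged."""
    entry = directory.get_entry(user_groups, dn)
    directory.modify(user_groups, dn, "objectclass", entry.attrs["objectclass"])


def outcome(directory, user_groups, dn=VIRT_OP_DN) -> str:
    """'ok', 'NotFound' (No such virtual command) or 'ACIError' (Insufficient access)."""
    try:
        check_virtual_access(directory, user_groups, dn)
    except NotFound:
        return "NotFound"
    except ACIError:
        return "ACIError"
    return "ok"


def build_directory(exclude_virt_ops_from_anon_read: bool) -> Directory:
    """True: the 4.0 state, marker objectClass plus the (!(objectclass=ipaVirtualOperation))
    filter on the anonymous read ACI.  False: Martin's proposal, no filter and no marker."""
    marker = {"ipaVirtualOperation"} if exclude_virt_ops_from_anon_read else set()
    virt_op = Entry(VIRT_OP_DN, {"objectclass": frozenset({"top", "nsContainer"} | marker),
                                 "cn": frozenset({"retrieve certificate"})})
    anon_filter = None
    if exclude_virt_ops_from_anon_read:
        anon_filter = lambda e: "ipaVirtualOperation" not in e.attrs["objectclass"]
    acis = [
        ACI("Anonymous read access to containers", {"read"}, target_filter=anon_filter),
        # assumed: the new read permission is granted to Certificate Administrators only,
        # which is the gap Martin hit from the Host Administrators side
        ACI("System: Read Virtual Operations", {"read"}, groups=set(CERT_ADMIN),
            target_filter=lambda e: e.dn.endswith(VIRT_OPS_DN)),
        # the virt op permission itself: write on objectClass of this one entry
        ACI("Retrieve Certificates from the CA", {"write"}, target_dn=VIRT_OP_DN,
            target_attrs={"objectclass"}, groups=set(CERT_ADMIN | HOST_ADMIN)),
    ]
    return Directory([virt_op], acis)


def strip_marker_objectclass(directory, user_groups, dn=VIRT_OP_DN) -> bool:
    """Petr's observation: a holder of the virt op permission can drop the marker
    objectClass, pulling the entry back under the anonymous read ACI.  Returns
    whether anonymous can read the entry's objectClass afterwards."""
    entry = directory.get_entry(user_groups, dn)
    directory.modify(user_groups, dn, "objectclass", entry.attrs["objectclass"] - {"ipaVirtualOperation"})
    return directory.can(ANONYMOUS, entry, "read", "objectclass")
```

With the filter in place, `outcome(build_directory(True), HOST_ADMIN)` is "NotFound" because the read fails before the write check is ever reached, which is the Web UI error Martin reports; after a Certificate Administrator calls `strip_marker_objectclass`, anonymous can read the entry but still gets "ACIError" from the check, so what leaks is visibility, not the right itself. With `build_directory(False)` (no filter, no marker) Host Administrators pass and anonymous fails on the write, the pre-4.0 behavior Martin proposes keeping.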