Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


userClass is used for auto membership.

You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say in 'ipa host-mod' about the --class
option:
 --class=STR   Host category (semantics placed on this attribute are
   for local interpretation)

Perhaps, but this attribute was added specifically for this use case,
http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

Sure, it still means semantics are locally interpreted by whoever does
the deployment. I doubt anything in Deepak's setup relies on userClass
yet.


Yet being the operative word. Overload it if you want but you might come 
to regret it.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


userClass is used for auto membership.

You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say in 'ipa host-mod' about the --class
option:
 --class=STR   Host category (semantics placed on this attribute are
   for local interpretation)

Perhaps, but this attribute was added specifically for this use case,
http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

Sure, it still means semantics are locally interpreted by whoever does
the deployment. I doubt anything in Deepak's setup relies on userClass
yet.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


userClass is used for auto membership.

You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say in 'ipa host-mod' about the --class
option:
 --class=STR   Host category (semantics placed on this attribute are
   for local interpretation)

Perhaps, but this attribute was added specifically for this use case,
http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems


rob



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


userClass is used for auto membership.

You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say in 'ipa host-mod' about the --class
option:
 --class=STR   Host category (semantics placed on this attribute are
   for local interpretation)

--
/ Alexander Bokovoy



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


userClass is used for auto membership.

rob

Best Regards, Deepak

Date: Tue, 30 Aug 2016 18:36:21 +0300
From: aboko...@redhat.com
To: deepak_di...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Permission not working as expected

On Tue, 30 Aug 2016, Deepak Dimri wrote:
>Hi Alexander,
>
>Since I do not want myadmin1 to be able to add or remove the host from
>other xyzhostgroups into myhostgroup membership, is it possible that
>myadmin1 only sees objects I specifically gave the permissions to and
>not any other hosts outside of myhostgroup? That way he cannot add the
>host he is not supposed to manage within myhostgroup.
OK, now I get it. The easiest way to solve this problem, no surprise, is
organizational: do not give the host group admin rights to include hosts in
the hostgroup or delete them; only allow them to manage what's in the
host group.

You then need to create a separate permission for 'add'/'del' rights
against the 'member' attribute that would allow including/removing hosts.
That's easy, but it would not allow you to limit *what* hosts could be
added/removed from the host group.

Unfortunately, to make that possible, permission-add/permission-mod
should be extended to allow specifying target attribute values as
described in the RHDS Administration Guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters


Even then to define something like this, you need to have specific
naming of hosts to be able to specify a pattern as a 'member' attribute
value. Not sure how this is going to work for you in AWS, though, so
this is why I'm saying it is an organizational issue, not really a
technical one.

>Thanks for your great support!
>regards, Deepak
>
>From: deepak_di...@hotmail.com
>To: aboko...@redhat.com
>CC: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Permission not working as expected
>Date: Tue, 30 Aug 2016 09:54:38 -0400
>
>
>
>
>Let me try to summarize it!
>I want xyzadmin of xyzhostgroup to be able to manage all the hosts within
>the xyzhostgroup, which means he should be able to delete/add/modify the
>hosts under xyzhostgroup. This is what I currently have in the role:
>myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host
>group where I have added the hosts) --> my-hostgroup-privilege -->
>my-hostgroup-permission
>The problem is that the moment I add memberOf=cn= in the target filter,
>myadmin1 cannot add/delete the hosts within myhostgroup or any other
>hosts in other hostgroups. However, if I assign the role permission with
>subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter
>(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute
>added, then myadmin1 gets the expected access to manage the hosts within
>myhostgroup, but then he also gets access to delete and manage other
>hosts outside of myhostgroup, which I don't want!
>
>Thanks & Regards, Deepak
>> Date: Tue, 30 Aug 2016 16:10:00 +0300
>> From: aboko...@redhat.com
>> To: deepak_di...@hotmail.com
>> CC: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Permission not working as expected
>>
>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>> >Hi Alexander,
>> >I did try adding the "member" effective attribute in the GUI and also
>> >from the command prompt, but the error is not going away when I try to
>> >delete the host from my taphostgroup. For me it only works if I have
>> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
>> >I am allowed access to all the hosts in all the hostgroups :( I am
>> >kinda stuck with this issue. Would be great if you can suggest any
>> >further headway!
>> Isn't

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Deepak Dimri wrote:

OK, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts; 2) permission on cn=hostgroup to manage the hosts' membership
within the given group; 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared. In the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what all/else
could be a member attribute other than the AWS EC2 instance name...

Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).

Best Regards, Deepak

Date: Tue, 30 Aug 2016 18:36:21 +0300
From: aboko...@redhat.com
To: deepak_di...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Permission not working as expected

On Tue, 30 Aug 2016, Deepak Dimri wrote:
>Hi Alexander,
>
>Since I do not want myadmin1 to be able to add or remove the host from
>other xyzhostgroups into myhostgroup membership, is it possible that
>myadmin1 only sees objects I specifically gave the permissions to and
>not any other hosts outside of myhostgroup? That way he cannot add the
>host he is not supposed to manage within myhostgroup.
OK, now I get it. The easiest way to solve this problem, no surprise, is
organizational: do not give the host group admin rights to include hosts in
the hostgroup or delete them; only allow them to manage what's in the
host group.

You then need to create a separate permission for 'add'/'del' rights
against the 'member' attribute that would allow including/removing hosts.
That's easy, but it would not allow you to limit *what* hosts could be
added/removed from the host group.

Unfortunately, to make that possible, permission-add/permission-mod
should be extended to allow specifying target attribute values as
described in the RHDS Administration Guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters

Even then to define something like this, you need to have specific
naming of hosts to be able to specify a pattern as a 'member' attribute
value. Not sure how this is going to work for you in AWS, though, so
this is why I'm saying it is an organizational issue, not really a
technical one.

>Thanks for your great support!
>regards, Deepak
>
>From: deepak_di...@hotmail.com
>To: aboko...@redhat.com
>CC: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Permission not working as expected
>Date: Tue, 30 Aug 2016 09:54:38 -0400
>
>
>
>
>Let me try to summarize it!
>I want xyzadmin of xyzhostgroup to be able to manage all the hosts within
>the xyzhostgroup, which means he should be able to delete/add/modify the
>hosts under xyzhostgroup. This is what I currently have in the role:
>myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host
>group where I have added the hosts) --> my-hostgroup-privilege -->
>my-hostgroup-permission
>The problem is that the moment I add memberOf=cn= in the target filter,
>myadmin1 cannot add/delete the hosts within myhostgroup or any other
>hosts in other hostgroups. However, if I assign the role permission with
>subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter
>(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute
>added, then myadmin1 gets the expected access to manage the hosts within
>myhostgroup, but then he also gets access to delete and manage other
>hosts outside of myhostgroup, which I don't want!
>
>Thanks & Regards, Deepak
>> Date: Tue, 30 Aug 2016 16:10:00 +0300
>> From: aboko...@redhat.com
>> To: deepak_di...@hotmail.com
>> CC: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Permission not working as expected
>>
>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>> >Hi Alexander,
>> >I did try adding the "member" effective attribute in the GUI and also
>> >from the command prompt, but the error is not going away when I try to
>> >delete the host from my taphostgroup. For me it only works if I have
>> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
>> >I am allowed access to all the hosts in all the hostgroups :( I am
>> >kinda stuck with this issue. Would be great if you can suggest any
>> >further headway!
>> Isn't this is what you wanted: a user has ability to manage a

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
OK, I got it now. Let me try this with role + privilege having three sets of
permissions: 1) memberOf hostgroup to manage the permissions to the hosts;
2) permission on cn=hostgroup to manage the hosts' membership within the given
group; 3) permission for the "member attribute" to allow add/deletion of hosts'
membership based on the "member attribute" value. I need to go through the link
you shared. In the meanwhile, a quick question: can I add a custom attribute,
something like an AWS EC2 resource tag, as the member attribute of a host? I am
just wondering what all/else could be a member attribute other than the AWS EC2
instance name...

Best Regards, Deepak
> Date: Tue, 30 Aug 2016 18:36:21 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >
> >Since I do not want myadmin1 to be able to add or remove the host from
> >other xyzhostgroups into myhostgroup membership, is it possible that
> >myadmin1 only sees objects I specifically gave the permissions to and
> >not any other hosts outside of myhostgroup? That way he cannot add the
> >host he is not supposed to manage within myhostgroup.
> OK, now I get it. The easiest way to solve this problem, no surprise, is
> organizational: do not give the host group admin rights to include hosts in
> the hostgroup or delete them; only allow them to manage what's in the
> host group.
> 
> You then need to create a separate permission for 'add'/'del' rights
> against the 'member' attribute that would allow including/removing hosts.
> That's easy, but it would not allow you to limit *what* hosts could be
> added/removed from the host group.
> 
> Unfortunately, to make that possible, permission-add/permission-mod
> should be extended to allow specifying target attribute values as
> described in the RHDS Administration Guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
> 
> Even then to define something like this, you need to have specific
> naming of hosts to be able to specify a pattern as a 'member' attribute
> value. Not sure how this is going to work for you in AWS, though, so
> this is why I'm saying it is an organizational issue, not really a
> technical one.
> 
> 
> 
> >Thanks for your great support!
> >regards, Deepak
> >
> >From: deepak_di...@hotmail.com
> >To: aboko...@redhat.com
> >CC: freeipa-users@redhat.com
> >Subject: RE: [Freeipa-users] Permission not working as expected
> >Date: Tue, 30 Aug 2016 09:54:38 -0400
> >
> >
> >
> >
> >Let me try to summarize it!
> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
> >xyzhostgroup, which means he should be able to delete/add/modify the
> >hosts under xyzhostgroup. This is what I currently have in the role:
> >myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
> >where I have added the hosts) --> my-hostgroup-privilege -->
> >my-hostgroup-permission
> >The problem is that the moment I add memberOf=cn= in the target filter,
> >myadmin1 cannot add/delete the hosts within myhostgroup or any other
> >hosts in other hostgroups. However, if I assign the role permission with
> >subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter
> >(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added,
> >then myadmin1 gets the expected access to manage the hosts within
> >myhostgroup, but then he also gets access to delete and manage other hosts
> >outside of myhostgroup, which I don't want!
> >
> >Thanks & Regards, Deepak
> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
> >> From: aboko...@redhat.com
> >> To: deepak_di...@hotmail.com
> >> CC: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] Permission not working as expected
> >>
> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >> >Hi Alexander,
> >> >I did try adding the "member" effective attribute in the GUI and also from
> >> >the command prompt, but the error is not going away when I try to delete
> >> >the host from my taphostgroup. For me it only works if I have
> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >> >the i am allowed access to all the hosts in all the 

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Deepak Dimri wrote:

Hi Alexander,

Since I do not want myadmin1 to be able to add or remove the host from
other xyzhostgroups into myhostgroup membership, is it possible that
myadmin1 only sees objects I specifically gave the permissions to and
not any other hosts outside of myhostgroup? That way he cannot add the
host he is not supposed to manage within myhostgroup.

OK, now I get it. The easiest way to solve this problem, no surprise, is
organizational: do not give the host group admin rights to include hosts in
the hostgroup or delete them; only allow them to manage what's in the
host group.

You then need to create a separate permission for 'add'/'del' rights
against the 'member' attribute that would allow including/removing hosts.
That's easy, but it would not allow you to limit *what* hosts could be
added/removed from the host group.

Unfortunately, to make that possible, permission-add/permission-mod
should be extended to allow specifying target attribute values as
described in the RHDS Administration Guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters

Even then to define something like this, you need to have specific
naming of hosts to be able to specify a pattern as a 'member' attribute
value. Not sure how this is going to work for you in AWS, though, so
this is why I'm saying it is an organizational issue, not really a
technical one.

Thanks for your great support!
regards, Deepak

From: deepak_di...@hotmail.com
To: aboko...@redhat.com
CC: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Permission not working as expected
Date: Tue, 30 Aug 2016 09:54:38 -0400

Let me try to summarize it!
I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the xyzhostgroup,
which means he should be able to delete/add/modify the hosts under xyzhostgroup. This
is what I currently have in the role: myhostgroup-role (role) --> myadmin1 (admin
user) --> myhostgroup (host group where I have added the hosts) -->
my-hostgroup-privilege --> my-hostgroup-permission
The problem is that the moment I add memberOf=cn= in the target filter,
myadmin1 cannot add/delete the hosts within myhostgroup or any other hosts in
other hostgroups. However, if I assign the role permission with
subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter
(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added, then
myadmin1 gets the expected access to manage the hosts within myhostgroup, but then
he also gets access to delete and manage other hosts outside of myhostgroup, which I
don't want!

Thanks & Regards, Deepak

Date: Tue, 30 Aug 2016 16:10:00 +0300
From: aboko...@redhat.com
To: deepak_di...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Permission not working as expected

On Tue, 30 Aug 2016, Deepak Dimri wrote:
>Hi Alexander,
>I did try adding the "member" effective attribute in the GUI and also from
>the command prompt, but the error is not going away when I try to delete
>the host from my taphostgroup. For me it only works if I have
>(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
>I am allowed access to all the hosts in all the hostgroups :( I am
>kinda stuck with this issue. Would be great if you can suggest any
>further headway!
Isn't this what you wanted: a user has the ability to manage all hosts in
the host group but not other hosts.

--
/ Alexander Bokovoy

--
/ Alexander Bokovoy

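Why the posted permission produced the "Insufficient 'write' privilege to the 'member' attribute" error, and how the separate 'member' permission described above changes that, shown as an added toy model (not FreeIPA's or 389-ds's code, and not from anyone in the thread). It evaluates only the target side of a permission (subtree, extra target filter, effective attributes, rights) against a constructed directory built from the DNs posted in the thread. The permission names other than manage-taphostgroup, the second host and hostgroup, the 'tap-' naming rule and the value_ok hook are assumptions; value_ok stands in for the attribute-value targeting the linked RHDS guide describes, which the thread notes ipa permission-add/mod do not expose.

```python
"""Toy evaluator for the *target* side of a FreeIPA permission (a 389-ds
ACI): subtree, extra target filter, effective attributes and rights.
Constructed for this thread: the DNs and group names mirror the posted
ones; entries, class names and evaluation logic are assumptions, not
FreeIPA's or 389-ds's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

BASE = "dc=us-west-2,dc=compute,dc=amazonaws,dc=com"
COMPUTERS = f"cn=computers,cn=accounts,{BASE}"
HOSTGROUPS = f"cn=hostgroups,cn=accounts,{BASE}"
TAP_GROUP = f"cn=taphostgroup,{HOSTGROUPS}"
OTHER_GROUP = f"cn=otherhostgroup,{HOSTGROUPS}"  # constructed
TAP_HOST = f"fqdn=ip-172-31-29-153.us-west-2.compute.internal,{COMPUTERS}"
OTHER_HOST = f"fqdn=ip-172-31-40-7.us-west-2.compute.internal,{COMPUTERS}"  # constructed

# Constructed directory content: DN -> {attribute -> set of lower-cased values}
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    TAP_HOST: {"objectclass": {"ipahost"}, "memberof": {TAP_GROUP.lower()}},
    OTHER_HOST: {"objectclass": {"ipahost"}, "memberof": {OTHER_GROUP.lower()}},
    TAP_GROUP: {"objectclass": {"ipahostgroup"}, "cn": {"taphostgroup"},
                "member": {TAP_HOST.lower()}},
    OTHER_GROUP: {"objectclass": {"ipahostgroup"}, "cn": {"otherhostgroup"},
                  "member": {OTHER_HOST.lower()}},
}

def is_under(dn: str, subtree: str) -> bool:
    """True if dn equals subtree or lies below it (DNs compared case-insensitively)."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)

@dataclass
class Permission:
    name: str
    subtree: str
    rights: Set[str]
    attrs: Set[str]                               # "Effective attributes" (targetattr)
    target_filter: Dict[str, str] = field(default_factory=dict)  # AND of equalities
    # Assumed stand-in for RHDS targattrfilters value targeting: decides which
    # *values* of an attribute may be written.  Not exposed by ipa permission-*.
    value_ok: Optional[Callable[[str, str], bool]] = None

    def allows_write(self, entry_dn: str, attr: str, value: Optional[str] = None) -> bool:
        """Would this permission let its holder write `attr` (optionally the given
        value) on entry_dn?  The bind rule (who holds the permission) is assumed
        to have matched already; only the target checks are modelled."""
        if not ({"write", "all"} & self.rights):
            return False
        if not is_under(entry_dn, self.subtree):
            return False                          # entry outside the subtree
        entry = DIRECTORY.get(entry_dn)
        if entry is None:
            return False
        for fattr, fval in self.target_filter.items():
            if fval.lower() not in entry.get(fattr.lower(), set()):
                return False                      # extra target filter fails
        if attr.lower() not in {a.lower() for a in self.attrs}:
            return False                          # attribute not granted
        if value is not None and self.value_ok is not None:
            return self.value_ok(attr, value)
        return True

# The permission as posted: it targets *host* entries under cn=computers, so it
# never reaches the hostgroup entry whose 'member' attribute changes when a host
# is added or removed (attribute list is a subset of the posted one).
MANAGE_HOSTS = Permission(
    name="manage-taphostgroup", subtree=COMPUTERS, rights={"all"},
    attrs={"description", "userclass", "macaddress", "member"},
    target_filter={"memberOf": TAP_GROUP},
)

# The separate 'member' permission the reply describes, scoped to one hostgroup
# entry (name assumed, not from the thread).
MANAGE_MEMBERSHIP = Permission(
    name="manage-taphostgroup-membership", subtree=HOSTGROUPS, rights={"write"},
    attrs={"member"}, target_filter={"cn": "taphostgroup", "objectclass": "ipahostgroup"},
)

def tap_named_host_only(attr: str, value: str) -> bool:
    """Constructed naming convention: only hosts whose fqdn starts with 'tap-' may
    become members.  The kind of pattern the reply says is needed before value
    targeting could limit *what* hosts get added."""
    return attr.lower() == "member" and value.lower().startswith("fqdn=tap-")

RESTRICTED_MEMBERSHIP = Permission(
    name="manage-taphostgroup-membership-restricted", subtree=HOSTGROUPS,
    rights={"write"}, attrs={"member"},
    target_filter={"cn": "taphostgroup", "objectclass": "ipahostgroup"},
    value_ok=tap_named_host_only,
)

def reproduce_thread() -> Dict[str, bool]:
    """The situations discussed in the thread, as a dict of check -> allowed."""
    return {
        "edit_tap_host": MANAGE_HOSTS.allows_write(TAP_HOST, "description"),
        "edit_other_host": MANAGE_HOSTS.allows_write(OTHER_HOST, "description"),
        # Membership is a write to the hostgroup entry, outside cn=computers:
        # the "Insufficient 'write' privilege to the 'member' attribute" error.
        "member_via_host_perm": MANAGE_HOSTS.allows_write(TAP_GROUP, "member", TAP_HOST),
        # The split permission allows it, but for *any* host DN...
        "member_via_group_perm": MANAGE_MEMBERSHIP.allows_write(TAP_GROUP, "member", OTHER_HOST),
        "member_other_group": MANAGE_MEMBERSHIP.allows_write(OTHER_GROUP, "member", OTHER_HOST),
        # ...and only a value-level rule tied to a naming convention narrows it.
        "restricted_foreign_host": RESTRICTED_MEMBERSHIP.allows_write(TAP_GROUP, "member", OTHER_HOST),
        "restricted_tap_host": RESTRICTED_MEMBERSHIP.allows_write(
            TAP_GROUP, "member", f"fqdn=tap-web01.example.test,{COMPUTERS}"),
    }

if __name__ == "__main__":
    for check, allowed in reproduce_thread().items():
        print(f"{check:26s} {'ALLOW' if allowed else 'DENY'}")
```

Running it prints ALLOW for edit_tap_host, member_via_group_perm and restricted_tap_host and DENY for the rest. The first DENY on member_via_host_perm is the thread's error: the memberOf filter and the cn=computers subtree select host entries, but group membership lives in the hostgroup entry under cn=hostgroups, so a second permission scoped there is what grants it, and without value targeting that permission admits any host DN.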


Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Let me try to summarize it!
I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
xyzhostgroup, which means he should be able to delete/add/modify the hosts
under xyzhostgroup. This is what I currently have in the role:
myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
where I have added the hosts) --> my-hostgroup-privilege -->
my-hostgroup-permission
The problem is that the moment I add memberOf=cn= in the target filter,
myadmin1 cannot add/delete the hosts within myhostgroup or any other
hosts in other hostgroups. However, if I assign the role permission with
subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter
(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added, then
myadmin1 gets the expected access to manage the hosts within myhostgroup, but
then he also gets access to delete and manage other hosts outside of
myhostgroup, which I don't want!

Thanks & Regards, Deepak
> Date: Tue, 30 Aug 2016 16:10:00 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >I did try adding the "member" effective attribute in the GUI and also from
> >the command prompt, but the error is not going away when I try to delete
> >the host from my taphostgroup. For me it only works if I have
> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >I am allowed access to all the hosts in all the hostgroups :( I am
> >kinda stuck with this issue. Would be great if you can suggest any
> >further headway!
> Isn't this what you wanted: a user has the ability to manage all hosts in
> the host group but not other hosts.
> 
> -- 
> / Alexander Bokovoy

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
typo correction below!

From: deepak_di...@hotmail.com
To: aboko...@redhat.com
CC: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Permission not working as expected
Date: Tue, 30 Aug 2016 09:04:36 -0400

Hi Alexander,
I did try adding the "member" effective attribute in the GUI and also from the
command prompt, but the error is not going away when I try to delete the host
from my taphostgroup. For me it only works if I have
(&(cn=taphostgroup)(objectclass=ipahostgroup)) in the --filter &
dc=us-west-2,dc=compute,dc=amazonaws,dc=com in the subtree, BUT then I am
allowed access to all the hosts in all the hostgroups :( I am kinda stuck with
this issue. Would be great if you can suggest any further headway!

 ipa permission-mod manage-taphostgroup 
--attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','member'}
-
Modified permission "manage-taphostgroup"
-
  Permission name: manage-taphostgroup
  Granted rights: all
  Effective attributes: description, ipaassignedidview, ipasshpubkey, 
macaddress, member, nshardwareplatform, nsosversion, userPassword, 
usercertificate, userclass
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: 
(memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)
  Type: host
  Granted to Privilege: tap-hostgroup-privilege
  Indirect Member of roles: taphostgroup-role
Many thanks, Deepak
> Date: Tue, 30 Aug 2016 13:27:59 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >I did try the exact steps from the blog but alas it still did not work.
> >Getting the same error :(
> I don't give rights to write to the 'member' attribute in the blog. You have
> to adapt it to your situation, obviously.
> 
> -- 
> / Alexander Bokovoy


Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Deepak Dimri wrote:

Hi Alexander,
I did try adding the "member" effective attribute in the GUI and also from
the command prompt, but the error is not going away when I try to delete
the host from my taphostgroup. For me it only works if I have
(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
I am allowed access to all the hosts in all the hostgroups :( I am
kinda stuck with this issue. Would be great if you can suggest any
further headway!

Isn't this what you wanted: a user has the ability to manage all hosts in
the host group but not other hosts.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Hi Alexander,
I did try adding the "member" effective attribute in the GUI and also from the
command prompt, but the error is not going away when I try to delete the host
from my taphostgroup. For me it only works if I have
(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then I am
allowed access to all the hosts in all the hostgroups :( I am kinda stuck with
this issue. Would be great if you can suggest any further headway!

 ipa permission-mod manage-taphostgroup 
--attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','member'}
-
Modified permission "manage-taphostgroup"
-
  Permission name: manage-taphostgroup
  Granted rights: all
  Effective attributes: description, ipaassignedidview, ipasshpubkey, 
macaddress, member, nshardwareplatform, nsosversion, userPassword, 
usercertificate, userclass
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: 
(memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)
  Type: host
  Granted to Privilege: tap-hostgroup-privilege
  Indirect Member of roles: taphostgroup-role
Many thanks, Deepak
> Date: Tue, 30 Aug 2016 13:27:59 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >I did try the exact steps from the blog but alas it still did not work.
> >Getting the same error :(
> I don't give rights to write to the 'member' attribute in the blog. You have
> to adapt it to your situation, obviously.
> 
> -- 
> / Alexander Bokovoy

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Deepak Dimri wrote:

I did try the exact steps from the blog but alas it still did not work. 
Getting the same error :(

I don't give rights to write to the 'member' attribute in the blog. You have
to adapt it to your situation, obviously.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
I did try the exact steps from the blog but alas it still did not work. 
Getting the same error :(

ip-172-31-29-153.us-west-2.compute.internal: Insufficient access: Insufficient 
'write' privilege to the 'member' attribute of entry 
'cn=my-hostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
Regards,
Deepak
> Date: Tue, 30 Aug 2016 13:04:07 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >Thanks for the reply
> >i tried exact steps below but it still not working.  the admin user
> >added to new role and privilege we have created is  getting an error
> >when trying to add or remove host of myhostgroup.
> >ip-172-31-29-153.us-west-2.compute.internal: Insufficient access:
> >Insufficient 'write' privilege to the 'member' attribute of entry
> >'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
> >not sure if DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) 
> >would make any difference? I also noticed i dont get  Permission flags: V2, 
> >SYSTEM in my ipa output.  not sure if that would make any difference
> >I would really appreciate if this can be resolved...
> Read the other emails I sent in this thread.
> 
> The whole story is here:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
> 
> -- 
> / Alexander Bokovoy

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Deepak Dimri wrote:

Hi Alexander,
Thanks for the reply.
I tried the exact steps below but it is still not working. The admin user
added to the new role and privilege we have created is getting an error
when trying to add or remove a host of myhostgroup.
ip-172-31-29-153.us-west-2.compute.internal: Insufficient access:
Insufficient 'write' privilege to the 'member' attribute of entry
'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
Not sure if the DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) 
would make any difference? I also noticed I don't get "Permission flags: V2, 
SYSTEM" in my ipa output. Not sure if that would make any difference.
I would really appreciate it if this can be resolved...

Read the other emails I sent in this thread.

The whole story is here:
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

--
/ Alexander Bokovoy



Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Hi Alexander,
Thanks for the reply.
I tried the exact steps below but it is still not working. The admin user added to 
the new role and privilege we have created is getting an error when trying to add 
or remove a host of myhostgroup.
ip-172-31-29-153.us-west-2.compute.internal: Insufficient access: Insufficient 
'write' privilege to the 'member' attribute of entry 
'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.

Not sure if the DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) 
would make any difference? I also noticed I don't get "Permission flags: V2, 
SYSTEM" in my ipa output. Not sure if that would make any difference.
I would really appreciate it if this can be resolved...
Best Regards,
Deepak
> Date: Tue, 30 Aug 2016 09:03:23 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
> >On Mon, 29 Aug 2016, Deepak Dimri wrote:
> >>Hi All,
> >>I have created below permission for my "testhostgroup" with the
> >>expectation that this permission will only allow write permission to
> >>the members of "testhostgroup" but, then it allows me to add/delete
> >>other hostgroup members as well. I tried changing the effective
> >>attribute to "memberof" instead of "member" but in vain as with that i
> >>started getting permission denied error even on  testhostgroup itself.
> >>
> >>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
> >>--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
> >>--
> >>Added permission "testhostgroup-modify"
> >>--
> >> Permission name: testhostgroup-modify
> >> Granted rights: write
> >> Effective attributes: member
> >> Bind rule type: permission
> >> Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> >> Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
> >>How can i restrict permissions to manage only those hosts which are
> >>part of a particular hostgroup? any help you could offer on this would
> >>be much appreciated. I could not find much on similar issue in the
> >>forum :( Thanks,Deepak  
> >The permission above says: "Allow changing 'member' attribute in the
> >testhostgroup object". I don't think this is what you wanted, according
> >to your explanation above.
> >
> >Let's say you have host group 'myhostgroup':
> ># ipa hostgroup-add myhostgroup
> >-
> >Added hostgroup "myhostgroup"
> >-
> > Host-group: myhostgroup
> >
> >and now you want to create a permission that would target hosts in the
> >host group. A member of that permission would be able to do anything
> >with the host.
> >
> >First, you need to create a basic permission which applies to hosts:
> >
> ># ipa permission-add manage-my-hostgroup --right=all 
> >--bindtype=permission --type=host 
> >--
> >Added permission "manage-my-hostgroup"
> >--
> > Permission name: manage-my-hostgroup
> > Granted rights: all
> > Bind rule type: permission
> > Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > Type: host
> > Permission flags: V2, SYSTEM
> >
> >Now, look at the permission in detail:
> >
> ># ipa permission-show --all --raw manage-my-hostgroup
> > dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> > cn: manage-my-hostgroup
> > ipapermright: all
> > ipapermbindruletype: permission
> > ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > ipapermtargetfilter: (objectclass=ipahost)
> > ipapermissiontype: V2
> > ipapermissiontype: SYSTEM
> > aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
> > "permission:manage-my-hostgroup";allow (all) groupdn = 
> > "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
> > objectclass: ipapermission
> > objectclass: top
> > objectclass: groupofnames
> > objectclass: ipapermissionv2
> >
> >As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
> >subtr

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Alexander Bokovoy wrote:

On Tue, 30 Aug 2016, Alexander Bokovoy wrote:

On Mon, 29 Aug 2016, Deepak Dimri wrote:

Hi All,
I have created the below permission for my "testhostgroup" with the
expectation that this permission will only allow write permission to
the members of "testhostgroup", but then it allows me to add/delete
other hostgroup members as well. I tried changing the effective
attribute to "memberof" instead of "member", but in vain, as with that I
started getting a permission denied error even on testhostgroup itself.

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--
Added permission "testhostgroup-modify"
--
Permission name: testhostgroup-modify
Granted rights: write
Effective attributes: member
Bind rule type: permission
Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
How can I restrict permissions to manage only those hosts which are
part of a particular hostgroup? Any help you could offer on this would
be much appreciated. I could not find much on a similar issue in the
forum :(
Thanks,
Deepak

The permission above says: "Allow changing 'member' attribute in the
testhostgroup object". I don't think this is what you wanted, according
to your explanation above.

Let's say you have host group 'myhostgroup':
# ipa hostgroup-add myhostgroup
-
Added hostgroup "myhostgroup"
-
Host-group: myhostgroup

and now you want to create a permission that would target hosts in the
host group. A member of that permission would be able to do anything
with the host.

First, you need to create a basic permission which applies to hosts:

# ipa permission-add manage-my-hostgroup --right=all 
--bindtype=permission --type=host 
--

Added permission "manage-my-hostgroup"
--
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Type: host
Permission flags: V2, SYSTEM

Now, look at the permission in detail:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
"permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
objectclass: ipapermission
objectclass: top
objectclass: groupofnames
objectclass: ipapermissionv2

As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
subtree, and target filter is set to (objectclass=ipahost). So it would
apply to any host. To further limit the permission, you have to add more
target filters. But to do so, you need to know the DN of the hostgroup that
will be our target limit:

# ipa hostgroup-show --raw --all myhostgroup
dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
cn: myhostgroup
ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry

Now, using DN of the myhostgroup, you can add a filter to the
permission:

# ipa permission-mod manage-my-hostgroup --filter 
'(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'

Sorry, a typo here^^ I copied the wrong DN, it should be
cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test

not the managed entry DN.


-
Modified permission "manage-my-hostgroup"
-
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
Type: host
Permission flags: V2, SYSTEM

Check all details of the permission to see that the ACI was actually
modified to include the filter:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = 
"(&(memberOf=cn=myhostgroup,cn=n

Re: [Freeipa-users] Permission not working as expected

2016-08-29 Thread Alexander Bokovoy

On Tue, 30 Aug 2016, Alexander Bokovoy wrote:

On Mon, 29 Aug 2016, Deepak Dimri wrote:

Hi All,
I have created the below permission for my "testhostgroup" with the
expectation that this permission will only allow write permission to
the members of "testhostgroup", but then it allows me to add/delete
other hostgroup members as well. I tried changing the effective
attribute to "memberof" instead of "member", but in vain, as with that I
started getting a permission denied error even on testhostgroup itself.

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--
Added permission "testhostgroup-modify"
--
Permission name: testhostgroup-modify
Granted rights: write
Effective attributes: member
Bind rule type: permission
Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
How can I restrict permissions to manage only those hosts which are
part of a particular hostgroup? Any help you could offer on this would
be much appreciated. I could not find much on a similar issue in the
forum :(
Thanks,
Deepak

The permission above says: "Allow changing 'member' attribute in the
testhostgroup object". I don't think this is what you wanted, according
to your explanation above.

Let's say you have host group 'myhostgroup':
# ipa hostgroup-add myhostgroup
-
Added hostgroup "myhostgroup"
-
Host-group: myhostgroup

and now you want to create a permission that would target hosts in the
host group. A member of that permission would be able to do anything
with the host.

First, you need to create a basic permission which applies to hosts:

# ipa permission-add manage-my-hostgroup --right=all 
--bindtype=permission --type=host 
--

Added permission "manage-my-hostgroup"
--
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Type: host
Permission flags: V2, SYSTEM

Now, look at the permission in detail:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
"permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
objectclass: ipapermission
objectclass: top
objectclass: groupofnames
objectclass: ipapermissionv2

As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
subtree, and target filter is set to (objectclass=ipahost). So it would
apply to any host. To further limit the permission, you have to add more
target filters. But to do so, you need to know the DN of the hostgroup that
will be our target limit:

# ipa hostgroup-show --raw --all myhostgroup
dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
cn: myhostgroup
ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry

Now, using DN of the myhostgroup, you can add a filter to the
permission:

# ipa permission-mod manage-my-hostgroup --filter 
'(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'

Sorry, a typo here^^ I copied the wrong DN, it should be
cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test

not the managed entry DN.


-
Modified permission "manage-my-hostgroup"
-
Permission name: manage-my-hostgroup
Granted rights: all
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
Type: host
Permission flags: V2, SYSTEM

Check all details of the permission to see that the ACI was actually
modified to include the filter:

# ipa permission-show --all --raw manage-my-hostgroup
dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
cn: manage-my-hostgroup
ipapermright: all
ipapermbindruletype: permission
ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
ipapermtargetfilter: (objectclass=ipahost)
ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
ipapermissiontype: V2
ipapermissiontype: SYSTEM
aci: (targetfilter = 
"(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipah

Re: [Freeipa-users] Permission not working as expected

2016-08-29 Thread Alexander Bokovoy

On Mon, 29 Aug 2016, Deepak Dimri wrote:

Hi All,
I have created the below permission for my "testhostgroup" with the
expectation that this permission will only allow write permission to
the members of "testhostgroup", but then it allows me to add/delete
other hostgroup members as well. I tried changing the effective
attribute to "memberof" instead of "member", but in vain, as with that I
started getting a permission denied error even on testhostgroup itself.

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--
Added permission "testhostgroup-modify"
--
 Permission name: testhostgroup-modify
 Granted rights: write
 Effective attributes: member
 Bind rule type: permission
 Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
 Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
How can I restrict permissions to manage only those hosts which are
part of a particular hostgroup? Any help you could offer on this would
be much appreciated. I could not find much on a similar issue in the
forum :(
Thanks,
Deepak

The permission above says: "Allow changing 'member' attribute in the
testhostgroup object". I don't think this is what you wanted, according
to your explanation above.

Let's say you have host group 'myhostgroup':
# ipa hostgroup-add myhostgroup
-
Added hostgroup "myhostgroup"
-
 Host-group: myhostgroup

and now you want to create a permission that would target hosts in the
host group. A member of that permission would be able to do anything
with the host.

First, you need to create a basic permission which applies to hosts:

# ipa permission-add manage-my-hostgroup --right=all --bindtype=permission --type=host 
--

Added permission "manage-my-hostgroup"
--
 Permission name: manage-my-hostgroup
 Granted rights: all
 Bind rule type: permission
 Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
 Type: host
 Permission flags: V2, SYSTEM

Now, look at the permission in detail:

# ipa permission-show --all --raw manage-my-hostgroup
 dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
 cn: manage-my-hostgroup
 ipapermright: all
 ipapermbindruletype: permission
 ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
 ipapermtargetfilter: (objectclass=ipahost)
 ipapermissiontype: V2
 ipapermissiontype: SYSTEM
 aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl 
"permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";;)
 objectclass: ipapermission
 objectclass: top
 objectclass: groupofnames
 objectclass: ipapermissionv2

As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
subtree, and target filter is set to (objectclass=ipahost). So it would
apply to any host. To further limit the permission, you have to add more
target filters. But to do so, you need to know the DN of the hostgroup that
will be our target limit:

# ipa hostgroup-show --raw --all myhostgroup
 dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
 cn: myhostgroup
 ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
 mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
 objectClass: ipahostgroup
 objectClass: ipaobject
 objectClass: nestedGroup
 objectClass: groupOfNames
 objectClass: top
 objectClass: mepOriginEntry

Now, using DN of the myhostgroup, you can add a filter to the
permission:

# ipa permission-mod manage-my-hostgroup --filter 
'(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
-
Modified permission "manage-my-hostgroup"
-
 Permission name: manage-my-hostgroup
 Granted rights: all
 Bind rule type: permission
 Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
 Extra target filter: 
(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
 Type: host
 Permission flags: V2, SYSTEM

Check all details of the permission to see that the ACI was actually
modified to include the filter:

# ipa permission-show --all --raw manage-my-hostgroup
 dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
 cn: manage-my-hostgroup
 ipapermright: all
 ipapermbindruletype: permission
 ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
 ipapermtargetfilter: (objectclass=ipahost)
 ipapermtargetfilter: 
(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
 ipapermissiontype: V2
 ipapermissiontype: SYSTEM
 aci: (targetfilter = 
"(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 
3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = 
"ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc
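The scoping rules walked through above (the permission's location subtree plus its ANDed target filters decide which entries it reaches, and a filter built on the mepManagedEntry DN rather than the hostgroup DN matches no host), together with the "Insufficient 'write' privilege to the 'member' attribute" error reported higher up the thread when a host-scoped permission is used to edit hostgroup membership, can be checked against a small model. The Python below is an added example written for this page; it is not FreeIPA code and talks to no directory. It evaluates a FreeIPA-style permission (ipapermlocation, ipapermtargetfilter, ipapermright, included attributes) against constructed LDAP entries using a reduced RFC 4515 filter parser. The host names, the cn=hostgroups location for the hostgroup permission, and lower-cased string equality for DN and value matching are assumptions of the model, not FreeIPA behaviour.

```python
"""Toy model of FreeIPA permission scoping (added example, not FreeIPA code).
A permission is ipapermlocation (the subtree its ACI sits on), ipapermtargetfilter
values that 389-ds ANDs together, ipapermright, and an optional attribute list."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SUFFIX = "dc=ipa,dc=ad,dc=test"                                # suffix used in the thread
HOSTS_BASE = f"cn=computers,cn=accounts,{SUFFIX}"              # location of a --type=host permission
HOSTGROUPS_BASE = f"cn=hostgroups,cn=accounts,{SUFFIX}"        # assumed location of a hostgroup permission
HOSTGROUP_DN = f"cn=myhostgroup,{HOSTGROUPS_BASE}"
MANAGED_NETGROUP_DN = f"cn=myhostgroup,cn=ng,cn=alt,{SUFFIX}"  # mepManagedEntry DN pasted by mistake first
OTHER_HOSTGROUP_DN = f"cn=otherhostgroup,{HOSTGROUPS_BASE}"
WEB1_DN = f"fqdn=web1.ipa.ad.test,{HOSTS_BASE}"                # constructed host names
DB1_DN = f"fqdn=db1.ipa.ad.test,{HOSTS_BASE}"
Entry = Dict[str, Set[str]]  # lower-case attribute name -> values

# Constructed directory: one host in myhostgroup, one outside it, two host groups.
DIRECTORY: Dict[str, Entry] = {
    WEB1_DN: {"objectclass": {"ipahost"}, "memberof": {HOSTGROUP_DN}},
    DB1_DN: {"objectclass": {"ipahost"}},
    HOSTGROUP_DN: {"objectclass": {"ipahostgroup", "ipaobject", "groupofnames"}, "cn": {"myhostgroup"}, "member": {WEB1_DN}},
    OTHER_HOSTGROUP_DN: {"objectclass": {"ipahostgroup", "ipaobject", "groupofnames"}, "cn": {"otherhostgroup"}},
}

def parse_filter(text: str):
    """Parse the RFC 4515 subset used in the thread: (attr=value) and (&...). Values may
    hold '=' and ',' (DNs) but no parentheses; whitespace is trimmed, values lower-cased."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] == "&":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return ("&", children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    result = node()
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return result

def matches(node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    return value in {v.lower() for v in entry.get(attr, set())}

@dataclass
class Permission:
    name: str
    location: str                     # ipapermlocation
    target_filters: List[str]         # ipapermtargetfilter values, ANDed by 389-ds
    rights: Set[str]                  # ipapermright; "all" covers every right
    attrs: Optional[Set[str]] = None  # included attributes; None = no targetattr, i.e. all

def allows(perm: Permission, directory: Dict[str, Entry], dn: str, attr: str, right: str) -> bool:
    """Would this permission alone grant `right` on `attr` of the entry at `dn`?"""
    entry = directory.get(dn)
    base = perm.location.lower()
    if entry is None or not (dn.lower() == base or dn.lower().endswith("," + base)):
        return False                  # the ACI is not placed over this entry at all
    if not all(matches(parse_filter(f), entry) for f in perm.target_filters):
        return False                  # entry falls outside the target filter
    if perm.attrs is not None and attr.lower() not in {a.lower() for a in perm.attrs}:
        return False                  # attribute is not in targetattr
    return "all" in perm.rights or right in perm.rights

def scenario() -> Dict[str, bool]:
    """The permissions discussed in the thread, evaluated against DIRECTORY."""
    host_perm = Permission("manage-my-hostgroup", HOSTS_BASE,
                           ["(objectclass=ipahost)", f"(memberOf={HOSTGROUP_DN})"], {"all"})
    typo_perm = Permission("manage-my-hostgroup-typo", HOSTS_BASE,
                           ["(objectclass=ipahost)", f"(memberOf={MANAGED_NETGROUP_DN})"], {"all"})
    group_perm = Permission("myhostgroup-modify", HOSTGROUPS_BASE,
                            ["(&(cn=myhostgroup)(objectclass=ipahostgroup))"], {"write"}, {"member"})
    return {
        "host_in_group": allows(host_perm, DIRECTORY, WEB1_DN, "description", "write"),
        "host_outside_group": allows(host_perm, DIRECTORY, DB1_DN, "description", "write"),
        # the thread's error: a host-scoped permission never reaches the hostgroup entry
        "hostgroup_member_via_host_perm": allows(host_perm, DIRECTORY, HOSTGROUP_DN, "member", "write"),
        # hosts carry the hostgroup DN in memberOf, not the managed netgroup DN
        "typo_netgroup_dn": allows(typo_perm, DIRECTORY, WEB1_DN, "description", "write"),
        "hostgroup_member_via_group_perm": allows(group_perm, DIRECTORY, HOSTGROUP_DN, "member", "write"),
        "other_hostgroup_member": allows(group_perm, DIRECTORY, OTHER_HOSTGROUP_DN, "member", "write"),
        "hostgroup_description_via_group_perm": allows(group_perm, DIRECTORY, HOSTGROUP_DN, "description", "write"),
    }
```

Running scenario() shows the two permissions doing different jobs: the host-scoped one covers every attribute of hosts inside the group and nothing about the hostgroup entry itself, so editing membership needs the second, attribute-limited permission on the hostgroup; the filter built on the mepManagedEntry DN grants nothing at all.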

[Freeipa-users] Permission not working as expected

2016-08-29 Thread Deepak Dimri
Hi All,
I have created the below permission for my "testhostgroup" with the expectation 
that this permission will only allow write permission to the members of 
"testhostgroup", but then it allows me to add/delete other hostgroup members as 
well. I tried changing the effective attribute to "memberof" instead of 
"member", but in vain, as with that I started getting a permission denied error 
even on testhostgroup itself.

ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member 
--filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
--
Added permission "testhostgroup-modify"
--
  Permission name: testhostgroup-modify
  Granted rights: write
  Effective attributes: member
  Bind rule type: permission
  Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
How can I restrict permissions to manage only those hosts which are part of a 
particular hostgroup? Any help you could offer on this would be much 
appreciated. I could not find much on a similar issue in the forum :(
Thanks,
Deepak