On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
> By removing the deny rules, do we break compatibility with anything else
> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?
Ok, we've had a somewhat heated discussion internally about how to deal with the transition phase for those admins that decided to use HBAC DENY rules. Hopefully very few did, and so very few people will actually be impacted, but we need to handle those cases the best we can to avoid security issues for those users.

Here is a rough plan I'd like to get both developers *AND* users feedback on, if you care about it.

The premise of the following plan is that very few administrators, unfortunately, carefully read release notes before upgrading, so simply dropping and ignoring DENY rules is felt to be something we can't do.

We split the solution in 2 parts: one on the SSSD side (the only client currently able to understand IPA HBAC rules), and one on the server side.

SSSD:
Inconveniencing clients is probably the easiest way to cause the least disruption and attract the administrators' attention. The idea here is to treat any DENY rule as actually a DENY-ALL rule, basically causing any login attempt for any service to fail as soon as the new sssd package is installed.

Even though admins normally do not read release notes, they still do a few test upgrades before upgrading the whole set of clients they administer. By having SSSD deny logins if any DENY rule is found (and spamming the log with pointers at the same time) we hope to give admins a good enough "wake up, something changed" call. This change will be prominently advertised in the SSSD release notes.

Also, to ease the pain for those places where the server and client admins are different groups, we plan to add a transitional configuration option. This option will allow admins to ignore DENY rules entirely. The option will default to the DENY-ALL behavior described above, but admins will be able to toggle it to ignore, so they can keep testing the client while they make sure to warn the server admins that DENY rules support is going to be dropped.
FreeIPA:
On the server side instead we will add 2 visual cues to the WebUI, and probably something to the CLI commands used to manage HBAC rules.

In the WebUI, pending UXD and UI developers' approval/feedback, we will have a prominent error message in the main page, only for administrators that are allowed to manage HBAC rules. This warning will be shown if any DENY rule exists on the server. In the HBAC pages, deny rules will be highlighted, and text explaining that they are not supported anymore and need to be removed will be shown.

These warnings will be dropped down the road after 1 more point release.

Of course release notes will prominently highlight this change so that most admins will be prepared to handle it. Hopefully people will have enough cues to properly handle the situation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
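The client-side behaviour proposed in the SSSD section of the message above, modelled as an added example that is not part of the original thread and is not SSSD or FreeIPA code. It shows the two proposed modes side by side: the default, where the mere presence of a DENY rule turns into a DENY-ALL and the log points at the offending rules, and the transitional "ignore" setting, where DENY rules are dropped and only ALLOW rules count. The rule representation, the option name `deny_rule_handling`, its values `denyall`/`ignore`, and the sample rule sets are all assumptions made for illustration.

```python
# Added example, not SSSD or FreeIPA code: a toy model of the HBAC client
# evaluation proposed in the message. The rule fields, the option name
# "deny_rule_handling" and its values "denyall"/"ignore" are assumptions
# made for illustration only.
import logging
from dataclasses import dataclass

log = logging.getLogger("hbac-demo")


@dataclass(frozen=True)
class HbacRule:
    """One HBAC rule; the literal 'all' in a set matches any value."""
    name: str
    access: str            # "allow" or "deny"
    users: frozenset
    services: frozenset
    hosts: frozenset


def _member(values, item):
    return "all" in values or item in values


def rule_applies(rule, user, service, host):
    return (_member(rule.users, user)
            and _member(rule.services, service)
            and _member(rule.hosts, host))


def evaluate(rules, user, service, host, deny_rule_handling="denyall"):
    """Return True if the login should be allowed.

    deny_rule_handling="denyall" (proposed default): the presence of any
        DENY rule becomes a DENY-ALL, so every request is refused and the
        log names the offending rules so the admin notices.
    deny_rule_handling="ignore" (transitional opt-in): DENY rules are
        skipped entirely and only ALLOW rules are evaluated.
    """
    deny_rules = [r for r in rules if r.access == "deny"]
    if deny_rules:
        names = ", ".join(r.name for r in deny_rules)
        if deny_rule_handling == "denyall":
            log.error("HBAC DENY rules are no longer supported (%s); "
                      "refusing all logins until they are removed on the "
                      "server or deny_rule_handling is set to 'ignore'.",
                      names)
            return False
        if deny_rule_handling != "ignore":
            raise ValueError("unknown deny_rule_handling: %r"
                             % (deny_rule_handling,))
        log.warning("Ignoring unsupported HBAC DENY rules: %s", names)
    return any(rule_applies(r, user, service, host)
               for r in rules if r.access == "allow")


# Constructed sample rule set: a broad ALLOW plus a DENY carving one user
# out of sshd, the kind of pattern DENY rules were typically used for.
LEGACY_RULES = (
    HbacRule("allow_all", "allow",
             frozenset({"all"}), frozenset({"all"}), frozenset({"all"})),
    HbacRule("deny_bob_ssh", "deny",
             frozenset({"bob"}), frozenset({"sshd"}), frozenset({"all"})),
)

# The same intent expressed with ALLOW rules only, which is what admins
# are expected to migrate to before the DENY support is dropped.
ALLOW_ONLY_RULES = (
    HbacRule("allow_alice_ssh", "allow",
             frozenset({"alice"}), frozenset({"sshd"}), frozenset({"all"})),
)


def demo():
    """Evaluate a few logins under each mode; returns name -> allowed."""
    return {
        "legacy_default_alice": evaluate(LEGACY_RULES, "alice", "sshd", "web1"),
        "legacy_ignore_alice": evaluate(LEGACY_RULES, "alice", "sshd", "web1",
                                        deny_rule_handling="ignore"),
        # With "ignore" the DENY no longer protects anything: bob gets in.
        "legacy_ignore_bob": evaluate(LEGACY_RULES, "bob", "sshd", "web1",
                                      deny_rule_handling="ignore"),
        "allowonly_alice": evaluate(ALLOW_ONLY_RULES, "alice", "sshd", "web1"),
        "allowonly_bob": evaluate(ALLOW_ONLY_RULES, "bob", "sshd", "web1"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, allowed in demo().items():
        print(name, "ALLOW" if allowed else "DENY")
```

The `legacy_ignore_bob` case is the one to keep in mind when toggling the transitional option: flipping to "ignore" restores logins for everyone, including the user the DENY rule was written to keep out, so it is only safe once the server-side rules have been rewritten as ALLOW rules (the `ALLOW_ONLY_RULES` shape), where the migrated policy denies bob without any DENY rule at all.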