Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-27 Thread Dmitri Pal

On 06/23/2015 03:52 AM, Petr Vobornik wrote:

On 06/22/2015 10:09 PM, Rob Crittenden wrote:

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.

I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.

It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.

I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.

rob

So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non-technical and have no desire to login to an SSH shell and try to view the data they need using the cli.

They have seen me working in the web UI and really like how easy it is to browse the interface.

Is there any proper way to do

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-23 Thread Petr Vobornik

On 06/22/2015 10:09 PM, Rob Crittenden wrote:

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.

I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.

It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.

I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.

rob

So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non-technical and have no desire to login to an SSH shell and try to view the data they need using the cli.

They have seen me working in the web UI and really like how easy it is to browse the interface.

Is there any proper way to do this? Is it possible at all without invoking that bug that I invoke

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-22 Thread Rob Crittenden

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.

I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.

It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.

I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.

rob

So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non-technical and have no desire to login to an SSH shell and try to view the data they need using the cli.

They have seen me working in the web UI and really like how easy it is to browse the interface.

Is there any proper way to do this? Is it possible at all without invoking that bug that I invoked to make it happen?

That's a question

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-22 Thread Nathan Peters



-Original Message-
From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.

I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.

It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.

I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.

rob

So what is the correct way to grant full read-only permissions in the web UI? The audience for this viewing is managers and they are non-technical and have no desire to login to an SSH shell and try to view the data they need using the cli.

They have seen me working in the web UI and really like how easy it is to browse the interface.

Is there any proper way to do this? Is it possible at all without invoking that bug that I invoked to make it happen?


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-20 Thread Rob Crittenden

Nathan Peters wrote:

-Original Message- From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.

I'm talking only about the issue where a permission with a bindrule of all cannot be added to a privilege. The fact that it can be added in the UI is a bug.

It is the data in LDAP we really care about and a permission with a bindrule of all grants all authenticated users read access to that data, regardless of what you might or might not see in the UI.

I'm not entirely sure how Petr does that though I always thought it was through LDAP effective rights which in effect should grant all users HBAC read access, so perhaps he determines it based on other things as well.

rob

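Rob's point in this message is that a permission whose bind rule type is "all" already applies to every authenticated principal, so it has no business in a privilege and the CLI rejects it; Nathan's four steps assemble a read-only privilege by hand in the web UI. The script below is an added example, not code from this thread or from the FreeIPA project. It does the same job from the ipa CLI: it filters `ipa permission-find` output down to the permissions a privilege can hold (bind rule type "permission"), adds them to a privilege, and attaches the managers' group to that privilege through a role, which is how the CLI binds members. It also wraps Rob's `kinit` / `ldapsearch` check, extended with an objectClass filter, to show that a user in no group can already read HBAC rules over LDAP. The privilege, role and group names, the base DN, and the sample `permission-find` output are assumptions; the sample pairs the real "System: Read HBAC Rules" from the error message with a made-up "Example: Read Widget Entries" so both bind rule types appear. Run with no arguments it only parses that constructed sample; `--apply` and `--verify` need an IPA server and a ticket.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: build a read-only
# role from the ipa CLI, keeping only permissions a privilege can hold.
# PRIV, ROLE, GROUP and BASEDN are assumed placeholder values.

PRIV="Read only privilege"
ROLE="Read Only Administrator"
GROUP="managers"                 # assumed existing user group
BASEDN="dc=example,dc=com"       # assumed IPA base DN

# Read `ipa permission-find` output on stdin and print the names of the
# permissions whose "Bind rule type" is "permission". Entries with bind rule
# type "all" are dropped: they already apply to every authenticated user,
# which is why the CLI refuses to add them to a privilege.
privilege_eligible() {
    awk '
        /^  Permission name: / { sub(/^  Permission name: /, ""); name = $0 }
        /^  Bind rule type: /  { if ($0 ~ /: permission$/) print name }
    '
}

# Constructed sample of `ipa permission-find` output (not captured from a
# server). "System: Read HBAC Rules" is the permission from the error
# message; "Example: Read Widget Entries" is invented for contrast.
SAMPLE_OUTPUT='---------------------
2 permissions matched
---------------------
  Permission name: System: Read HBAC Rules
  Granted rights: read, search, compare
  Bind rule type: all
  Subtree: cn=hbac,dc=example,dc=com

  Permission name: Example: Read Widget Entries
  Granted rights: read, search, compare
  Bind rule type: permission
  Subtree: cn=widgets,dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------'

# Offline demonstration: which of the sample permissions belong in a privilege?
eligible_from_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | privilege_eligible
}

# Online: needs the ipa CLI and an admin ticket (kinit admin).
apply() {
    ipa privilege-add "$PRIV" --desc="Read-only view of the web UI"
    # Same selection as the thread's step 2 (names containing "Read"), minus
    # the bind rule type "all" entries the CLI would reject anyway.
    ipa permission-find "Read" --all --sizelimit=0 | privilege_eligible |
    while IFS= read -r perm; do
        ipa privilege-add-permission "$PRIV" --permissions="$perm"
    done
    # The CLI attaches members to roles, so bind the group through a role.
    ipa role-add "$ROLE" --desc="Read-only administrators"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --groups="$GROUP"
}

# Rob's check from the thread: a plain user, in no group at all, can already
# read HBAC rules over LDAP because that permission's bind rule type is "all".
verify() {
    kinit "$1"
    ldapsearch -Y GSSAPI -LLL -b "cn=hbac,$BASEDN" '(objectClass=ipaHBACRule)' cn
}

case "${1:-}" in
    --apply)  apply ;;
    --verify) verify "${2:?usage: $0 --verify PRINCIPAL}" ;;
    *)        eligible_from_sample ;;
esac
```

With no arguments the script prints only `Example: Read Widget Entries`, showing that the HBAC permission is filtered out before any `privilege-add-permission` call is attempted. Whether the web UI menus then appear for the role's members is a separate question from the LDAP ACIs, which is the distinction Rob is drawing above.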


Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread Nathan Peters



-Original Message-
From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob

What do you mean by it is a no-op?

Here is what I did that worked:

1) Create privilege called "Read only privilege"

2) Go to each permission individually that has the word "Read" in it and add them to the "read only privilege" privilege one at a time. There were about 65 of them. This is fine because we are not applying this to users, only applying the permissions to the privilege.

3) Next, go back to the read-only privilege and add some group that contains users.

4) Login to the webui as a user that is in the group that was added to the privilege and now you can see all menu options just like an admin, but everything is read only and any attempt to make changes results in a message that you don't have permission to make that change. This is currently working exactly as I expect it to once I set it up the long way.

Result: Member can now browse the entire web ui and see everything, hosts, users, rbac rules, hbac rules, groups etc. but in read only mode as expected.




Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread Rob Crittenden

nat...@nathanpeters.com wrote:

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

The UI handles those permissions differently.

$ kinit someuser
$ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.

This is a bug. There is a function not available on the command line, permission_add_member, which incorrectly allows this. I opened https://fedorahosted.org/freeipa/ticket/5075

Regardless of whether it is added or not, it is a no-op because the whole idea of permissions is to grant access via groups and there is no group in this permission. It allows all authenticated users.

rob



Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread nathan
> nat...@nathanpeters.com wrote:
>> FreeIPA server 4.1.3 on CentOS 7
>>
>> I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.
>>
>> I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.
>>
>> For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
>> invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>
>> This applies not just to the HBAC rule, but anything that has Read in the name.
>>
>> How do I create a read only user without getting this error message?
>
> You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.
>
> rob
>

That doesn't sound right. When I login to the FreeIPA web ui with a user who is not part of any group, the only thing he can do is browse other users and update his own password and SSH key. He does not get the HBAC menu and definitely cannot browse HBAC rules.

Also, if I do this step backward and go directly to the RBAC -> Permissions menu and choose a permission and edit it, I can add it to a privilege, but if I go to the privilege and try to add the permission it fails. This makes zero sense.

I can post screenshots if that helps.




Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread Rob Crittenden

nat...@nathanpeters.com wrote:

FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list. I tried creating a new privilege called Read Only Administrator and giving them all the permissions that have read only in the name.

For some reason I can add all other system and full access permissions but when I try to add a read only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

This applies not just to the HBAC rule, but anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob
