[Freeipa-devel] freeIPA v2: Access control for things not stored in LDAP

Jason Gerard DeRose jderose at redhat.com
Mon Nov 17 03:57:47 UTC 2008


Say we have some operation that should be subject to access control, but
does not involve something stored in LDAP... how should we enforce the
access control?

Here's the situation I'm thinking of: v2 has an "env" command that
returns a list of (key, value) pairs describing the configuration state
(run-time configuration, not the configuration stored in LDAP). In a
client context, the command returns the client environment.  But with
the --server option, it is forwarded to the server and returns the
configuration state on the server.

Although this configuration data does not contain anything sensitive, we
might want to restrict who can retrieve the server configuration.

I know our general paradigm is to make LDAP responsible for enforcing
access control. So should IPA be in the business of enforcing access
control in special cases like the "env" command, or should we just avoid
capabilities like this altogether? Does v1 have any special cases like this?

That's the end of what I have to say about access control, but while I'm
on the subject of the "env" command, I'll update everyone on a few new
features.

You can now specify particular environment variables to look up by
including them as positional arguments, like this:

  [root at fedora freeipa2]# ./ipa env conf
    conf = '/root/.ipa/cli.conf'


If you include multiple arguments, you get back multiple variables, like
this:

  [root at fedora freeipa2]# ./ipa env conf in_server
  ----
  env:
  ----
    conf = '/root/.ipa/cli.conf'
    in_server = False
  -----------
  2 variables
  -----------


Lastly, you can now do wild-card matching, like this:

  [root at fedora freeipa2]# ./ipa env container*
  ----
  env:
  ----
    container_accounts = 'cn=accounts'
    container_automount = 'cn=automount'
    container_group = 'cn=groups,cn=accounts'
    container_host = 'cn=computers,cn=accounts'
    container_hostgroup = 'cn=hostgroups,cn=accounts'
    container_service = 'cn=services,cn=accounts'
    container_user = 'cn=users,cn=accounts'
  -----------
  7 variables
  -----------


Cheers,
Jason DeRose
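The three lookup modes shown above (everything, exact names, glob-style patterns) are simple to model. The block below is an added example written for this page, not freeIPA's own env command: it selects variables from a constructed dictionary whose keys and values are copied from the output in the post, matches names containing `*`, `?` or `[` with `fnmatchcase`, and renders the result in the same single-variable vs. header-plus-count layout the post shows. The function names `lookup_env` and `format_env` and the `GLOB_CHARS` set are assumptions of this example. An unknown exact name raises `KeyError`, while a pattern that matches nothing yields an empty result, so the two failure modes stay distinguishable.

```python
"""Added example: env lookup with positional names and wild-card matching.

Illustrative code for this page, not freeIPA's implementation.  The keys and
values in SAMPLE_ENV are taken from the post's output; the function names
and the matching rules are assumptions made here.
"""
from fnmatch import fnmatchcase

# Constructed sample environment (values copied from the post's output).
SAMPLE_ENV = {
    "conf": "/root/.ipa/cli.conf",
    "in_server": False,
    "container_accounts": "cn=accounts",
    "container_automount": "cn=automount",
    "container_group": "cn=groups,cn=accounts",
    "container_host": "cn=computers,cn=accounts",
    "container_hostgroup": "cn=hostgroups,cn=accounts",
    "container_service": "cn=services,cn=accounts",
    "container_user": "cn=users,cn=accounts",
}

# Characters that turn a positional argument into a glob pattern (assumed).
GLOB_CHARS = set("*?[")


def lookup_env(env, names=()):
    """Return a sorted list of (key, value) pairs selected by ``names``.

    - no names:            every variable
    - a plain name:        that exact variable; KeyError if it does not exist
    - a name with * ? [:   every variable whose key matches, glob-style
    Duplicates collapse, so ``conf conf`` or ``c* conf`` yield one entry.
    """
    if not names:
        return sorted(env.items())
    selected = {}
    for name in names:
        if GLOB_CHARS & set(name):
            for key in env:
                if fnmatchcase(key, name):
                    selected[key] = env[key]
        else:
            # Exact lookup: an unknown variable is an error, not an empty match.
            selected[name] = env[name]
    return sorted(selected.items())


def format_env(pairs):
    """Render pairs the way the post's output does: a bare line for a single
    variable, otherwise a header, the entries and a variable-count trailer."""
    body = ["  %s = %r" % (key, value) for key, value in pairs]
    if len(pairs) == 1:
        return body
    header = ["----", "env:", "----"]
    trailer = ["-----------", "%d variables" % len(pairs), "-----------"]
    return header + body + trailer


if __name__ == "__main__":
    import sys
    # e.g.  python env_lookup.py container*   (quote the glob in the shell)
    for line in format_env(lookup_env(SAMPLE_ENV, sys.argv[1:])):
        print(line)
```

When run from a shell the glob must be quoted (`'container*'`), otherwise the shell expands it against the working directory before the script sees it.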
