[Freeipa-devel] freeIPA v2: Access control for things not stored in LDAP

Dmitri Pal dpal at redhat.com
Mon Nov 17 22:18:07 UTC 2008


Simo Sorce wrote:
> On Mon, 2008-11-17 at 11:42 -0700, Jason Gerard DeRose wrote:
>   
>> As I don't myself understand ACI's that well yet, my thought was to do
>> it using groups, something like this:
>>
>> Each command plugin has an optional "requires_group" attribute. If this
>> attribute is None (the default in the base class), it means that the
>> command can be executed by any authenticated user. Otherwise the
>> attribute is a group name... if the user is a member of this group, they
>> are allowed to execute the command.
>>
>> So when a command request comes in over XML-RPC, we do the LDAP bind,
>> locate the command and check the command's "requires_group" attribute.
>> If "requires_group" is a <type "str"> and the user is not a member of
>> this group, we return a 403 Forbidden error.
>
> IIRC we already have some ACI parser code available in python, so I
> would rather have an "ACI" attribute and put an ACI in there.
>
I did not get a feeling from Rob that the ACI parser is 100% prime time
ready. But maybe I am missing something.


> To make things simpler to manage in v2 without having to implement the
> full meaning of an ACI we might then restrict the accepted syntax for
> this version to the rule "read" and to the targets being either a
> groupdn="ldap:///cn=foobar,cn=..." or "userdn = ldap:///anyone"
>
You lost me there. Can you explain it in more detail?

> We can later on add a more comprehensive management of the ACI,
> including multiple rules, etc... once we have more time, but that will
> allow us to keep the format unchanged and backward compatible.
>
> Simo.
>

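The two proposals quoted above (a per-command "requires_group" attribute checked after the LDAP bind, and Simo's restricted ACI subset of rule "read" with a groupdn or userdn=anyone target) as one worked example. This is added illustration code, not FreeIPA's own plugin framework or ACI parser: the Command base class, the GROUPS dictionary standing in for LDAP group membership, the tiny ACI grammar in _ACI_RE, and all DNs are constructed assumptions. The gate fails closed: a non-string requires_group or an ACI outside the accepted subset denies the command rather than letting it through.

```python
"""Added example (not FreeIPA code): an authorization gate for command
plugins, modelled on the two proposals in the thread: a per-command
"requires_group" attribute, and a restricted ACI subset (rule "read",
target groupdn="ldap:///..." or userdn="ldap:///anyone")."""
import re

# Constructed directory snapshot standing in for LDAP group membership:
# group DN -> set of member DNs. DNs are compared case-insensitively.
GROUPS = {
    "cn=admins,cn=groups,dc=example,dc=com": {"uid=alice,cn=users,dc=example,dc=com"},
    "cn=helpdesk,cn=groups,dc=example,dc=com": {"uid=bob,cn=users,dc=example,dc=com"},
}


class Forbidden(Exception):
    """Maps to the 403 Forbidden response returned over XML-RPC."""


def is_member(user_dn, group_dn):
    members = GROUPS.get(group_dn.lower(), set())
    return user_dn.lower() in {m.lower() for m in members}


# Restricted ACI grammar (assumption: a deliberately tiny subset, not the
# full 389-ds ACI language): allow (read) <groupdn|userdn>="ldap:///<target>"
_ACI_RE = re.compile(
    r'^\s*allow\s*\(\s*read\s*\)\s*(groupdn|userdn)\s*=\s*"ldap:///([^"]+)"\s*;?\s*$',
    re.IGNORECASE,
)


def parse_aci(aci):
    """Return ("groupdn", dn) or ("userdn", "anyone"); reject anything else."""
    m = _ACI_RE.match(aci)
    if m is None:
        raise ValueError("unsupported ACI syntax: %r" % aci)
    kind, target = m.group(1).lower(), m.group(2)
    if kind == "userdn" and target.lower() != "anyone":
        raise ValueError("userdn target must be ldap:///anyone: %r" % aci)
    return kind, target


class Command(object):
    """Plugin base class. requires_group=None means any authenticated user
    may run the command; aci is the alternative restricted-ACI form."""
    name = "command"
    requires_group = None
    aci = None

    def execute(self, **kw):
        raise NotImplementedError


class user_show(Command):
    name = "user_show"

    def execute(self, **kw):
        return {"summary": "showing %s" % kw["uid"]}


class user_add(Command):
    name = "user_add"
    requires_group = "cn=admins,cn=groups,dc=example,dc=com"

    def execute(self, **kw):
        return {"summary": "added %s" % kw["uid"]}


class host_add(Command):
    name = "host_add"
    aci = 'allow (read) groupdn="ldap:///cn=helpdesk,cn=groups,dc=example,dc=com"'

    def execute(self, **kw):
        return {"summary": "added host %s" % kw["fqdn"]}


class misconfigured(Command):
    # Outside the accepted subset (rule "write"): must be denied, not ignored.
    name = "misconfigured"
    aci = 'allow (write) groupdn="ldap:///cn=admins,cn=groups,dc=example,dc=com"'

    def execute(self, **kw):
        return {"summary": "should never run"}


COMMANDS = {c.name: c() for c in (user_show, user_add, host_add, misconfigured)}


def authorize(user_dn, cmd):
    """Decide whether the bound user may run cmd; returns (allowed, reason).
    Anything unexpected (non-str requires_group, unparseable ACI) denies."""
    if cmd.requires_group is not None:
        if not isinstance(cmd.requires_group, str):
            return False, "requires_group is not a group name"
        if not is_member(user_dn, cmd.requires_group):
            return False, "not a member of %s" % cmd.requires_group
    if cmd.aci is not None:
        try:
            kind, target = parse_aci(cmd.aci)
        except ValueError as e:
            return False, str(e)
        if kind == "groupdn" and not is_member(user_dn, target):
            return False, "denied by ACI %r" % cmd.aci
    return True, "ok"


def dispatch(user_dn, command_name, **kw):
    """The XML-RPC path after a successful LDAP bind as user_dn: locate the
    command, check its authorization attribute, run it or refuse with 403."""
    cmd = COMMANDS[command_name]
    allowed, reason = authorize(user_dn, cmd)
    if not allowed:
        raise Forbidden("403 Forbidden: %s: %s" % (command_name, reason))
    return cmd.execute(**kw)


if __name__ == "__main__":
    print(dispatch("uid=alice,cn=users,dc=example,dc=com", "user_add", uid="carol"))
    print(authorize("uid=bob,cn=users,dc=example,dc=com", COMMANDS["user_add"]))
```

In a real deployment is_member would be an LDAP lookup against the bound connection rather than a dictionary, but the shape of the check is the same: the decision is made server-side from the bound identity, never from anything the XML-RPC client supplies.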