[Freeipa-devel] freeIPA v2: Access control for things not stored in LDAP

Jason Gerard DeRose jderose at redhat.com
Tue Nov 18 15:53:37 UTC 2008


Simo Sorce wrote:
> On Mon, 2008-11-17 at 17:18 -0500, Dmitri Pal wrote:
>> Simo Sorce wrote:
>>> On Mon, 2008-11-17 at 11:42 -0700, Jason Gerard DeRose wrote:
>>>   
>>>> As I don't myself understand ACI's that well yet, my thought was to do
>>>> it using groups, something like this:
>>>>
>>>> Each command plugin has an optional "requires_group" attribute. If this
>>>> attribute is None (the default in the base class), it means that the
>>>> command can be executed by any authenticated user. Otherwise the
>>>> attribute is a group name... if the user is a member of this group, they
>>>> are allowed to execute the command.
>>>>
>>>> So when a command request comes in over XML-RPC, we do the LDAP bind,
>>>> locate the command and check the command's "requires_group" attribute.
>>>> If "requires_group" is a <type "str"> and the user is not a member of
>>>> this group, we return a 403 Forbidden error.
>>>>     
>>> IIRC we already have some ACI parser code available in python, so I
>>> would rather have an "ACI" attribute and put an ACI in there.
>>>
>>>   
>> I did not get a feeling from Rob that the ACI parser is 100% prime time
>> ready. But maybe I am missing something.
> 
> For v2 we do not need full parsing, just enough to determine what dn is
> referenced.
> 
>>> To make things simpler to manage in v2 without having to implement the
>>> full meaning of an ACI we might then restrict the accepted syntax for
>>> this version to the rule "read" and to the targets being either a
>>> groupdn="ldap:///cn=foobar,cn=..." or "userdn = ldap:///anyone"
>>>
>>>   
>> You lost me there. Can you explain it in more detail?
> 
> The proposal would be to use a subset of ACI capabilities so that in
> fact we just check some group membership for now (or check for
> everybody), but we already use the right syntax so that going forward we
> do not have to change ACI rules, but just improve the parsing and
> validation code to support a full-fledged ACI.
> 
> Simo.
> 

+1.

This sounds simple enough that it will be quick to implement and I
definitely like that we can extend it later while remaining backward
compatible.
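The restricted-ACI check Simo proposes above, written out as an added illustration that is not part of the thread and not FreeIPA's own code. It accepts only the subset discussed (the "read" right, and a target that is either a single groupdn or userdn = ldap:///anyone), rejects anything richer instead of guessing at it, and models the server-side decision after the LDAP bind as a 200/403 result. The group DNs and ACI names are constructed for the example; the function names are hypothetical.

```python
import re
from typing import Iterable, Optional

# Constructed sample ACIs in the restricted subset discussed on the list.
# The DNs and acl names are invented for this example.
ACI_ADMINS = ('(version 3.0; acl "add hosts"; allow (read) '
              'groupdn = "ldap:///cn=hostadmins,cn=groups,dc=example,dc=test";)')
ACI_ANYONE = ('(version 3.0; acl "show self"; allow (read) '
              'userdn = "ldap:///anyone";)')
ACI_TOO_RICH = ('(version 3.0; acl "write hosts"; allow (write) '
                'groupdn = "ldap:///cn=hostadmins,cn=groups,dc=example,dc=test";)')

_RIGHTS = re.compile(r'allow\s*\(\s*([^)]*?)\s*\)', re.I)
_GROUPDN = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"', re.I)
_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]+)"', re.I)


class UnsupportedACI(ValueError):
    """Raised for an ACI outside the subset this version understands."""


def normalize_dn(dn: str) -> str:
    """Lower-case and trim RDN components so DNs compare reliably.
    A real deployment should use the directory server's own DN normalization."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_restricted_aci(aci: str) -> Optional[str]:
    """Return the group DN a user must belong to, or None when anyone may run
    the command.  Only rights == read and exactly one of groupdn="ldap:///<dn>"
    or userdn="ldap:///anyone" are accepted; everything else raises, which is
    the fail-closed choice for an access-control parser."""
    m = _RIGHTS.search(aci)
    if m is None:
        raise UnsupportedACI("no allow(...) clause")
    rights = {r.strip().lower() for r in m.group(1).split(",") if r.strip()}
    if rights != {"read"}:
        raise UnsupportedACI("unsupported rights %s" % sorted(rights))
    group = _GROUPDN.search(aci)
    user = _USERDN.search(aci)
    if group and not user:
        return normalize_dn(group.group(1))
    if user and not group and user.group(1).strip().lower() == "anyone":
        return None
    raise UnsupportedACI("target must be a single groupdn or userdn=anyone")


def is_supported_aci(aci: str) -> bool:
    """True if the ACI is inside the restricted subset."""
    try:
        parse_restricted_aci(aci)
        return True
    except UnsupportedACI:
        return False


def check_command_access(aci: str, member_of: Iterable[str]) -> int:
    """Model the server-side check on an incoming XML-RPC request:
    200 when the bound user may run the command, 403 otherwise.
    member_of is the list of group DNs read from LDAP for the bound user."""
    required = parse_restricted_aci(aci)
    if required is None:
        return 200
    groups = {normalize_dn(g) for g in member_of}
    return 200 if required in groups else 403


if __name__ == "__main__":
    user_groups = ["cn=hostadmins,cn=groups,dc=example,dc=test"]
    print(check_command_access(ACI_ADMINS, user_groups))
    print(check_command_access(ACI_ADMINS, ["cn=users,cn=groups,dc=example,dc=test"]))
    print(is_supported_aci(ACI_TOO_RICH))
```

Because the accepted syntax is real ACI syntax, the same strings can later be handed to a full ACI parser without rewriting the rules; only `parse_restricted_aci` needs to grow.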
