[Freeipa-devel] [PATCH] 612 re-implement permissions

Rob Crittenden rcritten at redhat.com
Wed Dec 1 18:24:08 UTC 2010


Simo Sorce wrote:
> On Thu, 18 Nov 2010 23:11:51 -0500
> Rob Crittenden<rcritten at redhat.com>  wrote:
>
>> Re-implement access control using an updated model.
>>
>> The new model is based on permissions, privileges and roles. Most
>> importantly it corrects the reverse membership that caused problems
>> in the previous implementation. You add permission to privileges and
>> privileges to roles, not the other way around (even though it works
>> that way behind the scenes).
>>
>> A permission object is a combination of a simple group and an aci.
>> The linkage between the aci and the permission is the description of
>> the permission. This shows as the name/description of the aci.
>>
>> ldap:///self and groups granting groups (v1-style) are not supported
>> by this model (it will be provided separately).
>>
>> ticket 445
>>
>> WARNING. The patch is humongous and changes a whole slew of stuff. It
>> patches cleanly against the master right now but it is quite delicate
>> so the sooner this is reviewed (without pushing anything else) the
>> better.
>>
>> The self-tests all pass for me as well as some spot checking.
>>
>> Also note that I currently define a single role and it has no
>> privileges. We will need to fill that in soon.
>
>
> Sorry Rob, but before I can ACK a change of this proportion in the
> Security model I want a wiki page with the model explained clearly and
> in detail.
>
> I am vetoing this patch until we have that.
>
> Note, I am *not* saying the patch is wrong, only that reviewing it w/o
> a reference model is basically impossible and it touches sensitive
> security stuff so I can't just let it pass hoping we got everything
> right.
>
> Simo.
>

As requested, here are my notes on the design:
http://freeipa.org/page/Permissions

I re-based the patch.

To test this, try the following. It sets up the helpdesk role to be able
to do user administration. It then creates a new user and adds them to that
role. Finally, become that user and try to add a new user; it should be
successful.

$ kinit admin
$ ipa user-add --first=tim --last=user tuser1 --password
$ ipa user-add --first=jed --last=butler jbutler
   FAIL
$ ipa role-add-member --users=tuser1 helpdesk
$ ipa role-add-privilege --privileges=useradmin helpdesk
$ kinit tuser1
$ ipa user-add --first=jed --last=butler jbutler
   SUCCESS

You might also want to play around with the permissions and privileges;
you can find out what is available with:

$ ipa permission-find
$ ipa privilege-find

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-612-2-permission.patch
Type: text/x-patch
Size: 221077 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101201/798bca28/attachment.bin>
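The membership chain described in the patch description (users in roles, roles in privileges, privileges in permissions, with the permission group named in an ACI) can be replayed in a small in-memory model. This is an added example, not code from the patch or from FreeIPA; the DNs, the attribute layout and the ACI shape are constructed assumptions that follow the post's description, and the scenario mirrors the helpdesk/useradmin test above.

```python
from collections import defaultdict


class Directory:
    """Stand-in for the LDAP entries the permission model lives in (assumed layout)."""

    def __init__(self):
        # member and memberof are kept in sync, as the server-side memberof
        # plugin does behind the scenes in a real directory.
        self.member = defaultdict(set)
        self.memberof = defaultdict(set)
        self.acis = {}  # permission DN -> (rights, target subtree)

    def add_member(self, group_dn, member_dn):
        self.member[group_dn].add(member_dn)
        self.memberof[member_dn].add(group_dn)

    # The CLI verbs read "add X to Y"; behind the scenes Y becomes a member of X.
    def role_add_member(self, role, user):
        self.add_member(role, user)

    def role_add_privilege(self, role, privilege):
        self.add_member(privilege, role)          # the role is a member of the privilege

    def privilege_add_permission(self, privilege, permission):
        self.add_member(permission, privilege)    # the privilege is a member of the permission

    def permission_add(self, permission, rights, target):
        self.acis[permission] = (frozenset(rights), target)  # ACI granting to groupdn=permission

    def effective_groups(self, dn):
        """Transitive memberof walk: user -> roles -> privileges -> permissions."""
        seen, stack = set(), [dn]
        while stack:
            for group in self.memberof[stack.pop()]:
                if group not in seen:
                    seen.add(group)
                    stack.append(group)
        return seen

    def is_allowed(self, user, right, target):
        groups = self.effective_groups(user)
        return any(right in rights and tgt == target
                   for perm, (rights, tgt) in self.acis.items() if perm in groups)


def helpdesk_scenario():
    """Replays the post's test: tuser1 gains user-add only once helpdesk has useradmin."""
    d = Directory()
    d.permission_add("cn=Add Users,cn=permissions", {"add"}, "cn=users")        # constructed
    d.privilege_add_permission("cn=useradmin,cn=privileges", "cn=Add Users,cn=permissions")
    d.role_add_member("cn=helpdesk,cn=roles", "uid=tuser1,cn=users")
    before = d.is_allowed("uid=tuser1,cn=users", "add", "cn=users")
    d.role_add_privilege("cn=helpdesk,cn=roles", "cn=useradmin,cn=privileges")
    after = d.is_allowed("uid=tuser1,cn=users", "add", "cn=users")
    return before, after
```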

