[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

Dmitri Pal dpal at redhat.com
Thu Dec 9 18:58:32 UTC 2010


JR Aquino wrote:
> On 12/9/10 10:03 AM, "Dmitri Pal" <dpal at redhat.com> wrote:
>
>   
>> Nalin Dahyabhai wrote:
>>     
>>> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote:
>>>   
>>>       
>>>> I guess the piece that is still missing then is:
>>>>
>>>> Instead of:
>>>>
>>>> sudoHost: hostname.com
>>>>
>>>> It should be:
>>>>
>>>> sudoHost: +production <- which is the group assigned to the
>>>> ipasudorule.
>>>>     
>>>>         
>>> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in
>>> the rule is a hostgroup but not a netgroup, so I think it's doing the
>>> right thing by resolving the group down to its members' names.
>>>
>>>   
>>>       
>> JR,
>>
>> Can we check that we are running with the same test data set?
>> In the data set that Nalin uses the sudo rule points to a host group so
>> according to the rules it gets expanded.
>> Have you implemented a capability to add a netgroup to the
>> memberHost in the SUDO plugin?
>> If you make a netgroup a member of the SUDO rule the compat plugin will
>> do what you expect.
>>
>> Thanks
>> Dmitri
>>     
>
> Dmitri, you were absolutely correct!!!
>
> Thank you for setting me straight.
>
> Changing the memberhost in the sudorole from a hostgroup to a netgroup
> solved the issue.  It is represented correctly as +prod now!
>
> Observation:
>
> A ticket was created for me to design a 'Managed Entry' plugin which
> automatically mirrored netgroups out of hostgroups which are created.
>
> FreeIPA's implementation of sudo has thus far been separated between an
> IPAsudo object and a compat translated sudo object.
>
> Might it be a more lasting solution to have the compat and sudo plugin
> refer to the hostgroup object and allow the Managed Entry and 'NIS
> Compat' pieces to handle the sudo native translations?
>
> That way we have a stand alone ipa centric model that allows us to
> completely strip away the translation pieces when they are no longer
> necessary (when sudo supports sssd).
>
> Or would it make more sense to just modify the sudo plugin to allow for: a
> single host, a hostgroup, and a netgroup as options for the memberHost
> attr?
>
>   
I think this is how it is designed right now.
The migration to host groups will be slow and painful.
I think the approach we planned covers all main use cases and provides
enough flexibility for administrators to transition from old models and
concepts to the new ones.
There will be a need for compatibility with older clients for years
to come.


> Thoughts?
>
>
>   


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
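The behaviour the thread settles on (a hostgroup in memberHost is flattened to its members' host names, a netgroup in memberHost is emitted as "+name" and left for the client to resolve) as an added, self-contained model. This is example code written for this page, not FreeIPA's or slapi-nis's own implementation, which is driven by schema-compat map rules rather than Python. The base DN dc=example,dc=com, the entry contents and the rule names are constructed for the example; the container layout (cn=computers, cn=hostgroups, cn=ng,cn=alt, cn=sudorules) and the objectClass names are taken from FreeIPA's schema but the in-memory directory is an assumption:

```python
"""Model of the compat tree's sudoHost rendering for an IPA sudo rule.

Added illustration, not FreeIPA/slapi-nis code.  DIRECTORY is a
constructed in-memory stand-in for the LDAP tree.
"""

BASE = "dc=example,dc=com"  # assumption for the example


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{BASE}"


def hostgroup_dn(name):
    return f"cn={name},cn=hostgroups,cn=accounts,{BASE}"


def netgroup_dn(name):
    return f"cn={name},cn=ng,cn=alt,{BASE}"


def rule_dn(name):
    return f"cn={name},cn=sudorules,cn=sudo,{BASE}"


# Constructed sample directory: DN -> attribute dict (multi-valued attrs as lists).
# The "db" hostgroup deliberately repeats web1 so the example shows de-duplication.
DIRECTORY = {
    host_dn("web1.example.com"): {"objectClass": ["ipaHost"], "fqdn": ["web1.example.com"]},
    host_dn("web2.example.com"): {"objectClass": ["ipaHost"], "fqdn": ["web2.example.com"]},
    host_dn("db1.example.com"): {"objectClass": ["ipaHost"], "fqdn": ["db1.example.com"]},
    hostgroup_dn("db"): {
        "objectClass": ["ipaHostGroup"], "cn": ["db"],
        "member": [host_dn("db1.example.com"), host_dn("web1.example.com")],
    },
    hostgroup_dn("prod"): {
        "objectClass": ["ipaHostGroup"], "cn": ["prod"],
        "member": [host_dn("web1.example.com"), host_dn("web2.example.com"), hostgroup_dn("db")],
    },
    netgroup_dn("prod"): {"objectClass": ["ipaNisNetgroup"], "cn": ["prod"]},
    rule_dn("by-hostgroup"): {"memberHost": [hostgroup_dn("prod")]},
    rule_dn("by-netgroup"): {"memberHost": [netgroup_dn("prod")]},
    rule_dn("mixed"): {"memberHost": [host_dn("db1.example.com"), netgroup_dn("prod")]},
}


def render_sudo_host(rule, directory=DIRECTORY):
    """Return the sudoHost values the compat tree would emit for the rule.

    Hosts become their fqdn, hostgroups are flattened (recursively) to
    the fqdn of every member host, netgroups are emitted as '+name'.
    """
    values, seen = [], set()
    for dn in directory[rule_dn(rule)].get("memberHost", []):
        _expand(dn, directory, values, seen)
    return values


def _expand(dn, directory, values, seen):
    if dn in seen:          # guards against nested-group cycles and repeats
        return
    seen.add(dn)
    entry = directory.get(dn)
    if entry is None:       # dangling memberHost reference: nothing to emit
        return
    classes = entry.get("objectClass", [])
    if "ipaNisNetgroup" in classes:
        # Referenced by name; the client resolves membership through NSS.
        values.append("+" + entry["cn"][0])
    elif "ipaHostGroup" in classes:
        # Server-side snapshot: every member host name is written out.
        for member in entry.get("member", []):
            _expand(member, directory, values, seen)
    elif "ipaHost" in classes:
        fqdn = entry["fqdn"][0]
        if fqdn not in values:
            values.append(fqdn)
    else:
        raise ValueError(f"unsupported memberHost entry: {dn}")


if __name__ == "__main__":
    for rule in ("by-hostgroup", "by-netgroup", "mixed"):
        for value in render_sudo_host(rule):
            print(f"{rule}: sudoHost: {value}")
```

The two rendering paths differ in where membership is evaluated: a hostgroup rule is expanded on the server, so the sudoers data a client reads is a list of names fixed at rendering time, while a netgroup rule hands "+prod" to the client and depends on the client's NSS netgroup lookup resolving it correctly.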





