[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

JR Aquino JR.Aquino at citrix.com
Thu Dec 9 20:29:37 UTC 2010



On 12/9/10 11:59 AM, "Dmitri Pal" <dpal at redhat.com> wrote:
>http://www.freeipa.org/page/SUDO_Schema_Design#Why_we_must_support_netgroups_in_the_SUDO_rules.3F
>Last paragraph of the section. Also see last open question and answer to
>it on the page :-)
>
>However... read further...

Ah Ha!

>I just talked to Nalin and you might be right: we can eliminate the need
>to support the netgroups in the sudo rule for hosts altogether.
>Since each host group will have a corresponding netgroup (until it is
>explicitly turned off by admin and it can be turned off only when the
>clients do not need netgroups any more which will be many years from
>now) the compat plugin can check if there is a corresponding netgroup,
>and if there is, use netgroup notation in the generated SUDO rule
>instead of expanding the rule to contain the host attributes verbatim.
>
>This looks like a nice and elegant solution but this means that we
>*require* the use of the host groups with netgroups. So if the
>deployment has a netgroup that has hosts A, B, C we require the hosts A, B
>& C be put into a host group. If admin just creates a new netgroup with
>hosts A, B, C in IPA he would not be able to use this netgroup in the
>SUDO part at all. Maybe it is OK. It will really discourage people from
>using the netgroups. If we can require admins to always create a top
>level host group for any netgroup they want to have for whatever reason
>and this is acceptable then we can avoid allowing direct referencing of
>netgroups in the rule and thus do not need to add this capability to the
>SUDO plugin. It will actually save some future work on SSSD too since it
>would not need to resolve the netgroups - just host groups.

Agreed.
As a side note to think about:
Currently, with the proposed Managed Plugins, netgroups which are created
as a result of the hostgroup creation are not searchable via the IPA CLI.
This is requested by Item #3 (https://fedorahosted.org/freeipa/ticket/543).

This generally means that by default, all hostgroups get an implied (but
invisible) netgroup.
The only netgroups that turn up in the search are those created directly
through the CLI.

Not sure how this affects the greater world at large.

>
>After some thinking IMO the right approach would be:
>1) Adjust the compat plugin as described above
>2) Do not add capability to the SUDO mgmt plugin to point to the netgroup in
>the SUDO rule
>3) Document the considerations about the netgroups migration
>(https://fedorahosted.org/freeipa/ticket/37)

I agree, this sounds like the most sane path to follow.
I do think it would be courteous to the potential NIS/netgroup users of
the world for us to be very clear about the backend behavior regarding
the Managed Entries, though.
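The compat-plugin behaviour discussed in this message, as an added illustration that is not code from FreeIPA, the compat plugin, or anyone in this thread: a sudo rule may only name host groups; a host group that still has its managed netgroup is emitted as a netgroup reference, any other host group is expanded to its member hosts, and a directly created netgroup cannot be referenced at all. The `+name` sudoHost netgroup syntax, the `Directory` stand-in and all sample data are assumptions.

```python
# Added illustration of the rule-generation decision from the thread.
# The "+name" netgroup syntax for sudoHost and all sample data are assumptions.

from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed stand-in for the parts of the IPA tree the compat plugin reads."""
    hostgroup_members: dict = field(default_factory=dict)  # host group -> member hosts
    managed_netgroups: set = field(default_factory=set)    # host groups whose netgroup is still on
    direct_netgroups: set = field(default_factory=set)     # netgroups created directly via the CLI


def sudo_hosts_for_rule(directory, hostgroups):
    """Return the sudoHost values the compat plugin would generate for a rule."""
    values = []
    for hg in hostgroups:
        if hg not in directory.hostgroup_members:
            # A netgroup that was never backed by a host group is not usable here.
            raise ValueError(f"{hg!r} is not a host group; netgroups cannot be referenced directly")
        if hg in directory.managed_netgroups:
            values.append("+" + hg)  # reference the managed netgroup instead of expanding
        else:
            values.extend(sorted(directory.hostgroup_members[hg]))  # netgroup turned off: expand
    return values


def visible_netgroups(directory):
    """Netgroups a CLI search returns under the Managed Entries behaviour JR describes."""
    return sorted(directory.direct_netgroups)


if __name__ == "__main__":
    sample = Directory(
        hostgroup_members={"webservers": {"web1.example.test", "web2.example.test"},
                           "dbservers": {"db1.example.test"}},
        managed_netgroups={"webservers"},
        direct_netgroups={"legacy-nis"},
    )
    print(sudo_hosts_for_rule(sample, ["webservers", "dbservers"]))
    print(visible_netgroups(sample))
```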