[Freeipa-devel] SUDO community changed SUDO schema!!!

Dmitri Pal dpal at redhat.com
Sat Jan 29 23:40:59 UTC 2011


On 01/29/2011 12:37 PM, JR Aquino wrote:
> On 1/29/11 9:30 AM, "JR Aquino" <JR.Aquino at citrix.com> wrote:
>
>> From: Dmitri Pal <dpal at redhat.com<mailto:dpal at redhat.com>>
>> Organization: Red Hat
>> Reply-To: <dpal at redhat.com<mailto:dpal at redhat.com>>
>> Date: Sat, 29 Jan 2011 11:25:17 -0500
>> To: <freeipa-devel at redhat.com<mailto:freeipa-devel at redhat.com>>
>> Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!
>>
>>
>> sudoNotBefore
>>
>> A timestamp in the form yyyymmddHHMMZ that indicates start of validity of
>> this sudoRole. If multiple sudoNotBefore entries are present, the
>> earliest is used.
>>
>> sudoNotAfter
>>
>> A timestamp in the form yyyymmddHHMMZ that indicates end of validity of
>> this sudoRole. If multiple sudoNotAfter entries are present, the last one
>> is used.
>>
>> sudoOrder
>>
>> The sudoRole entries retrieved from the LDAP directory have no inherent
>> order. The sudoOrder attribute is an integer (or floating point value for
>> LDAP servers that support it) that is used to sort the matching entries.
>> This allows LDAP-based sudoers entries to more closely mimic the
>> behaviour of the sudoers file, where the order of the entries influences the
>> result. If multiple entries match, the entry with the highest sudoOrder
>> attribute is chosen. This corresponds to the "last match" behavior of the
>> sudoers file. If the sudoOrder attribute is not present, a value of 0 is
>> assumed.
>>
>>
>> attributetype ( 1.3.6.1.4.1.15953.9.1.8
>>    NAME 'sudoNotBefore'
>>    DESC 'Start of time interval for which the entry is valid'
>>    EQUALITY generalizedTimeMatch
>>    ORDERING generalizedTimeOrderingMatch
>>    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>>
>> attributetype ( 1.3.6.1.4.1.15953.9.1.9
>>    NAME 'sudoNotAfter'
>>    DESC 'End of time interval for which the entry is valid'
>>    EQUALITY generalizedTimeMatch
>>    ORDERING generalizedTimeOrderingMatch
>>    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>>
>> attributetype ( 1.3.6.1.4.1.15953.9.1.10
>>    NAME 'sudoOrder'
>>    DESC 'an integer to order the sudoRole entries'
>>    EQUALITY integerMatch
>>    ORDERING integerOrderingMatch
>>    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
>>
>> I have reached out to Todd and the SUDO community to answer these
>> questions and concerns Dmitri.
>>
>> I suspect that we should not have an issue moving forward with the 2.0
>> effort, and that we will want to include the feature support in 2.1.
>>
>> I'll report further once I have more official information from the source.
>>
>> -JR
> It is also worth noting:
>
> These changes are _only_ present in the _developmental_ version of SUDO
> and don't yet exist in the current stable version that would be used by
> the majority of the community.
>
> ---===---
> http://www.gratisoft.us/sudo/devel.html#1.7.5b2
>
> ---===---
> The current stable version is sudo 1.7.4p6 released on January 19, 2011.
> See the download page for a list of binary packages.
> The current development version is sudo 1.7.5b2, released on January 21,
> 2011.
>
>
>  Major changes between version 1.7.5b1 and 1.7.5b2:
>
> * LDAP Sudoers entries may now specify a time period for which the entry
> is valid. This requires an updated sudoers schema that includes the
> sudoNotBefore and sudoNotAfter attributes. Support for timed entries must
> be explicitly enabled in the ldap.conf file. Based on changes from Andreas
> Mueller.
> * LDAP Sudoers entries may now specify a sudoOrder attribute that
> determines the order in which matching entries are applied; the first
> matching entry is used. This requires an updated sudoers schema that
> includes the sudoOrder attribute. Based on changes from Andreas Mueller.
>
>

I also took a look at the code.

Here are some observations based on a review of
http://www.sudo.ws/repos/sudo/file/e52bc15de76d/plugins/sudoers/ldap.c
and other parts of the SUDO project:

1) There is no community, only one guy.
2) He is definitely working on the LDAP code; I wonder what the designs
and plans are.
3) The file has bad formatting; I think nobody is reviewing the code
that has been submitted during the last several months.
4) The sorting logic is on the client side (search for qsort). It will
check if the order attribute is present. If it is, the value will be
used for sorting, otherwise the default value of 0.0 will be used. This
means that old ldap servers will be supported by the newer clients.
5) The support of the time range attributes is baked into the ldap
filter so only the rules that satisfy the time range are pulled to the
client system.

So far this implementation does not solve the problem of definitive
ordering; it only gives the admins some means to do it right if they want
(sudoOrder is optional). If some of the rules have order attributes and
some do not, the result will still be unpredictable. My main concern re
2.0 and 2.1 would be that we would have to create a migration script that
would populate the sudoOrder attribute with incrementing values once we
add it to the schema. This is a "migration" burden from day one that I am
concerned about. This is why I am thinking about declaring the SUDO feature
a tech preview, so that we can avoid the migration burden related to the
sudoOrder attribute.

Thoughts?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
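The following is an added Python example, not code from the sudo project or from anyone in this thread. It evaluates sudoRole entries the way the quoted schema text describes (earliest sudoNotBefore and latest sudoNotAfter decide validity; the valid entry with the highest sudoOrder wins, absent sudoOrder counting as 0) and flags the ambiguity raised above: matching entries that share a sudoOrder value, including the implicit 0, have no defined relative order. The sample entries are constructed; treating the time bounds as inclusive and the shape of the `time_filter` string are assumptions of this example, not copied from ldap.c.

```python
"""Added example (not sudo project or FreeIPA code): sudoRole validity,
sudoOrder selection, and an audit for entries that tie on sudoOrder."""
from datetime import datetime, timezone

# Constructed sample: attribute dicts as an LDAP search of ou=SUDOers might
# return them (multi-valued attributes are lists of strings).
SAMPLE_ROLES = [
    {"cn": ["dba_backup"], "sudoUser": ["alice"], "sudoCommand": ["/usr/bin/pg_dump"],
     "sudoOrder": ["10"],
     "sudoNotBefore": ["201101010000Z"], "sudoNotAfter": ["201112312359Z"]},
    {"cn": ["dba_expired"], "sudoUser": ["alice"], "sudoCommand": ["/usr/bin/pg_dump"],
     "sudoOrder": ["50"],
     "sudoNotAfter": ["201012312359Z"]},           # window already closed in 2011
    {"cn": ["legacy_all"], "sudoUser": ["alice"], "sudoCommand": ["ALL"]},    # no sudoOrder -> 0
    {"cn": ["legacy_deny"], "sudoUser": ["alice"], "sudoCommand": ["!ALL"]},  # no sudoOrder -> 0
]

def parse_generalized_time(value):
    """Parse the yyyymmddHHMMZ form quoted in the thread (seconds tolerated)."""
    for fmt in ("%Y%m%d%H%MZ", "%Y%m%d%H%M%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable generalizedTime: %r" % value)

def is_valid_at(role, now):
    """Validity per the quoted text: earliest sudoNotBefore, latest sudoNotAfter.
    Bounds are treated as inclusive (assumption of this example)."""
    not_before = [parse_generalized_time(v) for v in role.get("sudoNotBefore", [])]
    not_after = [parse_generalized_time(v) for v in role.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True

def sudo_order(role):
    """sudoOrder as a float; an absent attribute means 0 (per the quoted text)."""
    values = role.get("sudoOrder")
    return float(values[0]) if values else 0.0

def matching_roles(roles, user, now):
    """Roles naming `user` that are valid at `now`, highest sudoOrder first.
    sorted() is stable, so ties keep directory order, which is the unpredictability
    discussed in the thread."""
    hits = [r for r in roles if user in r.get("sudoUser", []) and is_valid_at(r, now)]
    return sorted(hits, key=sudo_order, reverse=True)

def winning_role(roles, user, now):
    """'Last match' semantics: the valid entry with the highest sudoOrder."""
    hits = matching_roles(roles, user, now)
    return hits[0]["cn"][0] if hits else None

def ambiguous_groups(roles, user, now):
    """Audit helper: matching entries grouped by sudoOrder, keeping only the groups
    with more than one member (these have no defined relative order)."""
    by_order = {}
    for r in matching_roles(roles, user, now):
        by_order.setdefault(sudo_order(r), []).append(r["cn"][0])
    return {k: v for k, v in by_order.items() if len(v) > 1}

def time_filter(now):
    """LDAP filter of the shape the changelog describes: keep entries with no time
    attributes, or whose window contains `now` (constructed here, not from ldap.c)."""
    ts = now.strftime("%Y%m%d%H%M%SZ")
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))

if __name__ == "__main__":
    when = parse_generalized_time("201106151200Z")
    print("winner:", winning_role(SAMPLE_ROLES, "alice", when))      # dba_backup
    print("ambiguous:", ambiguous_groups(SAMPLE_ROLES, "alice", when))
    print("filter:", time_filter(when))
```

Running `ambiguous_groups` against a directory dump is the check a migration script would need before populating sudoOrder: any non-empty result is a set of rules whose outcome currently depends on the order the server happens to return them in.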

