[Freeipa-devel] SUDO community changed SUDO schema!!!

JR Aquino JR.Aquino at citrix.com
Mon Jan 31 16:34:38 UTC 2011


On 1/30/11 8:53 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>...
>The main concern about the solution is the following scenario.
>1) IPA releases as is without support of the order attribute.
>2) Some time passes and new version of SUDO gets released into some
>distros we care about
>3) Support for ordered attribute needs to be added to IPA
>    Option 1: Allow some entries to have ordered attribute while some
>other entries would not. This would allow admin to slowly migrate SUDO
>rules from unordered to ordered mode. I see two problems with this:
>                    a) If some entries get populated with order
>attribute and some do not the clients that have newer version of SUDO
>will assume that everything is sorted but the result will be different
>from the older clients leading to inconsistency between client
>behaviour. This problem can be solved if the SUDO code would have a
>config flag to enable and disable sorting but this is outside of our
>control.

New sudoRules which happen to have sudoOrder set, WILL be sorted against
those who do not have sudoOrder set.  The ones lacking the attribute will
be measured with a 0.0 metric.

But more importantly... As we have discussed before.

Sudo processes rules as complete objects, with permit and deny attributes
contained all in the 1 rule.

The new sudoOrder attribute does not change that, and you still lack
granularity that allows you to have overlapping rules that take a
cumulative effect similar to the way HBAC is processed.

If sudoOrder is set on 2 rules which have overlapping matching contents,
it will still only choose one rule over the other.

SUDO has always generally discouraged the use of multiple overlapping LDAP
rules.

It is still basically a first match operation, except now, if you have 1
complete rule vs 1 other complete rule which overlap, you can give
preference to one over the other.

This is why I was hinting that it might be a good time to start planning
discussions with Todd regarding operations / methods of cumulative
processing that FreeIPA finds successful/optimized like HBAC.

It looks like Todd had intended the patch/feature to be a solution for
edge cases rather than an evolutionary control that would govern all rules
in deployments.

-JR
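The selection behaviour described in this reply (sudoOrder sorts the matching entries, entries without it count as 0.0, and a single whole rule is applied rather than an HBAC-style cumulative merge), modelled in Python as an added illustration that is not sudo's or FreeIPA's code. The sudoRole entries, users and hosts are constructed, and the model assumes that the matching entry with the highest sudoOrder wins.

```python
# Model of sudo LDAP rule selection with sudoOrder, as described in the post.
# Added illustration, not sudo's or FreeIPA's code. Assumptions: the highest
# sudoOrder among matching entries wins, a missing sudoOrder counts as 0.0,
# and exactly one rule is applied; "ALL" and "!" negation only act inside it.
from fnmatch import fnmatch

# Constructed sudoRole entries using the sudo LDAP schema attribute names.
RULES = [
    {"cn": "admins_all", "sudoUser": ["%admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOrder": 10.0},
    {"cn": "no_shell", "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/sh"]},            # no sudoOrder -> 0.0
    {"cn": "web_restart", "sudoUser": ["alice"], "sudoHost": ["web*"],
     "sudoCommand": ["/usr/sbin/service"], "sudoOrder": 20.0},
]

def _matches(rule, user, groups, host):
    """True when the entry's sudoUser and sudoHost both cover the request."""
    users = set(rule["sudoUser"])
    user_ok = ("ALL" in users or user in users
               or any("%" + g in users for g in groups))
    host_ok = any(h == "ALL" or fnmatch(host, h) for h in rule["sudoHost"])
    return user_ok and host_ok

def select_rule(rules, user, groups, host):
    """Return the one entry sudo would apply: the matching entry with the
    highest sudoOrder (missing sudoOrder sorts as 0.0), or None."""
    candidates = [r for r in rules if _matches(r, user, groups, host)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.get("sudoOrder", 0.0))

def command_allowed(rules, user, groups, host, command):
    """Decide a command from the winning rule alone: a later '!' entry in
    that rule overrides an earlier permit, but other rules never contribute,
    so a deny in a lower-ordered rule has no effect."""
    rule = select_rule(rules, user, groups, host)
    if rule is None:
        return False
    allowed = False
    for spec in rule["sudoCommand"]:
        negate = spec.startswith("!")
        pattern = spec[1:] if negate else spec
        if pattern == "ALL" or fnmatch(command, pattern):
            allowed = not negate
    return allowed
```

Running the model shows the point of the reply: on a web host alice's highest-ordered rule is web_restart, so the ALL permit from admins_all does not reach her, and on a database host admins_all wins, so the "!/bin/sh" in the lower-ordered no_shell rule never applies.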
