[Freeipa-devel] Proposal: drop DENY rules from HBAC

Dmitri Pal dpal at redhat.com
Tue Jul 5 14:53:39 UTC 2011


On 07/01/2011 10:28 AM, Simo Sorce wrote:
> On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
>
>> By removing the deny rules, do we break compatibility with anything else 
>> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?
>
> Ok we've had a somewhat heated discussion internally about how to deal
> with the transition phase for those admins that decided to use HBAC DENY
> rules. Hopefully very few did and so very few people will actually be
> impacted, but we need to handle those cases the best we can to avoid
> security issues for those users.
>
> Here is a rough plan I'd like to get both developers *AND* users
> feedback on if you care about it.
>
> The premise to the following plan is that very few administrators,
> unfortunately, carefully read release notes before upgrading, so simply
> dropping and ignoring DENY rules is felt as something we can't do.
>
> We split the solution in 2 parts, one on the SSSD side (the only client
> currently able to understand IPA HBAC rules), and one on the server
> side.
>
> SSSD:
> Inconveniencing clients is probably the easiest way to cause the least
> disruption and attract the administrators' attention.
> The idea here is to treat any DENY rule as actually a DENY-ALL rule.
> Basically causing any login attempt for any service to fail as soon as
> the new sssd package will be installed.
> Even though admins normally do not read release notes, they still do a
> few test upgrades before upgrading the whole set of clients they
> administer.
> By having SSSD deny logins if any DENY rule is found (and spamming the
> log with pointers at the same time) we hope to give admins a good enough
> "wake up something changed" call.
>
> This change will be prominently advertised in SSSD release notes.
> Also to ease the pain for those places where the Server and client
> admins are different groups, we plan to add a transitional configuration
> option. This option will allow admins to ignore DENY rules entirely. The
> option will default to the DENYALL behavior described above, but admins
> will be able to toggle it to ignore so they can keep testing the client,
> while they make sure to warn the Server admins that DENY rules support
> is going to be dropped.
>
> FreeIPA:
> On the server side instead we will add 2 visual cues to the WebUI and
> probably something to the CLI commands used to manage HBAC rules.
>
> In the WebUI, pending UXD and UI developers approval/feedback we will
> have a prominent error message in the main page only for administrators
> that are allowed to manage HBAC rules. This warning will be shown if any
> DENY rule exists on the server.
> In the HBAC pages, deny rules will be highlighted and text explaining
> they are not supported anymore and need to be removed will be shown.
>
> These warnings will be dropped down the road after 1 more point release.
>
> Of course Release notes will prominently highlight this change so that
> most admins will be prepared to handle this change.
>
>
> Hopefully people will have enough cues to properly handle the situation.
>
>
> Simo.
>
I disagree with the server side UI changes.
IMO the IPA server should detect the DENY rules at the upgrade step and
fail the upgrade asking administrator to remove the rules first.
Carrying them forward in the UI means that we would allow IPA to have
the rules but it would ignore them, creating a security hole.
Since some admins do not use UI it will be even worse.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
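The SSSD-side transition behaviour Simo describes (any DENY rule present turns into DENY-ALL with a loud log message, and a transitional option lets admins ignore DENY rules instead), as an added Python model that is not SSSD's or FreeIPA's own code. The rule fields, the option name deny_rule_mode and its values are assumptions; group membership is left out.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("hbac-transition")


@dataclass(frozen=True)
class HbacRule:
    # Simplified HBAC rule (constructed model): an empty frozenset means "all".
    # User/host/service groups are deliberately left out of this model.
    name: str
    access_type: str                     # "allow" or "deny"
    users: frozenset = frozenset()
    services: frozenset = frozenset()
    hosts: frozenset = frozenset()


def _matches(rule, user, service, host):
    return ((not rule.users or user in rule.users)
            and (not rule.services or service in rule.services)
            and (not rule.hosts or host in rule.hosts))


def evaluate(rules, user, service, host, deny_rule_mode="denyall"):
    """Return True if (user, service, host) is granted access.

    deny_rule_mode (hypothetical name for the transitional option):
      "denyall" - any DENY rule present makes every request fail (default)
      "ignore"  - DENY rules are skipped and only ALLOW rules are evaluated
    """
    deny_rules = [r.name for r in rules if r.access_type == "deny"]
    if deny_rules:
        if deny_rule_mode == "denyall":
            # Loud failure: every login is refused until the rules are removed.
            log.error("HBAC DENY rules are no longer supported; refusing all "
                      "access until they are removed: %s", ", ".join(deny_rules))
            return False
        if deny_rule_mode != "ignore":
            raise ValueError("unknown deny_rule_mode: %r" % deny_rule_mode)
        log.warning("Ignoring unsupported HBAC DENY rules: %s", ", ".join(deny_rules))
    # Normal HBAC semantics: access is granted only by a matching ALLOW rule.
    return any(_matches(r, user, service, host)
               for r in rules if r.access_type == "allow")


# Constructed sample rules: one ALLOW rule plus one legacy DENY rule.
ALLOW_SSH_ADMINS = HbacRule("allow_ssh_admins", "allow",
                            users=frozenset({"alice"}), services=frozenset({"sshd"}))
LEGACY_DENY_BOB = HbacRule("deny_bob", "deny", users=frozenset({"bob"}))
SAMPLE_RULES = [ALLOW_SSH_ADMINS, LEGACY_DENY_BOB]
```

With the default mode, the presence of deny_bob blocks even alice's otherwise-allowed sshd login; switching the option to "ignore" restores the ALLOW-only evaluation.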

