[Freeipa-devel] Ticket #2293 - permission attribute check
Martin Kosek
mkosek at redhat.com
Fri Apr 27 12:36:10 UTC 2012
I revisited ticket #2293 after it failed QE check. After some
considerations, I think we should revert this type of check for
permissions. Here is my reasoning:
1) This check fails when the target type does not have all its possible
objectclasses defined in the LDAPObject, like when users or hosts miss
kerberos or samba auxiliary classes as they are just classes that the
object may potentially have:
# ipa permission-mod "Change a user password"
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed
To fix this point, we would need to add all possible object classes to
our user, host, ... objectclasses.
2) It severely limits permission flexibility for custom user
objectclasses. They would need to extend our plugins to make them work.
Observe this inconsistency:
Setting custom OC+attribute works (replace "sudocmd" with some
meaningful object class"):
# ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar
--------------------
Modified user "fbar"
--------------------
User login: fbar
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 61400016
GID: 61400016
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
# ipa user-show --all fbar
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
First name: Foo
Last name: Bar
...
mepmanagedentry: cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
mepOriginEntry, ipasudocmd
sudocmd: fbar
But adding a custom permission to control this attribute fails:
# ipa permission-add "Can manage user sudocmd" --type=user --permissions=write --attrs=sudocmd
ipa: ERROR: attribute(s) "sudocmd" not allowed
Bottom line is that I would remove this check at all and just check that
the attribute is right - as we already do for permission without
"--type" specified:
# ipa permission-add "Can write barbar"
--filter="(objectclass=posixuser)" --permissions=write --attrs=barbar
ipa: ERROR: targetattr "barbar" does not exist in schema. Please add
attributeTypes "barbar" to schema if necessary. ACL Syntax
Error(-5):(targetattr = \22barbar\22)(targetfilter =
\22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo
\22;allow (write) groupdn =
\22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;): Invalid syntax.
Martin
More information about the Freeipa-devel
mailing list