[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.

Endi Sukma Dewata edewata at redhat.com
Wed Jan 4 19:41:38 UTC 2012


On 1/4/2012 12:20 PM, Rob Crittenden wrote:
>> Also another thing, in _make_aci() in aci.py there are 2 exclusivity
>> rules:
>> * type, filter, subtree and targetgroup are mutually exclusive
>> * filter and memberof are mutually exclusive
>>
>> Based on these rules it's possible to have memberof and targetgroup in
>> the same permission, but not filter with targetgroup, which seems to be
>> inconsistent because memberof generates a subset of the ACIs generated by
>> filter.
>>
>> The filter generates an ACI with a generic 'targetfilter=<filter>', and
>> memberof seems to be a convenience method to generate an ACI with a more
>> specific 'targetfilter=(memberOf=<memberof>)'.
>>
>> So the 2 rules should be combined because, like filter, memberof should
>> be mutually exclusive from the other targets too.
>
> This is specifically allowed because it lets you restrict the members of
> the memberof group to modify only the values of the targetgroup (e.g.
> group membership). If anything I'd relax it so filter and targetgroup
> aren't mutually exclusive. I'm not sure of the use case for this though.

Hmm.. I think the memberof is used to define ACI target instead of the 
subject (bind rule). See the following command:

   ipa permission-add test --permissions=all
     --memberof=editors --targetgroup=ipausers

It generates the following ACI:

   (targetfilter = "(memberOf=cn=editors,cn=groups,cn=accounts,
                    dc=example,dc=com)")
   (target = "ldap:///cn=ipausers,cn=groups,cn=accounts,
              dc=example,dc=com")
   (version 3.0;acl "permission:test";allow (all)
    groupdn = "ldap:///cn=test,cn=permissions,cn=pbac,
               dc=example,dc=com";)

If I understand correctly this ACI gives members of cn=test full access 
to members of cn=editors under the cn=ipausers subtree.

To give members of cn=editors full access to cn=ipausers subtree I think 
the cn=editors would have to be added as a member of cn=test permission 
indirectly via privileges and roles.

Since target and targetfilter attributes can co-exist in the ACI, I 
agree that we might want to relax the rules. So the permission target 
can be defined with a subtree, or a filter, or both. With a subtree we 
can specify either a generic subtree, a type, or a targetgroup. With a 
filter we can specify either a generic filter or a memberof. Is this 
correct?

This will require some UI changes too.

-- 
Endi S. Dewata
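The following is an added illustration for this thread, not FreeIPA's own aci.py: a small model of how the permission options map onto ACI `target`/`targetfilter` clauses, with the two exclusivity rules quoted above (`ORIGINAL_RULES`) beside the relaxed scheme Endi proposes (`RELAXED_RULES`: one subtree-like option, one filter-like option, both allowed together). The DN layout (`cn=groups,cn=accounts`, `cn=permissions,cn=pbac`, `dc=example,dc=com`) is taken from the ACI quoted in the message; the `TYPE_CONTAINERS` mapping for `--type`, the function names and the exact output formatting are assumptions made for the example.

```python
import re

# Assumed directory layout; the DNs match the ACI quoted in the thread.
SUFFIX = "dc=example,dc=com"
GROUPS_BASE = "cn=groups,cn=accounts," + SUFFIX
PERMISSIONS_BASE = "cn=permissions,cn=pbac," + SUFFIX
# Assumed, simplified mapping for --type (illustrative only).
TYPE_CONTAINERS = {"user": "cn=users,cn=accounts," + SUFFIX, "group": GROUPS_BASE}

# Option groups whose members may not appear together in one permission.
# ORIGINAL_RULES are the two rules quoted from _make_aci() in the thread;
# RELAXED_RULES are the scheme proposed in the reply: a permission may carry
# at most one subtree-like and at most one filter-like target option.
ORIGINAL_RULES = [{"type", "filter", "subtree", "targetgroup"}, {"filter", "memberof"}]
RELAXED_RULES = [{"subtree", "type", "targetgroup"}, {"filter", "memberof"}]


def check_exclusivity(opts, relaxed=False):
    """Return the set of target options in use, or raise on a forbidden mix."""
    present = {k for k, v in opts.items() if v}
    for rule in (RELAXED_RULES if relaxed else ORIGINAL_RULES):
        clash = sorted(present & rule)
        if len(clash) > 1:
            raise ValueError("mutually exclusive options: " + ", ".join(clash))
    return present


def is_rejected(relaxed=False, **opts):
    """True if the option combination violates the selected rule set."""
    try:
        check_exclusivity(opts, relaxed)
    except ValueError:
        return True
    return False


def make_aci(name, permissions, relaxed=False, **opts):
    """Build an ACI string for a permission (toy version of _make_aci)."""
    present = check_exclusivity(opts, relaxed)
    parts = []
    # Filter-like options become a targetfilter clause; memberof is just a
    # specialised filter, which is why the two are mutually exclusive.
    if "filter" in present:
        parts.append('(targetfilter = "%s")' % opts["filter"])
    elif "memberof" in present:
        parts.append('(targetfilter = "(memberOf=cn=%s,%s)")'
                     % (opts["memberof"], GROUPS_BASE))
    # Subtree-like options become a target clause.
    if "targetgroup" in present:
        parts.append('(target = "ldap:///cn=%s,%s")' % (opts["targetgroup"], GROUPS_BASE))
    elif "type" in present:
        parts.append('(target = "ldap:///%s")' % TYPE_CONTAINERS[opts["type"]])
    elif "subtree" in present:
        parts.append('(target = "%s")' % opts["subtree"])
    # Bind rule: the permission group itself is the subject, as in the thread.
    parts.append('(version 3.0;acl "permission:%s";allow (%s) '
                 'groupdn = "ldap:///cn=%s,%s";)'
                 % (name, ",".join(permissions), name, PERMISSIONS_BASE))
    return "".join(parts)


def aci_targets(aci):
    """Extract the target and targetfilter clauses of an ACI as a dict."""
    return dict(re.findall(r'\((target|targetfilter) = "([^"]*)"\)', aci))


if __name__ == "__main__":
    # Same combination as the permission-add command in the thread.
    aci = make_aci("test", ["all"], memberof="editors", targetgroup="ipausers")
    print(aci)
    print(aci_targets(aci))
    print("filter+targetgroup rejected under original rules:",
          is_rejected(filter="(objectclass=person)", targetgroup="ipausers"))
    print("filter+targetgroup rejected under relaxed rules:",
          is_rejected(relaxed=True, filter="(objectclass=person)", targetgroup="ipausers"))
```

Running it shows the point of the message: `target` and `targetfilter` are independent clauses that coexist in one ACI, so the only combinations worth forbidding are two options that would both produce the same clause (two subtree-like options, or filter together with memberof).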
