[Freeipa-devel] [PATCHES] 0473-0477 Managed permission updater, part 1

Petr Viktorin pviktori at redhat.com
Fri Feb 28 13:47:28 UTC 2014 

On 02/28/2014 02:12 PM, Martin Kosek wrote:
> On 02/26/2014 10:44 AM, Petr Viktorin wrote:
>> Hello,
>> Here are a few fixes/improvements, and the first part of a managed permission
>> updater.
>>
>> The patches should go in this order but don't need to be ACKed/pushed all at once.
>>
>>
>> Design:
>> http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
>> Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
>>
>>
>> This part is a "preview" of sorts, to get the basic mechanism and the metadata
>> format reviewed before I add all of the default read permissions.
>> It implements the first section of "Default Permission Updater" in the design;
>> "Replacing legacy default permissions" and "Removing the global anonymous read
>> ACI" is left for later.
>> Metadata is added for the netgroup plugin* for starters, so installing this
>> will give you two shiny new read permissions:
>>
>> $ ipa permission-find ipa: --all
>> ---------------------
>> 2 permissions matched
>> ---------------------
>>    dn: cn=ipa:Read Netgroup Membership,cn=permissions,cn=pbac,$SUFFIX
>>    Permission name: ipa:Read Netgroup Membership
>>    Permissions: read, compare, search
>>    Effective attributes: externalhost, member, memberof, memberuser
>>    Default attributes: member, memberof, memberuser, externalhost
>>    Bind rule type: all
>>    Subtree: cn=ng,cn=alt,$SUFFIX
>>    Target filter: (objectclass=ipanisnetgroup)
>>    Type: netgroup
>>    ipapermissiontype: V2, MANAGED, SYSTEM
>>    objectclass: ipapermission, groupofnames, top, ipapermissionv2
>>
>>    dn: cn=ipa:Read Netgroups,cn=permissions,cn=pbac,$SUFFIX
>>    Permission name: ipa:Read Netgroups
>>    Permissions: read, compare, search
>>    Effective attributes: cn, description, hostcategory, ipaenabledflag,
>> ipauniqueid, nisdomainname, usercategory
>>    Default attributes: cn, usercategory, hostcategory, ipauniqueid,
>> ipaenabledflag, nisdomainname, description
>>    Bind rule type: all
>>    Subtree: cn=ng,cn=alt,$SUFFIX
>>    Target filter: (objectclass=ipanisnetgroup)
>>    Type: netgroup
>>    ipapermissiontype: V2, MANAGED, SYSTEM
>>    objectclass: ipapermission, groupofnames, top, ipapermissionv2
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> with corresponding ACIs at cn=ng,cn=alt,$SUFFIX:
>>
>> (targetattr = "externalhost || member || memberof || memberuser")(targetfilter
>> = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read Netgroup
>> Membership";allow (read,compare,search) userdn = "ldap:///all";)
>> (targetattr = "cn || description || hostcategory || ipaenabledflag ||
>> ipauniqueid || nisdomainname || usercategory")(targetfilter =
>> "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:ipa:Read
>> Netgroups";allow (read,compare,search) userdn = "ldap:///all";)
>>
>>
>>
>> Patches:
>>
>> 0473: Enables refactoring that will make it more clear (to humans and machines)
>> what plugins code depends on.
>> https://fedorahosted.org/freeipa/ticket/4185
>>
>> 0474: Fix handling of the search term for legacy permissions
>> My code that's in master now handles the search term incorrectly. This does a
>> better job.
>>
>> 0475: Fix tests that relied on some assumptions I'll be breaking
>>
>> 0476: Allow modifying (but not creating) permissions with ":" in the name
>>
>> 0477: Permission updater & sample metadata
>>
>
> 1) 476: Typo in test name:
>
> +            desc='Search fo rnonexisting permission with ":" in the name',

Will fix.

> 2) 477: do we want to log anything when permission is up to date?
>
> +            try:
> +                ldap.update_entry(entry)
> +            except errors.EmptyModlist:
> +                return

I don't think that's needed, after all that's the expected behavior in 
all but the first upgrade.
But I'll be happy to add it if you think it would be better.

> 3) I am not sure if this was initiated by this patch, but when I checked access
> log for a "permission-find --name ipa" operation, it produced over 170 LDAP
> operations, most of them asking for the same information many times. See
> attached access log excerpt.

It's unrelated to this patch. I've started optimizing permission-find 
with many legacy permissions, expect a patch soon.

> 4) I have been quite resilient to the prefixes for the permissions, but it
> seems it is the easier possible approach to fix conflicts with user permissions
> without having to check that later for every upgrade or doing more complex
> stuff like multiple RDNs or different container for system and user permissions.
>
> I am now just thinking about the prefixing. Now you use this name:
>
> ipa:Read Netgroups
>
> Would it be "nicer" to use:
>
> IPA:Read Netgroups
> or
> IPA: Read Netgroups
> or even
> [IPA] Read Netgroups
> ? :-)

Bikeshedding time!
Everyone on the list, please chime in!


I don't really have a preference.


> 5) Are we sure we want to make our code Python 2.7 dependent?
>
> +            'ipapermright': {'read', 'search', 'compare'},
>
> I did not test if we do not require some python 2.7 feature elsewhere already,
> but this construct raised a warning for me.

That ship has sailed already.
Recently there was commit a8ba5e0 which explicitly mentions set literals 
(and which, coincidentally, you acked...), but I'm pretty sure IPA 
needed Python 2.7+ before that.
After all we don't test on Python 2.6 and don't support any OS with 
Python 2.6.

> Otherwise the patches seemed to work fine. I also tried to play with the global
> ACI blacklist blacklisting and it worked as well, when I for example added
> userpassword to netgroup managed_permissions.

-- 
Petr³

More information about the Freeipa-devel mailing list