[Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed
Petr Viktorin
pviktori at redhat.com
Thu Jun 19 11:41:17 UTC 2014
On 06/18/2014 05:46 PM, Martin Kosek wrote:
> On 06/11/2014 06:39 PM, Petr Viktorin wrote:
>> Patch 0578 does the conversion
>>
>> Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
>> permissions needed for automatic enrollment (from
>> http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)
>
> 1) Inconsistent casing in permission names:
>
> System: Add Hosts
> System: Add krbPrincipalName to a host
> System: Enroll a host
> System: Manage Host SSH Public Keys
> System: Manage host keytab
> System: Modify Hosts
> System: Remove Hosts
Fixed
> 2) This ACI does not look right, missing enrolledby:
>
> + 'System: Enroll a host': {
> + 'ipapermright': {'write'},
> + 'ipapermdefaultattr': {'objectclass'},
>
> When I fixed 2) via permission-mod, client enrollment with user with "Host
> Administrators" privilege worked fine.
Added
> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
> No such virtual command" error triggered by "cert-show" command.
Virtual operations seem to be quite a can of worms.
I've sent a separate reply for these.
> We will need to add the permission "System: Read Virtual Operations" that Honza
> is creating also to "Host Administrators" to fix that part.
>
>
> 4) I ran unit tests and found a few missing attributes:
> - update hosts ACI should get "macaddress" attribute
Added
> 5) I hit one nasty issue when running the unit tests (when my master stopped
> working as host account was deleted) - host_is_master function in baseldap no
> longer works as we hid cn=masters from regular users:
>
> def host_is_master(ldap, fqdn):
>     """
>     Check to see if this host is a master.
>
>     Raises an exception if a master, otherwise returns nothing.
>     """
>     master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
>                    api.env.basedn)
>     try:
>         ldap.get_entry(master_dn, ['objectclass'])
>         raise errors.ValidationError(name='hostname', error=_('An IPA master '
>                                      'host cannot be deleted or disabled'))
>     except errors.NotFound:
>         # Good, not a master
>         return
>
> This means that host-del on a master machine or service-del on a master service
> happily passes.
>
> We need to make sure this functionality is still working after the permission
> refactoring. Should we reconsider the cn=masters tree and allow authenticated
> users see the list of IPA servers (without digging into any other detail like
> services) then?
Nasty indeed, thanks for the catch!
Sent as patch 0590, since it's a different issue than converting the
host permissions.
--
Petr³
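The fail-open behaviour described in item 5, as an added illustration that is not FreeIPA code: an LDAP server reports an entry the bound identity may not read as if it did not exist, so a check that treats NotFound as "not a master" silently passes once cn=masters is hidden from regular users. The in-memory directory, the principal names and the privileged-connection variant are constructed assumptions, not the fix shipped in patch 0590.

```python
# Added illustration of the fail-open check from the thread; not FreeIPA code.
# FakeLDAP, DIRECTORY, READ_ACL and the principal names are constructed stand-ins.

class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""

class ValidationError(Exception):
    """Stand-in for ipalib.errors.ValidationError."""

SUFFIX = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"   # constructed base DN
MASTER_DN = "cn=server1.example.test," + SUFFIX

class FakeLDAP:
    """Constructed directory: an entry the bound identity cannot read is
    reported as NotFound, exactly like a real server that hides entries."""
    def __init__(self, binder, entries, readable_by):
        self.binder = binder
        self.entries = entries          # dn -> attributes
        self.readable_by = readable_by  # dn -> principals allowed to read it

    def get_entry(self, dn, attrs):
        if dn not in self.entries or self.binder not in self.readable_by.get(dn, ()):
            raise NotFound(dn)          # ambiguous: missing OR unreadable
        return {a: self.entries[dn].get(a) for a in attrs}

DIRECTORY = {MASTER_DN: {"objectclass": ["top", "nsContainer"]}}
READ_ACL = {MASTER_DN: {"admin"}}       # cn=masters hidden from regular users

def host_is_master(ldap, fqdn):
    """The check as quoted in the thread: NotFound is taken to mean 'not a master'."""
    master_dn = f"cn={fqdn},{SUFFIX}"
    try:
        ldap.get_entry(master_dn, ["objectclass"])
    except NotFound:
        return                          # "Good, not a master" (fails open)
    raise ValidationError("An IPA master host cannot be deleted or disabled")

def host_is_master_privileged(fqdn):
    """Assumed hardening: run the lookup over a connection that can always read
    cn=masters, so the caller's own read rights cannot mask a master."""
    return host_is_master(FakeLDAP("admin", DIRECTORY, READ_ACL), fqdn)

def deletion_blocked(check, *args):
    """True when the check raises, i.e. host-del would be refused."""
    try:
        check(*args)
    except ValidationError:
        return True
    return False
```

Bound as an unprivileged "hostadmin", the quoted check lets the master's deletion through; the privileged lookup refuses it while still allowing an ordinary client to be deleted.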
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0578.3-Convert-Host-default-permissions-to-managed.patch
Type: text/x-patch
Size: 20371 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140619/396fa3f8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0579.3-host-permissions-Allow-writing-attributes-needed-for.patch
Type: text/x-patch
Size: 4702 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140619/396fa3f8/attachment-0001.bin>