[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Fri Oct 3 15:03:30 UTC 2014


On 3.10.2014 16:46, Simo Sorce wrote:
>>>
>>> I did not do any ACI work in the patch yet. I assume that we would like
>>> to add the attr into  'System: Read Host|Service' permission. But I
>>> think that write right should have its own permission.
>>
>> I have added 2 new permissions. Simo, are they OK?
>>
>> for services:
>> 'System: Manage Service Keytab Permissions': {
>>       'ipapermright': {'read', 'search', 'compare', 'write'},
>>       'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>>       'default_privileges': {'Service Administrators', 'Host
>> Administrators'},
>> },
>>
>> for hosts:
>> 'System: Manage Host Keytab Permissions': {
>>       'ipapermright': {'read', 'search', 'compare', 'write'},
>>       'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>>       'default_privileges': {'Host Administrators'},
>> },
>>
>> I'm not sure about the write right for 'objectclass' but it's required
>> in order to add 'ipaallowedoperations' oc.
>
> As long as it allows only to add/remove the specific value it should be fine.
>
> Can you please send the raw ACIs ?
> I still find it difficult to reason on the security of the result without
> looking at the lower level.
>

in cn=computers,cn=accounts,dc=example,dc=com:

(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || 
modifytimestamp || objectclass")(targetfilter = 
"(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host 
Keytab Permissions";allow (compare,read,search,write) groupdn = 
"ldap:///cn=System: Manage Host Keytab 
Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)

in cn=services,cn=accounts,dc=idm,dc=example,dc=com:

(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || 
modifytimestamp || objectclass")(targetfilter = 
"(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage 
Service Keytab Permissions";allow (compare,read,search,write) groupdn = 
"ldap:///cn=System: Manage Service Keytab 
Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)

>
> Simo.
>
-- 
Petr Vobornik
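
As an added check, not code from the patch or from the FreeIPA project, the Python below parses the two raw ACIs quoted in the message above and compares them with the permission definitions posted earlier in the thread: whether the granted rights match ipapermright, which attributes the ACI covers beyond ipapermdefaultattr, whether the targetfilter is the one the object type implies, and whether a targattrfilters clause limits which objectclass values the write right may add or remove (the condition Simo states). The expected_targetfilter key and the third, restricted ACI variant are assumptions made for this check and are not part of the patch.

```python
import re

# Added example (not FreeIPA project code). Constructed sample input: the two
# ACIs from the message, unwrapped onto one line each (the mail client wrapped
# them at 72 columns), plus a constructed variant carrying a targattrfilters
# clause to show what the check reports when objectclass writes are restricted.
ACIS = {
    'host': (
        '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || '
        'modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")'
        '(version 3.0;acl "permission:System: Manage Host Keytab Permissions";'
        'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host '
        'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
    ),
    'service': (
        '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || '
        'modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")'
        '(version 3.0;acl "permission:System: Manage Service Keytab Permissions";'
        'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service '
        'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
    ),
    # Assumed variant, not from the patch: same host ACI with a targattrfilters
    # clause that only lets the ipaallowedoperations objectclass value be added
    # or deleted (389-ds syntax: add=attr:filter, del=attr:filter).
    'host_restricted': (
        '(targetattr = "ipaallowedtoperform || objectclass")'
        '(targattrfilters = "add=objectclass:(objectclass=ipaallowedoperations), '
        'del=objectclass:(objectclass=ipaallowedoperations)")'
        '(targetfilter = "(objectclass=ipahost)")'
        '(version 3.0;acl "permission:System: Manage Host Keytab Permissions";'
        'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host '
        'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
    ),
}

# The permission definitions as posted in the thread. expected_targetfilter is
# an assumption added for this check (the filter the host/service object implies).
PERMISSIONS = {
    'host': {
        'ipapermright': {'read', 'search', 'compare', 'write'},
        'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
        'expected_targetfilter': '(objectclass=ipahost)',
    },
    'service': {
        'ipapermright': {'read', 'search', 'compare', 'write'},
        'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
        'expected_targetfilter': '(objectclass=ipaservice)',
    },
}


def _quoted(aci, keyword):
    """Return the double-quoted value following `<keyword> =`, or None if absent."""
    m = re.search(r'\(?' + keyword + r'\s*=\s*"([^"]*)"', aci)
    return m.group(1) if m else None


def parse_aci(aci):
    """Split one 389-ds ACI string into its security-relevant parts."""
    name = re.search(r'acl\s+"([^"]*)"', aci).group(1)
    allow = re.search(r'allow\s*\(([^)]*)\)', aci)
    rights = {r.strip().lower() for r in allow.group(1).split(',')} if allow else set()
    attrs_raw = _quoted(aci, 'targetattr') or ''
    return {
        'name': name,
        'rights': rights,
        'targetattr': {a.strip().lower() for a in attrs_raw.split('||') if a.strip()},
        'targetfilter': _quoted(aci, 'targetfilter'),
        # targattrfilters is the clause that restricts which attribute values a
        # write right may add or delete; without it, write on an attribute is
        # unrestricted as far as the ACI itself is concerned.
        'targattrfilters': _quoted(aci, 'targattrfilters'),
        'groupdn': _quoted(aci, 'groupdn'),
    }


def check_permission(aci, perm):
    """Compare a raw ACI with its permission definition; return a list of findings."""
    parsed = parse_aci(aci)
    findings = []
    if parsed['rights'] != perm['ipapermright']:
        findings.append('rights differ: ACI grants %s, definition wants %s'
                        % (sorted(parsed['rights']), sorted(perm['ipapermright'])))
    missing = perm['ipapermdefaultattr'] - parsed['targetattr']
    if missing:
        findings.append('attributes in definition but not in ACI: %s' % sorted(missing))
    extra = parsed['targetattr'] - perm['ipapermdefaultattr']
    if extra:
        findings.append('attributes in ACI beyond the definition: %s' % sorted(extra))
    if parsed['targetfilter'] != perm['expected_targetfilter']:
        findings.append('targetfilter is %r, expected %r'
                        % (parsed['targetfilter'], perm['expected_targetfilter']))
    if ('write' in parsed['rights'] and 'objectclass' in parsed['targetattr']
            and not parsed['targattrfilters']):
        findings.append('objectclass is writable and no targattrfilters clause limits '
                        'which values may be added or removed')
    return findings


if __name__ == '__main__':
    for key in ('host', 'service', 'host_restricted'):
        perm = PERMISSIONS['service' if key == 'service' else 'host']
        print(key, check_permission(ACIS[key], perm) or ['no findings'])
```

Run it as-is; it needs only the standard library. For the two ACIs from the message the rights and default attributes line up with the definitions, the three operational attributes show up as extras, and the objectclass write is reported as unrestricted by the ACI text itself; the constructed host_restricted variant shows what the report looks like once a targattrfilters clause pins the objectclass value.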
