[Freeipa-devel] using pyhbac for CA ACLs
Martin Kosek
mkosek at redhat.com
Mon May 25 11:14:59 UTC 2015
On 05/25/2015 09:35 AM, Fraser Tweedale wrote:
> Hi everyone,
>
> CA ACLs (the forthcoming `caacl' plugin) will be used to declare
> which users/hosts/services can get certificates from which CAs and
> profiles. For v4.2, we will enforce the ACLs in the framework; the
> plan is to move ACL enforcement to Dogtag in a future release
> (https://fedorahosted.org/freeipa/ticket/5011).
>
> I have written most of the caacl plugin and now I must update
> cert-request to enforce the ACLs. Using hbacrule as the guide, I
> had a look at pyhbac and it seems to be a reasonable fit for
> implementing this. In particular:
>
> - "targethost" and "service" correspond nicely to "(sub)CA" and
> "profile-id" for evaluation.
>
> - A certificate request can be for a user, host or service; these
> will be overloaded into the pyhbac "user" concept. But because we
> will always know who the requesting principal is, we will only
> ever need to deal with whatever of {user,host,service} the
> principal actually is, to be able to evaluate access.
>
> - The "srchost" concept will be unused (therefore fixed to
> HBAC_CATEGORY_ALL). Perhaps there could be some future use.
>
> So, please provide feedback if you think this is a great idea or a
> terrible idea :)
CCing Jakub as pyhbac is owned by SSSD to advise. I think pyhbac rule
evaluation could be hacked to do what you want to do, but IMO, we would be
really calling for trouble if we reuse an evaluation mechanism for HBAC for
different ACL (though similar in concept).
Now question is if the risk of implementing the whole ACL mechanism on your own
is bigger than reusing existing proven HBAC evaluation mechanism for another
purpose...
If we go with implementing the evaluation purely in the framework code, I would
if it makes sense to "Is user $USER member of group $GROUP" via SSSD
interfaces or if we need to evaluate manually the user groups in the framework
(direct and indirect) manually as in hbactest:
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/hbactest.py#n404
Martin
More information about the Freeipa-devel
mailing list