[Freeipa-devel] using pyhbac for CA ACLs

Alexander Bokovoy abokovoy at redhat.com
Mon May 25 11:28:52 UTC 2015


On Mon, 25 May 2015, Martin Kosek wrote:
>On 05/25/2015 09:35 AM, Fraser Tweedale wrote:
>> Hi everyone,
>>
>> CA ACLs (the forthcoming `caacl' plugin) will be used to declare
>> which users/hosts/services can get certificates from which CAs and
>> profiles.  For v4.2, we will enforce the ACLs in the framework; the
>> plan is to move ACL enforcement to Dogtag in a future release
>> (https://fedorahosted.org/freeipa/ticket/5011).
>>
>> I have written most of the caacl plugin and now I must update
>> cert-request to enforce the ACLs.  Using hbacrule as the guide, I
>> had a look at pyhbac and it seems to be a reasonable fit for
>> implementing this.  In particular:
>>
>> - "targethost" and "service" correspond nicely to "(sub)CA" and
>>   "profile-id" for evaluation.
>>
>> - A certificate request can be for a user, host or service; these
>>   will be overloaded into the pyhbac "user" concept.  But because we
>>   will always know who the requesting principal is, we will only
>>   ever need to deal with whatever of {user,host,service} the
>>   principal actually is, to be able to evaluate access.
>>
>> - The "srchost" concept will be unused (therefore fixed to
>>   HBAC_CATEGORY_ALL).  Perhaps there could be some future use.
>>
>> So, please provide feedback if you think this is a great idea or a
>> terrible idea :)
>
>CCing Jakub as pyhbac is owned by SSSD to advise. I think pyhbac rule
>evaluation could be hacked to do what you want to do, but IMO, we would be
>really calling for trouble if we reuse an evaluation mechanism for HBAC for
>different ACL (though similar in concept).
No, it is just fine. The engine is abstracted away from the real
knowledge of where the data comes from and really does a very simple task
that is perfectly fitted for the purpose here.

>Now the question is whether the risk of implementing the whole ACL mechanism on your own
>is bigger than reusing the existing proven HBAC evaluation mechanism for another
>purpose...
>
>If we go with implementing the evaluation purely in the framework code, I would
>if it makes sense to "Is user $USER member of group $GROUP" via SSSD
>interfaces or if we need to evaluate the user groups in the framework
>(direct and indirect) manually as in hbactest:
>
>https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/hbactest.py#n404
Just do the explicit filling of the data in case of 'cert-request'
because we need to handle not only users but also hosts and services.

As for hbactest, it might be good to pull the data from SSSD because
that would allow us to solve some long standing corner cases.
-- 
/ Alexander Bokovoy
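As an added illustration (not code from this thread, from FreeIPA or from pyhbac), here is a stand-alone Python model of the mapping Fraser describes: the requesting principal (user, host or service) is overloaded into the "user" slot, the (sub)CA into "targethost", the profile id into "service", and "srchost" is fixed to the ALL category. The element shape (names, groups, category set) is an assumption chosen to approximate what pyhbac evaluates; the ACL names, hostgroup, CA and profile names are constructed for the example.

```python
from dataclasses import dataclass, field

CATEGORY_ALL = "all"                     # stands in for pyhbac.HBAC_CATEGORY_ALL
EVAL_ALLOW, EVAL_DENY = "allow", "deny"  # stand in for HBAC_EVAL_ALLOW / HBAC_EVAL_DENY

@dataclass
class Element:
    """One rule element: explicit names, member groups, or the ALL category."""
    names: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    category: set = field(default_factory=set)

    def matches(self, name, groups=()):
        return (CATEGORY_ALL in self.category or name in self.names
                or bool(self.groups & set(groups)))

def all_elem():
    return Element(category={CATEGORY_ALL})

@dataclass
class CAACL:
    """A CA ACL in HBAC terms: user = requesting principal, targethost = (sub)CA,
    service = profile id, srchost unused and therefore fixed to ALL."""
    name: str
    users: Element
    targethosts: Element
    services: Element
    enabled: bool = True
    srchosts: Element = field(default_factory=all_elem)

def evaluate(acls, principal, principal_groups, ca, profile_id):
    """Allow iff some enabled ACL matches principal, CA and profile.
    principal_groups must already hold direct and indirect memberships
    (user groups or hostgroups); the engine resolves no groups itself."""
    for acl in acls:
        if (acl.enabled and acl.users.matches(principal, principal_groups)
                and acl.targethosts.matches(ca) and acl.services.matches(profile_id)
                and acl.srchosts.matches("")):
            return EVAL_ALLOW
    return EVAL_DENY

# Constructed sample policy: hosts in the "webservers" hostgroup may request
# the "webServerCert" profile from the "ipa" CA; a disabled ACL grants nothing.
ACLS = [
    CAACL("web-servers", users=Element(groups={"webservers"}),
          targethosts=Element(names={"ipa"}), services=Element(names={"webServerCert"})),
    CAACL("everything", users=all_elem(), targethosts=all_elem(),
          services=all_elem(), enabled=False),
]
```

Because the caller passes the already-resolved group list, Martin's point about direct and indirect membership is decided outside the engine, whether the framework computes it or asks SSSD.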