[Freeipa-devel] [PATCH] 916 vault: add vault container commands

Jan Cholasta jcholast at redhat.com
Tue Sep 1 14:39:35 UTC 2015 

On 1.9.2015 16:26, Jan Cholasta wrote:
> On 26.8.2015 13:22, Petr Vobornik wrote:
>> On 08/25/2015 08:04 PM, Petr Vobornik wrote:
>>> adds commands:
>>> * vaultcontainer-show [--service <service>|--user <user> ]
>>> * vaultcontainer-add-owner
>>>       [--service <service>|--user <user> ]
>>>       [--users <users>]  [--groups <groups>] [--services <services>]
>>> * vaultcontainer-remove-owner
>>>       [--service <service>|--user <user> ]
>>>       [--users <users>]  [--groups <groups>] [--services <services>]
>>>
>>> https://fedorahosted.org/freeipa/ticket/5250
>>>
>>> Use cases:
>>> 1. When user/service is deleted, associated vault container looses
>>> owner. There was no API command to set the owner.
>>> 2. Change owner of container by admin to manage access.
>>>
>>> Show command was added to show current owners.
>>>
>>> Find command was not added, should it be?
>>>
>>>
>>
>> There is also a design for vault container ownership handling created by
>> Endi - it's for future Vault 2.0.
>>
>> http://www.freeipa.org/page/V4/Password_Vault_2.0#Adding_container_owner
>>
>> This patch has a different API than the proposed - different way of
>> specifying the container. The design page uses path e.g. /users/foobar.
>> This patch uses the same way as vaults e.g. --user=foobar. This means
>> that the implementation in this patch cannot manage ownership of parent
>> vault containers e.g. cn=users,cn=vaults,cn=kra,$SUFFIX.
>>
>> Do we want to go with this approach in 4.2?
>>
>> Attaching also new path which removes setting of owner which doesn't
>> exist so that integrity is OK and that it is consistent with removing of
>> user.
>>
>> Updated patch attached - output fix.
>
> We had a long discussion about this with Petr and we think the best
> approach is as follows:
>
>    * Add new "Vault administrators" privilege. Vault administrators will
> have unrestricted access to vaults and vault containers, including the
> power to add/remove owners of vaults and vault containers.
>
>    * Remove the ability of vault owners to add/remove other vault
> owners. If vault owner needs to be changed, vault administrator has to
> do it. Note that vault owners will still have the ability to add/remove
> vault members.
>
>    * When adding new vault container, set owner to the current user. If
> vault container owner needs to be changed, vault administrator has to do
> it.
>
>    * Allow adding vaults and vault containers only if the owner is set
> to the current user.
>
>    * Introduce commands to modify vault container owner and to delete
> vault container, so the administrator has a choice between assigning
> ownership or deleting an unowned container.

Also:

   * Control access to vault data using an ipaProtectedOperation ACI. 
Users which have read access to "ipaProtectedOperation;accessKRA" on a 
vault can retrieve data from the vault and users which have write access 
to "ipaProtectedOperation;accessKRA" on a vault can archive data in the 
vault.

Honza

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list