[Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

Adam Young ayoung at redhat.com
Wed May 11 03:14:45 UTC 2011


On 05/10/2011 11:07 PM, Adam Young wrote:
> On 05/10/2011 04:38 PM, JR Aquino wrote:
>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>
>>> JR Aquino wrote:
>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>
>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
>>>>>
>>>>> An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>>>
>>>>> For example. With the patch added, my user show looks like this:
>>>>>
>>>>> # ipa user-show tester --all
>>>>>   dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>   User login: tester
>>>>>   First name: Tester
>>>>>   Last name: Engineering
>>>>>   Full name: Tester Engineering
>>>>>   Display name: Tester Engineering
>>>>>   Initials: TE
>>>>>   Home directory: /home/tester
>>>>>   GECOS field: Tester Engineering
>>>>>   Login shell: /bin/sh
>>>>>   Kerberos principal:tester at EXAMPLE.COM
>>>>>   UID: 1829800388
>>>>>   GID: 1829800388
>>>>>   Account disabled: False
>>>>>   Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>   ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>   krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>   memberofindirect_HBAC rule: development
>>>>>   memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>   mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>   objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>
>>>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> OOPS, forgot to have PATCH in the subject.
>>>>
>>> I think you need this as well, right?
>>>
>>> -        'memberof': ['group', 'netgroup', 'role'],
>>> +        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
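Review bot: only the `memberof` list gains `'sudorule'` and `'hbacrule'` here; the matching `memberofindirect` list in `attribute_members` is left unchanged, so the indirect view this patch is meant to surface would still omit the two rule types. The same two entries belong in `'memberofindirect'`, and in each plugin that receives the change (user, host, group, hostgroup), so that direct and indirect output stay consistent.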
>> Some scope change.
>>
>> Added memberof and memberofindirect
>>
>> Added to user.py host.py group.py hostgroup.py
>>
>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>>
>> xmlrpc tests check out
>>
>> Please review
>>
>
>
> The reason that this shows up in the UI is that it is generating 
> additional memberof attributes.  It has nothing to do with the 
> memberofindirect:

You are also going to want to modify the sudo rule and HBAC rule to 
use the serial associator on some facets.  It looks like group at least 
has things backwards.  The group.js file I think needs a rule like this:


    association_facet({
        name: 'memberof_sudorule',
        associator: IPA.serial_associator
    }).

This is because the API is for adding multiple groups to the sudo rule, 
but the default behaviour is for adding multiple <other entity> to <this 
entity>.

>
>  "attribute_members": {
>                             "memberof": [
>                                 "group",
>                                 "netgroup",
>                                 "role",
>                                 "hbacrule",
>                                 "sudorule"
>                             ],
>                             "memberofindirect": [
>                                 "group",
>                                 "netgroup",
>                                 "role",
>                                 "hbacrule",
>                                 "sudorule"
>                             ]
>                         },
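The thread is about surfacing, on a user entry, the HBAC and sudo rules that apply to it through group membership. As an added example (not FreeIPA's code, and not the patch under review), the following Python walks a constructed, in-memory directory of DN-keyed entries and derives `memberof` and `memberofindirect` per object type, which is the view `ipa user-show --all` prints above. The entry names are constructed to reproduce that listing; the sample goes one step further than the page by nesting a group inside another group (`release-engineers`), so a rule attached to the outer group shows up as indirect via two hops, and by guarding against cyclic group nesting, which a naive recursive walk would loop on. The `member`/`memberuser` attribute names and container DNs follow FreeIPA's layout, but the directory contents are invented for this example.

```python
"""Derive memberof / memberofindirect for a FreeIPA-style user entry.

Added example, not FreeIPA code.  DIRECTORY is a constructed sample:
dn -> attributes, where groups hold `member` DNs and HBAC/sudo rules hold
`memberuser` DNs (groups or users).  Indirect membership is everything
reachable from the direct containers, minus the direct containers.
"""
from collections import defaultdict, deque

BASE = "dc=example,dc=com"


def dn(rdn, container):
    """Build a DN under BASE (helper for the constructed sample)."""
    return f"{rdn},{container},{BASE}"


USERS, GROUPS = "cn=users,cn=accounts", "cn=groups,cn=accounts"
HBAC, SUDO = "cn=hbac", "cn=sudorules,cn=sudo"
TESTER = dn("uid=tester", USERS)

# Constructed sample directory (not real data).  release-engineers nests
# build-integration, and development is reachable via two groups, so the
# walker must deduplicate and must not list direct containers as indirect.
DIRECTORY = {
    TESTER: {},
    dn("cn=ipausers", GROUPS): {"member": [TESTER]},
    dn("cn=auto-dev-deploy-tools", GROUPS): {"member": [TESTER]},
    dn("cn=build-integration", GROUPS): {"member": [TESTER]},
    dn("cn=release-engineers", GROUPS): {
        "member": [dn("cn=build-integration", GROUPS)]},
    dn("cn=development", HBAC): {
        "memberuser": [dn("cn=ipausers", GROUPS),
                       dn("cn=auto-dev-deploy-tools", GROUPS)]},
    dn("cn=AUTO-dev-deploy-tools_DEPLOY", SUDO): {
        "memberuser": [dn("cn=auto-dev-deploy-tools", GROUPS)]},
    dn("cn=AUTO-dev-deploy-tools_ZENOSS", SUDO): {
        "memberuser": [dn("cn=auto-dev-deploy-tools", GROUPS)]},
    dn("cn=build-integration", SUDO): {
        "memberuser": [dn("cn=release-engineers", GROUPS)]},
}

# Container -> object type, playing the role of attribute_members' type list.
TYPE_BY_CONTAINER = {GROUPS: "group", HBAC: "hbacrule", SUDO: "sudorule"}
MEMBER_ATTRS = ("member", "memberuser")


def object_type(entry_dn):
    """Classify an entry by the container part of its DN."""
    _rdn, _, rest = entry_dn.partition(",")
    container = rest[: -len(BASE) - 1]  # strip ",dc=example,dc=com"
    return TYPE_BY_CONTAINER.get(container, "unknown")


def rdn_value(entry_dn):
    """'cn=foo,...' -> 'foo', the name the CLI prints."""
    return entry_dn.split(",", 1)[0].split("=", 1)[1]


def build_reverse_index(directory):
    """Map each DN to the DNs of the entries that list it as a member."""
    containers = defaultdict(list)
    for holder, attrs in directory.items():
        for attr in MEMBER_ATTRS:
            for member in attrs.get(attr, []):
                containers[member].append(holder)
    return containers


def _group_by_type(dns):
    out = defaultdict(list)
    for entry_dn in dns:
        out[object_type(entry_dn)].append(rdn_value(entry_dn))
    return {otype: sorted(names) for otype, names in out.items()}


def membership(directory, subject):
    """Return (memberof, memberofindirect) as {type: [names]} dicts."""
    containers = build_reverse_index(directory)
    direct = set(containers.get(subject, []))
    indirect = set()
    seen = set(direct) | {subject}  # visited set: terminates on cyclic nesting
    queue = deque(direct)
    while queue:  # breadth-first walk up the containment graph
        current = queue.popleft()
        for parent in containers.get(current, []):
            if parent in seen:
                continue
            seen.add(parent)
            indirect.add(parent)
            queue.append(parent)
    return _group_by_type(direct), _group_by_type(indirect)


if __name__ == "__main__":
    direct, indirect = membership(DIRECTORY, TESTER)
    for label, table in (("memberof", direct), ("memberofindirect", indirect)):
        for otype, names in sorted(table.items()):
            print(f"{label}_{otype}: {', '.join(names)}")
```

Run as a script it prints one line per (attribute, type) pair, e.g. `memberofindirect_sudorule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration`. The reverse index is built once and shared by both passes, which is what keeps the walk linear in the number of membership edges; on a real directory the 389-ds memberOf plugin maintains the equivalent attributes server-side, and the patch only tells the framework which object types to render.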
