[Freeipa-devel] Draft: Read permissions for user

Petr Viktorin pviktori at redhat.com
Tue Apr 29 11:03:35 UTC 2014


On 04/24/2014 11:35 AM, Martin Kosek wrote:
> On 04/23/2014 10:53 PM, Martin Kosek wrote:
>> On 04/23/2014 08:07 PM, Simo Sorce wrote:
[...]
>>>
>>> I know, we may need to provide another permission admins can use to turn
>>> on anonymous searches for those attributes too.
>>> We may also decide that on upgrade vs new install we retain anonymous
>>> access.
>>>
>>> Simo.

This is an interesting challenge.
We want the permission to be set to anonymous when:
1) we're creating it, and
2) the updater is *not* run from ipa-server-install (which would mean 
we're installing a new cluster).
Full analysis below [0].

We discussed this on a meeting and it was mentioned that we can just 
start with anonymous, and simply change to "all authenticated" at the 
end of ipa-server-install. Thinking about it, I don't like that approach.
We may want an ACI audit tool [1] to list differences from defaults.
For uses like this, the metadata should list up-to-date "best 
practices", i.e. what you'd get with a fresh ipa-server-install.
So the metadata should list the bind type as all authenticated, and 
setting it to anonymous should be handled as a special operation.

This will be somewhat harder to code but I think it's worth it.

>> That permission is called
>>
>> $ ipa permission-mod "System: User Information" --bindtype all
>>
>> This is all that's needed to make all the user attributes above readable by
>> authenticated users and not by anonymous.
>>
>> Martin
>
> BTW, we already open groups to anonymous - i.e. we might want to keep the same
> level of default access to users too.
>
> Martin

-- 
Petr³

[0]:
- upgrade
   - permission doesn't exist (first 4.x master in cluster):
     - permission created
     - bind rule: anonymous
   - permission already exists:
     - bind rule not changed
- ipa-server-install:
   - permission created
   - bind rule: all
- ipa-replica-install:
   - permission doesn't exist (first 4.x master in cluster):
     - permission created
     - bind rule: anonymous
   - permission already exists:
     - bind rule not changed

[1] https://fedorahosted.org/freeipa/ticket/4035
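The decision table in [0] and the audit idea in [1], as an added illustration that is not FreeIPA's own updater or ACI code: `desired_bindtype` encodes which bind rule a new "System: User Information" permission should get depending on whether the run is ipa-server-install, ipa-replica-install or an upgrade, and `audit_bindtype` shows what an ACI audit tool would do, i.e. compare the bind rule found in an existing ACI against the best-practice default (all authenticated). The `Mode` enum, the function names and the sample ACI string are assumptions made here; the `userdn = "ldap:///anyone"` (anonymous) and `userdn = "ldap:///all"` (any authenticated bind) clauses are standard 389 Directory Server ACI syntax.

```python
import re
from enum import Enum


class Mode(Enum):
    """How the updater is being run (names assumed for this example)."""
    UPGRADE = "upgrade"
    SERVER_INSTALL = "ipa-server-install"
    REPLICA_INSTALL = "ipa-replica-install"


# 389-ds ACI bind-rule clauses: "anyone" matches anonymous binds,
# "all" matches any authenticated bind.
BIND_RULES = {
    "anonymous": 'userdn = "ldap:///anyone"',
    "all": 'userdn = "ldap:///all"',
}

# The "best practice" value the metadata should carry: what a fresh
# ipa-server-install yields.
DEFAULT_BINDTYPE = "all"


def desired_bindtype(mode, permission_exists):
    """Return the bind type to set on the permission, or None to leave it alone.

    Follows the table from the thread: an existing permission is never
    rewritten (upgrade / replica install); a permission created by
    ipa-server-install gets the default; a permission created on the first
    4.x master of an existing cluster keeps the previous anonymous access.
    """
    if permission_exists:
        return None
    if mode is Mode.SERVER_INSTALL:
        return DEFAULT_BINDTYPE
    return "anonymous"


def bind_rule_clause(bindtype):
    """Render the ACI bind-rule clause for a FreeIPA bind type."""
    return BIND_RULES[bindtype]


_BIND_RE = re.compile(r'userdn\s*=\s*"ldap:///(anyone|all)"')


def audit_bindtype(aci):
    """Extract the bind type from an ACI string and flag deviation from default.

    Anything other than an anyone/all userdn rule is reported as
    "permission" (FreeIPA's third bind type, a groupdn rule naming the
    permission entry itself).
    """
    m = _BIND_RE.search(aci)
    if m is None:
        bindtype = "permission"
    else:
        bindtype = "anonymous" if m.group(1) == "anyone" else "all"
    return {"bindtype": bindtype, "matches_default": bindtype == DEFAULT_BINDTYPE}


# Constructed sample ACI in the shape FreeIPA's managed permissions use;
# attribute list shortened, not copied from a real installation.
SAMPLE_ACI = (
    '(targetattr = "cn || uid || displayname")'
    '(version 3.0;acl "permission:System: User Information";'
    'allow (read,search,compare) userdn = "ldap:///anyone";)'
)


if __name__ == "__main__":
    for mode in Mode:
        for exists in (False, True):
            print(mode.value, "exists" if exists else "new",
                  "->", desired_bindtype(mode, exists))
    print(audit_bindtype(SAMPLE_ACI))
```

Run stand-alone it prints the six cells of the decision table and then reports that the constructed ACI is bound to anonymous and therefore does not match the default an audit tool would compare against.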
