[Freeipa-devel] [PATCHES] 0521-0522 - Add managed read permissions to krbtpolicy & Allow anonymous read access to Kerberos realm container name

Petr Viktorin pviktori at redhat.com
Tue Apr 15 11:13:37 UTC 2014


On 04/15/2014 09:43 AM, Martin Kosek wrote:
> On 04/15/2014 09:38 AM, Martin Kosek wrote:
>> On 04/14/2014 07:18 PM, Simo Sorce wrote:
>>> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
>>>> Hello,
>>>>
>>>> The first patch adds default read permissions to krbtpolicy. Since the
>>>> plugin manages entries in two trees, there are two permissions. Since
>>>> two permissions are needed to cover krbtpolicy, it can't be used as a
>>>> permission's --type.
>>>> The permissions are added to a new privilege, 'Kerberos Ticket Policy
>>>> Readers'.
>>>>
>>>> The second patch adds an ACI for reading the Kerberos realm name. Since
>>>> client enrollment won't work without this, I don't see a reason for
>>>> having it managed by a permission.
>>>>
>>>
>>> LGTM
>>>
>>> Simo.
>>>
>>
>> 521 breaks a unit test:
>>
>> ======================================================================
>> FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using
>> --subtree
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>>      self.test(*self.arg)
>>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in
>> <lambda>
>>      func = lambda: self.check(nice, **test)
>>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in
>> check
>>      self.check_output(nice, cmd, args, options, expected, extra_check)
>>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in
>> check_output
>>      assert_deepequal(expected, got, nice)
>>    File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
>>      assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>    File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
>>      VALUE % (doc, expected, got, stack)
>> AssertionError: assert_deepequal: expected != got.
>>    test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
>>    expected = 1
>>    got = 2
>>    path = ('count',)

Thanks for the catch, tests updated.

>> Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
>> miss permissions for users).

Right; I don't think this permission by itself should allow access to 
users. Correct me if that's wrong.

I created a users permission for testing:
    ipa permission-add 'allow reading user objectclass' --type user --right={read,search,compare} --attrs objectclass --bind all

> /me hit Send too soon.
>
> Although 522 works functionally and client now discovers the IPA server, there
> is no path from SUFFIX to cn=REALM for anonymous users.
>
> I would personally change the ACI to
>
> (targetattr = "cn || objectclass")(targetfilter =
> "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl
> "Anonymous read access to Kerberos container";allow (read,compare,search)
> userdn = "ldap:///anyone";)
>
> and put it to cn=kerberos,$SUFFIX (which is of krbcontainer objectclass).

Right, that's necessary for UIs to list the container.
Simo, are you okay with this?


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0521.2-Add-managed-read-permissions-to-krbtpolicy.patch
Type: text/x-patch
Size: 6986 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140415/e03b052c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0522.2-Allow-anonymous-read-access-to-Kerberos-containers.patch
Type: text/x-patch
Size: 1291 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140415/e03b052c/attachment-0001.bin>
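Added example, not from the patches in this thread and not FreeIPA's own tooling: a POSIX shell script that emits the ACI Martin proposes as an ldapmodify LDIF aimed at cn=kerberos,$SUFFIX, and, when pointed at a live server, walks the DN chain from $SUFFIX down to cn=REALM with anonymous base-scope searches so the "no path from SUFFIX to cn=REALM for anonymous users" problem can be checked directly rather than inferred. The server URI, suffix and realm are constructed placeholders, and ldapsearch is assumed to be the OpenLDAP client.

```shell
#!/bin/sh
# Added example; not part of patches 0521/0522 or of FreeIPA itself.
# Verifies that an anonymous bind can see every container on the way from
# the suffix down to the realm entry, which is what a UI listing the tree needs.
set -u

LDAP_URI=${LDAP_URI:-ldap://ipa.example.test}   # assumed placeholder
SUFFIX=${SUFFIX:-dc=example,dc=test}            # assumed placeholder
REALM=${REALM:-EXAMPLE.TEST}                    # assumed placeholder

# Emit the ACI from the thread as an ldapmodify LDIF. It is placed on
# cn=kerberos,$SUFFIX (a krbcontainer) so that the container itself and the
# krbrealmcontainer beneath it are both readable anonymously.
aci_ldif() {
    cat <<EOF
dn: cn=kerberos,$1
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos container";allow (read,compare,search) userdn = "ldap:///anyone";)
EOF
}

# Print every DN from the suffix down to the given DN, one per line.
# Splits on ',' naively; RDN values containing escaped commas are not handled.
dn_chain() {
    dn=$1
    suffix=$2
    rel=${dn%,"$suffix"}          # RDNs above the suffix, or the DN itself
    if [ "$rel" = "$dn" ]; then   # the DN is the suffix: nothing above it
        rel=""
    fi
    current=$suffix
    printf '%s\n' "$current"
    while [ -n "$rel" ]; do
        rdn=${rel##*,}            # rightmost remaining RDN, closest to the suffix
        rel=${rel%"$rdn"}
        rel=${rel%,}
        current="$rdn,$current"
        printf '%s\n' "$current"
    done
}

# Anonymous base-scope search for one DN. Succeeds only if the entry comes
# back; an entry the ACIs hide returns "no such object" or an empty result.
anon_visible() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$1" -s base '(objectclass=*)' dn 2>/dev/null \
        | grep -q '^dn: '
}

# Walk the chain suffix -> cn=kerberos -> cn=REALM and flag what anonymous
# users cannot see; a HIDDEN line above the realm is the missing path.
check_anon_path() {
    dn_chain "cn=$REALM,cn=kerberos,$SUFFIX" "$SUFFIX" | while read -r dn; do
        if anon_visible "$dn"; then
            echo "ok      $dn"
        else
            echo "HIDDEN  $dn"
        fi
    done
}

case "${1:-}" in
    --ldif)  aci_ldif "$SUFFIX" ;;    # print the LDIF to pipe into ldapmodify
    --check) check_anon_path ;;       # needs a reachable server at $LDAP_URI
esac
```

Run `sh anon_path.sh --ldif | ldapmodify -x -D 'cn=Directory Manager' -W -H "$LDAP_URI"` to apply the ACI, then `sh anon_path.sh --check` before and after to see the cn=kerberos entry change from HIDDEN to ok; the chain walk is the useful part, since a subtree search from the suffix can succeed while a UI browsing level by level still cannot reach the realm entry.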
