[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Martin Kosek mkosek at redhat.com
Wed Apr 16 15:29:36 UTC 2014


On 04/16/2014 05:22 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
>> On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>> On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>>>>>> >> +                'ipanttrustposixoffset',
>>>>>>> >> 'ipantsupportedencryptiontypes',
>>>>>>> >> +                'ipantsidblacklistincoming',
>>>>>>> >> 'ipantsidblacklistoutgoing',
>>>>>>> >> +                # ipaNTDomainAttrs:
>>>>>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>>>>>> >> 'ipantdomainguid',
>>>>>>> >> +                'ipantfallbackprimarygroup',
>>>>>>> >> +            },
>>>>>>> >> +        },
>>>>>>> >> +    }
>>>>>>> >>
>>>>>>> >>      label = _('Trusts')
>>>>>>> >>      label_singular = _('Trust')
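Review bot: the attribute list in this hunk bundles what SSSD on every enrolled host needs to read (cn, ipantflatname, ipantsecurityidentifier, ipanttrusteddomainsid) with ipasam-internal detail such as ipantsupportedencryptiontypes, ipanttrustforesttrustinfo and the two ipantsidblacklist* attributes; if this permission's bind rule covers all authenticated users, as the discussion below assumes, every principal in the realm can read those details. Split it instead: keep only the SSSD set (plus objectclass) in the permission bound to all authenticated users, and move the remaining attributes into a second read permission whose default privileges are the trust administrators and the adtrust agents. The visible context does not show the permission name, bind rule type or rights, so the hunk alone does not let a reviewer confirm which bind rule applies; please include the full managed permission definition in the next revision.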
>>>>>>> >
>>>>>>> >In general I am not sure all authenticated users need access to all this
>>>>>>> >info. Alexander ?
>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>
>>>>>> Can you please list exactly which ones are needed ?
>>>>> SSSD subdomains support needs:
>>>>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>     - ipaNTFlatName
>>>>>     - ipaNTSecurityIdentifier
>>>>>     - ipaNTTrustedDomainSID
>>>>>     - cn
>>>>
>>>> Question is - is there any added value in hiding part of the
>>>> trust information from authenticated users? I.e. attributes like
>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>> attribute anyway?), SID blacklists...
>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>> part of how Samba stores this information taken from specific DCE RPC
>>> structures.
>>>
>>>> If yes, we would need to split this permission in 2 and have one for
>>>> authenticated users and one for "Trust Administrators" and "Trust Readers".
>>> Yes. Authenticated users shouldn't get any access to those details:
>>>   ipantsupportedencryptiontypes
>>>   ipanttrustattributes
>>>   ipanttrustauthincoming
>>>   ipanttrustauthoutgoing
>>>
>>>
>>
>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
>> then have this permission assigned so that samba can operate the attributes.
> 'adtrust agents' and 'trust administrators' should have read, modify,
> delete, and search on cn=trusts.
> 

Right. We will probably want to turn most of the ACIs in
install/updates/60-trusts.update into managed permissions (i.e. defined in
trust.py) and make "adtrust agents" and "trust admins" its members.

It'd make the ACIs more maintainable and install/updates/60-trusts.update would
get much shorter.

Martin
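The split the thread converges on (one read permission for all authenticated users carrying only what SSSD needs, a second one for trust admins and adtrust agents carrying the ipasam-internal attributes) is easy to get wrong when the attribute lists are long, so here is an added example, not FreeIPA's own code, that audits such a split before it lands in trust.py. The dict layout follows the managed_permissions structure used by ipalib plugins (ipapermbindruletype, ipapermright, ipapermdefaultattr, default_privileges); the permission names ("System: Read Trust Information", "System: Read Trust Details", "System: Modify Trusts"), the privilege names ("Trust Admins", "ADTrust Agents") and the exact attribute partition are assumptions drawn from the thread, not values FreeIPA shipped. The "before" dict is modelled on the attribute list in the quoted hunk, with an assumed bind rule of all authenticated users.

```python
# Added example (not FreeIPA's own code): audit a proposed split of the
# trust read permission. Dict layout mimics ipalib managed_permissions;
# permission names, privilege names and attribute sets are assumptions
# taken from the mailing-list thread, not values FreeIPA shipped.

# What SSSD subdomain support must be able to read (Alexander's list).
SSSD_READ_ATTRS = frozenset({
    'cn', 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid',
})

# ipasam-internal detail that authenticated users must not see (Alexander's list).
INTERNAL_ATTRS = frozenset({
    'ipantsupportedencryptiontypes', 'ipanttrustattributes',
    'ipanttrustauthincoming', 'ipanttrustauthoutgoing',
})

READ_RIGHTS = frozenset({'read', 'search', 'compare'})

# "Before": a single permission bound to all authenticated users, modelled on
# the attribute list in the quoted hunk (assumed name and bind rule).
BEFORE = {
    'System: Read Trusts': {
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {
            'cn', 'objectclass',
            'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
            'ipanttrustposixoffset', 'ipantsupportedencryptiontypes',
            'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
            'ipantsecurityidentifier', 'ipantflatname', 'ipantdomainguid',
            'ipantfallbackprimarygroup',
        },
    },
}

# "After": the split proposed in the thread (assumed names and privileges).
_DETAIL_ATTRS = SSSD_READ_ATTRS | INTERNAL_ATTRS | {
    'objectclass', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset',
    'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
    'ipantdomainguid', 'ipantfallbackprimarygroup',
}
AFTER = {
    'System: Read Trust Information': {
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': SSSD_READ_ATTRS | {'objectclass'},
    },
    'System: Read Trust Details': {
        'ipapermbindruletype': 'permission',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': _DETAIL_ATTRS,
        'default_privileges': {'Trust Admins', 'ADTrust Agents'},
    },
    'System: Modify Trusts': {
        'ipapermbindruletype': 'permission',
        'ipapermright': {'write', 'add', 'delete'},
        'ipapermdefaultattr': _DETAIL_ATTRS,
        'default_privileges': {'Trust Admins', 'ADTrust Agents'},
    },
}


def audit(managed_permissions):
    """Return a list of problems with the split; an empty list means it is sound.

    Checks: nothing in INTERNAL_ATTRS is readable through an 'all'/'anonymous'
    bind rule; such bind rules grant read-type rights only; privilege-bound
    permissions actually name privileges; SSSD's attributes stay readable by
    all authenticated users; and every internal attribute is still readable
    through some privilege-bound permission.
    """
    problems = []
    public_read = set()
    privileged_read = set()
    for name, perm in managed_permissions.items():
        bind = perm.get('ipapermbindruletype', 'permission')
        rights = set(perm.get('ipapermright', ()))
        attrs = {a.lower() for a in perm.get('ipapermdefaultattr', ())}
        if bind in ('all', 'anonymous'):
            leaked = sorted(attrs & INTERNAL_ATTRS)
            if leaked:
                problems.append(
                    f"{name}: exposes {', '.join(leaked)} to bind rule '{bind}'")
            extra = sorted(rights - READ_RIGHTS)
            if extra:
                problems.append(f"{name}: grants {extra} to bind rule '{bind}'")
            if bind == 'all' and rights & READ_RIGHTS:
                public_read |= attrs
        else:
            if not perm.get('default_privileges'):
                problems.append(f"{name}: bound to privileges but assigns none")
            if rights & READ_RIGHTS:
                privileged_read |= attrs
    missing_public = sorted(SSSD_READ_ATTRS - public_read)
    if missing_public:
        problems.append(f"SSSD cannot read {', '.join(missing_public)}")
    missing_priv = sorted(INTERNAL_ATTRS - privileged_read)
    if missing_priv:
        problems.append(f"no privileged read permission covers {', '.join(missing_priv)}")
    return problems


if __name__ == '__main__':
    for label, perms in (('before', BEFORE), ('after', AFTER)):
        print(label, audit(perms) or 'ok')
```

Running the module prints the two findings for the single-permission "before" layout (ipantsupportedencryptiontypes exposed to every authenticated user, and no privileged permission covering the internal attributes at all) and "ok" for the split layout; the same audit function can be pointed at a plugin's real managed_permissions dict once the names are known.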
