[Freeipa-devel] [PATCHES] 0540-0542 Add managed read permissions to user

Petr Viktorin pviktori at redhat.com
Mon May 26 10:04:30 UTC 2014 

On 05/25/2014 09:29 PM, Martin Kosek wrote:
> On 05/23/2014 04:50 PM, Simo Sorce wrote:
>> On Fri, 2014-05-23 at 10:59 +0200, Martin Kosek wrote:
>>> On 05/22/2014 04:20 PM, Petr Viktorin wrote:
>>>> On 05/21/2014 12:14 PM, Simo Sorce wrote:
>>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>>> On 05/16/2014 04:33 PM, Petr Viktorin wrote:
>>>>>>> On 05/16/2014 01:54 PM, Martin Kosek wrote:
>>>>>>>> On 04/29/2014 11:00 PM, Petr Viktorin wrote:
>>>>>>>>> Patch 0540 adds a bunch of managed read ACIs for user, as
>>>>>>>>> discussed
>>>>>>>>> previously
>>>>>>>>> [0].
>>>>>>>>>
>>>>>>>>> Patch 0541 is some minor refactoring for the next part.
>>>>>>>>>
>>>>>>>>> Patch 0542 sets the read acces to addressbook attributes to
>>>>>>>>> anonymous when
>>>>>>>>> upgrading from pre-4.0.
>>>>>>>>> I first this by checking if the update is run from
>>>>>>>>> ipa-server-install or
>>>>>>>>> not,
>>>>>>>>> but then I realized the logic I want is simple: if the global
>>>>>>>>> anon read ACI
>>>>>>>>> exists, we want to preserve its spirit by setting addressbook
>>>>>>>>> attribute
>>>>>>>>> ACI to
>>>>>>>>> anonymous.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [0]
>>>>>>>>> http://www.redhat.com/archives/freeipa-devel/2014-April/msg00363.html
>>>>>>>>> et
>>>>>>>>> al.
>>>>>>>>>
>>>>>>>>
>>>>>>>> 540:
>>>>>>>>
>>>>>>>> Looks good! The only attributes I am concerned about are special
>>>>>>>> IPA
>>>>>>>> attributes:
>>>>>>>>
>>>>>>>> - ipauniqueid
>>>>>>>> - ipasshpubkey
>>>>>>>> - ipauserauthtype
>>>>>>>> - userclass
>>>>>>>>
>>>>>>>> I personally do not think they should be included in POSIX
>>>>>>>> attributes
>>>>>>>> permissions, they are far from POSIX definition...
>>>>>>>>
>>>>>>>> What about creating one more permission "System: Read User IPA
>>>>>>>> Attributes" as
>>>>>>>> these are specific to FreeIPA use and allowing that permission
>>>>>>>> for all
>>>>>>>> authenticated users?
>>>>>>>
>>>>>>> Sounds reasonable. I assume we want this one to be also set to
>>>>>>> anonymous when
>>>>>>> upgrading from old versions.
>>>>>>> Attaching updated patches.
>>>>>>
>>>>>> Ok, looks good.
>>>>>>
>>>>>> I am now just pondering whether "System: Read User POSIX
>>>>>> Attributes" is the
>>>>>> right name for the permission as there are not just POSIX
>>>>>> attributes, but also
>>>>>> attributes from organizationalPerson or inetOrgPerson objectclasses.
>>>>>>
>>>>>> Maybe we should name it "System: Read User Core Attributes" or
>>>>>> "System: Read
>>>>>> User Basic Attributes"? Simo, any preference?
>>>>>
>>>>> We could use: "System: Read User Standard Attributes"
>>>>
>>>> I've used this one, then.
>>>>
>>>>>
>>>>> but the 'posix' version is also ok to me.
>>>>
>>>> On Wed, 2014-05-21 at 08:03 +0200, Martin Kosek wrote:
>>>>> Also, I just realized we forgot memberOf attribute - it needs to be
>>>>> available
>>>>> to authenticated users otherwise group membership will fall apart.
>>>>
>>>> Good catch. Added.
>>>>
>>>
>>> We are very close to push this one - I have just one last concern about
>>> userpkcs12 attribute. On upgrade, we previously hidden userpkcs12
>>> from user,
>>> now we added it to be read by default. This results in this warning
>>> during upgrade:
>>>
>>> Excluded attributes for System: Read User Addressbook Attributes:
>>> userpkcs12
>>>
>>> Simo (or others), is this OK or do we want to keep hiding userpkcs12
>>> by default?
>>
>> Is there any client that needs access to that information that we are
>> aware of ?
>>
>> Simo.
>
> I do not think so. Rob, do you know?

This was my mistake. We never allowed non-admins to see that attribute 
by default, so we shouldn't start now.
I'm glad the updater caught it, sorry that I didn't.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0540.4-Add-managed-read-permissions-to-user.patch
Type: text/x-patch
Size: 4279 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/9c0ac264/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0541.4-update_managed_permissions-Pass-around-anonymous-ACI.patch
Type: text/x-patch
Size: 4962 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/9c0ac264/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0542.4-Set-user-addressbook-IPA-attribute-read-ACI-to-anony.patch
Type: text/x-patch
Size: 4174 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/9c0ac264/attachment-0002.bin>

More information about the Freeipa-devel mailing list