[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Petr Viktorin pviktori at redhat.com
Mon May 26 14:44:09 UTC 2014


On 05/22/2014 03:07 PM, Petr Viktorin wrote:
> Hello,
> Here I start upgrading the existing default permissions to the new
> Managed style.
>
> https://fedorahosted.org/freeipa/ticket/4346
>
> The patches rely on my patch 0551
> (https://fedorahosted.org/freeipa/ticket/4349)
> You may run into what seems to be a 389 bug. If you get a "Midair
> Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running
> ipa-ldap-updater again. I'm working with Ludwig on this one.
>
>
>
> The operation is now described at
> http://www.freeipa.org/page/V4/Managed_Read_permissions#Replacing_legacy_default_permissions
>
>
> If the user has modified an old default permission, a warning is
> logged and the replacement permission is not added/updated. The user needs
> to evaluate the situation: either update the old permission to match the
> original default, or remove the old permission, and then running
> ipa-ldap-updater will create the new one.
> Is bailing out the right thing to do if the old entry was modified?
> It could be possible to parse the permission, figure out the changes the
> user made, and apply them to the new one, but that seems like too much
> guesswork to me.
> On the other hand, my approach has a downside as well: if the
> 'memberallowcmd' attribute was removed from 'Modify Sudo rule', there's
> now no way to upgrade while allowing access but keeping that attribute
> off-limits, short of writing a deny ACI by hand. How big a problem is
> this? It might be worth it to create a special tool that upgrades a
> single permission and allows setting the excluded/included attributes
> explicitly.
>
>
>
> There are some interesting scenarios to think about with respect to
> upgrades and user changes:
>
> * Upgrade to old version, e.g.
>    - have IPA 3.2 master, IPA 3.2 replica
>    - upgrade master to 4.0 (old permissions are updated)
>    - then upgrade replica to 3.3 (old permissions are added again!)
>
> This is AFAIK not supported but it does happen.
> We can't change old IPA versions, so any upgrade to a pre-4.0 IPA will
> always add the old permissions, but with this patch, a subsequent
> upgrade to 4.0+, or running a 4.0+ ipa-ldap-update, will remove the old
> permissions again.
>
> Tied to that is another scenario:
>
> * Re-create permissions with old names
>    - have IPA 4.0 master
>    - Create a permission named 'Modify Sudo rule'
>    - Upgrade to IPA 4.1
>
> Here we need to make sure the new permission is *not* removed, because a
> new 'Modify Sudo rule' permission is no longer special in any way. To
> ensure this the updater only removes old-style permissions.
>
> One thing that can happen when 4.0 masters are still mixed with 3.x is
> that an old permission named 'Modify Sudo rule' is added on the old
> server. Any update to 4.0+ will remove that.
> Old-style default permissions were sorta-kinda managed by IPA itself
> anyway, so users should expect this. We should still point it out in the
> docs though, since I expect some users to start messing with the
> permissions before upgrading all of the infrastructure to 4.0.
>
>
> The second patch upgrades sudorule permissions; this serves as an
> example of how the  will work.
> The third patch fixes https://fedorahosted.org/freeipa/ticket/4344

The user read permissions patches had a conflict with these; attaching 
rebased version.


-- 
Petr³
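The updater decision described in the quoted mail (warn and skip a modified legacy default permission, leave alone a new-style permission that merely reuses the old name, replace an unchanged legacy one), written out as an added Python example that is not part of these patches or of FreeIPA itself. The Permission class, the "V2" marker flag and the attribute names used in the test are assumptions of the example, not taken from the patches.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("permission_upgrade")

# Assumption: new-style (managed) permissions carry a marker flag that
# legacy pre-4.0 default permissions lack; "V2" stands in for it here.
NEW_STYLE_FLAG = "V2"


@dataclass(frozen=True)
class Permission:
    """Stand-in for a permission entry: name, rights, ACI attributes, flags."""
    name: str
    rights: frozenset
    attrs: frozenset
    flags: frozenset = frozenset()

def is_legacy(perm):
    """Old-style default permissions do not carry the new-style flag."""
    return NEW_STYLE_FLAG not in perm.flags

def describe_changes(current, original):
    """List how an existing legacy permission differs from the shipped
    default, so the admin can evaluate the modification."""
    changes = []
    for a in sorted(original.attrs - current.attrs):
        changes.append("attribute removed: " + a)
    for a in sorted(current.attrs - original.attrs):
        changes.append("attribute added: " + a)
    if current.rights != original.rights:
        changes.append("rights changed: %s -> %s"
                       % (sorted(original.rights), sorted(current.rights)))
    return changes

def plan_upgrade(existing, original_default, replacement):
    """Decide the updater's action for one legacy default permission:
    add (nothing under the old name), keep (a new-style permission merely
    reuses the name), replace (unchanged legacy entry) or skip (modified
    legacy entry: warn and leave it for the admin)."""
    if existing is None:
        return "add", replacement.name
    if not is_legacy(existing):
        return "keep", existing.name
    changes = describe_changes(existing, original_default)
    if changes:
        log.warning("Permission %r was modified; not replacing it: %s",
                    existing.name, "; ".join(changes))
        return "skip", changes
    return "replace", replacement.name
```

The "skip" branch returns the list of differences so the warning can tell the admin exactly which attribute or right was changed, which is the information needed to either restore the default or remove the old entry before re-running the updater.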
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0552.2-Add-mechanism-for-updating-permissions-to-managed.patch
Type: text/x-patch
Size: 5699 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/f2d0199a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0553.2-Convert-Sudo-rule-default-permissions-to-managed.patch
Type: text/x-patch
Size: 6658 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/f2d0199a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0554.2-Add-missing-attributes-to-Modify-Sudo-rule-permissio.patch
Type: text/x-patch
Size: 1711 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140526/f2d0199a/attachment-0002.bin>
