[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Martin Kosek mkosek at redhat.com
Thu Sep 4 13:55:14 UTC 2014


On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
> On Wed, 03 Sep 2014, Martin Kosek wrote:
>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds managed read permissions to the compat tree.
>>>>>
>>>>> For users it grants anonymous access; authenticated users can read
>>>>> groups, hosts and netgroups.
>>>>>
>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>> Membership" is only granted to authenticated users by default, and the
>>>>> compat tree exposes memberuid.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>
>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>
>>>>
>>>
>>> Fixed patch attached.
>>>
>>
>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>> see if there are no reservations from Alexander or Rob.
> I think we need a bit more fixes. Here is ACL log for an anonymous
> request:
> 
> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
> aci matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
> aci matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous: no aci matched the subject by aci(27): aciname=
> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous: no aci matched the subject by aci(27): aciname=
> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
> by aci(38): aciname= "permission:System: Read User
> Compat Tree", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
> any entry", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
> Tree", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> cached allow by aci(38)
> 
> createTimestamp is operational attribute and is synthesized by
> slapi-nis, there is no problem allowing access to it. I think we can
> allow following operational attributes:
> 
> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
> entryDN, hasSubordinates, numSubordinates

Ah, ok, probably yes. At least for some of them - CCing Simo. For example
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for the whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we
consider that public information or just audit-like information for DM only?

> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
> run ipa-adtrust-install on this machine yet.

I do not think that this attribute is written to cn=compat (did not see it in
config) - is it?

> 
> The same set should be allowed for primary tree.
> 

IMO this should be just one global permission/ACI, set for DIT root.

Martin
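As an added example (not part of this thread and not FreeIPA's or 389-ds's own code), here is a small Python script that parses NSACLPlugin trace lines of the kind Alexander quoted above and reports, per entry, which attributes a subject could read or search and under which ACI. The sample lines are copied from the quoted log, unwrapped and trimmed; the regular expressions and the assumption that an aci(N) index stays stable within one log are mine. Note that, as the quoted log itself shows, the ACI named on a Deny line appears to be only the one the server was evaluating when it logged the decision (Read DNS Configuration has nothing to do with a compat entry), so the script records that name but keys its report on the Allow/Deny decision, not on the cited ACI.

```python
import re

# One NSACLPlugin decision line. The ACI cited in the reason is merely the
# ACI the server was evaluating when it logged the decision.
ACL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"\(main\): (?P<decision>Allow|Deny) (?P<right>\w+) on "
    r"entry\((?P<entry>.+?)\)\.attr\((?P<attr>[^)]+)\) to (?P<subject>.+?): "
    r"(?P<reason>.*)$"
)
ACI_NUM_RE = re.compile(r"aci\((?P<num>\d+)\)")
ACI_NAME_RE = re.compile(r'aciname=\s*"(?P<name>[^"]+)"')


def parse_line(line, aci_names):
    """Parse one log line; returns a dict, or None for non-decision lines.

    aci_names maps aci index -> aciname learned from earlier lines so that
    'cached allow by aci(N)' lines, which carry no name, can be resolved.
    Assumption (not documented by 389-ds here): the index is stable within
    one server run.
    """
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    num_m = ACI_NUM_RE.search(rec["reason"])
    name_m = ACI_NAME_RE.search(rec["reason"])
    rec["aci"] = int(num_m.group("num")) if num_m else None
    if name_m and rec["aci"] is not None:
        aci_names[rec["aci"]] = name_m.group("name")
    rec["aciname"] = name_m.group("name") if name_m else aci_names.get(rec["aci"])
    return rec


def summarize(lines):
    """Last decision per (subject, right, entry, attr), kept in log order."""
    aci_names = {}
    summary = {}
    for line in lines:
        rec = parse_line(line, aci_names)
        if rec is not None:
            summary[(rec["subject"], rec["right"], rec["entry"], rec["attr"])] = rec
    return summary


def attrs_by_decision(summary, entry, subject="anonymous", right="read"):
    """Return (allowed, denied): attr -> aciname for one entry/subject/right."""
    allowed, denied = {}, {}
    for (subj, rgt, ent, attr), rec in summary.items():
        if (subj, rgt, ent) == (subject, right, entry):
            (allowed if rec["decision"] == "Allow" else denied)[attr] = rec["aciname"]
    return allowed, denied


# Constructed sample: lines copied from the quoted log, unwrapped and trimmed.
PREFIX = "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): "
ADMIN_ENTRY = "uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test"
COMPAT_TREE_ACI = 'aciname= "permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"'
SAMPLE_LOG = [
    '[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""',
    PREFIX + "Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid)"
             " to anonymous: no aci matched the subject by aci(27): "
             'aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"',
    PREFIX + "Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid)"
             " to anonymous: allowed by aci(38): " + COMPAT_TREE_ACI,
    PREFIX + "Allow search on entry(" + ADMIN_ENTRY + ").attr(uid) to anonymous:"
             " cached allow by aci(38)",
    PREFIX + "Deny read on entry(" + ADMIN_ENTRY + ").attr(createTimestamp) to anonymous:"
             ' no aci matched the subject by aci(18): aciname= "Admin can manage any entry",'
             ' acidn="dc=ipacloud,dc=test"',
    PREFIX + "Allow read on entry(" + ADMIN_ENTRY + ").attr(objectClass) to anonymous:"
             " allowed by aci(38): " + COMPAT_TREE_ACI,
    PREFIX + "Allow read on entry(" + ADMIN_ENTRY + ").attr(gecos) to anonymous:"
             " cached allow by aci(38)",
    PREFIX + "Allow read on entry(" + ADMIN_ENTRY + ").attr(uidNumber) to anonymous:"
             " cached allow by aci(38)",
]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    allowed, denied = attrs_by_decision(summary, ADMIN_ENTRY)
    for attr, name in sorted(allowed.items()):
        print(f"ALLOW {attr:16} via {name}")
    for attr, name in sorted(denied.items()):
        print(f"DENY  {attr:16} (last ACI evaluated: {name})")
```

Run it against a real access log with ACL tracing enabled (nsslapd-errorlog-level set to include ACL logging) and the denied set for a compat entry is exactly the list of attributes that a new read permission would have to cover; on the quoted log that is createTimestamp, which is why the operational attributes come up in the discussion.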