[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 5 06:56:03 UTC 2014


On Thu, 04 Sep 2014, Martin Kosek wrote:
>On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
>> On Wed, 03 Sep 2014, Martin Kosek wrote:
>>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> This adds managed read permissions to the compat tree.
>>>>>>
>>>>>> For users it grants anonymous access; authenticated users can read
>>>>>> groups, hosts and netgroups.
>>>>>>
>>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>>> Membership" is only granted to authenticated users by default, and the
>>>>>> compat tree exposes memberuid.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>>
>>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>>
>>>>>
>>>>
>>>> Fixed patch attached.
>>>>
>>>
>>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>>> see if there are no reservations from Alexander or Rob.
>> I think we need a bit more fixes. Here is ACL log for an anonymous
>> request:
>>
>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
>> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>> matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>> anonymous: no aci matched the subject by aci(27): aciname=
>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>> anonymous: no aci matched the subject by aci(27): aciname=
>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>> matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
>> by aci(38): aciname= "permission:System: Read User
>> Compat Tree", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
>> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
>> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
>> any entry", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
>> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
>> Tree", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>>
>> createTimestamp is an operational attribute and is synthesized by
>> slapi-nis, so there is no problem allowing access to it. I think we can
>> allow the following operational attributes:
>>
>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>> entryDN, hasSubordinates, numSubordinates
>
>Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>for the whole FreeIPA DIT. So this change is not so related to these patches.
>
>Do we also want to expose attributes like creatorsName/modifiersName? Do we
>consider that public information or just audit-like information for DM only?
>
>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>> run ipa-adtrust-install on this machine yet.
>
>I do not think that this attribute is written to cn=compat (did not see it in
>config) - is it?
>
>>
>> The same set should be allowed for primary tree.
>>
>
>IMO this should be just one global permission/ACI, set for DIT root.

I experimented a bit by setting up SSSD with a simple LDAP provider
talking to a compat tree (with views enabled, but that doesn't change
anything), and I think we need to move to ipapermbindruletype=anonymous,
or otherwise such a setup will not work at all. Attached is my take on it
on top of Petr's patchset.

You can ignore views-related ACIs for the time being.
-- 
/ Alexander Bokovoy
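As an added example that is not part of Alexander's mail or of FreeIPA itself: a small Python checker that parses ACI strings in the form the attached ACI.txt hunks use and reports which attributes a patch makes readable by anonymous binds (userdn = anyone, as opposed to all, which means any authenticated user). The ACI lines are copied from this patch; the list of attributes worth flagging is an assumption, not FreeIPA policy.

```python
import re

# ACI strings copied from the "+" lines of the ACI.txt hunks in this patch
# (plus one existing "all"-bound line for contrast). Constructed test input.
ACI_LINES = [
    '(targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "createtimestamp || creatorsname || entryusn || modifiersname || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)',
]

# Matches the subset of 389-ds ACI syntax that FreeIPA's ACI.txt uses:
# targetattr, optional target / targetfilter, then the version/acl/allow part.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'(?:\(target\s*=\s*"(?P<target>[^"]*)"\))?'
    r'(?:\(targetfilter\s*=\s*"(?P<filter>[^"]*)"\))?'
    r'\(version 3\.0;acl "(?P<name>[^"]*)";allow \((?P<rights>[^)]*)\)\s*'
    r'(?P<bindtype>userdn|groupdn)\s*=\s*"(?P<bind>[^"]*)";\)'
)


def parse_aci(aci):
    """Split one ACI string into its name, attributes, target, rights and bind rule."""
    m = ACI_RE.fullmatch(aci)
    if m is None:
        raise ValueError("unrecognised ACI syntax: %s..." % aci[:50])
    return {
        "name": m.group("name"),
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
        "target": m.group("target"),
        "filter": m.group("filter"),
        "rights": {r.strip() for r in m.group("rights").split(",")},
        "bindtype": m.group("bindtype"),
        "bind": m.group("bind"),
    }


def is_anonymous(aci):
    """True when the rule applies to unauthenticated binds (userdn = anyone).
    'ldap:///all' means any *authenticated* user and is deliberately excluded."""
    return aci["bindtype"] == "userdn" and aci["bind"] == "ldap:///anyone"


def anonymous_exposure(aci_lines):
    """Map every attribute readable without a bind to the ACIs that grant it."""
    exposure = {}
    for line in aci_lines:
        aci = parse_aci(line)
        if not is_anonymous(aci) or "read" not in aci["rights"]:
            continue
        for attr in aci["attrs"]:
            exposure.setdefault(attr, []).append(aci["name"])
    return exposure


def flag_attrs(aci_lines, sensitive):
    """Return the subset of `sensitive` attributes that anonymous binds can read."""
    exposure = anonymous_exposure(aci_lines)
    return {a: exposure[a] for a in sorted(sensitive) if a in exposure}


if __name__ == "__main__":
    # Attributes a reviewer may not want public; an assumed list, not FreeIPA policy.
    for attr, acis in flag_attrs(ACI_LINES, {"creatorsname", "modifiersname", "memberuid"}).items():
        print("%-14s readable anonymously via %s" % (attr, ", ".join(acis)))
```

Running it against the four lines above shows creatorsname and modifiersname becoming anonymously readable only through the new DIT-wide operational-attributes ACI, which is the open question in the thread.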
-------------- next part --------------
diff --git a/ACI.txt b/ACI.txt
index 6a4e646..8cce4a4 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -51,9 +51,11 @@ aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipause
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=*,cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
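Review bot: the target in the `+aci:` line for "permission:System: Read Group Compat Tree" (`ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example`) disagrees with the group.py hunk in this same patch, where `ipapermtarget` for that permission stays `DN('cn=groups', 'cn=compat', api.env.basedn)` with no `cn=*` component; since ACI.txt is meant to mirror the managed-permission definitions, one side has to change. This hunk also moves the bind rule from `ldap:///all` to `ldap:///anyone`, so `memberuid` of every compat group becomes readable without a bind, which is exactly the point Petr said he was unsure about; that decision should be spelled out in the commit message.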
@@ -239,7 +241,7 @@ aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Ma
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || gecos || gidnumber || homedirectory || loginshell || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
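Review bot: the `+aci:` line narrows the target to `ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example`, but the user.py hunk in this patch leaves `ipapermtarget` at `DN('cn=users', 'cn=compat', api.env.basedn)`, so the file and the definition it is generated from no longer agree; add the `uid=*` component to the Python definition or drop it here. The added `createtimestamp || entryusn || modifytimestamp` attributes are also granted DIT-wide by the new "System: Read Operational Attributes" ACI later in this file, so listing them again here is redundant.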
@@ -250,6 +252,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///uid=*,cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
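Review bot: the attribute list in the new "permission:System: Read User Views Compat Tree" ACI is a verbatim copy of the "Read User Compat Tree" list in the previous hunk, and the group views ACI duplicates the group list the same way; the pairs will drift unless the Python definitions share one attribute set. Since the mail says the views-related ACIs can be ignored for now, consider moving them to a separate patch so the compat-tree change can be reviewed on its own.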
@@ -276,6 +280,8 @@ dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || creatorsname || entryusn || modifiersname || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=config
 aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
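Review bot: this ACI makes `creatorsname` and `modifiersname` readable by anonymous binds on every entry under `dc=ipa,dc=example`, which is the question Martin left open above (public information, or audit data for DM only); either leave those two attributes out until that is settled or record the decision in the commit message. `entryusn` is included here while the thread is still waiting on jhrozek to confirm SSSD's need for it. The `(targetfilter = "(objectclass=*)")` matches every entry and adds nothing.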
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index a4340bb..ad96efe 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -204,12 +204,24 @@ class group(LDAPObject):
         },
         'System: Read Group Compat Tree': {
             'non_object': True,
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
+            },
+        },
+        'System: Read Group Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
-            'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
+            'ipapermtarget': DN('cn=*', 'cn=groups', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'objectclass', 'cn', 'memberuid',
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
             },
         },
     }
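Review bot: `ipapermtarget` for "System: Read Group Compat Tree" is re-added here as `DN('cn=groups', 'cn=compat', api.env.basedn)`, while the ACI.txt hunk for the same permission shows `cn=*,cn=groups,cn=compat`; the two must match, and ACI.txt should be regenerated from these definitions rather than hand-edited. The `'createtimestamp', 'modifytimestamp', 'entryusn'` entries in both `ipapermdefaultattr` sets duplicate the new DIT-wide "System: Read Operational Attributes" permission added in update_managed_permissions.py, so they can be dropped from the compat-tree permissions.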
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f95b4fd..5c03a09 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -428,11 +428,24 @@ class user(LDAPObject):
             'non_object': True,
             'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
-            'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
+            'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
                 'homedirectory', 'loginshell',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
+            },
+        },
+        'System: Read User Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('uid=*', 'cn=users', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
+                'homedirectory', 'loginshell',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
             },
         },
     }
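Review bot: the `-`/`+` pair on `'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),` is content-identical (a whitespace-only change), yet ACI.txt in this patch shows the target for this permission as `uid=*,cn=users,cn=compat`; it looks as if the intended `'uid=*'` component was lost from this line. Either restore it so the definition matches the ACI.txt line, or remove the no-op hunk line.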
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 2051bd4..d2b7dea 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -96,6 +96,17 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
 register = Registry()
 
 NONOBJECT_PERMISSIONS = {
+    'System: Read Operational Attributes': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': api.env.basedn,
+        'ipapermtargetfilter': {'(objectclass=*)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'createtimestamp', 'modifytimestamp',
+            'creatorsname', 'modifiersname', 'entryusn',
+        },
+    },
     'System: Read IPA Masters': {
         'replaces_global_anonymous_aci': True,
         'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
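Review bot: the `ipapermtargetfilter` of `{'(objectclass=*)'}` selects every entry and adds nothing beyond the `api.env.basedn` location; drop it or explain why it is needed. The attribute set omits `entrydn`, `hasSubordinates` and `numSubordinates`, which the mail above lists among the operational attributes to expose; say whether leaving them out is deliberate. Because this permission is global and anonymous, the compat-tree permissions in group.py and user.py no longer need to list `createtimestamp`, `modifytimestamp` and `entryusn` themselves.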

