[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 5 11:34:30 UTC 2014


On Fri, 05 Sep 2014, Petr Viktorin wrote:
> On 09/05/2014 09:18 AM, Martin Kosek wrote:
>> On 09/05/2014 09:03 AM, Alexander Bokovoy wrote:
>>> On Fri, 05 Sep 2014, Alexander Bokovoy wrote:
>>>> On Thu, 04 Sep 2014, Martin Kosek wrote:
>>>>> On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
>>>>>> On Wed, 03 Sep 2014, Martin Kosek wrote:
>>>>>>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>>>>>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>>>>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>>>>>>> Hello,
>>>>>>>>>> This adds managed read permissions to the compat tree.
>>>>>>>>>> 
>>>>>>>>>> For users it grants anonymous access; authenticated users can read
>>>>>>>>>> groups, hosts and netgroups.
>>>>>>>>>> 
>>>>>>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>>>>>>> Membership" is only granted to authenticated users by default, and the
>>>>>>>>>> compat tree exposes memberuid.
>>>>>>>>>> 
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>>>>>> 
>>>>>>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> Fixed patch attached.
>>>>>>>> 
>>>>>>> 
>>>>>>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>>>>>>> see if there are no reservations from Alexander or Rob.
>>>>>> I think we need a bit more fixes. Here is ACL log for an anonymous
>>>>>> request:
>>>>>> 
>>>>>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
>>>>>> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>>>>>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>>>>>> Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>>>>>> matched the subject by aci(27): aciname="permission:System: Read DNS
>>>>>> Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>>>>> anonymous: no
>>>>>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>>>>>> Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>>>>> anonymous: no aci matched the subject by aci(27): aciname=
>>>>>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>>>>> anonymous: no aci matched the subject by aci(27): aciname=
>>>>>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>>>>> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>>>>>> matched the subject by aci(27): aciname="permission:System: Read DNS
>>>>>> Configuration", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
>>>>>> search on
>>>>>> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
>>>>>> by aci(38): aciname= "permission:System: Read User
>>>>>> Compat Tree", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
>>>>>> search on
>>>>>> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>>>>>> cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
>>>>>> search on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>>>>> anonymous:
>>>>>> cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
>>>>>> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
>>>>>> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can
>>>>>> manage
>>>>>> any entry", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
>>>>>> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
>>>>>> Tree", acidn="dc=ipacloud,dc=test"
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
>>>>>> anonymous: cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
>>>>>> cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
>>>>>> anonymous: cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
>>>>>> anonymous: cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
>>>>>> anonymous: cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
>>>>>> anonymous: cached allow by aci(38)
>>>>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>>>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>>>>> anonymous:
>>>>>> cached allow by aci(38)
>>>>>> 
>>>>>> createTimestamp is an operational attribute and is synthesized by
>>>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>>>> allow the following operational attributes:
>>>>>> 
>>>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>>>> entryDN, hasSubordinates, numSubordinates
>>>>> 
>>>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>>>>> for whole FreeIPA DIT. So this change is not so related to these patches.
>>>>> 
>>>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>>>> consider that public information or just audit-like information for DM only?
>>>>> 
>>>>>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>>>>>> run ipa-adtrust-install on this machine yet.
>>>>> 
>>>>> I do not think that this attribute is written to cn=compat (did not see it in
>>>>> config) - is it?
>>>>> 
>>>>>> 
>>>>>> The same set should be allowed for primary tree.
>>>>>> 
>>>>> 
>>>>> IMO this should be just one global permission/ACI, set for DIT root.
>>>> 
>>>> I experimented a bit, by setting SSSD with a simple LDAP provider
>>>> talking to a compat tree (with views enabled, but that doesn't change
>>>> anything) and I think we need to move to ipabindpermruletype=anonymous
>>>> or otherwise such setup will not work at all. Attached is my take on it
>>>> on top of Petr's patchset.
>>>> 
>>>> You can ignore views-related ACIs for time being.
>>> Scratch that, it was older version with duplicate entries.
>>> 
>>> Proper one is attached.
>>> 
>> 
>> Thanks! Looks sane to me. We would just need to remove Views related ACIs for
>> the 4.0.x version that we will need for today.
> 
> Thanks indeed!
> 
> Here is the patched patch. The Read Operational Attributes permission is 
> split for createtimestamp/modifytimestamp/entryusn (anonymous) and 
> creatorsname/modifiersname (authenticated).
Thanks! ACK.

> 
> Only admins can read the cn=compat entry itself. I don't think that's an 
> issue though.
It is an empty virtual entry that doesn't exist anywhere and is
synthesized by slapi-nis on each request.

-- 
/ Alexander Bokovoy
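An added example, not code from this thread or from FreeIPA, that reads 389-ds NSACLPlugin records like the ones quoted above and reports, for one bind subject and one subtree, which attributes were allowed by which ACI and which were denied, so a change to the managed permissions can be checked against the ACL log instead of eyeballed. The sample records are constructed, and the record layout the regexes assume is taken from the quoted lines.

```python
import re

# Constructed records modelled on the quoted NSACLPlugin log (one record per line).
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname="Admin can manage any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): '
    r'(?P<verdict>Allow|Deny) (?P<right>\w+) on entry\((?P<dn>[^)]+)\)'
    r'\.attr\((?P<attr>[^)]+)\) to (?P<subject>[^:]+): (?P<reason>.*)$')
ACI_RE = re.compile(r'aci\((?P<num>\d+)\)(?::\s*aciname=\s*"(?P<name>[^"]*)")?')

# Attributes the thread settles on exposing anonymously under cn=users,cn=compat.
EXPECTED_ANON = {'objectclass', 'cn', 'uid', 'uidnumber', 'gidnumber', 'gecos',
                 'loginshell', 'homedirectory', 'createtimestamp', 'modifytimestamp', 'entryusn'}

def parse_acl_decision(line):
    """Parse one Allow/Deny record into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    a = ACI_RE.search(rec['reason'])
    rec['aci'], rec['aciname'] = (int(a.group('num')), a.group('name')) if a else (None, None)
    # "no aci matched the subject by aci(N)" names the last ACI evaluated, not a denying rule.
    rec['no_match'] = rec['reason'].startswith('no aci matched')
    return rec

def audit_subject(log_text, subject, suffix):
    """For one subject under one subtree: (dn, right, attr) -> allowing aci, plus the denies."""
    allowed, denied = {}, set()
    for line in log_text.splitlines():
        rec = parse_acl_decision(line)
        if rec is None or rec['subject'] != subject or not rec['dn'].endswith(suffix):
            continue
        key = (rec['dn'], rec['right'], rec['attr'])
        if rec['verdict'] == 'Allow':
            allowed[key] = rec['aci']
        else:
            denied.add(key)
    return {'allowed': allowed, 'denied': denied}

def missing_grants(summary, expected=EXPECTED_ANON):
    """Attributes denied in the summary that the intended permission set should allow."""
    return {attr for (_dn, _right, attr) in summary['denied'] if attr.lower() in expected}
```

Run `audit_subject(SAMPLE_LOG, 'anonymous', 'cn=users,cn=compat,dc=ipacloud,dc=test')` through `missing_grants` to see that createTimestamp is the attribute the extra operational-attribute permission has to cover.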