[Freeipa-users] Custom ACI entries
Rob Crittenden
rcritten at redhat.com
Thu May 17 17:47:49 UTC 2012
Lucas Yamanishi wrote:
> On 05/17/2012 09:34 AM, Rob Crittenden wrote:
>> ...
>>
>> The ACIs need a little bit of work. The name of the aci needs to
>> match the name of the ACI that permission is being granted to, with a
>> prefix of permission:. So it should look more like:
>>
>> aci: (targetattr = "attribute1 || attribute2 || attribute3")
>> (version 3.0; acl "permission:Read custom attributes"; deny (all)
>> (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn
>> != "ldap:///cn=Read custom
>> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>
>> For the second ACI you don't need add and delete, those are
>> entry-level permissions. You might want to add compare though.
>>
>> We also tend to separate things you can do to your own entry from
>> things you can do to others. So we would break this out into some
>> selfservice ACIs and permission ACIs. Not saying what you're doing
>> won't work.
>>
>> rob
>
> BTW, what's the origin of the naming restrictions? Is it an IPA thing?
Yes, we are trying to hide the complexity of ACIs behind the permission
concept. We take advantage of nested group membership and use that to
delegate access. We create an ACI that grants permission to do something
to a group (in this case a permission). This permission is then a member
of a privilege which is a member of a role which itself has users,
groups, etc as members. So being a member of a role grants access to all
permissions associated with it.
An ACI is just a string of text so we need some mechanism to link an ACI
with a permission object so we use this comment/name section. We added a
prefix to distinguish between selfservice permissions and normal
permissions (and perhaps future prefixes as well).
>
> Here are my updated ACIs:
>
> <pre>
>
> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
> "privateAttribute1 ||
> privateAttribute2 ||
> privateAttribute3 ||
> privateAttribute4")
> (version 3.0; acl "permission:Read custom attributes"; deny (all)
> (userdn = "ldap:///anyone" and
> groupdn != "ldap:///cn=Read custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
> "privateAttribute1 ||
> privateAttribute2")
> (version 3.0; acl "permission:Does this need a special name?"; allow
> (read, search, compare)
> userdn = "ldap:///self";)
Use the prefix selfservice and name it something like: selfservice:
Users can read their own private attributes
> dn: dc=sesda2,dc=com
> changetype: modify
> add: aci
> aci: (targetattr =
> "privateAttribute1 ||
> privateAttribute2 ||
> privateAttribute3 ||
> privateAttribute4")
> (version 3.0; acl "permission:Manage custom attributes"; allow
> (read, write, search, compare)
> groupdn = "ldap:///cn=Manage custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)
Otherwise looks ok. ACIs often have subtle problems so I'd test
casefully. Assuming these work ok you might try enhancing them to limit
their scope to just users by adding (target =
"ldap:///uid=*,cn=users,cn=accounts,dc=sesda2,dc=com"). This might speed
up ACI processing ever so slightly, and ever ms counts.
rob
More information about the Freeipa-users
mailing list