[Freeipa-users] User Roles and access in GUI

Tue Apr 16 07:38:07 UTC 2013

On 04/16/2013 03:16 AM, Dmitri Pal wrote:
> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>
>> I agree it won't be a security feature nor you are doing wrong by not adding
>> it. However, it might come as nice to have feature. Let me explain you my
>> condition.
>>
>> We host web application where lot of DNS entries (Public and Internal) are
>> created for different kind of requests and features. Now we already have a
>> separate DNS server, Separate Manual Linux User/Access Control management by
>> puppet. Linux users   ACL have no relationship with the web application user
>> (which is internal to the web app). 
>>
>> So FreeIPA can help me to centralize the Linux user-management as well as
>> (Public and Internal) DNS. However, the problem is : traditionally the access
>> levels were different for DNS users (support guys) and user management
>> (sysadmins). Now bring both system together even the Host based access
>> control, sudoers rule everything becomes visible to non-sysadmin group.
>>
>> You are right that every user could query all entries from command line and
>> hence it won't help  to secure the system, but not having it on GUI may help
>> to avoid "obvious" visibility of the whole directory.
>>
>> I believe similar GUI "views" could be applied for discussion 
>>
>> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>>
>> where geographically separate Organization units may share the same directory
>> with limited visibility on other branches.
>>
>>
>> Having said that, I am not sure how feasible/logical my view is owing to my
>> limited knowledge in 389 directory server and IPA.
> 
> I think you are talking about this: https://fedorahosted.org/freeipa/ticket/217
> and somewhat about this https://fedorahosted.org/freeipa/ticket/1313
> 
> Would you mind adding the details of your use case to one of those two tickets?
> 
> Alternatively we can start another ticket.
> However I think we should have some kind of a complete solution that covers
> LDAP, UI and CLI consistently.
> Doing it right would be a huge task IMO.
> For LDAP we would probably have to implement some kind of "smart" proxy that
> would reply only to the requests that user are entitled to. Same with CLI and
> UI. But the point is that one configuration should be respected by all three at
> the same time. For example if you are not allowed to manage sudo the sudo
> commands should not return any data as well as LDAP searches and there should
> be no panel in the UI.
> 
> I am really reluctant to fix just UI because we would end up different
> components of the system behaving differently and it would be hard to evolve
> them and maintain.
> 
> Thanks
> Dmitri
> 

I think there were some related discussions about this. I agree that this a
bigger effort, but I do think that a proxy is needed. We should be able to
achieve that goal by being able to disable global ACI allowing read access to
all entries and attributes unless those explicitly blacklisted.

I think we are talking about this ticket:
https://fedorahosted.org/freeipa/ticket/2786

If there is a solid use case for this ticket (and it seems it is), we can
increase its priority. In order to be able to manage such access also for
system accounts (like sudo for example when SSSD is not used), we may want to
also add API to manage such accounts and control their access too:

https://fedorahosted.org/freeipa/ticket/2801

Martin