[Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич isaev at fintech.ru
Mon Nov 11 10:28:44 UTC 2013


Thanks a lot! We will try to work it out.

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Monday, November 11, 2013 12:52 PM
To: Исаев Виталий Анатольевич; Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Access differentiation in group policy

Normally, when you want to limit the groups that the membership can be applied to, one can use the targetfilter component of the relevant ACI. We did this for example for "Modify Group Membership" so that junior admins with this permission cannot add themselves to the main admins group:

# ipa permission-show "Modify Group membership"
  Permission name: Modify Group membership
  Permissions: write
  Attributes: member
  Type: group
  Filter: (!(cn=admins))
  Granted to Privilege: Modify Group membership, Group Administrators
  Indirect Member of roles: helpdesk, User Administrator

# ipa permission-show "Modify Group membership" --raw
aci: (targetattr = "member")(targetfilter = "(!(cn=admins))")(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com";)

Unfortunately, you cannot add the filter component to the permission using the CLI at the moment:

# ipa permission-add perm_edit_member_group1 --permission=write --attrs=member --targetgroup=group1 --filter='(!(cn=admins))'
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

This is a bug (https://fedorahosted.org/freeipa/ticket/2355); I sped up its resolution to the next FreeIPA release.

As for your current options, if you want to add both a subtree and a filter, you can either manually edit the ACI itself via ldapmodify, or update /usr/lib/python2.7/site-packages/ipalib/plugins/aci.py, remove the "valid['filter']" part of the respective validation check and reload httpd.

Martin
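As an added example (not code from the thread), here is a small Python model of how the targetattr, targetfilter and target clauses of the raw ACI above scope a write, plus a scoped_member_aci() helper that builds the per-group ACI Martin describes editing in by hand. The helper's ACI shape (single-group target with the admins exclusion) and the permission name it uses are assumptions; the page only shows the built-in permission's ACI.

```python
import re
# Raw ACI quoted from Martin's "permission-show --raw" output above.
BUILTIN_ACI = ('(targetattr = "member")(targetfilter = "(!(cn=admins))")'
               '(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com")'
               '(version 3.0;acl "permission:Modify Group membership";allow (write) '
               'groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,dc=example,dc=com";)')

def scoped_member_aci(group, base="dc=example,dc=com"):
    """Assumed shape of the hand-edited ACI: one group as target, admins still excluded."""
    return ('(targetattr = "member")(targetfilter = "(!(cn=admins))")'
            '(target = "ldap:///cn=%s,cn=groups,cn=accounts,%s")'
            '(version 3.0;acl "permission:perm_edit_member_%s";allow (write) '
            'groupdn = "ldap:///cn=perm_edit_member_%s,cn=permissions,cn=pbac,%s";)'
            % (group, base, group, group, base))

def parse_aci(aci):
    """Pull the scoping clauses and the granted rights out of a 389-ds ACI string."""
    parts = {k: m.group(1) for k in ("targetattr", "targetfilter", "target")
             for m in [re.search(r'\(%s\s*=\s*"([^"]*)"\)' % k, aci)] if m}
    m = re.search(r'allow\s*\(([^)]*)\)', aci)
    parts["rights"] = {r.strip() for r in m.group(1).split(",")} if m else set()
    return parts

def match_filter(flt, entry):
    """Evaluate an LDAP filter subset (equality, !, &, |) against an entry dict."""
    body = flt.strip()[1:-1]
    if body[0] not in "!&|":
        attr, _, value = body.partition("=")
        return str(entry.get(attr.strip().lower(), "")).lower() == value.strip().lower()
    subs, depth, start = [], 0, 0
    for i, ch in enumerate(body):  # split the operator's operands at depth 1
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            subs.append(body[start:i + 1])
    results = [match_filter(s, entry) for s in subs]
    return not results[0] if body[0] == "!" else (all if body[0] == "&" else any)(results)

def write_allowed(aci, dn, entry, attr):
    """True if this ACI alone grants 'write' on attr for the entry at dn."""
    p = parse_aci(aci)
    attrs = {a.strip().lower() for a in p.get("targetattr", "").split("||")}
    if "write" not in p["rights"] or attr.lower() not in attrs:
        return False
    if "target" in p:  # the '*' in the target URL matches one RDN value
        pattern = re.escape(p["target"].replace("ldap:///", "")).replace(r"\*", "[^,]*")
        if not re.fullmatch(pattern, dn, re.IGNORECASE):
            return False
    return "targetfilter" not in p or match_filter(p["targetfilter"], entry)
```

The model covers only which entries and attributes an ACI applies to, which is exactly the scope that targetfilter and target control.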

On 11/11/2013 08:17 AM, Исаев Виталий Анатольевич wrote:
> Here is our attempt to describe the problem in terms of IPA CLI commands:
> 
> kinit admin
> ipa group-add --desc="Group 1" group1
> ipa group-add --desc="Group 2" group2
> ipa user-add --first="Admin" --last="Group 1" --password admin_group1
> ipa user-add --first="Admin" --last="Group 2" --password admin_group2
> ipa user-add --first="User" --last="Group 1" user_group1
> ipa user-add --first="User" --last="Group 2" user_group2
> ipa group-add-member --users=user_group1 group1
> ipa group-add-member --users=admin_group1 group1
> ipa group-add-member --users=user_group2 group2
> ipa group-add-member --users=admin_group2 group2
> ipa group-remove-member --users=user_group1,admin_group1,user_group2,admin_group2 ipausers
> ipa permission-add perm_edit_sn_group1 --permission=write --attrs=sn --memberof=group1 --type=user
> ipa permission-add perm_edit_member_group1 --permission=write --attrs=member --targetgroup=group1
> ipa privilege-add priv_group1 --desc="Privilege Group1"
> ipa privilege-add-permission priv_group1 --permissions=perm_edit_sn_group1,perm_edit_member_group1
> ipa role-add role_group1 --desc="Role Group1"
> ipa role-add-privilege role_group1 --privileges=priv_group1
> ipa role-add-member role_group1 --users=admin_group1
> kinit admin_group1
> ipa user-mod user_group1 --last="Group 1"
> // I can't change user_group2's lastname.
> ipa user-mod user_group2 --last="Group 1"
> // But I can add to group1 any users or user groups existing in IPA. How can I disallow admin_group1 from adding users or user groups from other isolated groups?
> ipa group-add-member --users=user_group2 group1
> // And now I can change user_group2's lastname.
> ipa user-mod user_group2 --last="Group 1"
> 
> Thanks a lot. 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, November 08, 2013 8:48 PM
> To: Исаев Виталий Анатольевич; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Access differentiation in group policy
> 
> Исаев Виталий Анатольевич wrote:
>> Rob, I apologize, just one more question. We dealt with the editing of attributes, but it is still not clear whether it is possible to restrict adding a user to an isolated group when that user is a member of another isolated group.
> 
> I'm not sure I follow. As you can see, this sort of access control can get very complex :-) Can you provide an example of what you want to do?
> 
> rob
> 
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, November 08, 2013 7:47 PM
>> To: Исаев Виталий Анатольевич; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Access differentiation in group policy
>>
>> Исаев Виталий Анатольевич wrote:
>>> Dear colleagues, we faced an issue of access differentiation for junior IPA admins. Our idea was to create several (say, three: group1, group2, group3) isolated groups with one junior admin per group.
>>>
>>> The group isolation means that the admin of group1 is not able to add to his group either users or subgroups that are members of other global groups (i.e. group2, group3).
>>>
>>> We have attempted to accomplish this by RBAC for every junior admin. It was pointed out that the admin can modify only the objects (users, subgroups) belonging to his group. However, every user enrolled in IPA can see all the other objects by default, therefore any junior admin can add users and subgroups FROM THE OTHER isolated group to his group with no restrictions.
>>>
>>> So the question is: how to implement (the specified) group "isolation" in IPA?
>>>
>>> We're running on RHEL 6.4 with IPA 3.0. Thank you.
>>
>> You need to create some custom permissions that limit the capabilities by memberof.
>>
>> I set up a simple system with a couple of users:
>>
>> kinit admin
>> ipa group-add --desc=g1 g1
>> ipa group-add --desc=g2 g2
>> ipa user-add --first=group1 --last=user1 g1u1
>> ipa user-add --first=group2 --last=user1 g2u1
>> ipa group-add-member --users g1u1 g1
>> ipa group-add-member --users g2u1 g2
>> ipa user-add --first=group1 --last=admin1 g1a1
>> ipa group-add-member --users g1a1 g1
>> ipa passwd g1a1
>>
>> g1a1 is going to be my junior admin.
>>
>> Next I created a permission so junior admins can manage the telephone number. This permission allows the phone number attribute to be written only for members of the group g1.
>>
>> ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
>> ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
>> ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
>> ipa role-add --desc='Group 1 junior admin' group1
>> ipa role-add-privilege --privileges=g1_junior_admin group1
>> ipa role-add-member --users=g1a1 group1
>>
>> So members of the group1 role can modify the telephonenumber attribute of its members.
>>
>> Let's see it in action:
>>
>> kinit g1a1
>> ipa user-mod --phone=410-555-1212 g1u1
>> --------------------
>> Modified user "g1u1"
>> --------------------
>>     User login: g1u1
>>     First name: group1
>>     Last name: user1
>>     Home directory: /home/g1u1
>>     Login shell: /bin/sh
>>     Email address: g1u1 at example.com
>>     UID: 1197000004
>>     GID: 1197000004
>>     Telephone Number: 410-555-1212
>>     Account disabled: False
>>     Password: False
>>     Member of groups: ipausers, g1
>>     Kerberos keys available: False
>>
>> Try another attribute and it fails as expected:
>> ipa user-mod --fax=410-555-1212 g1u1
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'facsimileTelephoneNumber' attribute of entry 'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.
>>
>> Change the phone number of a non-member of the group and it also fails as expected:
>> ipa user-mod --phone=410-555-1213 g2u1
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'telephoneNumber' attribute of entry 'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.
>>
>> rob
>>
> 
> 