[Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Rob Crittenden rcritten at redhat.com
Mon Jun 22 20:09:45 UTC 2015


Nathan Peters wrote:
>
>
> -----Original Message----- From: Rob Crittenden
> Sent: Saturday, June 20, 2015 1:17 PM
> To: Nathan Peters
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
> "System: Read HBAC Rules" with bindtype "all" to a privilege
>
> Nathan Peters wrote:
>>
>>
>> -----Original Message----- From: Rob Crittenden
>> Sent: Friday, June 19, 2015 3:38 PM
>> To: nathan at nathanpeters.com
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
>> "System: Read HBAC Rules" with bindtype "all" to a privilege
>>
>> nathan at nathanpeters.com wrote:
>>>> nathan at nathanpeters.com wrote:
>>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>>
>>>>> I am trying to create a set of privileges or roles that will allow
>>>>> me to
>>>>> create a user who has read-only access to as much of the FreeIPA
>>>>> web UI
>>>>> as
>>>>> possible.  Basically my manager wants the type of view into FreeIPA
>>>>> that they have in AD using the 'AD Users and Computers' program.
>>>>>
>>>>> I note that there are quite a few read permissions in the permissions
>>>>> list.  I tried creating a new privilege called Read Only Administrator
>>>>> and giving it all the permissions that have read only in the name.
>>>>>
>>>>> For some reason I can add all other system and full access permissions,
>>>>> but when I try to add a read only permission I get the following error:
>>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules"
>>>>> with bindtype "all" to a privilege
>>>>>
>>>>> This applies not just to the HBAC rule, but to anything that has Read in
>>>>> the name.
>>>>>
>>>>> How do I create a read only user without getting this error message?
>>>>
>>>> You can't add a rule with bindtype all because this bindtype already
>>>> allows all authenticated users the rights granted by the rule, in this
>>>> case read access.
>>>>
>>>> rob
>>>>
>>>>
>>>
>>> That doesn't sound right.  When I login to FreeIPA web ui with a user
>>> who
>>> is not part of any group, the only thing he can do is browse other users
>>> and update his own password and SSH key.  He does not get the HBAC menu
>>> and definitely cannot browse HBAC rules.
>>
>> The UI handles those permissions differently.
>>
>> $ kinit someuser
>> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
>>
>>>
>>> Also, if I do this step backward and go directly to the RBAC ->
>>> Permissions menu and choose a permission and edit it, I can add it to a
>>> privilege, but if I go to the privilege and try to add the permission it
>>> fails.  This makes zero sense.
>>>
>>> I can post screenshots if that helps.
>>>
>>
>> This is a bug. There is a function not available on the command line,
>> permission_add_member, which incorrectly allows this. I opened
>> https://fedorahosted.org/freeipa/ticket/5075
>>
>> Regardless of whether it is added or not, it is a no-op because the
>> whole idea of permissions is to grant access via groups and there is no
>> group in this permission. It allows all authenticated users.
>>
>> rob
>>
>> What do you mean by it is a no-op?
>>
>> Here is what I did that worked:
>>
>> 1) Create a privilege called "Read only privilege"
>>
>> 2) Go to each permission individually that has the word "Read" in it and
>> add them to the "read only privilege" privilege one at a time.  There
>> were about 65 of them.  This is fine because we are not applying this to
>> users, only applying the permissions to the privilege.
>>
>> 3) Next, go back to the read-only privilege and add some group that
>> contains users.
>>
>> 4) Log in to the web UI as a user that is in the group that was added to
>> the privilege and now you can see all menu options just like an admin,
>> but everything is read only and any attempt to make changes results in a
>> message that you don't have permission to make that change.  This is
>> currently working exactly as I expect it to once I set it up the long
>> way.
>>
>> Result: Member can now browse the entire web UI and see everything,
>> hosts, users, RBAC rules, HBAC rules, groups etc. but in read only mode
>> as expected.
>>
>> I'm talking only about the issue where a permission with a bindrule of
>> all cannot be added to a privilege. The fact that it can be added in
>> the UI is a bug.
>>
>> It is the data in LDAP we really care about and a permission with a
>> bindrule of all grants all authenticated users read access to that
>> data, regardless of what you might or might not see in the UI.
>>
>> I'm not entirely sure how Petr does that though I always thought it
>> was through LDAP effective rights which in effect should grant all
>> users HBAC read access, so perhaps he determines it based on other
>> things as well.
>>
>> rob
>
> So what is the correct way to grant full read-only permissions in the
> web UI?  The audience for this viewing is managers and they are
> non-technical and have no desire to log in to an SSH shell and try to
> view the data they need using the CLI.
>
> They have seen me working in the web UI and really like how easy it is
> to browse the interface.
>
> Is there any proper way to do this?  Is it possible at all without
> invoking that bug that I invoked to make it happen?

That's a question for Petr. I don't know how the UI determines which 
tabs to make visible. I thought it was based on the effective rights but 
perhaps it is more complex than that.

rob