[Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Dmitri Pal dpal at redhat.com
Sat Jun 27 13:32:07 UTC 2015


On 06/23/2015 03:52 AM, Petr Vobornik wrote:
> On 06/22/2015 10:09 PM, Rob Crittenden wrote:
>> Nathan Peters wrote:
>>>
>>>
>>> -----Original Message----- From: Rob Crittenden
>>> Sent: Saturday, June 20, 2015 1:17 PM
>>> To: Nathan Peters
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>
>>> Nathan Peters wrote:
>>>>
>>>>
>>>> -----Original Message----- From: Rob Crittenden
>>>> Sent: Friday, June 19, 2015 3:38 PM
>>>> To: nathan at nathanpeters.com
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege
>>>>
>>>> nathan at nathanpeters.com wrote:
>>>>>> nathan at nathanpeters.com wrote:
>>>>>>> FreeIPA server 4.1.3 on CentOS 7
>>>>>>>
>>>>>>> I am trying to create a set of privileges or roles that will allow
>>>>>>> me to create a user who has read-only access to as much of the FreeIPA
>>>>>>> web UI as possible.  Basically my manager wants the type of view into
>>>>>>> FreeIPA that they have in AD using the 'AD Users and Computers' program.
>>>>>>>
>>>>>>> I note that there are quite a few read permissions in the permissions
>>>>>>> list.  I tried creating a new privilege called Read Only Administrator
>>>>>>> and giving them all the permissions that have read only in the name.
>>>>>>>
>>>>>>> For some reason I can add all other system and full access permissions
>>>>>>> but when I try to add a read only permission I get the following error:
>>>>>>> invalid 'permission': cannot add permission "System: Read HBAC Rules"
>>>>>>> with bindtype "all" to a privilege
>>>>>>>
>>>>>>> This applies not just to the HBAC rule, but to anything that has Read
>>>>>>> in the name.
>>>>>>>
>>>>>>> How do I create a read only user without getting this error message?
>>>>>>
>>>>>> You can't add a rule with bindtype all because this bindtype already
>>>>>> allows all authenticated users the rights granted by the rule, in this
>>>>>> case read access.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>
>>>>> That doesn't sound right.  When I log in to the FreeIPA web UI with a
>>>>> user who is not part of any group, the only thing he can do is browse
>>>>> other users and update his own password and SSH key.  He does not get
>>>>> the HBAC menu and definitely cannot browse HBAC rules.
>>>>
>>>> The UI handles those permissions differently.
>>>>
>>>> $ kinit someuser
>>>> $ ldapsearch -Y GSSAPI -b cn=hbac,dc=example,dc=com
>>>>
>>>>>
>>>>> Also, if I do this step backward and go directly to the RBAC ->
>>>>> Permissions menu and choose a permission and edit it, I can add it to a
>>>>> privilege, but if I go to the privilege and try to add the permission it
>>>>> fails.  This makes zero sense.
>>>>>
>>>>> I can post screenshots if that helps.
>>>>>
>>>>
>>>> This is a bug. There is a function not available on the command line,
>>>> permission_add_member, which incorrectly allows this. I opened
>>>> https://fedorahosted.org/freeipa/ticket/5075
>>>>
>>>> Regardless of whether it is added or not, it is a no-op because the
>>>> whole idea of permissions is to grant access via groups and there is no
>>>> group in this permission. It allows all authenticated users.
>>>>
>>>> rob
>>>>
>>>> What do you mean by it is a no-op?
>>>>
>>>> Here is what I did that worked:
>>>>
>>>> 1) Create a privilege called "Read only privilege".
>>>>
>>>> 2) Go to each permission individually that has the word "Read" in it and
>>>> add them to the "read only privilege" privilege one at a time.  There
>>>> were about 65 of them.  This is fine because we are not applying this to
>>>> users, only applying the permissions to the privilege.
>>>>
>>>> 3) Next, go back to the read-only privilege and add some group that
>>>> contains users.
>>>>
>>>> 4) Log in to the web UI as a user that is in the group that was added to
>>>> the privilege and now you can see all menu options just like an admin,
>>>> but everything is read only and any attempt to make changes results in a
>>>> message that you don't have permission to make that change. This is
>>>> currently working exactly as I expect it to once I set it up the long
>>>> way.
>>>>
>>>> Result: Member can now browse the entire web UI and see everything,
>>>> hosts, users, RBAC rules, HBAC rules, groups etc. but in read only mode
>>>> as expected.
>>>>
>>>> I'm talking only about the issue where a permission with a bindrule of
>>>> all cannot be added to a privilege. The fact that it can be added in
>>>> the UI is a bug.
>>>>
>>>> It is the data in LDAP we really care about and a permission with a
>>>> bindrule of all grants all authenticated users read access to that
>>>> data, regardless of what you might or might not see in the UI.
>>>>
>>>> I'm not entirely sure how Petr does that though I always thought it
>>>> was through LDAP effective rights which in effect should grant all
>>>> users HBAC read access, so perhaps he determines it based on other
>>>> things as well.
>>>>
>>>> rob
>>>
>>> So what is the correct way to grant full read-only permissions in the
>>> web UI?  The audience for this viewing is managers and they are
>>> non-technical and have no desire to log in to an SSH shell and try to
>>> view the data they need using the CLI.
>>>
>>> They have seen me working in the web UI and really like how easy it is
>>> to browse the interface.
>>>
>>> Is there any proper way to do this?  Is it possible at all without
>>> invoking that bug that I invoked to make it happen?
>>
>> That's a question for Petr. I don't know how the UI determines which
>> tabs to make visible. I thought it was based on the effective rights but
>> perhaps it is more complex than that.
>>
>> rob
>
> It's as described in #4. The Web UI displays all tabs if a user is
> assigned to at least one RBAC role, either directly or indirectly
> through a user group. Effective rights are used only for attributes
> (attributelevelrights). Object level rights are not provided to the Web
> UI yet.
>
> In other words:
> 1. create an empty RBAC role
> 2. assign to it all users who should read stuff.
>
> The exception is DNS (and maybe some other entries). DNS is not readable
> by everybody by default.

Is there any RFE that we need to file based on this conversation?

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
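Petr's two steps (an empty RBAC role with the viewers' group as its member) together with Rob's direct LDAP check, as an added shell example that is not part of the thread or of FreeIPA's own tooling; the role and group names are assumptions and the embedded `ipa permission-show` output is constructed:

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Implements Petr's recipe (an empty RBAC role with the viewers' group as
# member) with the ipa CLI, and Rob's ldapsearch check. Names are assumed.
set -eu

ROLE="Read-only viewers"   # assumed role name, created below
GROUP="managers"           # assumed existing user group of the viewers

# Pull the bind rule type out of `ipa permission-show` output.
bindtype_of() {
    printf '%s\n' "$1" | sed -n 's/^ *Bind rule type: *//p'
}

# A permission with bindtype "all" (or "anonymous") is already granted to
# everyone; only bindtype "permission" is delivered through a privilege/role,
# which is why the "System: Read ..." permissions refuse to join a privilege.
needs_privilege() {
    case "$(bindtype_of "$1")" in
        all|anonymous) return 1 ;;
        *)             return 0 ;;
    esac
}

# Petr's steps 1 and 2: an empty role is enough to make the Web UI show
# every tab; the object data itself is already readable via bindtype "all".
setup_read_only_role() {
    ipa role-add "$ROLE" --desc="Browse the Web UI read-only (no privileges)"
    ipa role-add-member "$ROLE" --groups="$GROUP"
}

# Rob's check: read HBAC rules over LDAP as an ordinary user, bypassing the UI.
verify_read_access() {
    basedn=$(ipa env basedn | sed -n 's/^ *basedn: *//p')
    kinit "$1"
    ldapsearch -Y GSSAPI -b "cn=hbac,$basedn" '(objectClass=ipahbacrule)' cn
}

# Constructed sample of `ipa permission-show "System: Read HBAC Rules"` output.
SAMPLE_SHOW='  Permission name: System: Read HBAC Rules
  Granted rights: read, search, compare
  Bind rule type: all
  Subtree: cn=hbac,dc=example,dc=com'

case "${1:-}" in
    apply)  setup_read_only_role ;;
    verify) verify_read_access "${2:?user principal}" ;;
    *)      needs_privilege "$SAMPLE_SHOW" || echo "bindtype $(bindtype_of "$SAMPLE_SHOW"): no privilege needed" ;;
esac
```

Run with `apply` on an IPA server as admin to create the role, then `verify someuser` to confirm the HBAC entries are readable outside the UI.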
