[Freeipa-users] Restrict WebUI access

Petr Vobornik pvoborni at redhat.com
Thu Apr 14 12:39:09 UTC 2016


On 04/14/2016 01:57 PM, dev at mdfive.dz wrote:
> Hi,
> 
> By default, a simple user who authenticates on the WebUI has access to his
> profile info page and can list all users and access their info (read
> only).
> 
> I want to limit a simple user to his profile info page only (where he
> can change his own password) and disable access to the users list and their
> info.

Check RBAC in the previous mail, otherwise it is security by obscurity.

E.g. it is possible to use the following UI plugin (created for demonstration
purposes):

https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

The plugin limits capabilities of self-service page, basically by
replacing it, disabling breadcrumb navigation and removing menu items.

Installation (on each IPA server):

# cd /usr/share/ipa/ui/js/plugins/
# mkdir simpleuser
# cd simpleuser/
# wget https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

then access Web UI...

But anybody can change the URL and view the information of a certain user.

Another possibility is to run the attached script locally (the example is usable
only on the server, but can be easily changed) to run ipa user-find by
communicating with the FreeIPA API.

> 
> Best regards.
> 
> On 2016-04-14 10:22, dev at mdfive.dz wrote:
>> Hi,
>>
>> Yes, I want to restrict simple authenticated users on the WebUI from
>> seeing the list of all users.
>>
>> Is it configurable with the role based access control?
>>
>> Best regards.
>>
>> On 2016-04-13 13:04, Petr Vobornik wrote:
>>> On 04/13/2016 11:30 AM, dev at mdfive.dz wrote:
>>>> Hi,
>>>>
>>>> I want to restrict FreeIPA WebUI access to limited users only. How can
>>>> I proceed?
>>>>
>>>> Thanks in advance,
>>>> Regards
>>>> -- 
>>>> Omar AKHAM
>>>>
>>>
>>> What do you mean by restrict access to Web UI?
>>>
>>> Prevent a certain group of users from logging in? This is not possible to
>>> configure atm. It is possible to develop a Web UI plugin that does it,
>>> but it is not straightforward. Either way, it won't prevent users from
>>> using the FreeIPA API or CLI to get the information if it is not restricted
>>> via RBAC.
>>>
>>> Limit what user can see/search for? This is possible to configure via
>>> Role-based access control (RBAC)[1].
>>>
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
>>>
> 


-- 
Petr Vobornik
-------------- next part --------------
#!/bin/bash
# Attached example: run user-find against the FreeIPA JSON-RPC API.
# As written it only works on an IPA server (local CA cert, local hostname);
# adapt the host and --cacert path to run it elsewhere.

# JSON-RPC request: user_find with no search criteria, no size limit,
# returning primary keys (uids) only.
echo '{"method":"user_find","params":[[],{"sizelimit":0,"pkey_only":true}]}' > /tmp/js1

# Step 1: password login. The session cookie is stored in the cookie jar.
curl --cacert /etc/ipa/ca.crt \
     -c /tmp/ipauicookie \
     --data "user=admin&password=Secret123" \
     https://$(hostname)/ipa/session/login_password

# Step 2: send the JSON-RPC request with the session cookie. The Referer
# header must point at the server's own /ipa URL or the request is rejected.
curl -H "Content-Type:application/json" \
     -H "Referer: https://$(hostname)/ipa/xml" \
     -H "Accept:application/json" \
     -H "Accept-Language:en" \
     --cacert /etc/ipa/ca.crt \
     -d @/tmp/js1 \
     -X POST \
     -b /tmp/ipauicookie \
     -c /tmp/ipauicookie \
     https://$(hostname)/ipa/session/json
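The same two-step exchange (password login, then a session-authenticated JSON-RPC call) in Python, as an added illustration that is not Petr's attached script and not FreeIPA project code. The endpoint paths and headers follow the attached script; the `IpaSession` class needs a live server and is not exercised offline, while the request builder and the `user_find` response parser run on a constructed sample response whose shape (`result`/`error`/`principal` envelope, `result.result` list of entries with multi-valued `uid`) mirrors what the API returns. The error code in the constructed error sample is a placeholder, not a real FreeIPA error code.

```python
"""Added example: FreeIPA JSON-RPC session client and user_find parser.
Not part of the original mail. Endpoint paths mirror the attached curl
script; the sample responses below are constructed."""
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def build_request(method, args=None, options=None):
    """FreeIPA JSON-RPC body: params is a pair [positional args, options dict]."""
    return {"method": method, "params": [list(args or []), dict(options or {})]}


def user_find_request(size_limit=0):
    """Same call the attached script makes: all users, primary keys only."""
    return build_request("user_find", [], {"sizelimit": size_limit, "pkey_only": True})


def api_error(response):
    """Return the server's error message, or None when the call succeeded."""
    err = response.get("error")
    if not err:
        return None
    return f"{err.get('name', 'Error')} ({err.get('code')}): {err.get('message')}"


def parse_user_find(response):
    """Return (list of uids, truncated flag) from a user_find response."""
    message = api_error(response)
    if message is not None:
        raise RuntimeError(message)
    result = response["result"]
    # Every attribute value is a list in the JSON-RPC output, even uid.
    uids = [entry["uid"][0] for entry in result["result"]]
    return uids, bool(result.get("truncated", False))


class IpaSession:
    """Minimal session client: login with a password, then POST JSON-RPC."""

    def __init__(self, host, cafile="/etc/ipa/ca.crt"):
        self.base = f"https://{host}/ipa"
        ctx = ssl.create_default_context(cafile=cafile)
        # The cookie jar carries the session cookie from login to later calls.
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()),
            urllib.request.HTTPSHandler(context=ctx),
        )

    def login(self, user, password):
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/session/login_password",
            data=data,
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain"},
        )
        with self.opener.open(req) as resp:
            return resp.status

    def call(self, body):
        # Referer must point at the server's own /ipa URL, as in the script.
        req = urllib.request.Request(
            self.base + "/session/json",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Accept": "application/json",
                     "Accept-Language": "en",
                     "Referer": self.base + "/xml"},
        )
        with self.opener.open(req) as resp:
            return json.load(resp)


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSE = {
    "result": {
        "count": 2,
        "truncated": False,
        "summary": "2 users matched",
        "result": [
            {"uid": ["admin"], "dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=test"},
            {"uid": ["omar"], "dn": "uid=omar,cn=users,cn=accounts,dc=example,dc=test"},
        ],
    },
    "error": None,
    "id": 0,
    "principal": "admin@EXAMPLE.TEST",
    "version": "4.x",
}

SAMPLE_ERROR = {
    "result": None,
    "error": {"code": 9999, "name": "ACIError",  # placeholder code, constructed
              "message": "Insufficient access: no read access to users"},
    "id": 0,
    "principal": "omar@EXAMPLE.TEST",
    "version": "4.x",
}

if __name__ == "__main__":
    print(json.dumps(user_find_request()))
    print(parse_user_find(SAMPLE_RESPONSE))
    # Against a live server: s = IpaSession("ipa.example.test"); s.login("admin", "…")
    # print(parse_user_find(s.call(user_find_request())))
```

The parser raises on an `error` envelope, which is what a caller sees when RBAC denies the read; a UI plugin that hides the users page changes nothing in this exchange.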


