[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 05:20:38 UTC 2016

On Mon, 29 Aug 2016, Deepak Dimri wrote:
>Hi All,
>I have created below permission for my "testhostgroup" with the
>expectation that this permission will only allow write permission to
>the members of "testhostgroup" but, then it allows me to add/delete
>other hostgroup members as well. I tried changing the effective
>attribute to "memberof" instead of "member" but in vain as with that i
>started getting permission denied error even on testhostgroup itself.
>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member --filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
>Added permission "testhostgroup-modify"
>  Permission name: testhostgroup-modify
>  Granted rights: write
>  Effective attributes: member
>  Bind rule type: permission
>  Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
>  Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
>How can i restrict permissions to manage only those hosts which are
>part of a particular hostgroup? any help you could offer on this would
>be much appreciated. I could not find much on similar issue in the
>forum :( Thanks, Deepak
The permission above says: "Allow changing 'member' attribute in the
testhostgroup object". I don't think this is what you wanted, according
to your explanation above.

Let's say you have host group 'myhostgroup':
# ipa hostgroup-add myhostgroup
Added hostgroup "myhostgroup"
  Host-group: myhostgroup

and now you want to create a permission that would target hosts in the
host group. A member of that permission would be able to do anything
with the host.

First, you need to create a basic permission which applies to hosts:

# ipa permission-add manage-my-hostgroup --right=all --bindtype=permission --type=host 
Added permission "manage-my-hostgroup"
  Permission name: manage-my-hostgroup
  Granted rights: all
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
  Type: host
  Permission flags: V2, SYSTEM

Now, look at the permission in detail:

# ipa permission-show --all --raw manage-my-hostgroup
  dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
  cn: manage-my-hostgroup
  ipapermright: all
  ipapermbindruletype: permission
  ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
  ipapermtargetfilter: (objectclass=ipahost)
  ipapermissiontype: V2
  ipapermissiontype: SYSTEM
  aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
  objectclass: ipapermission
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermissionv2

As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
subtree, and target filter is set to (objectclass=ipahost). So it would
apply to any host. To further limit the permission, you have to add more
target filters. But to do so, you need to know DN of the hostgroup that
will be our target limit:

# ipa hostgroup-show --raw --all myhostgroup
  dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
  cn: myhostgroup
  ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
  mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
  objectClass: ipahostgroup
  objectClass: ipaobject
  objectClass: nestedGroup
  objectClass: groupOfNames
  objectClass: top
  objectClass: mepOriginEntry

Now, using DN of the myhostgroup, you can add a filter to the

# ipa permission-mod manage-my-hostgroup --filter '(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
Modified permission "manage-my-hostgroup"
  Permission name: manage-my-hostgroup
  Granted rights: all
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
  Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
  Type: host
  Permission flags: V2, SYSTEM

Check all details of the permission to see that ACI was actually
modified to include the filter:

# ipa permission-show --all --raw manage-my-hostgroup
  dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
  cn: manage-my-hostgroup
  ipapermright: all
  ipapermbindruletype: permission
  ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
  ipapermtargetfilter: (objectclass=ipahost)
  ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
  ipapermissiontype: V2
  ipapermissiontype: SYSTEM
  aci: (targetfilter = "(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
  objectclass: ipapermission
  objectclass: top
  objectclass: groupofnames
  objectclass: ipapermissionv2

Our ACI says: "Allow any changes to be done in all objects of
objectclass ipahost that belong to a host group 'myhostgroup' to members
of the permission group 'manage-my-hostgroup'"

Now you can add the 'manage-my-hostgroup' permission to a new privilege
and a role, and then assign users to that role. Those users will be able
to manage hosts targeted by the permission.

/ Alexander Bokovoy
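As an added illustration that is not part of the original thread or of FreeIPA's own code: a small Python model of how a permission's location (subtree) and target filters select directory entries. It runs the two filter shapes from the thread (the first one adapted to the 'myhostgroup' name) against constructed host and host-group entries, and rebuilds the ACI string in the layout that permission-show printed above. The entries, the host FQDNs, and the minimal LDAP filter evaluator are assumptions made for this example, not data from a real server.

```python
"""Model of how a FreeIPA permission's location and target filters pick entries.

Constructed example, not FreeIPA code: a tiny LDAP filter evaluator (only
&, |, !, and attr=value / attr=* are supported) run over hand-made entries.
"""

SUFFIX = "dc=ipa,dc=ad,dc=test"
COMPUTERS = "cn=computers,cn=accounts," + SUFFIX

# Constructed entries (assumed, not from a real server). Attribute names are
# lower-cased because LDAP attribute names match case-insensitively.
ENTRIES = {
    "cn=myhostgroup,cn=hostgroups,cn=accounts," + SUFFIX: {
        "cn": ["myhostgroup"],
        "objectclass": ["ipahostgroup", "groupOfNames", "nestedGroup", "top"],
        "member": ["fqdn=web1.ipa.ad.test," + COMPUTERS],
    },
    "fqdn=web1.ipa.ad.test," + COMPUTERS: {          # member of myhostgroup
        "fqdn": ["web1.ipa.ad.test"],
        "objectclass": ["ipahost", "top"],
        "memberof": ["cn=myhostgroup,cn=hostgroups,cn=accounts," + SUFFIX,
                     "cn=myhostgroup,cn=ng,cn=alt," + SUFFIX],
    },
    "fqdn=db1.ipa.ad.test," + COMPUTERS: {           # not in any host group
        "fqdn": ["db1.ipa.ad.test"],
        "objectclass": ["ipahost", "top"],
    },
}


def parse_filter(text):
    """Parse an RFC 4515 style filter into a small tree of tuples."""
    s = text.strip()
    i, node = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data in filter: %r" % s[i:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                      # (&(...)(...)) / (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return i + 1, (op, kids)
    if s[i] == "!":                       # (!(...))
        i, kid = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return i + 1, ("!", [kid])
    end = s.find(")", i)                  # (attr=value), value may hold '='
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % s[i:end])
    return end + 1, ("=", (attr.strip().lower(), value))


def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    kind, payload = node
    if kind == "&":
        return all(matches(k, entry) for k in payload)
    if kind == "|":
        return any(matches(k, entry) for k in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_subtree(dn, location):
    """True if dn is the location itself or lies below it."""
    dn, location = dn.lower(), location.lower()
    return dn == location or dn.endswith("," + location)


def combined_filter(target_filters):
    """Several ipapermtargetfilter values are AND-ed, as in the ACI shown above."""
    if len(target_filters) == 1:
        return target_filters[0]
    return "(&" + "".join(target_filters) + ")"


def build_aci(name, target_filters, rights="all", suffix=SUFFIX):
    """ACI string in the layout printed by 'ipa permission-show --raw'."""
    return ('(targetfilter = "%s")(version 3.0;acl "permission:%s";'
            'allow (%s) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
            % (combined_filter(target_filters), name, rights, name, suffix))


def targeted_entries(location, target_filters, entries=ENTRIES):
    """DNs that a permission with this location and these filters applies to."""
    node = parse_filter(combined_filter(target_filters))
    return sorted(dn for dn, attrs in entries.items()
                  if in_subtree(dn, location) and matches(node, attrs))


if __name__ == "__main__":
    # First shape from the thread: targets the host-group object itself.
    print(targeted_entries(SUFFIX, ["(&(cn=myhostgroup)(objectclass=ipahostgroup))"]))
    # Second shape: targets the host entries that are members of the group.
    host_filters = ["(memberOf=cn=myhostgroup,cn=ng,cn=alt," + SUFFIX + ")",
                    "(objectclass=ipahost)"]
    print(targeted_entries(COMPUTERS, host_filters))
    print(build_aci("manage-my-hostgroup", host_filters))
```

The first call returns only the host-group entry, which is why a write right on `member` there controls group membership rather than the hosts; the second returns only the host that carries the group's `memberOf` value, and `db1` stays out of reach.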

