[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 06:03:23 UTC 2016


On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
>On Mon, 29 Aug 2016, Deepak Dimri wrote:
>>Hi All,
>>I have created the permission below for my "testhostgroup" with the
>>expectation that this permission will only allow write permission to
>>the members of "testhostgroup", but then it allows me to add/delete
>>other hostgroup members as well. I tried changing the effective
>>attribute to "memberof" instead of "member" but in vain, as with that I
>>started getting a permission denied error even on testhostgroup itself.
>>*****
>>
>>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member --filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
>>--------------------------------------
>>Added permission "testhostgroup-modify"
>>--------------------------------------
>> Permission name: testhostgroup-modify
>> Granted rights: write
>> Effective attributes: member
>> Bind rule type: permission
>> Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
>> Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))
>>******
>>How can I restrict permissions to manage only those hosts which are
>>part of a particular hostgroup? Any help you could offer on this would
>>be much appreciated. I could not find much on a similar issue in the
>>forum :( Thanks, Deepak
>The permission above says: "Allow changing 'member' attribute in the
>testhostgroup object". I don't think this is what you wanted, according
>to your explanation above.
>
>Let's say you have host group 'myhostgroup':
># ipa hostgroup-add myhostgroup
>-----------------------------
>Added hostgroup "myhostgroup"
>-----------------------------
> Host-group: myhostgroup
>
>and now you want to create a permission that would target hosts in the
>host group. A member of that permission would be able to do anything
>with the host.
>
>First, you need to create a basic permission which applies to hosts:
>
># ipa permission-add manage-my-hostgroup --right=all 
>--bindtype=permission --type=host 
>--------------------------------------
>Added permission "manage-my-hostgroup"
>--------------------------------------
> Permission name: manage-my-hostgroup
> Granted rights: all
> Bind rule type: permission
> Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> Type: host
> Permission flags: V2, SYSTEM
>
>Now, look at the permission in detail:
>
># ipa permission-show --all --raw manage-my-hostgroup
> dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> cn: manage-my-hostgroup
> ipapermright: all
> ipapermbindruletype: permission
> ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> ipapermtargetfilter: (objectclass=ipahost)
> ipapermissiontype: V2
> ipapermissiontype: SYSTEM
> aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
> objectclass: ipapermission
> objectclass: top
> objectclass: groupofnames
> objectclass: ipapermissionv2
>
>As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
>subtree, and target filter is set to (objectclass=ipahost). So it would
>apply to any host. To further limit the permission, you have to add more
>target filters. But to do so, you need to know the DN of the hostgroup
>that will be our target limit:
>
># ipa hostgroup-show --raw --all myhostgroup
> dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
> cn: myhostgroup
> ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
> mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
> objectClass: ipahostgroup
> objectClass: ipaobject
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: top
> objectClass: mepOriginEntry
>
>Now, using the DN of myhostgroup, you can add a filter to the
>permission:
>
># ipa permission-mod manage-my-hostgroup --filter '(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
Sorry, a typo here^^ I copied the wrong DN; it should be
cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test

not the managed entry DN.

>-----------------------------------------
>Modified permission "manage-my-hostgroup"
>-----------------------------------------
> Permission name: manage-my-hostgroup
> Granted rights: all
> Bind rule type: permission
> Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
> Type: host
> Permission flags: V2, SYSTEM
>
>Check all details of the permission to see that ACI was actually
>modified to include the filter:
>
># ipa permission-show --all --raw manage-my-hostgroup
> dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> cn: manage-my-hostgroup
> ipapermright: all
> ipapermbindruletype: permission
> ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> ipapermtargetfilter: (objectclass=ipahost)
> ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
> ipapermissiontype: V2
> ipapermissiontype: SYSTEM
> aci: (targetfilter = "(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
> objectclass: ipapermission
> objectclass: top
> objectclass: groupofnames
> objectclass: ipapermissionv2
>
>
>Our ACI says: "Allow any changes to be done in all objects of
>objectclass ipahost that belong to a host group 'myhostgroup' to members
>of the permission group 'manage-my-hostgroup'"
>
>Now you can add the 'manage-my-hostgroup' permission to a new privilege
>and a role, and then assign users to that role. Those users will be able
>to manage hosts targeted by the permission.
>
>-- 
>/ Alexander Bokovoy
>

-- 
/ Alexander Bokovoy
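To make the DN slip above easy to catch when reviewing permissions, here is an added example (not code from the thread or from FreeIPA) that renders a V2 permission ACI in the same layout `ipa permission-show --raw` prints and then checks that every memberOf clause in its targetfilter names an entry under cn=hostgroups,cn=accounts rather than the managed netgroup entry under cn=ng,cn=alt. The DNs are the ones from the thread; the function names are this example's own.

```python
import re

# DNs are the ones printed in the thread; function names are this example's own.
SUFFIX = "dc=ipa,dc=ad,dc=test"
PERMISSIONS_BASE = f"cn=permissions,cn=pbac,{SUFFIX}"
HOSTGROUP_BASE = f"cn=hostgroups,cn=accounts,{SUFFIX}"
MANAGED_NG_BASE = f"cn=ng,cn=alt,{SUFFIX}"  # where mepManagedEntry points

TARGETFILTER_RE = re.compile(r'\(targetfilter = "([^"]*)"\)')
MEMBEROF_RE = re.compile(r"\(memberOf=([^)]*)\)", re.IGNORECASE)


def build_aci(name: str, rights: str, target_filters: list[str]) -> str:
    """Render a V2 permission ACI in the layout `permission-show --raw` prints:
    all ipapermtargetfilter values are AND-ed into one targetfilter and the
    bind rule is the permission's own group DN. Filters are sorted here only
    to make the output deterministic."""
    filters = sorted(target_filters)
    target = filters[0] if len(filters) == 1 else "(&" + "".join(filters) + ")"
    return (
        f'(targetfilter = "{target}")'
        f'(version 3.0;acl "permission:{name}";allow ({rights}) '
        f'groupdn = "ldap:///cn={name},{PERMISSIONS_BASE}";)'
    )


def memberof_dns(aci: str) -> list[str]:
    """Every DN named in a memberOf clause of the ACI's targetfilter."""
    m = TARGETFILTER_RE.search(aci)
    return MEMBEROF_RE.findall(m.group(1)) if m else []


def check_hostgroup_scope(aci: str) -> list[str]:
    """Problems with the ACI's scoping; an empty list means every memberOf
    clause names an entry under cn=hostgroups. Flags the slip corrected in
    the thread (the managed netgroup DN under cn=ng,cn=alt) and an ACI with
    no memberOf clause at all, which reaches every host in the subtree."""
    dns = memberof_dns(aci)
    problems = []
    if not dns:
        problems.append("no memberOf clause: permission applies to every host")
    for dn in dns:
        if dn.lower().endswith(MANAGED_NG_BASE):
            problems.append(f"{dn}: managed netgroup entry, not the hostgroup")
        elif not dn.lower().endswith(HOSTGROUP_BASE):
            problems.append(f"{dn}: not under {HOSTGROUP_BASE}")
    return problems
```

Feeding the `aci:` line from `permission-show --raw` to `check_hostgroup_scope` returns an empty list only when the permission is scoped to an actual hostgroup entry.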
