[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 09:54:06 UTC 2016 

On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
>On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
>>On Mon, 29 Aug 2016, Deepak Dimri wrote:
>>>Hi All,
>>>I have created below permission for my "testhostgroup" with the
>>>expectation that this permission will only allow write permission to
>>>the members of "testhostgroup" but, then it allows me to add/delete
>>>other hostgroup members as well. I tried changing the effective
>>>attribute to "memberof" instead of "member" but in vain as with that i
>>>started getting permission denied error even on  testhostgroup itself.
>>>*****
>>>
>>>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member --filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
>>>--------------------------------------
>>>Added permission "testhostgroup-modify"
>>>--------------------------------------
>>>Permission name: testhostgroup-modify
>>>Granted rights: write
>>>Effective attributes: member
>>>Bind rule type: permission
>>>Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
>>>Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))******
>>>How can i restrict permissions to manage only those hosts which are
>>>part of a particular hostgroup? any help you could offer on this would
>>>be much appreciated. I could not find much on similar issue in the
>>>forum :( Thanks,Deepak 		 	   		
>>The permission above says: "Allow changing 'member' attribute in the
>>testhostgroup object". I don't think this is what you wanted, according
>>to your explanation above.
>>
>>Let's say you have host group 'myhostgroup':
>># ipa hostgroup-add myhostgroup
>>-----------------------------
>>Added hostgroup "myhostgroup"
>>-----------------------------
>>Host-group: myhostgroup
>>
>>and now you want to create a permission that would target hosts in the
>>host group. A member of that permission would be able to do anything
>>with the host.
>>
>>First, you need to create a basic permission which applies to hosts:
>>
>># ipa permission-add manage-my-hostgroup --right=all 
>>--bindtype=permission --type=host 
>>--------------------------------------
>>Added permission "manage-my-hostgroup"
>>--------------------------------------
>>Permission name: manage-my-hostgroup
>>Granted rights: all
>>Bind rule type: permission
>>Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
>>Type: host
>>Permission flags: V2, SYSTEM
>>
>>Now, look at the permission in detail:
>>
>># ipa permission-show --all --raw manage-my-hostgroup
>>dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
>>cn: manage-my-hostgroup
>>ipapermright: all
>>ipapermbindruletype: permission
>>ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
>>ipapermtargetfilter: (objectclass=ipahost)
>>ipapermissiontype: V2
>>ipapermissiontype: SYSTEM
>>aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
>>objectclass: ipapermission
>>objectclass: top
>>objectclass: groupofnames
>>objectclass: ipapermissionv2
>>
>>As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
>>subtree, and target filter is set to (objectclass=ipahost). So it would
>>apply to any host. To further limit the permission, you have to add more
>>target filters. But to do so, you need to know DN of the hostgroup that
>>will be our target limit:
>>
>># ipa hostgroup-show --raw --all myhostgroup
>>dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
>>cn: myhostgroup
>>ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
>>mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
>>objectClass: ipahostgroup
>>objectClass: ipaobject
>>objectClass: nestedGroup
>>objectClass: groupOfNames
>>objectClass: top
>>objectClass: mepOriginEntry
>>
>>Now, using DN of the myhostgroup, you can add a filter to the
>>permission:
>>
>># ipa permission-mod manage-my-hostgroup --filter '(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
>Sorry, a typo here^^ I copied wrong DN, it should be
>cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
>
>not the managed entry DN.
>
>>-----------------------------------------
>>Modified permission "manage-my-hostgroup"
>>-----------------------------------------
>>Permission name: manage-my-hostgroup
>>Granted rights: all
>>Bind rule type: permission
>>Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
>>Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
>>Type: host
>>Permission flags: V2, SYSTEM
>>
>>Check all details of the permission to see that ACI was actually
>>modified to include the filter:
>>
>># ipa permission-show --all --raw manage-my-hostgroup
>>dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
>>cn: manage-my-hostgroup
>>ipapermright: all
>>ipapermbindruletype: permission
>>ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
>>ipapermtargetfilter: (objectclass=ipahost)
>>ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
>>ipapermissiontype: V2
>>ipapermissiontype: SYSTEM
>>aci: (targetfilter = "(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
>>objectclass: ipapermission
>>objectclass: top
>>objectclass: groupofnames
>>objectclass: ipapermissionv2
>>
>>
>>Our ACI says: "Allow any changes to be done in all objects of
>>objectclass ipahost that belong to a host group 'myhostgroup' to members
>>of the permission group 'manage-my-hostgroup'"
>>
>>Now you can add the 'manage-my-hostgroup' permission to a new privilege
>>and a role, and then assign users to that role. Those users will be able
>>to manage hosts targeted by the permission.
It takes a bit more to make a successful permission, so I wrote it all
down in a blog post:
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list