[Freeipa-users] Permission not working as expected

Deepak Dimri deepak_dimri at hotmail.com
Tue Aug 30 09:55:36 UTC 2016


Hi Alexander,
Thanks for the reply 
I tried the exact steps below but it is still not working. The admin user added to the new role and privilege we have created is getting an error when trying to add or remove a host of myhostgroup.
ip-172-31-29-153.us-west-2.compute.internal: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=myhostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com'.
Not sure if the DN (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test) would make any difference? I also noticed I don't get "Permission flags: V2, SYSTEM" in my ipa output. Not sure if that would make any difference.
I would really appreciate it if this can be resolved...
Best Regards,
Deepak
> Date: Tue, 30 Aug 2016 09:03:23 +0300
> From: abokovoy at redhat.com
> To: deepak_dimri at hotmail.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Alexander Bokovoy wrote:
> >On Mon, 29 Aug 2016, Deepak Dimri wrote:
> >>Hi All,
> >>I have created below permission for my "testhostgroup" with the
> >>expectation that this permission will only allow write permission to
> >>the members of "testhostgroup" but, then it allows me to add/delete
> >>other hostgroup members as well. I tried changing the effective
> >>attribute to "memberof" instead of "member" but in vain as with that i
> >>started getting permission denied error even on  testhostgroup itself.
> >>*****
> >>
> >>ipa permission-add 'testhostgroup-modify' --permission=write --attrs=member --filter='(&(cn=testhostgroup)(objectclass=ipahostgroup ))'
> >>--------------------------------------
> >>Added permission "testhostgroup-modify"
> >>--------------------------------------
> >> Permission name: testhostgroup-modify
> >> Granted rights: write
> >> Effective attributes: member
> >> Bind rule type: permission
> >> Subtree: dc=us-west-2,dc=compute,dc=amazonaws,dc=com
> >> Extra target filter: (&(cn= testhostgroup)(objectclass=ipahostgroup ))******
> >>How can i restrict permissions to manage only those hosts which are
> >>part of a particular hostgroup? any help you could offer on this would
> >>be much appreciated. I could not find much on similar issue in the
> >>forum :( Thanks,
> >>Deepak
> >The permission above says: "Allow changing 'member' attribute in the
> >testhostgroup object". I don't think this is what you wanted, according
> >to your explanation above.
> >
> >Let's say you have host group 'myhostgroup':
> ># ipa hostgroup-add myhostgroup
> >-----------------------------
> >Added hostgroup "myhostgroup"
> >-----------------------------
> > Host-group: myhostgroup
> >
> >and now you want to create a permission that would target hosts in the
> >host group. A member of that permission would be able to do anything
> >with the host.
> >
> >First, you need to create a basic permission which applies to hosts:
> >
> ># ipa permission-add manage-my-hostgroup --right=all --bindtype=permission --type=host
> >--------------------------------------
> >Added permission "manage-my-hostgroup"
> >--------------------------------------
> > Permission name: manage-my-hostgroup
> > Granted rights: all
> > Bind rule type: permission
> > Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > Type: host
> > Permission flags: V2, SYSTEM
> >
> >Now, look at the permission in detail:
> >
> ># ipa permission-show --all --raw manage-my-hostgroup
> > dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> > cn: manage-my-hostgroup
> > ipapermright: all
> > ipapermbindruletype: permission
> > ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > ipapermtargetfilter: (objectclass=ipahost)
> > ipapermissiontype: V2
> > ipapermissiontype: SYSTEM
> > aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
> > objectclass: ipapermission
> > objectclass: top
> > objectclass: groupofnames
> > objectclass: ipapermissionv2
> >
> >As you can see, it applies to hosts: cn=computers,cn=accounts,$SUFFIX
> >subtree, and target filter is set to (objectclass=ipahost). So it would
> >apply to any host. To further limit the permission, you have to add more
> >target filters. But to do so, you need to know DN of the hostgroup that
> >will be our target limit:
> >
> ># ipa hostgroup-show --raw --all myhostgroup
> > dn: cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
> > cn: myhostgroup
> > ipaUniqueID: 6d8c72f2-6e6d-11e6-b9e4-525400bf08fe
> > mepManagedEntry: cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test
> > objectClass: ipahostgroup
> > objectClass: ipaobject
> > objectClass: nestedGroup
> > objectClass: groupOfNames
> > objectClass: top
> > objectClass: mepOriginEntry
> >
> >Now, using DN of the myhostgroup, you can add a filter to the
> >permission:
> >
> ># ipa permission-mod manage-my-hostgroup --filter '(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)'
> Sorry, a typo here^^ I copied wrong DN, it should be
> cn=myhostgroup,cn=hostgroups,cn=accounts,dc=ipa,dc=ad,dc=test
> 
> not the managed entry DN.
> 
> >-----------------------------------------
> >Modified permission "manage-my-hostgroup"
> >-----------------------------------------
> > Permission name: manage-my-hostgroup
> > Granted rights: all
> > Bind rule type: permission
> > Subtree: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > Extra target filter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
> > Type: host
> > Permission flags: V2, SYSTEM
> >
> >Check all details of the permission to see that ACI was actually
> >modified to include the filter:
> >
> ># ipa permission-show --all --raw manage-my-hostgroup
> > dn: cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test
> > cn: manage-my-hostgroup
> > ipapermright: all
> > ipapermbindruletype: permission
> > ipapermlocation: cn=computers,cn=accounts,dc=ipa,dc=ad,dc=test
> > ipapermtargetfilter: (objectclass=ipahost)
> > ipapermtargetfilter: (memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)
> > ipapermissiontype: V2
> > ipapermissiontype: SYSTEM
> > aci: (targetfilter = "(&(memberOf=cn=myhostgroup,cn=ng,cn=alt,dc=ipa,dc=ad,dc=test)(objectclass=ipahost))")(version 3.0;acl "permission:manage-my-hostgroup";allow (all) groupdn = "ldap:///cn=manage-my-hostgroup,cn=permissions,cn=pbac,dc=ipa,dc=ad,dc=test";)
> > objectclass: ipapermission
> > objectclass: top
> > objectclass: groupofnames
> > objectclass: ipapermissionv2
> >
> >
> >Our ACI says: "Allow any changes to be done in all objects of
> >objectclass ipahost that belong to a host group 'myhostgroup' to members
> >of the permission group 'manage-my-hostgroup'"
> >
> >Now you can add the 'manage-my-hostgroup' permission to a new privilege
> >and a role, and then assign users to that role. Those users will be able
> >to manage hosts targeted by the permission.
> >
> >-- 
> >/ Alexander Bokovoy
> >
> >-- 
> >Manage your subscription for the Freeipa-users mailing list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> >Go to http://freeipa.org for more info on the project
> 
> -- 
> / Alexander Bokovoy
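A worked illustration of how the subtree and target filters of Alexander's permission decide which entries an operation may touch, added here as an example (not code from the thread or from FreeIPA; the host and hostgroup entries are constructed under the dc=ipa,dc=ad,dc=test suffix used above). It shows that the memberOf filter must carry the hostgroup's real DN rather than the mepManagedEntry DN, and that a host-scoped permission never covers writing `member` on the hostgroup entry, which is the attribute named in the "Insufficient access" error.

```python
# Added example (not code from the thread or from FreeIPA): a toy evaluator for the subtree +
# target-filter model behind FreeIPA V2 permissions. Entries are constructed under dc=ipa,dc=ad,dc=test.
def match_filter(flt, entry):
    """Evaluate a small LDAP filter subset: (a=v), (&..), (|..), (!..); case-insensitive."""
    body = flt.strip()[1:-1]
    if body and body[0] in "&|!":
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                start = i if depth == 0 else start
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    subs.append(body[start:i + 1])
        res = [match_filter(s, entry) for s in subs]
        return all(res) if body[0] == "&" else any(res) if body[0] == "|" else not res[0]
    attr, _, value = body.partition("=")
    return value.strip().lower() in [v.lower() for v in entry.get(attr.strip().lower(), [])]

def permission_allows(perm, target_dn, target_entry, right, attr):
    """True if perm grants right on attr of the entry at target_dn: the entry must lie in the
    permission's subtree, satisfy every target filter, and the attribute and right must be granted."""
    if not target_dn.lower().endswith(perm["subtree"].lower()):
        return False
    if not all(match_filter(f, target_entry) for f in perm["filters"]):
        return False
    if "all" not in perm["rights"] and right not in perm["rights"]:
        return False
    return perm["attrs"] is None or attr.lower() in perm["attrs"]

SUFFIX = "dc=ipa,dc=ad,dc=test"
HOSTGROUP_DN = f"cn=myhostgroup,cn=hostgroups,cn=accounts,{SUFFIX}"
MANAGED_DN = f"cn=myhostgroup,cn=ng,cn=alt,{SUFFIX}"  # mepManagedEntry DN, not the hostgroup
HOST_DN = f"fqdn=web1.ipa.ad.test,cn=computers,cn=accounts,{SUFFIX}"  # constructed member host
HOST = {"objectclass": ["ipahost", "top"], "fqdn": ["web1.ipa.ad.test"], "memberof": [HOSTGROUP_DN]}
HOSTGROUP = {"objectclass": ["ipahostgroup", "groupofnames", "top"], "member": [HOST_DN]}

def manage_my_hostgroup(group_dn):
    """The thread's manage-my-hostgroup permission, with the memberOf DN as a parameter."""
    return {"subtree": f"cn=computers,cn=accounts,{SUFFIX}", "rights": {"all"}, "attrs": None,
            "filters": ["(objectclass=ipahost)", f"(memberOf={group_dn})"]}

# Correct hostgroup DN: the member host is covered. -> True
CORRECT = permission_allows(manage_my_hostgroup(HOSTGROUP_DN), HOST_DN, HOST, "write", "description")
# The managed-entry DN from the first reply: no host carries that memberOf value. -> False
TYPO = permission_allows(manage_my_hostgroup(MANAGED_DN), HOST_DN, HOST, "write", "description")
# Adding a host to the group writes 'member' on the hostgroup entry, outside cn=computers. -> False
GROUP_EDIT = permission_allows(manage_my_hostgroup(HOSTGROUP_DN), HOSTGROUP_DN, HOSTGROUP, "write", "member")
```

Granting hostgroup membership changes therefore needs a second permission targeting the hostgroup entry itself (write on `member` in cn=hostgroups), such as the original testhostgroup-modify one, alongside the host-scoped permission.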