[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 17:35:42 UTC 2016


On Tue, 30 Aug 2016, Deepak Dimri wrote:
>Ok, I got it now. Let me try this with role + privilege having three sets
>of permissions: 1) memberOf hostgroup to manage the permissions to the
>hosts, 2) permission on cn=hostgroup to manage the hosts' membership
>within the given group, 3) permission for the "member attribute" to allow
>add/deletion of hosts' membership based on the "member attribute"
>value. I need to go through the link you shared; in the meanwhile, a quick
>question: can I add a custom attribute, something like an AWS EC2 resource
>tag, as the member attribute of a host? I am just wondering what
>all/else could be a member attribute other than the AWS EC2 instance
>name...
Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).


>
>Best Regards,Deepak
>> Date: Tue, 30 Aug 2016 18:36:21 +0300
>> From: abokovoy at redhat.com
>> To: deepak_dimri at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Permission not working as expected
>>
>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>> >Hi Alexander,
>> >
>> >Since I do not want myadmin1 to be able to add or remove the host from
>> >other xyzhostgroups into myhostgroup membership, is it possible that
>> >myadmin1 only sees objects I specifically gave him permissions to, and
>> >not any other hosts outside of myhostgroup? That way he cannot add the
>> >host he is not supposed to manage within myhostgroup.
>> OK, now I get it. The easiest way to solve this problem, no surprise, is
>> organizational: do not give host group admins rights to include hosts in
>> the hostgroup or delete them; only allow them to manage what's in the
>> host group.
>>
>> You then need to create a separate permission for 'add'/'del' rights
>> against the 'member' attribute that would allow including/removing hosts.
>> That's easy, but it would not allow you to limit *what* hosts could be
>> added to/removed from the host group.
>>
>> Unfortunately, to make that possible, permission-add/permission-mod
>> would have to be extended to allow specifying the target attribute's values, as
>> described in the RHDS Administration Guide:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
>>
>> Even then, to define something like this, you need to have specific
>> naming of hosts to be able to specify a pattern as a 'member' attribute
>> value. Not sure how this is going to work for you in AWS, though, so
>> this is why I'm saying it is an organizational issue, not really a
>> technical one.
>>
>>
>>
>> >Thanks for your great support!
>> >regards,Deepak
>> >
>> >From: deepak_dimri at hotmail.com
>> >To: abokovoy at redhat.com
>> >CC: freeipa-users at redhat.com
>> >Subject: RE: [Freeipa-users] Permission not working as expected
>> >Date: Tue, 30 Aug 2016 09:54:38 -0400
>> >
>> >
>> >
>> >
>> >Let me try to summarize it!
>> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the xyzhostgroup, which means he should be able to delete/add/modify the hosts under xyzhostgroup. This is what I currently have in the role: myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group where I have added the hosts) --> my-hostgroup-privilege --> my-hostgroup-permission
>> >The problem is that the moment I add memberOf=cn=.... in the target filter, then myadmin1 cannot add/delete the hosts within myhostgroup or any other hosts in other hostgroups. However, if I assign the role permission with subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as (&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added, then myadmin1 gets the expected access to manage the hosts within myhostgroup, but then he also gets access to delete and manage other hosts outside of myhostgroup, which I don't want!
>> >
>> >Thanks & Regards,Deepak
>> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
>> >> From: abokovoy at redhat.com
>> >> To: deepak_dimri at hotmail.com
>> >> CC: freeipa-users at redhat.com
>> >> Subject: Re: [Freeipa-users] Permission not working as expected
>> >>
>> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>> >> >Hi Alexander,
>> >> >I did try adding the "member" effective attribute in the GUI and also from
>> >> >the command prompt, but the error is not going away when I try to delete
>> >> >the host from my taphostgroup. For me it only works if I have
>> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
>> >> >I am allowed access to all the hosts in all the hostgroups :( I am
>> >> >kinda stuck with this issue. Would be great if you can suggest any
>> >> >further headway!
>> >> Isn't this what you wanted: a user has the ability to manage all hosts in
>> >> the host group but not other hosts?
>> >>
>> >> --
>> >> / Alexander Bokovoy
>>
>> --
>> / Alexander Bokovoy



-- 
/ Alexander Bokovoy
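The "organizational" split Alexander describes above (a permission over the hosts that are members of the group, and a separate permission over the group's own 'member' attribute, wired into a privilege and a role) can be scripted with the ipa client. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes FreeIPA 4.x option names for permission-add (--type, --filter, --right, --attrs) and the standard cn=hostgroups,cn=accounts container; BASEDN, HOSTGROUP and ADMIN_USER are placeholders. The membership permission is created but left out of the privilege unless WITH_MEMBERSHIP=yes, because, as the thread explains, an ACI on 'member' cannot restrict which host DNs get added. When no ipa binary is on PATH the script only prints the commands, so the resulting ACIs can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): build a
# host group admin role from two separately reviewable permissions.
# All names are assumed placeholders; adjust BASEDN/HOSTGROUP/ADMIN_USER.
set -eu

BASEDN="${BASEDN:-dc=example,dc=com}"      # assumed directory suffix
HOSTGROUP="${HOSTGROUP:-myhostgroup}"       # host group name from the thread
ADMIN_USER="${ADMIN_USER:-myadmin1}"        # delegated admin from the thread

# Dry-run when the ipa client is not installed: print the commands instead.
if command -v ipa >/dev/null 2>&1; then IPA=ipa; else IPA=echo; fi

# DN of the host group entry in the default FreeIPA layout.
hostgroup_dn() {
    printf 'cn=%s,cn=hostgroups,cn=accounts,%s\n' "$HOSTGROUP" "$BASEDN"
}

# Permission 1: 'write' on a few host attributes, limited by a memberOf
# target filter to hosts that are members of the group. No 'add' or
# 'delete' right, so the admin can neither enrol nor remove host entries.
add_host_attr_permission() {
    "$IPA" permission-add "Manage hosts in $HOSTGROUP" \
        --type=host \
        --filter="(memberOf=$(hostgroup_dn))" \
        --right=write \
        --attrs=description --attrs=userclass \
        --attrs=nshardwareplatform --attrs=nsosversion
}

# Permission 2: 'write' on the 'member' attribute of this one host group.
# This grants adding/removing ANY host DN as a member; the ACI cannot
# filter the attribute values, which is the limitation the thread discusses.
add_membership_permission() {
    "$IPA" permission-add "Manage $HOSTGROUP membership" \
        --type=hostgroup \
        --filter="(cn=$HOSTGROUP)" \
        --right=write \
        --attrs=member
}

# Privilege -> role -> user. The membership permission is only attached
# when the first argument is "yes".
build_role() {
    with_membership="${1:-no}"
    privilege="$HOSTGROUP administration"
    role="$HOSTGROUP-admin"
    "$IPA" privilege-add "$privilege"
    "$IPA" privilege-add-permission "$privilege" \
        --permissions="Manage hosts in $HOSTGROUP"
    if [ "$with_membership" = "yes" ]; then
        "$IPA" privilege-add-permission "$privilege" \
            --permissions="Manage $HOSTGROUP membership"
    fi
    "$IPA" role-add "$role"
    "$IPA" role-add-privilege "$role" --privileges="$privilege"
    "$IPA" role-add-member "$role" --users="$ADMIN_USER"
}

add_host_attr_permission
add_membership_permission
build_role "${WITH_MEMBERSHIP:-no}"
```

After applying it, `ipa permission-show "Manage hosts in myhostgroup" --all --raw` shows the generated ACI; the memberOf target filter and the absence of add/delete rights are the two things to verify before handing the role to a user.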