[Freeipa-users] Permission not working as expected

Rob Crittenden rcritten at redhat.com
Tue Aug 30 17:47:14 UTC 2016


Alexander Bokovoy wrote:
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>> Ok, I got it now. Let me try this with role + privilege having three sets
>> of permissions: 1) memberOf hostgroup to manage the permissions to the
>> hosts, 2) permission on cn=hostgroup to manage the hosts' membership
>> within the given group, 3) permission for "member attribute" to allow
>> addition/deletion of hosts' membership based on the "member attribute"
>> value. I need to go through the link you shared; in the meanwhile a quick
>> question: can I add a custom attribute, something like an AWS EC2 resource
>> tag, as the member attribute of a host? I am just wondering what
>> all/else could be a member attribute other than AWS EC2 instance
>> name...
> Each ipaHost object has userClass attribute. The semantics are described
> in RFC 4524, section 2.25. We don't use it for anything ourselves, it
> has a DirectoryString type (UTF-8-encoded string).

userClass is used for auto membership.

rob

>
>
>>
>> Best Regards, Deepak
>>> Date: Tue, 30 Aug 2016 18:36:21 +0300
>>> From: abokovoy at redhat.com
>>> To: deepak_dimri at hotmail.com
>>> CC: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Permission not working as expected
>>>
>>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>> >Hi Alexander,
>>> >
>>> >Since I do not want myadmin1 to be able to add or remove the host from
>>> >other xyzhostgroups into myhostgroup membership, is it possible that
>>> >myadmin1 only sees objects I have specifically given the permissions to and
>>> >not any other hosts outside of myhostgroup? That way he cannot add the
>>> >host he is not supposed to manage within myhostgroup.
>>> OK, now I get it. The easiest way to solve this problem, no surprise, is
>>> organizational: do not give the host group admin rights to include hosts in
>>> the hostgroup or delete them; only allow them to manage what's in the
>>> host group.
>>>
>>> You then need to create a separate permission for 'add'/'del' rights
>>> against the 'member' attribute that would allow including/removing hosts.
>>> That's easy, but it would not allow you to limit *what* hosts could be
>>> added/removed from the host group.
>>>
>>> Unfortunately, to make that possible, permission-add/permission-mod
>>> should be extended to allow specifying target attribute values as
>>> described in the RHDS Administration Guide:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
>>>
>>>
>>> Even then, to define something like this, you need to have specific
>>> naming of hosts to be able to specify a pattern as a 'member' attribute
>>> value. Not sure how this is going to work for you in AWS, though, so
>>> this is why I'm saying it is an organizational issue, not really a
>>> technical one.
>>>
>>>
>>>
>>> >Thanks for your great support!
>>> >Regards, Deepak
>>> >
>>> >From: deepak_dimri at hotmail.com
>>> >To: abokovoy at redhat.com
>>> >CC: freeipa-users at redhat.com
>>> >Subject: RE: [Freeipa-users] Permission not working as expected
>>> >Date: Tue, 30 Aug 2016 09:54:38 -0400
>>> >
>>> >
>>> >
>>> >
>>> >Let me try to summarize it!
>>> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within
>>> >the xyzhostgroup - which means he should be able to delete/add/modify
>>> >the hosts under xyzhostgroup. This is what I currently have in the
>>> >role: myhostgroup-role (role) --> myadmin1 (admin user) -->
>>> >myhostgroup (host group where I have added the hosts) -->
>>> >my-hostgroup-privilege --> my-hostgroup-permission
>>> >The problem is that the moment I add memberOf=cn=.... in the target
>>> >filter then myadmin1 cannot add/delete the hosts within myhostgroup
>>> >and any other hosts in other hostgroups. However, if I assign the role
>>> >permission with
>>> >subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as
>>> >(&(cn=myhostgroup)(objectclass=ipahostgroup)) and member attribute
>>> >added, then myadmin1 gets the expected access to manage the hosts
>>> >within myhostgroup but then he also gets access to delete and manage
>>> >other hosts outside of myhostgroup which I don't want!
>>> >
>>> >Thanks & Regards, Deepak
>>> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
>>> >> From: abokovoy at redhat.com
>>> >> To: deepak_dimri at hotmail.com
>>> >> CC: freeipa-users at redhat.com
>>> >> Subject: Re: [Freeipa-users] Permission not working as expected
>>> >>
>>> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>> >> >Hi Alexander,
>>> >> >I did try adding the "member" effective attribute in the GUI and also
>>> >> >from the command prompt, but the error is not going away when I try
>>> >> >to delete the host from my taphostgroup. For me it only works if I have
>>> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
>>> >> >I am allowed access to all the hosts in all the hostgroups :( I am
>>> >> >kinda stuck with this issue. Would be great if you can suggest any
>>> >> >further headway!
>>> >> Isn't this what you wanted: a user has the ability to manage all
>>> >> hosts in the host group but not other hosts?
>>> >>
>>> >> --
>>> >> / Alexander Bokovoy
>>> >
>>>
>>> --
>>> / Alexander Bokovoy
>>
>
>
>
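The behaviour the thread circles around (a memberOf-scoped permission reaches the host entries but cannot touch group membership; a permission on the group entry's member attribute can change membership but says nothing about which host DNs may be added; only a value-level filter as in the linked RHDS guide narrows that) can be reproduced with a small model. The following is an added example, not code from this thread, from FreeIPA or from 389-DS: the suffix dc=example,dc=test, the host and group names, and the permission names are all assumptions, the directory is constructed sample data, and the glob-style value_pattern is a deliberately simplified stand-in for the attribute-value filter mechanism Alexander links to.

```python
"""Added example (not FreeIPA or 389-DS code): a toy model of how a
permission's LDAP target filter decides which entries it reaches.  The
directory is constructed sample data under an assumed suffix; `value_pattern`
is a glob stand-in for the attribute-value filters in the linked RHDS guide."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

BASE = "dc=example,dc=test"  # assumed suffix
HOSTS = "cn=computers,cn=accounts," + BASE
GROUPS = "cn=hostgroups,cn=accounts," + BASE
MYGROUP, XYZGROUP = "cn=myhostgroup," + GROUPS, "cn=xyzhostgroup," + GROUPS
WEB1 = "fqdn=web1.prod.example.test," + HOSTS
DB1 = "fqdn=db1.lab.example.test," + HOSTS

# Constructed directory: lower-cased attribute names, list-valued attributes.
DIRECTORY = {
    MYGROUP: {"objectclass": ["ipahostgroup"], "cn": ["myhostgroup"], "member": [WEB1]},
    XYZGROUP: {"objectclass": ["ipahostgroup"], "cn": ["xyzhostgroup"], "member": [DB1]},
    WEB1: {"objectclass": ["ipahost"], "memberof": [MYGROUP], "userclass": ["web"]},
    DB1: {"objectclass": ["ipahost"], "memberof": [XYZGROUP], "userclass": ["db"]},
}


def parse_filter(text):
    """Parse the filter subset used in the thread: equality items plus &/|
    conjunctions, e.g. (&(cn=x)(objectclass=y)) -> ('&', [('=', 'cn', 'x'), ...])."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    inner = text[1:-1]
    if inner[:1] in ("&", "|"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(inner[1:], 1):   # split top-level sub-filters
            if ch == "(":
                start = i if depth == 0 else start
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(inner[start:i + 1]))
        if depth or not parts:
            raise ValueError("unbalanced filter: %r" % text)
        return (inner[0], parts)
    attr, sep, value = inner.partition("=")
    if not sep:
        raise ValueError("only equality items are supported: %r" % text)
    return ("=", attr.strip().lower(), value.strip())


def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(child, entry) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


@dataclass(frozen=True)
class Permission:
    name: str
    filter: str                 # target filter, like `ipa permission-add --filter`
    attrs: tuple                # attributes covered
    rights: tuple               # e.g. ("write",)
    value_pattern: str = None   # optional glob the attribute *value* must match


def permits(perms, dn, attr, right, value=None):
    """True if some permission grants `right` on `attr` of entry `dn`; `value`
    is the attribute value being added/removed (a member DN here) and is only
    inspected by a permission that carries a value_pattern."""
    entry = DIRECTORY[dn]
    for p in perms:
        if right in p.rights and attr in p.attrs and matches(parse_filter(p.filter), entry):
            if value is None or not p.value_pattern or fnmatchcase(value, p.value_pattern):
                return True
    return False


# 1) hosts scoped by memberOf; 2) the group entry's member attribute (Deepak's
# second variant); 3) the same with a value-level pattern only prod hosts satisfy.
MEMBEROF_PERM = Permission("manage-myhostgroup-hosts", "(memberof=%s)" % MYGROUP,
                           ("userclass",), ("write",))
GROUP_MEMBER_PERM = Permission("edit-myhostgroup-members",
                               "(&(cn=myhostgroup)(objectclass=ipahostgroup))",
                               ("member",), ("write",))
SCOPED_MEMBER_PERM = Permission("edit-myhostgroup-members-prod-only",
                                GROUP_MEMBER_PERM.filter, ("member",), ("write",),
                                value_pattern="fqdn=*.prod.example.test,*")


def scenario(perms):
    """What myadmin1 could do with the given permission set."""
    return {
        "edit_web1": permits(perms, WEB1, "userclass", "write"),
        "edit_db1": permits(perms, DB1, "userclass", "write"),
        "add_web1_to_mygroup": permits(perms, MYGROUP, "member", "write", WEB1),
        "add_db1_to_mygroup": permits(perms, MYGROUP, "member", "write", DB1),
        "add_db1_to_xyzgroup": permits(perms, XYZGROUP, "member", "write", DB1),
    }
```

Running scenario([MEMBEROF_PERM]) shows the first symptom Deepak reports: the admin can edit web1 but not db1, and cannot add or remove anything from the group, because the group entry has no memberOf value and the permission never covers the member attribute. Adding GROUP_MEMBER_PERM gives the second symptom: membership of myhostgroup becomes writable, but the filter only tests the group entry, so db1 (a host from another group) can be added just as freely as web1. Only SCOPED_MEMBER_PERM, which also checks the value being written, rejects db1 while still allowing web1, and that check only works because the host names follow a pattern, which is Alexander's point about needing specific host naming.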