[Freeipa-devel] New ACIs for cn=etc
Petr Viktorin
pviktori at redhat.com
Wed Apr 16 13:00:27 UTC 2014
On 04/16/2014 02:55 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 13:31 +0200, Martin Kosek wrote:
>> On 04/16/2014 12:50 PM, Petr Viktorin wrote:
>>> On 04/14/2014 04:00 PM, Simo Sorce wrote:
>>>> On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
>>>>> When heading for a lunch today, I had a discussion with Petr3 about ACIs for
>>>>> cn=etc,SUFFIX. On our initial meeting back at DevConf.cz time, we said we will
>>>>> simply allow all attributes in cn=etc for authenticated users and will just
>>>>> exclude the blacklisted attributes (for context, see ticket #3566).
>>>>>
>>>>> I personally think it is not the best thing to do as it will just move the
>>>>> problem we had with all-allowing ACI one level down from SUFFIX to cn=etc. It
>>>>> would be better to add normal ACIs for cn=etc as well.
>>>>>
>>>>> I searched for nsContainer's in cn=etc and IMO the situation is not so bad, it
>>>>> seems straightforward what ACIs would be needed:
>>>>>
>>>>> ==========================================================================
>>>>> dn: cn=etc,SUFFIX
>>>>> - ADD aci allowing reading nsContainer for anonymous, EXCEPT:
>>>
>>> We can combine this with the general nsContainer read ACI. The problem is that
>>> we can only have one target-based exclusion rule.
>>
>> Right.
>>
>>>
>>>>> - cn=virtual operations,cn=etc,SUFFIX
>>>
>>> Could we use a special objectClass rather than nsContainer for these?
>>
>> We would need to invent one, like ipaVirtualOperation with one MUST attribute
>> "cn" and then apply it to all virtual operations and replace nsContainer. It
>> should not be a problem though as we do not provide API to handle the virtual
>> operations. There are very static.
>>
>> Simo, Rob, would you be OK with changing virtual operation objectclass to our
>> own one to have a better control over it?
>
> No, in general I am not ok to change objects that already exist in IPA
> as it make upgrades with new and old replicas break the old replicas.
>
> Also we can add new auxiliray classes but removing structural classes is
> not possible, you would have to delete and recreate the object, and that
> would be racy too.
I see.
How about adding a new objectClass in addition to nsContainer, and using
a negative targetfilter?
>>>>> - cn=masters,cn=ipa,cn=etc,SUFFIX
>>>
>>> This is the one I'd exclude with the target rule.
>>
>> Ok.
>>
>>>
>>>>> - cn=Managed Entries,cn=etc,SUFFIX
>>>
>>> Why exclude this one? Aren't the containers the same in all IPA installs?
>>
>> Hm, exclusion of this one is probably not needed. User would really only see
>> the containers for Definitions and Templates, not the real configuration (NGP/UGP).
>>
>>>>> dn: cn=sysaccounts,cn=etc,SUFFIX
>>>>> - ADD aci allowing reading all attributes but password attributes (people may
>>>>> add unstructured accounts following different objectclasses)
>>>
>>> I'd rather list the attributes and let people add custom attributes themselves.
>>
>> Makes sense. Right now, we have 2 types of objects here:
>>
>> 1) system users: simpleSecurityObject objectclass
>> 2) system groups: groupofnames objectclass
>>
>> We can make 2 ACIs, allowing those:
>>
>> - allow reading "uid, objectclass" of "simplesecurityobject" to authenticated users
>> - allow reading "cn, member, objectclass" of "groupofnames" to authenticated users
>
> Yeah we do not need fancy stuff, and we are planning (since forever ?)
> to give a command to create these entities, so eventually the format
> will be clear.
>
> Simo.
>
--
Petr³
More information about the Freeipa-devel
mailing list