[Freeipa-devel] Who can make the CA requests
Dmitri Pal
dpal at redhat.com
Mon Dec 1 23:50:32 UTC 2008
Hi,
We are building the integration of the CA into the IPA. The CA will be
silently installed together with IPA. The CA will have access to the
IPAs DS and will use it as its own back end storage.
The interaction with CA will be done via RA (Registration Authority).
The RA will have a secure connection to CA. There are several operations
that can be performed against CA. Among them :
a) Request a new certificate
b) Renew a certificate
c) Revoke certificate
d) Check the status of the request
(may be others, Andrew please confirm)
The CA will perform the whatever action the RA has requested in v2.
There is no CA management interface planned. Also there is no plan for
approval process in v2. If the request made through the RA to CA it will
be trusted and executed. These limitations create a requirement to
validate user permissions before passing a request to RA in the XML-RPC
back end. Since there would be no other way to call the RA and thus get
access to CA, implementing access control enforcement point in the
XML-RPC back end management plugin will be sufficient.
The XML-RPC management plugin would have to check if the current user
who runs the session is authorized to access RA and make calls to CA.
There are different ways we can implement this access control
enforcement check:
a) We can define a special group that can perform certificate operations
and hard code it in the management plugin. The management plugin will
just check if the user is a member of the group and if he is it will
proxy the request to RA and thus to CA. This approach is inflexible and
not granular. Though it is simple it might not be acceptable for v2.
b) The approach can be improved by creating an entry in the cn=config
area that would contain the name of the group instead of hard coding the
name of the group in the plugin. We can add more granularity by having
an attribute per operation thus allowing grunting different right to
different groups of people. This approach is generally better but still
does not match the overall ACI based access control morel used in IPA.
c) The ACI based approach can also be implemented in different ways. For
example we can say that the operations mentioned above map in the
following way to the DS permission on a attribute:
* Request a new certificate - add an attribute
* Renew a certificate - update an attribute
* Revoke certificate - delete an attribute
* Check the status of the request - read an attribute
Using this approach we can define ACIs for example for the
userCertificate attribute. When the user tries to ask for a new cert
the managment plugin will get the rights regarding userCertificate
attribute. If current user is allowed to add userCertificate attribute
he will be allowed to request a new certificate via RA. If he is allowed
to edit the userCertificate attribute the user will be allowed renew the
cert and so on. Such approach will work for a special CA case but it is
not generic.
d) If we want to make the solution more generic and be able to handle
other cases in a plaggable way we would need create a mapping between
entry points advertised in the XML-RPC frame work and some attributes.
In most cases we do not need this since the XML-RPC call will deal with
the DS entry and its rights will dictate what a user can do. But in the
case of where there is no actual direct DS modification happening we
would need a mapping. We can create a configuration object with a multi
valued attribute. This attribute will contain a triplet:
entrypoint name; attribute; right
The XML-RPC framework will read this configuration entry at the
initialization moment and create an internal lookup table. For each XML
RPC entry it will do a lookup in this table before executing the entry.
If there is no mapping then the entry will be executed. If the entry is
mapped to some attribute and the right the framework will check (using
Get Effective Rights feature of DS) if the user has a specified right
against the specified attribute. If the user has the right, the entry
point will be invoked, if not then the exception will be risen and the
event will be logged.
This approach is generic and if implemented once inside the framework
itself, there is no need to implement something like this for any other
use case. It would be enough to just add an attribute with the mapping
to the configuration entry. This will make the IPA management framework
be attractive for additional extensions.
Well the generic approach is most always more work. But it does not seem
to be in this case and Jason most likely already thought about this issue.
Does everybody agree that the d) approach is the way to go?
Is userCertificate attribute the right attribute to map the access
control decision to when we need to do a cert operation? May be it would
be better to define a new attribute per operation and map the
operations to those "virtual" attributes (and object class) rather than
real attributes that can be defined in an entry. This way we would be
able to accomplish maximum granularity.
Any comments or suggestions are welcome!
Thank you,
Dmitri
More information about the Freeipa-devel
mailing list