[Freeipa-devel] freeIPA v2: Access control for things not stored in LDAP

Simo Sorce ssorce at redhat.com
Mon Nov 17 19:05:02 UTC 2008


On Mon, 2008-11-17 at 11:42 -0700, Jason Gerard DeRose wrote:
> 
> As I don't myself understand ACI's that well yet, my thought was to do
> it using groups, something like this:
> 
> Each command plugin has an optional "requires_group" attribute. If this
> attribute is None (the default in the base class), it means that the
> command can be executed by any authenticated user. Otherwise the
> attribute is a group name... if the user is a member of this group, they
> are allowed to execute the command.
> 
> So when a command request comes in over XML-RPC, we do the LDAP bind,
> locate the command and check the command's "requires_group" attribute.
> If "requires_group" is a <type "str"> and the user is not a member of
> this group, we return a 403 Forbidden error.

IIRC we already have some ACI parser code available in python, so I
would rather have an "ACI" attribute and put an ACI in there.

To make things simpler to manage in v2, without having to implement the
full meaning of an ACI, we might then restrict the accepted syntax for
this version to the rule "read" and to the targets being either a
groupdn="ldap:///cn=foobar,cn=..." or "userdn = ldap:///anyone".

We can later on add a more comprehensive management of the ACI,
including multiple rules, etc... once we have more time, but that will
allow us to keep the format unchanged and backward compatible.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
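The following is an added illustration, not code from FreeIPA or from either poster, of what the restricted ACI subset Simo describes could look like as a per-command check: a plugin carries one ACI-style string that is parsed once at registration, only `allow (read)` with a single `groupdn = "ldap:///<dn>"` or `userdn = "ldap:///anyone"` bind rule is accepted, and anything outside that subset is rejected up front rather than being silently treated as "allow". The syntax shape, the function names, the simplified DN normalization and the sample group DNs are assumptions made for the example.

```python
"""Hypothetical evaluator for a restricted, single-rule ACI subset.

Assumptions (not FreeIPA's own format or API):
  - one rule per command:  allow (read) groupdn = "ldap:///<group dn>"
                       or  allow (read) userdn  = "ldap:///anyone"
  - a command with no ACI attribute is open to any authenticated user
  - group membership is supplied by the caller as a set of group DNs
    (in a real deployment it would come from the LDAP bind/lookup)
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Anchored pattern: exactly the "read" right and exactly one bind rule.
# "deny", extra rights such as "(read,write)", or a second rule do not match.
_ACI_RE = re.compile(
    r'^\s*allow\s*\(\s*read\s*\)\s*'
    r'(?P<kind>groupdn|userdn)\s*=\s*"ldap:///(?P<target>[^"]+)"\s*;?\s*$',
    re.IGNORECASE,
)


class ACISyntaxError(ValueError):
    """Raised for any ACI outside the supported subset (fail closed)."""


@dataclass(frozen=True)
class CommandACI:
    kind: str               # "groupdn" or "userdn"
    target: Optional[str]   # normalized group DN, or None for "anyone"


def normalize_dn(dn: str) -> str:
    # Simplified DN normalization (assumption): lower-case everything and
    # drop whitespace around the RDN separators, so "CN=Admins, CN=groups"
    # and "cn=admins,cn=groups" compare equal.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(text: str) -> CommandACI:
    """Parse one ACI string; reject anything the subset does not cover."""
    m = _ACI_RE.match(text)
    if not m:
        raise ACISyntaxError(f"unsupported ACI: {text!r}")
    kind = m.group("kind").lower()
    target = m.group("target")
    if kind == "userdn":
        if target.strip().lower() != "anyone":
            raise ACISyntaxError('userdn must be "ldap:///anyone" in this subset')
        return CommandACI("userdn", None)
    return CommandACI("groupdn", normalize_dn(target))


def is_accepted_aci(text: str) -> bool:
    """True if the string parses under the subset, False otherwise."""
    try:
        parse_aci(text)
        return True
    except ACISyntaxError:
        return False


# Registry: command name -> parsed ACI (None means "any authenticated user").
COMMANDS: Dict[str, Optional[CommandACI]] = {}


def register_command(name: str, aci_text: Optional[str] = None) -> None:
    """Parse at registration time so a bad rule fails plugin load, not a request."""
    COMMANDS[name] = parse_aci(aci_text) if aci_text is not None else None


def is_permitted(aci: Optional[CommandACI], caller_groups: FrozenSet[str]) -> bool:
    if aci is None or aci.kind == "userdn":
        return True
    return aci.target in {normalize_dn(g) for g in caller_groups}


def authorize(command: str, caller_groups: Iterable[str]) -> int:
    """Outcome for an already-authenticated caller: 200 if allowed, else 403."""
    aci = COMMANDS[command]   # KeyError for an unregistered command
    return 200 if is_permitted(aci, frozenset(caller_groups)) else 403


# Constructed sample registrations (DNs are illustrative, not a real tree).
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
register_command("user_add", f'allow (read) groupdn = "ldap:///{ADMINS_DN}"')
register_command("user_find", 'allow (read) userdn = "ldap:///anyone"')
register_command("user_show")   # no ACI attribute at all

if __name__ == "__main__":
    print("admin user_add:", authorize("user_add", [ADMINS_DN]))   # 200
    print("plain user_add:", authorize("user_add", []))            # 403
    print("plain user_find:", authorize("user_find", []))          # 200
    print("multi-right rule accepted?",
          is_accepted_aci('allow (read,write) groupdn = "ldap:///%s"' % ADMINS_DN))  # False
```

The important design choice is that parsing happens when the plugin registers and that an unrecognised string raises rather than degrading to "allowed": a later, richer ACI grammar can then be introduced by widening the parser without changing the stored attribute format, which is the backward-compatibility point Simo makes above.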