[Freeipa-devel] freeIPA v2: Access control for things not stored in LDAP

Simo Sorce ssorce at redhat.com
Tue Nov 18 13:26:48 UTC 2008


On Mon, 2008-11-17 at 17:18 -0500, Dmitri Pal wrote:
> Simo Sorce wrote:
> > On Mon, 2008-11-17 at 11:42 -0700, Jason Gerard DeRose wrote:
> >   
> >> As I don't myself understand ACI's that well yet, my thought was to do
> >> it using groups, something like this:
> >>
> >> Each command plugin has an optional "requires_group" attribute. If
> >> this
> >> attribute is None (the default in the base class), it means that the
> >> command can be executed by any authenticated user. Otherwise the
> >> attribute is a group name... if the user is a member of this group,
> >> they
> >> are allowed to execute the command.
> >>
> >> So when a command request comes in over XML-RPC, we do the LDAP bind,
> >> locate the command and check the command's "requires_group" attribute.
> >> If "requires_group" is a <type "str"> and the user is not a member of
> >> this group, we return a 403 Forbidden error.
> >>     
> >
> > IIRC we already have some ACI parser code available in python, so I
> > would rather have an "ACI" attribute and put an ACI in there.
> >
> >   
> I did not get a feeling from Rob that the ACI parser is 100% prime time
> ready. But maybe I am missing something.

For v2 we do not need full parsing, just enough to determine what dn is
referenced.

> > To make things simpler to manage in v2 without having to implement the
> > full meaning of an ACI we might then restrict the accepted syntax for
> > this version to the rule "read" and to the targets being either a
> > groupdn="ldap:///cn=foobar,cn=..." or "userdn = ldap:///anyone"
> >
> >   
> You lost me there. Can you explain it in more details?

The proposal would be to use a subset of ACI capabilities so that in
fact we just check some group membership for now (or check for
everybody), but we already use the right syntax so that going forward we
do not have to change ACI rules, but just improve the parsing and
validation code to support a full-fledged ACI.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
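One way to implement the restricted-subset check Simo describes (parse only far enough to find the referenced dn, then test group membership, returning the 403 from Jason's proposal otherwise), as an added Python example that is not code from this thread or from FreeIPA; the exact grammar accepted, the sample ACIs and the group DNs are assumptions.

```python
import re

# Constructed sample ACIs in the style a v2 command plugin might carry. Only
# "allow (read)" with one groupdn or userdn=anyone bind rule is in the subset.
ADMIN_ACI = ('(targetattr = "*")(version 3.0; acl "user-add"; allow (read) '
             'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)')
ANYONE_ACI = '(version 3.0; acl "user-find"; allow (read) userdn = "ldap:///anyone";)'
WRITE_ACI = '(version 3.0; acl "not-supported"; allow (write) userdn = "ldap:///all";)'

# Assumed grammar for the v2 subset: exactly one "read" right and exactly one
# bind rule; the $ anchor rejects trailing "and"/"or" clauses we cannot evaluate.
SUBSET_RE = re.compile(
    r'allow\s*\(\s*read\s*\)\s*'
    r'(?P<kind>groupdn|userdn)\s*=\s*"ldap:///(?P<target>[^"]+)"'
    r'\s*;?\s*\)?\s*$',
    re.IGNORECASE,
)

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around '=' and ',' so that
    membership comparison does not depend on how the DN was typed."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()

def parse_restricted_aci(aci):
    """Return ('anyone', None) or ('group', <normalized dn>).
    Raises ValueError for any ACI outside the subset (fail closed)."""
    m = SUBSET_RE.search(aci)
    if not m:
        raise ValueError("ACI outside the supported v2 subset: %r" % aci)
    kind, target = m.group("kind").lower(), m.group("target").strip()
    if kind == "userdn":
        if target.lower() != "anyone":
            raise ValueError("only userdn = ldap:///anyone is accepted")
        return ("anyone", None)
    return ("group", normalize_dn(target))

def check_command(aci, user_group_dns):
    """Decision for one XML-RPC call: 200 if the bound user may run the
    command, else 403. user_group_dns is the list of group DNs the user
    belongs to (e.g. taken from the memberOf attribute after the LDAP bind)."""
    try:
        kind, dn = parse_restricted_aci(aci)
    except ValueError:
        return 403  # an ACI we cannot evaluate must deny, not silently allow
    if kind == "anyone":
        return 200
    return 200 if dn in {normalize_dn(g) for g in user_group_dns} else 403
```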



