[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] Proposal about ACI management in IPA v2

Dmitri Pal wrote:
Simo Sorce wrote:
On Sun, 10 Oct 2010 23:27:33 -0400
Dmitri Pal<dpal redhat com>  wrote:

Actually the whole thing was inspired by the ACI UI from the LDAP book
that is based on Netscape DS.
Rob you say "What it lacks is a way to *output* an aci so it can be
easily represented in a UI or on the command line. That is where our
focus should be." But I do not understand what the problem is. You
either have to display a raw ACI or some abstraction. But how you map
the abstraction that you need to show to the raw ACI you have in the
system? I was trying to solve exactly this problem. And I really do
not see a way to do it differently. Do you?

The strongest objection is against creating a new LDAP object to hold a
duplicate of the ACIs. And I fully agree with the objection we do not
need duplicates in the Directory.

I do not see it as duplicate. It is a helper. And it is a loose coupling
so there is really not harm for parts to get out of sync. But this all
does not matter if this is not the problem we are trying to solve.

It is, by definition, duplicate. You're storing exactly the same data in two places in different formats.

Simo you are talking about hash tables or sets of hash tables to
represent what?
The following rule does not decompose well to the set of hash tables:

(targetattr = "streetAddress || postalCode || c || l ||
st")(targetfilter =
3.0;acl "Secretaries can write engineering addresses";allow (write)
groupdn =

It is really a:
1) Set of attributes (can be hash table, but rather just a list)
2) Filter - a string but I am not sure one can formalize it
3) Name - a string
4) Right
5) Bind DN - a string that is similar to a filter

As I said, this is already done. Internally I represent ACIs as:

name: string
action: string (one of an enumeration)
permssions: list
target: hash table
bindrule: hash table

A bindrule is a hash of: keyword, operator, expression, e.g. groupdn != ldap:///cn=admins,...

Targets are similar, with an operator and an expression, e.g. targetattr != "foo || bar". The targets supported are targetfilter, targetattr and target (e.g. a subtree).

My parser probably doesn't support every possible kind of ACI but it does support those that are allowed in the aci plugin.

It seems that the biggest problem is: with filter and Bind DN. Those
correspond to an object in the system. We can replace the "groupdn =
"ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com"; with
more readable group=secretaries or user=someone or host=mycomputer etc.
Is this the abstraction that we are looking for? It is harder with the
target filter to do the similar simplification.
Can we a simplify it to things like?:
a) A member of a group
b) An object of the class
c) Its attribute has a specific value
If we can parse it out to one of these three (or may be some other case
that I missed) we can replace it with a much more readable representation.
For example:
a) A member of a group will translate into: "a member of group
secretary", similarly with other groups "a member of hostgroup
lab-machines" etc
b) An object of the class will translate into: "a user" or "a group" or
"a host group"
c) Its attribute has a specific value "user.cn is 'blah' " or "host.fqdn
is 'host123' "

Please take a look at the existing aci plugin. Most of this is already covered. Remember that ideally acis will grant access to taskgroups and not direct objects, so make them more generic. Granting access to hostgroups isn't supported right now. In fact, there is no way to grant access to hosts or hostgroups right now, just users and groups.

If the problem here is how we do this via the UI then as I said, I need to enhance the output of the aci plugin to provide the data in a format that the UI can handle.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]