[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes

JR Aquino wrote:
On May 20, 2011, at 8:32 AM, Rob Crittenden wrote:

JR Aquino wrote:
On May 10, 2011, at 8:14 PM, Adam Young wrote:

On 05/10/2011 11:07 PM, Adam Young wrote:
On 05/10/2011 04:38 PM, JR Aquino wrote:
On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:

JR Aquino wrote:

On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:

Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.

An Administrator should have the ability to quickly identify the rights a user will have in the system.

For example. With the patch added, my user show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal:

  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount

Freeipa-devel mailing list

Freeipa-devel redhat com
OPPS, forgot to have PATCH in the subject.

I think you need this as well, right?

-        'memberof': ['group', 'netgroup', 'role'],
+        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],

Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review

Freeipa-devel mailing list

Freeipa-devel redhat com

The reason that this shows up in the UI is that it is generating additional memberof attributes.  It has nothing to do with the memberofindirect:

You are also going to want need modify the sudo rule and HBAC rule to use the serial associator on some facets.  It looks like group at least has things backwards.  The group.js file I think needs a rule like this:

             name: 'memberof_sudorule',
             associator: IPA.serial_associator

THis is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple>other entity>   to<this entity>.

The above comment is regarding ticket: https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch and ticket 1170

As for Patch 24 and ticket 1170, are there any other questions or does this look ready to go?

Nack, this adds some additional API that isn't in API.txt.

It would be nice to add test cases for this as well, perhaps in the sudo and hbac tests (create a rule, add a user to it, make sure when showing the user you can see the rule).

New patch attached to address API and Tests.
(Please note Ticket# 1263 incase there are problems testing)

Please review and ack

ack, pushed to master.

I also bumped up the API minor version because of the new options.

JR, in the future when you resubmit a patch can you keep the same name and add an incrementing number so it is easier to tell which version of the patch we're dealing with?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]