[Freeipa-devel] Ticket #2293 - permission attribute check
Ondrej Hamada
ohamada at redhat.com
Fri Apr 27 15:52:50 UTC 2012
On 04/27/2012 02:36 PM, Martin Kosek wrote:
> I revisited ticket #2293 after it failed QE check. After some
> considerations, I think we should revert this type of check for
> permissions. Here is my reasoning:
>
> 1) This check fails when the target type does not have all its possible
> objectclasses defined in the LDAPObject, like when users or hosts miss
> kerberos or samba auxiliary classes as they are just classes that the
> object may potentially have:
>
> # ipa permission-mod "Change a user password"
> --attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
> ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed
>
> To fix this point, we would need to add all possible object classes to
> our user, host, ... objectclasses.
>
>
> 2) It severely limits permission flexibility for custom user
> objectclasses. They would need to extend our plugins to make them work.
> Observe this inconsistency:
>
> Setting custom OC+attribute works (replace "sudocmd" with some
> meaningful object class"):
>
> # ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar
> --------------------
> Modified user "fbar"
> --------------------
> User login: fbar
> First name: Foo
> Last name: Bar
> Home directory: /home/fbar
> Login shell: /bin/sh
> UID: 61400016
> GID: 61400016
> Account disabled: False
> Password: True
> Member of groups: ipausers
> Kerberos keys available: True
>
> # ipa user-show --all fbar
> dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> User login: fbar
> First name: Foo
> Last name: Bar
> ...
> mepmanagedentry: cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
> krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
> mepOriginEntry, ipasudocmd
> sudocmd: fbar
>
>
> But adding a custom permission to control this attribute fails:
> # ipa permission-add "Can manage user sudocmd" --type=user --permissions=write --attrs=sudocmd
> ipa: ERROR: attribute(s) "sudocmd" not allowed
>
>
> Bottom line is that I would remove this check at all and just check that
> the attribute is right - as we already do for permission without
> "--type" specified:
>
> # ipa permission-add "Can write barbar"
> --filter="(objectclass=posixuser)" --permissions=write --attrs=barbar
> ipa: ERROR: targetattr "barbar" does not exist in schema. Please add
> attributeTypes "barbar" to schema if necessary. ACL Syntax
> Error(-5):(targetattr = \22barbar\22)(targetfilter =
> \22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo
> \22;allow (write) groupdn =
> \22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;): Invalid syntax.
>
> Martin
>
What about simply let the command succeed and print out a warning like:
'Attribute "passwordhistory" is not a default one for specified object
type. The permission might not be properly evaluated.'
--
Regards,
Ondrej Hamada
FreeIPA team
jabber: ohama at jabbim.cz
IRC: ohamada
More information about the Freeipa-devel
mailing list