[Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

Petr Spacek pspacek at redhat.com
Thu Jun 20 07:29:44 UTC 2013


On 19.6.2013 20:56, Alexander Bokovoy wrote:
> On Wed, 19 Jun 2013, Rob Crittenden wrote:
>> Tomas Babej wrote:
>>> [big snip]
>>>
>>> Providing new version which should address mentioned issues:
>>>   - advice plugins now inherit directly from Plugin, initial approach
>>> via Method class was abandoned
>>>   - new Namespace api.Advice collects all the advice plugins
>>>   - tool renamed to ipa-advise to express a more general use case
>>>
>>> Additional improvements:
>>>   - keywords are now generated out of Advice class's name, where
>>> underscores are replaced by hyphens
>>>   - rewritten the example plugin in the docs, and provided more
>>> information there
>>>   - instead of --setup option to provide configuration, ipa-advise
>>> takes one positional argument
>>>   - renamed to ipa-advise
>>>
>>> Concerns:
>>>   - man page might need more improvements
>>>
>>> I'll craft a design page for plugin authors, might be useful, even if
>>> the info is in the package docs.
>>>
>>> -----------------------------------------------
>>> Here's a little preview:
>>>
>>> [tbabej at vm-001 ~]$ sudo ipa-advise fedora-authconfig
>>> ------------------------------------------------------------------------------------------------
>>>
>>>
>>> Authconfig instructions for configuring Fedora 18/19 client with IPA
>>> server without use of SSSD.
>>> ------------------------------------------------------------------------------------------------
>>>
>>>
>>> /sbin/authconfig --enableldap --ldapserver=vm-001.idm.com
>>> --enablerfc2307bis --enablekrb5
>>>
>>> [tbabej at vm-001 ~]$ sudo ipa-advise fedora-authconfig4
>>> invalid 'setup': No instructions are available for 'fedora_authconfig4'.
>>> See the list of available configuration advices using the --list option.
>>>
>>> [tbabej at vm-001 ~]$ sudo ipa-advise
>>> -------------------------
>>> List of available advices
>>> -------------------------
>>>     fedora-authconfig : Authconfig instructions for configuring Fedora
>>> 18/19 client with IPA server without use of SSSD.
>>
>> If it's just providing advice why does it need root access? Or is it
>> expected to provide advice based on current configuration?
> Exactly. Getting ranges, configured trusts, etc. Not all of that
> information may be available under non-privileged account, especially if
> somebody would decide to plug in advices for backup or CA
> handling/configuration of advanced features.

I think that ipa-advise should not require root access *implicitly*. It would 
prevent lower-level admins from using the ipa-advise tool.

IMHO plugins should try to get required information and print an 'Insufficient 
access rights, try it again as root/admin' error when appropriate.

As a result, basic 'advices' (like recommended client configuration) will be 
accessible to anybody and special 'advices' (something related to AD trusts etc.) 
will be accessible only to admins.

-- 
Petr^2 Spacek
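
The per-plugin access check proposed in this message, sketched as an added example that is not part of the original post or of the FreeIPA code base. The class names, the `read` callable, the placeholder path, the server name and the range value are all assumptions made for illustration; only the keyword rule (underscores become hyphens) and the error text come from the thread.

```python
# Added example: every class, path and value below is hypothetical, not FreeIPA code.
RESTRICTED = "/path/to/root-only/trust-config"   # constructed placeholder path
DENIED_MSG = "Insufficient access rights, try it again as root/admin"

class Advice:
    """Base class; the keyword is the class name with '_' replaced by '-'."""
    description = ""

    @classmethod
    def keyword(cls):
        return cls.__name__.replace("_", "-")

    def get_info(self, read):
        raise NotImplementedError

class fedora_authconfig(Advice):
    description = "Client configuration without SSSD (needs no privileged data)."

    def get_info(self, read):
        return ["/sbin/authconfig --enableldap --ldapserver=ipa.example.test "
                "--enablerfc2307bis --enablekrb5"]

class trust_ranges(Advice):
    description = "Advice derived from trust configuration (privileged data)."

    def get_info(self, read):
        # The plugin simply attempts the read; the OS decides whether it is allowed.
        return ["configured ranges: " + read(RESTRICTED).strip()]

def read_file(path):
    with open(path) as f:
        return f.read()

def unprivileged_read(path):
    """Constructed stand-in for a non-root caller: the restricted path is denied."""
    if path == RESTRICTED:
        raise PermissionError(13, "Permission denied", path)
    return ""

def admin_read(path):
    """Constructed stand-in for root/admin: the read succeeds."""
    return "1000-1999\n"

def run_advice(keyword, read=read_file):
    """Return (exit_code, text). No euid check up front: failure is per plugin."""
    plugins = {cls.keyword(): cls for cls in Advice.__subclasses__()}
    if keyword not in plugins:
        return 2, "No instructions are available for '%s'." % keyword
    try:
        return 0, "\n".join(plugins[keyword]().get_info(read))
    except PermissionError:
        return 1, DENIED_MSG
```

Because the tool never tests for root itself, the basic advice runs for any caller and only the plugin that touches restricted data reports the access error.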



