[Freeipa-devel] New ACIs for cn=etc

Petr Viktorin pviktori at redhat.com
Wed Apr 16 10:50:45 UTC 2014 

On 04/14/2014 04:00 PM, Simo Sorce wrote:
> On Mon, 2014-04-14 at 12:55 +0200, Martin Kosek wrote:
>> When heading for a lunch today, I had a discussion with Petr3 about ACIs for
>> cn=etc,SUFFIX. On our initial meeting back at DevConf.cz time, we said we will
>> simply allow all attributes in cn=etc for authenticated users and will just
>> exclude the blacklisted attributes (for context, see ticket #3566).
>>
>> I personally think it is not the best thing to do as it will just move the
>> problem we had with all-allowing ACI one level down from SUFFIX to cn=etc. It
>> would be better to add normal ACIs for cn=etc as well.
>>
>> I searched for nsContainer's in cn=etc and IMO the situation is not so bad, it
>> seems straightforward what ACIs would be needed:
>>
>> ==========================================================================
>> dn: cn=etc,SUFFIX
>> - ADD aci allowing reading nsContainer for anonymous, EXCEPT:

We can combine this with the general nsContainer read ACI. The problem 
is that we can only have one target-based exclusion rule.

>>    - cn=virtual operations,cn=etc,SUFFIX

Could we use a special objectClass rather than nsContainer for these?

>>    - cn=masters,cn=ipa,cn=etc,SUFFIX

This is the one I'd exclude with the target rule.

>>    - cn=Managed Entries,cn=etc,SUFFIX

Why exclude this one? Aren't the containers the same in all IPA installs?

>> dn: cn=sysaccounts,cn=etc,SUFFIX
>> - ADD aci allowing reading all attributes but password attributes (people may
>> add unstructured accounts following different objectclasses)

I'd rather list the attributes and let people add custom attributes 
themselves.

>> dn: cn=ipa,cn=etc,SUFFIX
>> - no ACI needed
>>
>> dn: cn=masters,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading hosts (to have it separate from global cn=etc one so
>> that we can once assign it only to ipamasters hostgroup for example)
>>
>> dn: cn=replicas,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading replicas for authenticated users (masters)
>>
>> dn: cn=dna,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading dnaSharedConfig objects for authenticated
>>
>> dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,SUFFIX
>> - no ACI needed
>>
>> dn: cn=ca_renewal,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading for authenticated users (hosts' certmonger)
>>
>> dn: cn=s4u2proxy,cn=etc,SUFFIX
>> - no ACI needed at this point, KDC access it with DM privileges AFAIK
>>
>> dn: cn=ipaConfig,cn=etc,SUFFIX
>> - ADD aci allowing reading ipaConfigObject attributes for authenticated users.
>> We already plan aci allowing writing them
>>
>> dn: cn=ranges,cn=etc,SUFFIX
>> - ADD aci allowing reading ipaIDrange for authenticated users
>>
>> dn: cn=virtual operations,cn=etc,SUFFIX
>> - ADD aci allowing reading/updating virtual operations, assign to RBAC privileges
>>
>> dn: cn=retrieve certificate,cn=virtual operations,cn=etc,SUFFIX
>> dn: cn=request certificate,cn=virtual operations,cn=etc,SUFFIX
>> dn: cn=request certificate different host,cn=virtual operations,SUFFIX
>> dn: cn=certificate status,cn=virtual operations,cn=etc,SUFFIX
>> dn: cn=revoke certificate,cn=virtual operations,cn=etc,SUFFIX
>> dn: cn=certificate remove hold,cn=virtual operations,cn=etc,SUFFIX
>> - no ACI needed
>>
>> dn: cn=Managed Entries,cn=etc,SUFFIX
>> - no ACI needed, not managed by IPA users
>>
>> dn: cn=automember,cn=etc,SUFFIX
>> - ADD standard automembers ACIs (read, write, delete, ...)
>>
>> dn: cn=CAcert,cn=ipa,cn=etc,SUFFIX
>> - ADD aci allowing reading cACertificate for anonymous
>>
>> dn: cn=anonymous-limits,cn=etc,SUFFIX
>> - no ACI needed, not managed by IPA users
>>
>> dn: cn=replication,cn=etc,SUFFIX
>> - ADD aci allowing reading for authenticated users (used in ipa-replica-install)
>>
>> dn: cn=Realm Domains,cn=ipa,cn=etc,SUFFIX
>> - no ACI needed, we already added read aci
>>
>> dn: cn=ad,cn=etc,SUFFIX
>> - ADD aci allowing reading ipaNTDomainAttrs for authenticated users (trust
>> settings)
>>
>> ==========================================================================
>>
>> That should be pretty much all. I know that devil hides in details, but I did
>> not see any blocker to skip the chance to add proper ACIs also for cn=etc as
>> well and thus remove the all allowing ACI at all (I am afraid that we would be
>> stuck with cn=etc all-allowing ACI for years otherwise).
>>
>> Comments welcome.
>
> Agree with the general plan, let's start with this and add permissions
> as needed.
>
> Simo.
>
>
>


-- 
Petr³

More information about the Freeipa-devel mailing list