[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
Simo Sorce
ssorce at redhat.com
Wed Apr 16 13:01:15 UTC 2014
On Wed, 2014-04-16 at 14:55 +0200, Petr Viktorin wrote:
> Similarly to automount, a single permission is added for reading all
> the trust objects.
> Read access is given to all authenticated users.
NACK!!
See inline
> From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
> From: Petr Viktorin <pviktori at redhat.com>
> Date: Wed, 26 Mar 2014 17:11:23 +0100
> Subject: [PATCH] Add managed read permissions to trust
>
> A single permission is added to cover trust, trustconfig, and
> trustdomain.
>
> Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
> ---
> ipalib/plugins/trust.py | 23 +++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
> index
> f57cf7d891928903fdbee67697b96db4ad2679b7..df69bb82d9c545839f2962d6a1a961f89e6691d3 100644
> --- a/ipalib/plugins/trust.py
> +++ b/ipalib/plugins/trust.py
> @@ -312,6 +312,29 @@ class trust(LDAPObject):
> search_display_attributes = ['cn', 'ipantflatname',
> 'ipanttrusteddomainsid',
> 'ipanttrusttype',
> 'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing' ]
> + managed_permissions = {
> + 'System: Read Trusts': {
> + # Single read permission for all trust-related entries
> + 'non_object': True,
> + 'ipapermlocation': DN(container_dn, api.env.basedn),
> + 'replaces_global_anonymous_aci': True,
> + 'ipapermbindruletype': 'all',
> + 'ipapermright': {'read', 'search', 'compare'},
> + 'ipapermdefaultattr': {
> + 'cn', 'objectclass',
> + # ipaNTTrustedDomain:
> + 'ipanttrusttype', 'ipanttrustattributes',
> + 'ipanttrustdirection', 'ipanttrustpartner',
> 'ipantflatname',
> + 'ipanttrustauthoutgoing', 'ipanttrustauthincoming',
These 2 attributes here ^^^^
They contain trust credentials, certainly must not be readable by any
authenticated user except the trust agents.
> + 'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
> + 'ipanttrustposixoffset',
> 'ipantsupportedencryptiontypes',
> + 'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing',
> + # ipaNTDomainAttrs:
> + 'ipantsecurityidentifier', 'ipantflatname',
> 'ipantdomainguid',
> + 'ipantfallbackprimarygroup',
> + },
> + },
> + }
>
> label = _('Trusts')
> label_singular = _('Trust')
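Review bot: `'ipanttrustauthoutgoing'` and `'ipanttrustauthincoming'` should not be in `ipapermdefaultattr` of a permission whose `ipapermbindruletype` is `'all'`, since that bind rule grants `read`, `search` and `compare` on them to every authenticated user, and the thread identifies these two attributes as holding trust credentials. Drop them from this permission (or move them to a separate permission with a bind rule limited to the principals that actually need them) so that only non-secret trust metadata (`cn`, `ipanttrusttype`, `ipanttrustpartner`, the SID blacklists, etc.) becomes broadly readable. Minor: `'ipantflatname'` is listed twice in the same set (once under the ipaNTTrustedDomain comment and once under ipaNTDomainAttrs); harmless for a set literal, but one of the two should go.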
In general I am not sure all authenticated users need access to all this
info. Alexander?
Simo.