[Freeipa-devel] [PATCHES] 0568-0570 Convert User default permissions to managed

Petr Viktorin pviktori at redhat.com
Mon Jun 9 12:20:27 UTC 2014


On 06/06/2014 11:38 AM, Martin Kosek wrote:
> On 06/04/2014 06:43 PM, Petr Viktorin wrote:
>> Hello,
>> I try to think about any kind of data the user might have in LDAP, but in the
>> spirit of YAGNI, I'll deal with the various corner cases in IPA's historic
>> default permissions as I go along.
>>
>> Patch 0568 adds support for the case where the default permissions changed in
>> something else than attribute lists. Needed for the 'Change User password'
>> permission.
>>
>> Patch 0569 converts user permissions to managed.
>>
>> Patch 0570 fixes https://fedorahosted.org/freeipa/ticket/3697
>
>
> 1) Add aci has targetfilter part - is that intentional?

Yes.
From the permission plugin's point of view, it's part of the 
definition of --type user (i.e. "this applies to users").

Regardless I think it should be there.


> # ipa permission-show 'System: Add Users' --all --raw
> ...
>    aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl
> "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add
> Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)
>
> This part IS effective though, so it may not be a bad thing at all, to keep it
> in the ACI:
>
> # ldapadd -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: fbar at MKOSEK-FEDORA20.TEST
> SASL SSF: 56
> SASL data security layer installed.
> dn: cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
> objectclass: top
> objectclass: nscontainer
> cn: foo
>
> adding new entry "cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test"
> ldap_add: Insufficient access (50)
> 	additional info: Insufficient 'add' privilege to add the entry
> 'cn=foo,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test'.
>
> # ipa user-add --first=Foo --last Bar fbar2
> ------------------
> Added user "fbar2"
> ------------------
>    User login: fbar2
>    First name: Foo
> ...
>
> 2) System: Add User to default group
>
> I was wondering whether we should keep the ACI in cn=groups container or
> directly with the group, but I think the group itself is a good idea. (Unless
> someone deletes and recreates it).

Hm, this is a good point. If the ipausers group is deleted, there'll be 
a permission with a missing ACI that can't be created. That could be 
quite annoying.
I put the ACI in the container.

> 3) System: Change User password
>
> I hit some nasty DS error which prevented an authorized user from updating their password.
> ACI log attached. Ludwig, does that ring any bell?
>
> The ACI itself looks OK though as after I restarted DS, it started to work.
> Maybe DS did not cache the ACIs properly after upgrade?

Which DS version are you using?

> 4) When running user unit tests, I found a couple of issues:
>
> a) Some attributes we may still miss in the permissions:
> - krbPrincipalExpiration
> - userclass
> - ipaUserAuthType
> - preferredLanguage
>
> I am thinking we could base Modify Users permission on the read one and add
> regular attributes there

I put in userclass and preferredLanguage.
I'm not sure about the other two; should regular user admins be able to 
change these?

> b) Read membership ACIs for users and groups miss "member" attribute and thus
> indirect/direct processing goes wrong.

Added.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0568.3-managed-perm-updater-Handle-case-where-we-changed-de.patch
Type: text/x-patch
Size: 3385 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140609/eb1e415b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0569.3-Convert-User-default-permissions-to-managed.patch
Type: text/x-patch
Size: 14960 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140609/eb1e415b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0570.3-Add-missing-attributes-to-User-managed-permissions.patch
Type: text/x-patch
Size: 2758 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140609/eb1e415b/attachment-0002.bin>
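Point 1) of the thread shows that the targetfilter part of the 'System: Add Users' ACI is effective: a requester who holds the permission can add a posixAccount entry under cn=users, but not a plain nsContainer entry. The following is an added illustration, not code from FreeIPA or 389 Directory Server: a small Python model that extracts the targetfilter and the granted rights from the ACI string quoted above, evaluates the filter (an RFC 4515 subset: equality, &, |, !) against a candidate entry, and reports whether the "add" right would apply to it. It deliberately ignores the bind rule (groupdn), i.e. it assumes the requester is already a member of the granted group; the two sample entries are constructed from the ldapadd and ipa user-add output in the mail.

```python
import re

# Constructed sample: the ACI quoted in the thread for 'System: Add Users'.
ADD_USERS_ACI = (
    '(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl '
    '"permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add '
    'Users,cn=permissions,cn=pbac,dc=mkosek-fedora20,dc=test";)'
)

_TARGETFILTER_RE = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_RIGHTS_RE = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)


def parse_aci(aci):
    """Extract the targetfilter (or None) and the set of granted rights.
    Only the parts this model needs are parsed; the bind rule is ignored."""
    m = _TARGETFILTER_RE.search(aci)
    targetfilter = m.group(1) if m else None
    r = _RIGHTS_RE.search(aci)
    rights = {x.strip().lower() for x in r.group(1).split(',')} if r else set()
    return targetfilter, rights


def parse_filter(s):
    """Parse a small LDAP filter subset: (attr=value), (&...), (|...), (!...).
    Attribute names and values are lower-cased for case-insensitive matching."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(s) or s[pos] != ch:
            raise ValueError('expected %r at offset %d in %r' % (ch, pos, s))
        pos += 1

    def parse():
        nonlocal pos
        expect('(')
        if s[pos] in '&|':
            op = s[pos]
            pos += 1
            kids = []
            while pos < len(s) and s[pos] == '(':
                kids.append(parse())
            expect(')')
            return (op, kids)
        if s[pos] == '!':
            pos += 1
            kid = parse()
            expect(')')
            return ('!', [kid])
        end = s.index(')', pos)  # equality only; no escaped ')' in values here
        attr, _, value = s[pos:end].partition('=')
        pos = end + 1
        return ('=', attr.strip().lower(), value.strip().lower())

    node = parse()
    if pos != len(s):
        raise ValueError('trailing data in filter %r' % s)
    return node


def normalize_entry(entry):
    """Lower-case attribute names and make every value a list of strings."""
    out = {}
    for attr, vals in entry.items():
        if not isinstance(vals, (list, tuple)):
            vals = [vals]
        out[attr.lower()] = [str(v) for v in vals]
    return out


def matches(node, entry):
    """Evaluate a parsed filter against a normalized entry dict."""
    kind = node[0]
    if kind == '=':
        _, attr, value = node
        return any(v.lower() == value for v in entry.get(attr, []))
    if kind == '&':
        return all(matches(k, entry) for k in node[1])
    if kind == '|':
        return any(matches(k, entry) for k in node[1])
    if kind == '!':
        return not matches(node[1][0], entry)
    raise ValueError('unknown filter node %r' % (kind,))


def add_allowed(aci, entry):
    """Would the ACI's 'add' right apply to this entry? (bind rule not checked)"""
    targetfilter, rights = parse_aci(aci)
    if 'add' not in rights:
        return False
    if targetfilter is None:
        return True
    return matches(parse_filter(targetfilter), normalize_entry(entry))


# Constructed entries modelled on the mail: the ldapadd that was denied, and
# the user that ipa user-add created.
CONTAINER_ENTRY = {'objectClass': ['top', 'nscontainer'], 'cn': 'foo'}
USER_ENTRY = {'objectClass': ['top', 'person', 'posixAccount'],
              'uid': 'fbar2', 'givenName': 'Foo', 'sn': 'Bar'}

if __name__ == '__main__':
    for name, e in (('nscontainer', CONTAINER_ENTRY), ('posixAccount', USER_ENTRY)):
        print('%s entry: add %s' % (name, 'allowed' if add_allowed(ADD_USERS_ACI, e) else 'denied'))
```

Dropping the targetfilter from the ACI would make `add_allowed` return True for the container entry as well, which is the practical reason to keep it in the managed permission even though the permission plugin treats it as part of the --type definition.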

