[Freeipa-devel] [PATCHES] 0578-0579 Convert Host default permissions to managed

Martin Kosek mkosek at redhat.com
Wed Jun 18 15:46:37 UTC 2014


On 06/11/2014 06:39 PM, Petr Viktorin wrote:
> Patch 0578 does the conversion
> 
> Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
> permissions needed for automatic enrollment (from
> http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)

1) Inconsistent casing in permission names:

System: Add Hosts
System: Add krbPrincipalName to a host
System: Enroll a host
System: Manage Host SSH Public Keys
System: Manage host keytab
System: Modify Hosts
System: Remove Hosts


2) This ACI does not look right; it is missing enrolledby:

+        'System: Enroll a host': {
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'objectclass'},
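Review bot: 'System: Enroll a host' grants the write right on ipapermdefaultattr {'objectclass'} only, so the enrolledby attribute that enrollment writes is not covered by this permission; add 'enrolledby' to ipapermdefaultattr.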

When I fixed 2) via permission-mod, client enrollment with a user with the "Host
Administrators" privilege worked fine.


3) I hit one issue: when I open the Web UI host tab, I get an "Insufficient access:
No such virtual command" error triggered by the "cert-show" command.

We will need to add the permission "System: Read Virtual Operations" that Honza
is creating to "Host Administrators" as well to fix that part.


4) I ran unit tests and found a few missing attributes:
- the update hosts ACI should get the "macaddress" attribute


5) I hit one nasty issue when running the unit tests (my master stopped
working as its host account was deleted) - the host_is_master function in baseldap no
longer works, as we hid cn=masters from regular users:

from ipalib import api, errors
from ipalib.text import _
from ipapython.dn import DN


def host_is_master(ldap, fqdn):
    """
    Check to see if this host is a master.

    Raises an exception if a master, otherwise returns nothing.
    """
    master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
                   ('cn', 'etc'), api.env.basedn)
    try:
        ldap.get_entry(master_dn, ['objectclass'])
        raise errors.ValidationError(name='hostname', error=_(
            'An IPA master host cannot be deleted or disabled'))
    except errors.NotFound:
        # Good, not a master
        # (NotFound is also raised when the bound user is not allowed
        # to read the entry under cn=masters, so the check passes then too)
        return

This means that host-del on a master machine or service-del on a master service
happily passes.

We need to make sure this functionality is still working after the permission
refactoring. Should we reconsider the cn=masters tree and allow authenticated
users to see the list of IPA servers (without digging into any other detail like
services) then?

Martin
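As an added illustration (not FreeIPA code, and not the project's eventual fix) of why the check in point 5) fails open: an existence check that treats NotFound as "not a master" also passes when the entry exists but the bound user may not read it. The fake LDAP connection, the bind names, the directory contents and the variant that looks up cn=masters with a server-side identity are all assumptions constructed for this example.

```python
# Added example: how read ACIs on cn=masters turn host_is_master into a
# fail-open check, and one way to keep the lookup independent of the caller.

class NotFound(Exception):
    """Stand-in for errors.NotFound (constructed for this example)."""

class ValidationError(Exception):
    """Stand-in for errors.ValidationError (constructed for this example)."""

# Constructed directory: DN -> (attributes, identities allowed to read it).
# Only the server itself and admin may read under cn=masters.
MASTER_DN = "cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
DIRECTORY = {
    MASTER_DN: ({"objectclass": ["top", "nsContainer"]}, {"admin", "server"}),
}

class FakeLDAP:
    """Mimics a client whose reads are filtered by ACIs: an entry the bound
    identity may not read is indistinguishable from a missing entry."""
    def __init__(self, bound_as):
        self.bound_as = bound_as

    def get_entry(self, dn, attrs=None):
        entry = DIRECTORY.get(dn)
        if entry is None or self.bound_as not in entry[1]:
            raise NotFound(dn)
        return entry[0]

def host_is_master(ldap, fqdn):
    """Same logic as the check quoted in the thread."""
    master_dn = "cn=%s,cn=masters,cn=ipa,cn=etc,dc=example,dc=test" % fqdn
    try:
        ldap.get_entry(master_dn, ["objectclass"])
    except NotFound:
        return  # also reached when the entry exists but is unreadable
    raise ValidationError("An IPA master host cannot be deleted or disabled")

def host_is_master_server_side(ldap, fqdn):
    """Variant (an assumption, not FreeIPA's fix): do the lookup with an
    identity guaranteed to read cn=masters, so 'unreadable' and 'absent'
    are no longer conflated for the calling user."""
    host_is_master(FakeLDAP("server"), fqdn)

def deletion_blocked(ldap, fqdn, check=host_is_master):
    """True if the check would stop host-del for fqdn on this connection."""
    try:
        check(ldap, fqdn)
    except ValidationError:
        return True
    return False
```

With the original check, a "Host Administrators" bind that cannot read cn=masters is allowed to delete the master; with the server-side lookup it is blocked.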