[Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)

Martin Kosek mkosek at redhat.com
Thu Jun 19 12:49:20 UTC 2014


On 06/19/2014 02:43 PM, Simo Sorce wrote:
> On Thu, 2014-06-19 at 12:52 +0200, Petr Viktorin wrote:
>> I'll address the other issues separately.
>>
>> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>>> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
>>> No such virtual command" error triggered by "cert-show" command.
>>>
>>> We will need to add the permission "System: Read Virtual Operations" that Honza
>>> is creating also to "Host Administrators" to fix that part.
>>
>> I'm not familiar with Honza's effort, but that seems right.
>> I'm curious, why don't we just allow reading virtual operations by 
>> anybody? It seems to me they're the same in every IPA installation, 
>> what's there to hide?
>>
>> Anyway, I poked around in how it works now: for cert-show you need write 
>> access to the objectClass of the "retrieve certificate" virt op entry. 
>> So that right you can actually remove the "ipaVirtualOperation" objectClass.
>> Aand the new "Anonymous read access to containers" ACI has a 
>> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for 
>> a virt op can allow everyone see that virt op).
>> Shouldn't we base the check on some other attribute instead?
>>
>> And curiously, for cert-find there is no virt op based access check.
> 
> I wonder if we can replace some of these with the ipaProtectedOperation
> machinery, it works better for protecting itself from manipulation.
> 
> Simo.

Yup, as I said in other part of this thread, we should invent something better
eventually for Virtual Operations. For 4.0, I would just keep previous behavior
and dump ipaVirtualOperation objectclass.

Martin




More information about the Freeipa-devel mailing list