[Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)

Rob Crittenden rcritten at redhat.com
Thu Jun 19 14:00:21 UTC 2014


Petr Viktorin wrote:
> I'll address the other issues separately.
> 
> On 06/18/2014 05:46 PM, Martin Kosek wrote:
>> 3) I hit one issue when I open the Web UI host tab, I get
>> "Insufficient access:
>> No such virtual command" error triggered by "cert-show" command.
>>
>> We will need to add the permission "System: Read Virtual Operations"
>> that Honza
>> is creating also to "Host Administrators" to fix that part.
> 
> I'm not familiar with Honza's effort, but that seems right.
> I'm curious, why don't we just allow reading virtual operations by
> anybody? It seems to me they're the same in every IPA installation,
> what's there to hide?
> 
> Anyway, I poked around in how it works now: for cert-show you need write
> access to the objectClass of the "retrieve certificate" virt op entry.
> So with that right you can actually remove the "ipaVirtualOperation"
> objectClass.
> And the new "Anonymous read access to containers" ACI has a
> (!(objectclass=ipaVirtualOperation)) filter, so any user privileged for
> a virt op can allow everyone to see that virt op.
> Shouldn't we base the check on some other attribute instead?

Jumping back in the thread a bit, I agree with Martin's and Simo's
sentiment that a new model is needed. Backwards compatibility is going
to be a challenge.

Ideally I'd have done this using a read aci but the global read anything
aci prevented this, so I went with write, accepting the
less-than-perfect solution. The expectation was that not too much damage
could be done just allowing write to objectclass and it would be fairly
obvious if someone did it.

> 
> And curiously, for cert-find there is no virt op based access check.

This is because it is executed against the public dogtag API. Given the
new read-based aci system, it is probably prudent to add one, defaulting
to letting everyone read it (for compatibility).

rob
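A toy model of the access check the thread describes, added here as an illustration; it is not FreeIPA or 389-ds code, and the DN, the ACI names and the user identities in it are assumptions. It shows the two points Petr raises: the virt op check is a write check on the entry's objectClass, so whoever holds that permission can strip the ipaVirtualOperation objectClass, and once that is gone the anonymous read ACI with its (!(objectclass=ipaVirtualOperation)) filter covers the entry and everyone can read it.

```python
"""Toy model of the virtual-operation ACI check discussed in this thread.

Added illustration, not FreeIPA or 389-ds code: the DN, the ACI names and
the user identities below are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional

VIRT_OP_OC = "ipaVirtualOperation"
ANYONE = "anyone"          # ACI subject that matches every bind, anonymous included


@dataclass
class Entry:
    dn: str
    objectclasses: set


@dataclass
class Aci:
    name: str
    rights: set                       # subset of {"read", "write"}
    attrs: set                        # attribute names, or {"*"} for all
    users: set                        # bind identities, or {ANYONE}
    target_dn: Optional[str] = None   # None: the ACI applies to every entry
    exclude_oc: Optional[str] = None  # models a (!(objectclass=X)) targetfilter

    def matches(self, user: str, right: str, entry: Entry, attr: str) -> bool:
        if right not in self.rights:
            return False
        if ANYONE not in self.users and user not in self.users:
            return False
        if "*" not in self.attrs and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        if self.target_dn is not None and self.target_dn != entry.dn:
            return False
        if self.exclude_oc is not None and self.exclude_oc in entry.objectclasses:
            return False
        return True


class Directory:
    def __init__(self, entries, acis):
        self.entries = {e.dn: e for e in entries}
        self.acis = list(acis)

    def allowed(self, user: str, right: str, dn: str, attr: str) -> bool:
        entry = self.entries[dn]
        return any(a.matches(user, right, entry, attr) for a in self.acis)

    def can_run_virtop(self, user: str, dn: str) -> bool:
        # The check the thread describes: the caller needs *write* access to
        # the objectClass attribute of the virtual operation entry.
        return self.allowed(user, "write", dn, "objectClass")

    def delete_objectclass(self, user: str, dn: str, oc: str) -> None:
        # An LDAP modify that removes a value from objectClass needs write
        # on objectClass, which is exactly what the virt op permission grants.
        if not self.allowed(user, "write", dn, "objectClass"):
            raise PermissionError(f"{user} may not write objectClass on {dn}")
        self.entries[dn].objectclasses.discard(oc)


def build_directory():
    # Assumed DN for the "retrieve certificate" virtual operation entry.
    dn = "cn=retrieve certificate,cn=virtual operations,cn=etc,dc=example,dc=test"
    entry = Entry(dn, {"top", VIRT_OP_OC})
    acis = [
        # Global anonymous read ACI with the (!(objectclass=ipaVirtualOperation)) filter.
        Aci("Anonymous read access to containers", {"read"}, {"*"}, {ANYONE},
            exclude_oc=VIRT_OP_OC),
        # Assumed permission granting the virt op: write on objectClass of that entry.
        Aci("Retrieve certificate virt op", {"write"}, {"objectClass"},
            {"uid=certadmin"}, target_dn=dn),
    ]
    return Directory([entry], acis), dn


def demonstrate() -> dict:
    d, dn = build_directory()
    result = {
        "certadmin_can_run_before": d.can_run_virtop("uid=certadmin", dn),
        "alice_can_run_before": d.can_run_virtop("uid=alice", dn),
        "anon_can_read_before": d.allowed("anonymous", "read", dn, "cn"),
    }
    # A holder of the virt op permission strips the marker objectClass...
    d.delete_objectclass("uid=certadmin", dn, VIRT_OP_OC)
    # ...so the entry no longer matches the exclusion filter, the anonymous
    # read ACI now covers it, and everyone can read the virt op entry.
    result["anon_can_read_after"] = d.allowed("anonymous", "read", dn, "cn")
    result["certadmin_can_run_after"] = d.can_run_virtop("uid=certadmin", dn)
    return result


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running it prints the before/after picture: only the cert admin can run the operation, anonymous cannot read the entry while the objectClass is present, and after the admin removes it the same anonymous read check succeeds while the admin's write-based check still passes because the write ACI targets the entry by DN rather than by objectClass.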
