[Freeipa-devel] Sudorule schema inconsistencies

Martin Kosek mkosek at redhat.com
Mon May 12 11:26:43 UTC 2014


On 05/12/2014 11:56 AM, Tomas Babej wrote:
> Hi fellow developers,
> 
> while working on https://fedorahosted.org/freeipa/ticket/4263 I found
> some inconsistencies in the attribute naming:
> 
> There are the following attributes in the schema:
> 
> * ipasudorunas_user : RunAs Users
> * ipasudorunas_group : Groups of RunAs Users (and not groups you can
> RunAsGroup as)
> 
> This implies that ipasudorunas prefix implicitly talks about RunAsUser
> and not RunAsGroup. This hypothesis is confirmed by attribute:
> 
> * ipasudorunasgroup_group : Run with the gid of a specified POSIX group
> 
> since here the prefix is ipasudorunas*group*.
> 
> However,
> 
> * ipasudorunasextuser : RunAs External User (consistent)
> * ipasudorunasextgroup : RunAs External Group (*inconsistent*, since
> ipasudorunas prefix means RunAsUser in other attributes. This attribute
> naming implies semantics of "External Groups of RunAs Users" and not
> "External group you can RunAsGroup as.").
> 
> The ticket https://fedorahosted.org/freeipa/ticket/4263 calls for
> implementation of precisely this "External Groups of RunAs Users". Since
> ipasudorunasextgroup attribute is taken, we have the following alternatives:
> 
> 1.) Create new attribute ipasudorunasgroup_extgroup and move semantics
> of ipasudorunasextgroup there. This frees ipasudorunasextgroup for the
> 4263's use case. (painful)

Painful indeed. I would really prefer to avoid this option, as it would involve
changing the upgrade plugin to migrate all sudo rules, requiring users to
upgrade *all* FreeIPA servers to avoid older servers adding inconsistent SUDO
rules, etc. etc.

> 2.) Create new attribute with inconsistent name, such as
> ipasudorunasextgroupmembers or ipasudorunasextusergroup.
> 3.) Do not create new attributes, but use a workaround which adds failed
> groups as users with % prefix (patch attached).
> 
> What do you think?

3) seems to be unprecedented in our code and inconsistent as well. IMO it would
also be difficult to process later. '%' is a sudoers-syntax-specific prefix and
we try to make our native tree (cn=sudo) not that much dependent on the exact
sudoers syntax.

I personally think 2) would be the best choice, though I agree naming will be
difficult. ipasudorunasextusergroup is my favorite. But as we discussed in
person, in the same patch we will need to make sure all the labeling and doc
strings clarify all this mess.



Martin
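The naming argument in the thread is easier to follow when the attributes are mapped onto the sudoers RunAs_Spec they eventually produce, "(Runas_List : Runas_List)": groups of RunAs *users* become %group entries in the first (user) list, while RunAsGroup entries go into the second (gid) list. The script below is an added illustration and is not FreeIPA's code or its compat plugin; it assumes a rule is a plain dict of attribute name to list of names (DN resolution left out), uses the hypothetical attribute name ipasudorunasextusergroup for the new "External Groups of RunAs Users" semantics (option 2), and assumes the option-3 workaround would store the unresolved group in ipasudorunasextuser with a % prefix. It also shows why Martin's objection to option 3 matters: a consumer of cn=sudo would have to recognise sudoers prefixes inside the native tree.

```python
"""Added illustration (not FreeIPA code): where each sudorule attribute named in
the thread lands in a sudoers RunAs_Spec "(Runas_List : Runas_List)".

Assumptions not taken from the thread: a rule is a dict keyed by attribute name
with lists of plain names as values; ipasudorunasextusergroup is a hypothetical
attribute for "External Groups of RunAs Users"; the option-3 workaround stores
the unresolved group as an external user "%group".
"""

# Members of these attributes go into the RunAs *user* list as-is.
RUNAS_USER_ATTRS = ("ipasudorunas_user", "ipasudorunasextuser")
# Groups whose *members* are RunAs users: sudoers expresses that as %group
# inside the user list, which is why the ipasudorunas prefix means RunAsUser.
RUNAS_USER_GROUP_ATTRS = ("ipasudorunas_group", "ipasudorunasextusergroup")
# Groups to run *as* (gid side): the second half of the RunAs_Spec.
RUNAS_GROUP_ATTRS = ("ipasudorunasgroup_group", "ipasudorunasextgroup")


def runas_spec(rule):
    """Return the sudoers RunAs_Spec for a rule dict, or "" if none applies."""
    users = []
    for attr in RUNAS_USER_ATTRS:
        users.extend(rule.get(attr, []))
    for attr in RUNAS_USER_GROUP_ATTRS:
        users.extend("%" + g for g in rule.get(attr, []))
    groups = []
    for attr in RUNAS_GROUP_ATTRS:
        groups.extend(rule.get(attr, []))
    if not users and not groups:
        return ""
    if groups:
        # sudoers writes "(users : groups)"; the user list may be empty.
        return "(%s : %s)" % (", ".join(users), ", ".join(groups))
    return "(%s)" % ", ".join(users)


def find_sudoers_syntax_leaks(rule):
    """List (attribute, value) pairs whose value already carries sudoers syntax.

    This is the coupling option 3 introduces: a consumer of the native tree has
    to know that "%" (or "#", "+") in a *user* attribute means something else.
    """
    leaks = []
    for attr in RUNAS_USER_ATTRS:
        for name in rule.get(attr, []):
            if name.startswith(("%", "#", "+")):
                leaks.append((attr, name))
    return leaks


# Constructed sample rule (not from the thread).
SAMPLE_RULE = {
    "ipasudorunas_user": ["alice"],
    "ipasudorunas_group": ["dbadmins"],          # members of dbadmins are RunAs users
    "ipasudorunasextusergroup": ["legacyops"],   # hypothetical attribute, same semantics
    "ipasudorunasgroup_group": ["adm"],          # run with the gid of adm
    "ipasudorunasextgroup": ["extgid"],          # RunAs External Group (gid side)
}

# The same external-group intent under the option-3 workaround (assumed form).
WORKAROUND_RULE = {
    "ipasudorunasextuser": ["%legacyops"],
    "ipasudorunasgroup_group": ["adm"],
}

if __name__ == "__main__":
    print(runas_spec(SAMPLE_RULE))
    print(runas_spec(WORKAROUND_RULE))
    print(find_sudoers_syntax_leaks(WORKAROUND_RULE))
```

Both rules render to a valid RunAs_Spec, which is exactly the problem: the workaround is indistinguishable on the sudoers side, so the only place the difference shows up is as a "%" that every reader of cn=sudo must special-case, whereas a dedicated attribute keeps that knowledge in the renderer alone.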