[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Petr Viktorin pviktori at redhat.com
Thu May 22 13:07:50 UTC 2014


Hello,
Here I start upgrading the existing default permissions to the new 
Managed style.

https://fedorahosted.org/freeipa/ticket/4346

The patches rely on my patch 0551 
(https://fedorahosted.org/freeipa/ticket/4349)
You may run into what seems to be a 389 bug. If you get a "Midair 
Collision" (NO_SUCH_ATTRIBUTE) error, restart the DS and try running 
ipa-ldap-updater again. I'm working with Ludwig on this one.



The operation is now described at 
http://www.freeipa.org/page/V4/Managed_Read_permissions#Replacing_legacy_default_permissions

If the user has modified an old default permission, a warning is 
logged and the replacement permission is not added/updated. The user needs 
to evaluate the situation: either update the old permission to match the 
original default, or remove the old permission, and then running 
ipa-ldap-updater will create the new one.
Is bailing out the right thing to do if the old entry was modified?
It could be possible to parse the permission, figure out the changes the 
user made, and apply them to the new one, but that seems like too much 
guesswork to me.
On the other hand, my approach has a downside as well: if the 
'memberallowcmd' attribute was removed from 'Modify Sudo rule', there's 
now no way to upgrade while allowing access but keeping that attribute 
off-limits, short of writing a deny ACI by hand. How big a problem is 
this? It might be worth it to create a special tool that upgrades a 
single permission and allows setting the excluded/included attributes 
explicitly.



There are some interesting scenarios to think about with respect to 
upgrades and user changes:

* Upgrade to old version, e.g.
   - have IPA 3.2 master, IPA 3.2 replica
   - upgrade master to 4.0 (old permissions are updated)
   - then upgrade replica to 3.3 (old permissions are added again!)

This is AFAIK not supported but it does happen.
We can't change old IPA versions, so any upgrade to a pre-4.0 IPA will 
always add the old permissions, but with this patch, a subsequent 
upgrade to 4.0+, or running a 4.0+ ipa-ldap-update, will remove the old 
permissions again.

Tied to that is another scenario:

* Re-create permissions with old names
   - have IPA 4.0 master
   - Create a permission named 'Modify Sudo rule'
   - Upgrade to IPA 4.1

Here we need to make sure the new permission is *not* removed, because a 
new 'Modify Sudo rule' permission is no longer special in any way. To 
ensure this the updater only removes old-style permissions.

One thing that can happen when 4.0 masters are still mixed with 3.x is 
that an old permission named 'Modify Sudo rule' is added on the old 
server. Any update to 4.0+ will remove that.
Old-style default permissions were sorta-kinda managed by IPA itself 
anyway, so users should expect this. We should still point it out in the 
docs though, since I expect some users to start messing with the 
permissions before upgrading all of the infrastructure to 4.0.


The second patch upgrades sudorule permissions; this serves as an 
example of how the  will work.
The third patch fixes https://fedorahosted.org/freeipa/ticket/4344


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0552-Add-mechanism-for-updating-permissions-to-managed.patch
Type: text/x-patch
Size: 5457 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/dbe267ac/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0553-Convert-Sudo-rule-default-permissions-to-managed.patch
Type: text/x-patch
Size: 6658 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/dbe267ac/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0554-Add-missing-attributes-to-Modify-Sudo-rule-permissio.patch
Type: text/x-patch
Size: 1711 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140522/dbe267ac/attachment-0002.bin>
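The decision logic described in the message (replace an unmodified old-style default, warn and skip a user-modified one, leave a new-style permission that merely reuses the old name alone), as an added example that is not part of Petr's patches or FreeIPA's own ipa-ldap-updater code. Entries are modelled as plain dicts; the `ipapermissiontype` marker used to tell new-style permissions apart, the `attrs` key standing in for the legacy ACI's attribute list, the managed permission name and the sample entries are all assumptions constructed for the example.

```python
"""
Model of the upgrade decision for a legacy default permission.  Added
illustration only, not FreeIPA code.  Entries are dicts of attribute ->
list of values; 'ipapermissiontype', the 'attrs' key and the managed
permission name are assumptions made for this example.
"""
import logging

log = logging.getLogger("permission-upgrade")

# Assumption: a 4.0+ permission carries this attribute; an entry without it
# is treated as an old-style default that the updater is allowed to remove.
NEW_STYLE_MARKER = "ipapermissiontype"

# Attributes compared to decide whether the user modified a legacy default.
# 'attrs' is a simplification standing in for the attribute list of the
# legacy ACI that accompanies the permission entry.
COMPARED = ("member", "attrs")

ADD, REPLACE, KEEP, SKIP = "add", "replace", "keep", "skip"


def _values(entry, attr):
    """Case-insensitive set of an attribute's values (empty if absent)."""
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return frozenset(v.lower() for v in values)


def is_old_style(entry):
    return not _values(entry, NEW_STYLE_MARKER)


def modified_attrs(existing, legacy_default):
    """Attributes on which the entry differs from the shipped default."""
    return [a for a in COMPARED
            if _values(existing, a) != _values(legacy_default, a)]


def plan_upgrade(existing, legacy_default):
    """Decide what to do with whatever sits under the legacy name.

    ADD      nothing there: add the managed replacement
    REPLACE  unmodified legacy default: remove it, add the managed one
    KEEP     a new-style permission merely reuses the old name: leave it
    SKIP     user modified the legacy default: warn, touch nothing
    """
    name = legacy_default["cn"]
    if existing is None:
        return ADD
    if not is_old_style(existing):
        return KEEP
    changed = modified_attrs(existing, legacy_default)
    if changed:
        log.warning("permission %r differs from the shipped default (%s); "
                    "restore it or remove it, then rerun the updater",
                    name, ", ".join(changed))
        return SKIP
    return REPLACE


def apply_plan(plan, container, legacy_default, managed_default):
    """Apply the decision to a dict keyed by cn that stands in for the
    permissions container.  KEEP and SKIP change nothing."""
    if plan == REPLACE:
        del container[legacy_default["cn"]]
    if plan in (ADD, REPLACE):
        container[managed_default["cn"]] = dict(managed_default)
    return container


# Constructed sample data, loosely modelled on the 'Modify Sudo rule' case.
LEGACY = {
    "cn": "Modify Sudo rule",
    "member": ["cn=Sudo Administrator,cn=privileges,cn=pbac,dc=example,dc=com"],
    "attrs": ["description", "memberuser", "memberhost", "memberallowcmd"],
}
MANAGED = {
    "cn": "System: Modify Sudo Rules",          # assumed name
    "ipapermissiontype": ["SYSTEM", "V2", "MANAGED"],
    "attrs": ["description", "memberuser", "memberhost", "memberallowcmd"],
}


def run_scenarios():
    """The four situations from the message, each from a fresh container."""
    stripped = dict(LEGACY, attrs=[a for a in LEGACY["attrs"]
                                   if a != "memberallowcmd"])
    user_made = {"cn": "Modify Sudo rule", "ipapermissiontype": ["V2"],
                 "attrs": ["description"]}
    cases = {
        "fresh_4_0_install": None,
        "readded_by_3_x_replica": dict(LEGACY),
        "memberallowcmd_removed_by_user": stripped,
        "user_created_on_4_0": user_made,
    }
    results = {}
    for label, existing in cases.items():
        container = {} if existing is None else {existing["cn"]: existing}
        plan = plan_upgrade(existing, LEGACY)
        apply_plan(plan, container, LEGACY, MANAGED)
        results[label] = (plan, sorted(container))
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, (plan, names) in run_scenarios().items():
        print(f"{label:32} {plan:8} -> {names}")
```

The `readded_by_3_x_replica` case is the "upgrade to old version" scenario: the 3.x replica puts the unmodified legacy entry back, and because it is old-style and matches the shipped default it is simply replaced again. The `user_created_on_4_0` case shows why the updater must key on old-style-ness rather than on the name alone.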