[Freeipa-users] [Freeipa-devel] Proposal: drop DENY rules from HBAC

Simo Sorce simo at redhat.com
Fri Jul 1 14:28:54 UTC 2011


On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:

> By removing the deny rules, do we break compatibility with anything else 
> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?


OK, we've had a somewhat heated discussion internally about how to deal
with the transition phase for those admins that decided to use HBAC DENY
rules. Hopefully very few did, and so very few people will actually be
impacted, but we need to handle those cases the best we can to avoid
security issues for those users.

Here is a rough plan I'd like to get both developers' *AND* users'
feedback on, if you care about it.

The premise of the following plan is that very few administrators,
unfortunately, carefully read release notes before upgrading, so simply
dropping and ignoring DENY rules is felt to be something we can't do.

We split the solution in 2 parts, one on the SSSD side (the only client
currently able to understand IPA HBAC rules), and one on the server
side.

SSSD:
Inconveniencing clients is probably the easiest way to cause the least
disruption while attracting the administrators' attention.
The idea here is to treat any DENY rule as actually a DENY-ALL rule,
basically causing any login attempt for any service to fail as soon as
the new sssd package is installed.
Even though admins normally do not read release notes, they still do a
few test upgrades before upgrading the whole set of clients they
administer.
By having SSSD deny logins if any DENY rule is found (and spamming the
log with pointers at the same time) we hope to give admins a good enough
"wake up something changed" call.

This change will be prominently advertised in SSSD release notes.
Also to ease the pain for those places where the Server and client
admins are different groups, we plan to add a transitional configuration
option. This option will allow admins to ignore DENY rules entirely. The
option will default to the DENYALL behavior described above, but admins
will be able to toggle it to ignore so they can keep testing the client,
while they make sure to warn the Server admins that DENY rules support
is going to be dropped.

FreeIPA:
On the server side instead we will add 2 visual cues to the WebUI and
probably something to the CLI commands used to manage HBAC rules.

In the WebUI, pending UXD and UI developers' approval/feedback, we will
have a prominent error message in the main page only for administrators
that are allowed to manage HBAC rules. This warning will be shown if any
DENY rule exists on the server.
In the HBAC pages, deny rules will be highlighted and text explaining
that they are not supported anymore and need to be removed will be shown.

These warnings will be dropped down the road after 1 more point release.

Of course Release notes will prominently highlight this change so that
most admins will be prepared to handle this change.


Hopefully people will have enough cues to properly handle the situation.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
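The client-side behaviour described in the SSSD part of the proposal, as an added model that is not SSSD or FreeIPA code: a small HBAC evaluator that contrasts the old semantics (a matching DENY rule overrides ALLOW rules) with the proposed transitional behaviour (any DENY rule present turns into DENY-ALL, unless a transitional option tells the client to ignore DENY rules entirely). The option name `deny_rule_policy` and its values `"denyall"` / `"ignore"`, the rule/request structures, and the sample rules are assumptions made for this example; they are not the option or data model SSSD actually shipped.

```python
"""Model of the proposed transitional handling of HBAC DENY rules on the client.

Added illustration only; not SSSD's libipa_hbac.  The option name
``deny_rule_policy`` and its values are assumptions for this example.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("hbac-model")

ALL = "ALL"  # category marker: rule applies to every user/host/service


@dataclass
class HbacRule:
    name: str
    type: str                 # "allow" or "deny"
    users: object = ALL       # ALL or a set of user names
    hosts: object = ALL       # ALL or a set of host names
    services: object = ALL    # ALL or a set of PAM service names
    enabled: bool = True

    @staticmethod
    def _member(category, value):
        return category == ALL or value in category

    def matches(self, req):
        return (self._member(self.users, req.user)
                and self._member(self.hosts, req.host)
                and self._member(self.services, req.service))


@dataclass
class HbacRequest:
    user: str
    host: str
    service: str


def evaluate_legacy(rules, req):
    """Pre-change semantics: a matching DENY rule wins over any ALLOW rule."""
    active = [r for r in rules if r.enabled and r.matches(req)]
    if any(r.type == "deny" for r in active):
        return False
    return any(r.type == "allow" for r in active)


def evaluate(rules, req, deny_rule_policy="denyall"):
    """Proposed transitional semantics.

    deny_rule_policy="denyall" (default): if any enabled DENY rule exists,
    every request fails and the log points at the offending rules.
    deny_rule_policy="ignore": DENY rules are skipped (with a warning) and
    access is decided by ALLOW rules alone, as after the transition.
    """
    if deny_rule_policy not in ("denyall", "ignore"):
        raise ValueError("deny_rule_policy must be 'denyall' or 'ignore'")
    deny_rules = [r for r in rules if r.enabled and r.type == "deny"]
    if deny_rules and deny_rule_policy == "denyall":
        for r in deny_rules:
            log.error("HBAC DENY rule %r found; DENY rules are no longer "
                      "supported. Denying ALL access until it is removed "
                      "on the server (or set deny_rule_policy=ignore).", r.name)
        return False
    for r in deny_rules:
        log.warning("Ignoring unsupported HBAC DENY rule %r "
                    "(deny_rule_policy=ignore)", r.name)
    # Allow-only semantics: access is granted iff some enabled ALLOW rule matches.
    return any(r.enabled and r.type == "allow" and r.matches(req) for r in rules)


# Constructed sample rule set: everyone may use sshd, except bob.
SAMPLE_RULES = [
    HbacRule("allow_all_ssh", "allow", services={"sshd"}),
    HbacRule("deny_bob_ssh", "deny", users={"bob"}, services={"sshd"}),
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s: %(message)s")
    bob = HbacRequest("bob", "web1.example.test", "sshd")
    alice = HbacRequest("alice", "web1.example.test", "sshd")
    print("legacy  :", evaluate_legacy(SAMPLE_RULES, alice), evaluate_legacy(SAMPLE_RULES, bob))
    print("denyall :", evaluate(SAMPLE_RULES, alice), evaluate(SAMPLE_RULES, bob))
    print("ignore  :", evaluate(SAMPLE_RULES, alice, "ignore"), evaluate(SAMPLE_RULES, bob, "ignore"))
```

The interesting case is bob: under the old semantics he is denied, under `ignore` he is silently granted access by the broad ALLOW rule, and under the default `denyall` nobody logs in at all. That last outcome is what surfaces the misconfiguration during test upgrades instead of letting the first case quietly become the second.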