[Freeipa-users] User Roles and access in GUI

Tue Apr 16 15:16:27 UTC 2013

On 04/16/2013 04:25 PM, Dmitri Pal wrote:
> On 04/16/2013 03:38 AM, Martin Kosek wrote:
>> On 04/16/2013 03:16 AM, Dmitri Pal wrote:
>>> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>>> I agree it won't be a security feature nor you are doing wrong by not adding
>>>> it. However, it might come as nice to have feature. Let me explain you my
>>>> condition.
>>>>
>>>> We host web application where lot of DNS entries (Public and Internal) are
>>>> created for different kind of requests and features. Now we already have a
>>>> separate DNS server, Separate Manual Linux User/Access Control management by
>>>> puppet. Linux users   ACL have no relationship with the web application user
>>>> (which is internal to the web app). 
>>>>
>>>> So FreeIPA can help me to centralize the Linux user-management as well as
>>>> (Public and Internal) DNS. However, the problem is : traditionally the access
>>>> levels were different for DNS users (support guys) and user management
>>>> (sysadmins). Now bring both system together even the Host based access
>>>> control, sudoers rule everything becomes visible to non-sysadmin group.
>>>>
>>>> You are right that every user could query all entries from command line and
>>>> hence it won't help  to secure the system, but not having it on GUI may help
>>>> to avoid "obvious" visibility of the whole directory.
>>>>
>>>> I believe similar GUI "views" could be applied for discussion 
>>>>
>>>> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>>>>
>>>> where geographically separate Organization units may share the same directory
>>>> with limited visibility on other branches.
>>>>
>>>>
>>>> Having said that, I am not sure how feasible/logical my view is owing to my
>>>> limited knowledge in 389 directory server and IPA.
>>> I think you are talking about this: https://fedorahosted.org/freeipa/ticket/217
>>> and somewhat about this https://fedorahosted.org/freeipa/ticket/1313
>>>
>>> Would you mind adding the details of your use case to one of those two tickets?
>>>
>>> Alternatively we can start another ticket.
>>> However I think we should have some kind of a complete solution that covers
>>> LDAP, UI and CLI consistently.
>>> Doing it right would be a huge task IMO.
>>> For LDAP we would probably have to implement some kind of "smart" proxy that
>>> would reply only to the requests that user are entitled to. Same with CLI and
>>> UI. But the point is that one configuration should be respected by all three at
>>> the same time. For example if you are not allowed to manage sudo the sudo
>>> commands should not return any data as well as LDAP searches and there should
>>> be no panel in the UI.
>>>
>>> I am really reluctant to fix just UI because we would end up different
>>> components of the system behaving differently and it would be hard to evolve
>>> them and maintain.
>>>
>>> Thanks
>>> Dmitri
>>>
>> I think there were some related discussions about this. I agree that this a
>> bigger effort, but I do think that a proxy is needed. We should be able to
>> achieve that goal by being able to disable global ACI allowing read access to
>> all entries and attributes unless those explicitly blacklisted.
>>
>> I think we are talking about this ticket:
>> https://fedorahosted.org/freeipa/ticket/2786
> 
> 
> Actually no. I see it on a much broader scale than in this ticket.
> I am thinking about blacklisting components like: sudo, hbac, selinux,
> DNS, hosts, users, services etc.
> Have a way to completely hide those areas from the user.
> It would get pretty complex right away as the dependencies are hierarchical.

This is what I meant. We could offer disabling the global ACI granting read
access to everyone and let admins assign read privileges only to functions
(HBAC, SUDO, SELinux, ...) they want. I tried to sum all these thoughts to this
upstream ticket:

https://fedorahosted.org/freeipa/ticket/3566

Comments and suggestions from FreeIPA users welcome!

Thanks,
Martin