[katello-devel] ldap integration expected behavior with a 1:2 User:Group scenario.

Eric Sammons esammons at redhat.com
Wed Sep 5 17:54:06 UTC 2012 

----- Original Message -----
> On 09/05/2012 01:31 PM, Eric Sammons wrote:
> > I have a scenario where i have a user, lets call him user1, and
> > user1 is a member of two LDAP groups; groupReadOnly and
> > groupAdmin.  Yes this is odd but it could happen.  In Katello, I
> > have setup ldap groups as follow:  groupReadOnly is a member of
> > role Read Everything and groupAdmin is a member of the
> > Administrator role.  In this setup, it appears that when user1
> > logs in they will get the permissions of Administrator, if I did
> > my ABCs correctly.
> >
> > Are there any plans to address this scenario, it may be that I want
> > user1 to have Read Everything permissions and with the current
> > behavior this would not be possible
> Why would you put user1 in the groupAdmin ldap group and associate
> with
> the Administer role if you did not want to give user1 all permissions
> associated with that role?
> 
> Roles in katello are additive.  So in the above scenario I would
> fully
> expect the user to be able to do everything that either the "Read
> Everything" role and the "Administer" role can do together.
> 

While not the best example, it is the most extreme example.  The point of the exercise was to demonstrate that in the current code, alphabetical order (first group returned matching a role) wins.

> 
> > as roles applied are based on the first ldap group returned that
> > matches a role (ABCs).   This may be a matter of simply
> > documenting the behavior so that users are aware they may need to
> > establish specific LDAP groups to satisfy internal security
> > compliance.  With that, there are at least 3 options...
> >
> > Solution 1: The LDAP admin would need to create a unique group,
> > perhaps KatelloAdmin and KatelloReadEverything and then assign the
> > appropriate users to that group. (Document)
> >
> > Solution 2: Katello could pull back all results and then apply
> > policy (role) with least permission.
> >
> > Solution 3: Katello could pull back all results and then apply
> > policy (role) with greatest permission.
> Katello doesn't really have a way to determine which role has the
> "Greatest permission" or "Least Permission".  I'm not sure that there
> is
> a concrete way to do this.  You could have a role A with read on FOO
> and
> write on BAR and role B with write on FOO and Read on BAR.  How would
> we
> know which was 'greatest'?

This is pretty much what I was thinking, hence solution 1.  I believe this is a behavior we may need to cover in documentation that users belonging to multiple groups may need to be placed into a more specific group and then that group added to a Katello role.  This is the cleanest and most secure way to address the issue here.

Thanks!

> 
> >
> > Also, as a side note, in my testing it looks like user1 is placed
> > into both roles as a user based on the application of the group
> > role.  i.e. user1 is now a user member in Read Everything and
> > Administrator.  So my question is, do we need to clutter up the
> > user role membership if the ldap group membership already has the
> > information?  This may be desired behavior but wanted to put this
> > out there
> 
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel
>

More information about the katello-devel mailing list