#1108 [RFE] SUDO: Support the IPA schema
Closed: Fixed None by jhrozek. Opened 6 years ago by jhrozek.

The IPA server stores the sudo rules a little differently. We need to support the native sudo schema in 1.8.

This would require:

  • downloading and storing the rules in sysdb in a defined format (probably the same as on server)
  • when sending the data to sudo from the sudo responder, convert them to the format sudo understands

Fields changed

cc: => pbrezina

Fields changed

component: SSSD => SUDO Provider

I disagree on the plan here. We should not be storing the rules in the sysdb in a specialized format. The point of the sysdb is that it should provide a common interface for the responder. It can contain additional attributes that are provider-specific, but the responder MUST be able to read the sysdb in its expected format.

So the IPA provider MUST do the conversion before storing the data in the sysdb.

Fields changed

component: SUDO Responder => IPA Provider

Replying to [comment:3 sgallagh]:

I disagree on the plan here. We should not be storing the rules in the sysdb in a specialized format. The point of the sysdb is that it should provide a common interface for the responder. It can contain additional attributes that are provider-specific, but the responder MUST be able to read the sysdb in its expected format.

So the IPA provider MUST do the conversion before storing the data in the sysdb.

I concur, the architecture is that the responder is as fast as possible and does as little computation as possible, while the providers digest the data in a format that is common to all provider implementations. You definitely do not want to have to manage different schemas in the responder and translate over and over again.
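The conversion that the ticket description and the two comments above call for, as an added example that is not SSSD's or FreeIPA's own code: a provider-side translator from IPA's native sudo schema (ipaSudoRule entries with memberUser, memberHost, memberAllowCmd, memberDenyCmd, ipaSudoRunAs, ipaSudoOpt and the *Category flags) into the sudoers LDAP schema (sudoRole with sudoUser, sudoHost, sudoCommand, sudoRunAsUser, sudoRunAsGroup, sudoOption), so that what lands in sysdb is already in the one format the sudo responder reads. The attribute names are those of the public IPA and sudoers LDAP schemas; the directory entries, the suffix and the sample rule are constructed for the example. Group, host-group and denied-command values are rendered with the sudoers `%`, `+` and `!` prefixes, and a referenced DN that does not resolve contributes nothing rather than silently widening the rule.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

BASE = "dc=example,dc=test"  # constructed suffix

# Constructed sample directory keyed by DN; stands in for the IPA LDAP tree.
DIRECTORY: Dict[str, Entry] = {
    f"uid=alice,cn=users,cn=accounts,{BASE}":
        {"objectClass": ["posixaccount"], "uid": ["alice"]},
    f"cn=admins,cn=groups,cn=accounts,{BASE}":
        {"objectClass": ["ipausergroup"], "cn": ["admins"]},
    f"fqdn=web1.example.test,cn=computers,cn=accounts,{BASE}":
        {"objectClass": ["ipahost"], "fqdn": ["web1.example.test"]},
    f"cn=webservers,cn=hostgroups,cn=accounts,{BASE}":
        {"objectClass": ["ipahostgroup"], "cn": ["webservers"]},
    f"ipaUniqueID=c1,cn=sudocmds,cn=sudo,{BASE}":
        {"objectClass": ["ipasudocmd"], "sudoCmd": ["/usr/bin/systemctl restart httpd"]},
    f"ipaUniqueID=c2,cn=sudocmds,cn=sudo,{BASE}":
        {"objectClass": ["ipasudocmd"], "sudoCmd": ["/usr/bin/passwd"]},
    f"cn=services,cn=sudocmdgroups,cn=sudo,{BASE}":
        {"objectClass": ["ipasudocmdgrp"],
         "member": [f"ipaUniqueID=c1,cn=sudocmds,cn=sudo,{BASE}"]},
}

# objectClass -> (naming attribute, sudoers prefix): user groups get sudo's
# "%", host groups are emitted as netgroups with "+".
RENDER = {
    "posixaccount": ("uid", ""),
    "ipausergroup": ("cn", "%"),
    "ipahost": ("fqdn", ""),
    "ipahostgroup": ("cn", "+"),
    "ipasudocmd": ("sudoCmd", ""),
}


def resolve(dn: str, directory: Dict[str, Entry], prefix: str = "") -> List[str]:
    """Render a referenced DN as sudoers values. Command groups expand to their
    member commands. A DN that does not resolve yields nothing: a dangling
    reference must never widen a rule."""
    entry = directory.get(dn)
    if entry is None:
        return []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "ipasudocmdgrp" in classes:
        out: List[str] = []
        for member in entry.get("member", []):
            out.extend(resolve(member, directory, prefix))
        return out
    for cls, (attr, pfx) in RENDER.items():
        if cls in classes:
            return [prefix + pfx + v for v in entry.get(attr, [])]
    return []


def members(rule: Entry, category: str, dn_attr: str, ext_attr: str,
            directory: Dict[str, Entry]) -> List[str]:
    """Category 'all' becomes the sudoers keyword ALL; otherwise member DNs are
    resolved and external (non-IPA) names are passed through unchanged."""
    if any(v.lower() == "all" for v in rule.get(category, [])):
        return ["ALL"]
    out: List[str] = []
    for dn in rule.get(dn_attr, []):
        out.extend(resolve(dn, directory))
    out.extend(rule.get(ext_attr, []))
    return out


def convert_rule(rule: Entry, directory: Dict[str, Entry]) -> Optional[Entry]:
    """Map one ipaSudoRule entry to sudoRole attributes; None for a disabled
    rule, so it is never written to sysdb at all."""
    if any(v.upper() == "FALSE" for v in rule.get("ipaEnabledFlag", [])):
        return None
    role: Entry = {
        "cn": list(rule.get("cn", [])),
        "sudoUser": members(rule, "userCategory", "memberUser", "externalUser", directory),
        "sudoHost": members(rule, "hostCategory", "memberHost", "externalHost", directory),
    }
    if any(v.lower() == "all" for v in rule.get("cmdCategory", [])):
        role["sudoCommand"] = ["ALL"]
    else:
        cmds: List[str] = []
        for dn in rule.get("memberAllowCmd", []):
            cmds.extend(resolve(dn, directory))
        for dn in rule.get("memberDenyCmd", []):
            cmds.extend(resolve(dn, directory, prefix="!"))  # sudoers negation
        role["sudoCommand"] = cmds
    run_as = members(rule, "ipaSudoRunAsUserCategory", "ipaSudoRunAs",
                     "ipaSudoRunAsExtUser", directory)
    if run_as:
        role["sudoRunAsUser"] = run_as
    run_as_group = members(rule, "ipaSudoRunAsGroupCategory", "ipaSudoRunAsGroup",
                           "ipaSudoRunAsExtGroup", directory)
    if run_as_group:
        # sudoRunAsGroup holds bare group names, so drop the "%" RENDER adds.
        role["sudoRunAsGroup"] = [g[1:] if g.startswith("%") else g for g in run_as_group]
    for src, dst in (("ipaSudoOpt", "sudoOption"), ("sudoOrder", "sudoOrder"),
                     ("description", "description")):
        if rule.get(src):
            role[dst] = list(rule[src])
    return role


# Constructed sample rule in the IPA native schema.
SAMPLE_RULE: Entry = {
    "cn": ["restart-web"],
    "ipaEnabledFlag": ["TRUE"],
    "memberUser": [f"cn=admins,cn=groups,cn=accounts,{BASE}",
                   f"uid=alice,cn=users,cn=accounts,{BASE}"],
    "memberHost": [f"cn=webservers,cn=hostgroups,cn=accounts,{BASE}"],
    "externalHost": ["legacy.example.test"],
    "memberAllowCmd": [f"cn=services,cn=sudocmdgroups,cn=sudo,{BASE}"],
    "memberDenyCmd": [f"ipaUniqueID=c2,cn=sudocmds,cn=sudo,{BASE}"],
    "ipaSudoRunAsUserCategory": ["all"],
    "ipaSudoOpt": ["!authenticate"],
    "sudoOrder": ["10"],
}

if __name__ == "__main__":
    for attr, values in convert_rule(SAMPLE_RULE, DIRECTORY).items():
        for value in values:
            print(f"{attr}: {value}")
```

Running the block prints the sample rule as sudoRole attributes (`sudoUser: %admins`, `sudoCommand: !/usr/bin/passwd`, and so on). The design choice worth noting is the one the comments insist on: all schema knowledge, including the DN resolution and the category-to-ALL mapping, sits on the provider side, and the result is an ordinary sudoRole record that the responder can hand to sudo without knowing where it came from.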

Fields changed

blockedby: =>
blocking: =>
milestone: NEEDS_TRIAGE => SSSD 1.8 SUDO Support

Fields changed

rhbz: => 0

Fields changed

milestone: SSSD 1.8 SUDO Support => NEEDS_TRIAGE

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 NEEDS_TRIAGE

Fields changed

milestone: SSSD 1.9.0 NEEDS_TRIAGE => SSSD 1.9.0

As a part of this change, please separate SUDO from the ID provider part (for example the configuration doesn't have to be loaded when ID provider is loaded). See Jakub's autofs patch which does this very thing.

feature_milestone: =>

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.10 beta

Fields changed

rhbz: 0 =>

Fields changed

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

proposed_priority: => Optional

Fields changed

proposed_priority: Optional => Core

Fields changed

summary: SUDO: Support the IPA schema => [RFE] SUDO: Support the IPA schema

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD 1.11 beta => SSSD 1.10 beta

Fields changed

priority: major => critical

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Michal is working on this feature as part of his BC thesis.

changelog: =>
owner: pbrezina => mmsrubar
review: => 0
status: assigned => new

Unlinking RHEL RFE. It is only requiring the existence of the IPA sudo provider, not that it needs to use the native tree.

rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477], [https://bugzilla.redhat.com/show_bug.cgi?id=1036628 1036628] => [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477]

Fields changed

mark: => 0

Fields changed

patch: 0 => 1

The original intent was to implement this ticket to get rid of the compat tree. Since then, the compat tree is again used for legacy clients, so using the new sudo schema wouldn't gain us much.

milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: critical => minor
review: 0 => 1

Mass-moving tickets not planned for the next two releases.

Please reply with a comment if you disagree about the move.

milestone: SSSD 1.13 backlog => SSSD 1.15 beta

Moving to 1.13 and bumping priority, see the linked Fedora bug for reason why.

milestone: SSSD 1.15 beta => SSSD 1.14 beta
priority: minor => blocker
sensitive: => 0

This was requested by a downstream for inclusion sooner. The patches are on the list and should be reviewed.

milestone: SSSD 1.14 beta => SSSD 1.13.3

Fields changed

owner: mmsrubar => pbrezina
status: new => assigned

Since the implementation is being changed, I'm re-setting the 'patch submitted' flag.

patch: 1 => 0

Patches are under development and won't make the 1.13.3 release; moving to 1.13.4.

milestone: SSSD 1.13.3 => SSSD 1.13.4

Fields changed

patch: 0 => 1

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.4

2 years ago
