#2395 The config manipulation interface should use a system message bus helper and does not belong in infopipe
Closed: Invalid None Opened 5 years ago by simo.

While working on the ticket to make sssd run as non root (#2370), it turned out interfaces to let openlmi write sssd.conf have been added to infopipe daemon.

This is the wrong place to put such interfaces, and they should be moved to a helper that is started on demand by the system message bus and is unrelated to the infopipe. A helper is fine as reconfigurations are rare and the overhead of running a helper is minimal.

This will allow to avoid needing root access from the infopipe to change the sssd.conf file (or changing the sssd.conf file ownerhip to let non-root sssd modify it), making non-root sssd better as it will not be able to change configurations diorectly (the helper will run as root).


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.1

Fields changed

rhbz: => 0

Mass-moving all tickets that didn't make 1.12.1 into 1.12.2

milestone: SSSD 1.12.1 => SSSD 1.12.2

We need to do a release as requested by downstream. Moving tickets that are not fixed already or very close to acking to 1.12.3

milestone: SSSD 1.12.2 => SSSD 1.12.3

Fields changed

mark: => 0
priority: critical => major

Fields changed

owner: somebody => pbrezina

We need to finish some rootless sssd tasks first, then Pavel will do an assesment of this ticket.

Fields changed

milestone: SSSD 1.12.3 => SSSD 1.12.4

The sbus-related patches are landing on the list, but we realized during review that they're too big for 1.12, at least for the time being. We're going to commit them to master only for now and backport on request to avoid breaking 1.12.

milestone: SSSD 1.12.4 => Tools Deferred

Sorry, wrong milestone.

milestone: Tools Deferred => SSSD 1.13 alpha

Fields changed

summary: The openlmi interface should use a system message bus helper and does not belong in infopipe => The config manipulation interface should use a system message bus helper and does not belong in infopipe

Fields changed

milestone: SSSD 1.13 alpha => SSSD 1.13 backlog
sensitive: => 0

We should just rip out the config management API from SSSD completely..

milestone: SSSD 1.13 backlog => SSSD 1.14 alpha

Replying to [comment:13 jhrozek]:

We should just rip out the config management API from SSSD completely..

Can you please elaborate?

Replying to [comment:14 dpal]:

Replying to [comment:13 jhrozek]:

We should just rip out the config management API from SSSD completely..

Can you please elaborate?

We have a config API exposed on D-Bus. Because sssd.conf is currently writable as root only, this limits the IFP API to run as root as well. Now we have two options:
1. leave the D-Bus configuration API around, but move it to another D-Bus service started on demand. This is what simo was proposing earlier
2. Remove this D-Bus config API from SSSD completely.

Because AFAIK this API is only used by OpenLMI which is more or less dead, I was leaning towards 2. But whatever we do, I would really like the IFP responder to not run as root in 1.14. Implementing 1. would just be a bit more work and I'm not sure there would be any users.

I think we would still need the configuration API. Moving it to a service but not completing the work on that service until we need this API is fine but just ripping it out is IMO the wrong approach as this is how SSSD should be configured via tools like ansible and cockpit. I also suspect we will use it in future to manage SSSD configuration remotely via cockpit.

This needs a fair amount of work which is not in the scope of 1.14 unfortunately.

milestone: SSSD 1.14 alpha => SSSD 1.15 beta

We actually removed the config manipulation completely.

resolution: => wontfix
status: new => closed

Metadata Update from @simo:
- Issue assigned to pbrezina
- Issue marked as blocked by: #2370
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 years ago

Login to comment on this ticket.

Metadata