#2491 Simple Access Provider - fail on non-existing objects in deny lists
Closed: wontfix 4 years ago by pbrezina. Opened 9 years ago by preichl.

As a result of the discussion on sssd-devel in the thread "simple access provider - don't fail on non-existing objects", we should deny access if any object on the deny list can't be resolved when SSSD is started.

This should protect the administrator from providing unintended access through accidental typos in the deny list.
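To make the risk concrete, here is a small added model of the simple access provider's allow/deny evaluation together with the fail-closed check this ticket proposes; it is example code written for this page, not SSSD's own implementation. The option names mirror the sssd.conf `simple_allow_users`/`simple_deny_users` family, and the in-memory directory is constructed sample data standing in for sysdb/LDAP (in a real deployment resolving a deny-list entry may require an LDAP lookup, which is the cost discussed below).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed directory: user -> groups. Names absent here are "unresolvable",
# exactly like a typo in a deny list that matches no real object.
DIRECTORY = {
    "alice": {"admins", "staff"},
    "bob": {"staff"},
    "mallory": {"contractors"},
}
KNOWN_GROUPS = {g for gs in DIRECTORY.values() for g in gs}


@dataclass
class SimpleAccessConfig:
    """Model of the simple_allow_*/simple_deny_* options (hypothetical names)."""
    allow_users: set[str] = field(default_factory=set)
    allow_groups: set[str] = field(default_factory=set)
    deny_users: set[str] = field(default_factory=set)
    deny_groups: set[str] = field(default_factory=set)


def unresolved_deny_entries(cfg: SimpleAccessConfig) -> set[str]:
    """Deny-list entries that resolve to no existing user or group."""
    bad_users = {u for u in cfg.deny_users if u not in DIRECTORY}
    bad_groups = {g for g in cfg.deny_groups if g not in KNOWN_GROUPS}
    return bad_users | bad_groups


def simple_access(user: str, cfg: SimpleAccessConfig,
                  fail_on_unresolved: bool = False) -> bool:
    """Return True if access is granted. Deny lists win over allow lists."""
    if fail_on_unresolved and unresolved_deny_entries(cfg):
        return False  # ticket's proposal: an unresolvable deny entry fails closed
    groups = DIRECTORY.get(user, set())
    if user in cfg.deny_users or groups & cfg.deny_groups:
        return False
    if not cfg.allow_users and not cfg.allow_groups:
        return True  # no allow lists configured: everyone not denied gets in
    return user in cfg.allow_users or bool(groups & cfg.allow_groups)


if __name__ == "__main__":
    typo = SimpleAccessConfig(deny_users={"malory"})  # admin meant "mallory"
    print("unresolved deny entries:", unresolved_deny_entries(typo))
    print("lenient model lets mallory in:", simple_access("mallory", typo))
    print("fail-closed model denies:",
          not simple_access("mallory", typo, fail_on_unresolved=True))
```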


1.13 for now. Chances are, downstream will request this fix, but let's move the ticket up when they do.

milestone: NEEDS_TRIAGE => SSSD 1.13 beta

Fields changed

rhbz: => todo

Probably just needs re-testing and a better error message. The functionality should be there already.

milestone: SSSD 1.13 beta => SSSD 1.13 backlog

Mass-moving tickets not planned for the 1.13 release to 1.14

milestone: SSSD 1.13 backlog => SSSD 1.14 beta

Pavel, I thought we already do this. Can you re-test and close if that's the case? If we just need to add a better error message, please add one.

If this turns out to be more work than a couple of hours, please defer to a later milestone.

sensitive: => 0

Replying to [comment:5 jhrozek]:

> Pavel, I thought we already do this. Can you re-test and close if that's the case? If we just need to add a better error message, please add one.
>
> If this turns out to be more work than a couple of hours, please defer to a later milestone.

Jakub, we definitely don't do that now.

Users in the deny list are not necessarily in sysdb, so we might have to contact LDAP, and if the list is long it could take a while. So I assume we should not expect to have the knowledge at start-up.

I think this won't be an easy task. I think a design document should be written.

Triage - 1.15? I'm willing to work on this earlier but I'm not sure about its priority.

milestone: SSSD 1.14 beta => NEEDS_TRIAGE

Replying to [comment:6 preichl]:

> Replying to [comment:5 jhrozek]:
>
> > Pavel, I thought we already do this. Can you re-test and close if that's the case? If we just need to add a better error message, please add one.
> >
> > If this turns out to be more work than a couple of hours, please defer to a later milestone.
>
> Jakub, we definitely don't do that now.

Hmm, I thought that 82a958e does that?

> Users in the deny list are not necessarily in sysdb, so we might have to contact LDAP, and if the list is long it could take a while. So I assume we should not expect to have the knowledge at start-up.
>
> I think this won't be an easy task. I think a design document should be written.
>
> Triage - 1.15? I'm willing to work on this earlier but I'm not sure about its priority.

I don't think this is urgent, so 1.15 is OK with me.

Replying to [comment:7 jhrozek]:

> Replying to [comment:6 preichl]:
>
> > Replying to [comment:5 jhrozek]:
> >
> > > Pavel, I thought we already do this. Can you re-test and close if that's the case? If we just need to add a better error message, please add one.
> > >
> > > If this turns out to be more work than a couple of hours, please defer to a later milestone.
> >
> > Jakub, we definitely don't do that now.
>
> Hmm, I thought that 82a958e does that?

No, I think the patch you refer to just changes Simple AC to not deny access if some of the user's groups failed to be resolved but the deny list for groups is empty.

This ticket should be about trying to look up all objects on the deny lists to be sure that no typo is present (unless the typo would result in the name of an existing object...).

> > Users in the deny list are not necessarily in sysdb, so we might have to contact LDAP, and if the list is long it could take a while. So I assume we should not expect to have the knowledge at start-up.
> >
> > I think this won't be an easy task. I think a design document should be written.
> >
> > Triage - 1.15? I'm willing to work on this earlier but I'm not sure about its priority.
>
> I don't think this is urgent, so 1.15 is OK with me.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15 beta

deny lists are frowned upon, I would defer

review: 0 => 1
selected: => May

Fields changed

milestone: SSSD Future releases (no date set yet) => SSSD Patches welcome

Metadata Update from @preichl:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on a recent SSSD, you can request reconsideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3533

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
