#3449 Fleet Commander with SSSD: Having to specify a host or hostgroup to get profiles apply to an user
Closed: Fixed 4 years ago Opened 4 years ago by ogutierrez.

Right now, in Fleet Commander, we can create a profile and assign that profile to a single user. That profile should be assigned to that user whatever the host he logs in.

Right now, the way FreeIPA and SSSD works is that profile is not being applied unles you specify a valid host for the profile. We have worked that around creating a group with all hosts in it and an automember rule for adding all new hosts to that group. Then fleet commander handles it under the hood so the user does not have to specify any host/hostgroup to get that behavior.

After me and @aruiz were talking with @abbra and @fidencio they explained the way SSSD works is to not retrieve anything not related to the host it is running, and @abbra suggested some kind of ACL development to allow the behavior we exposed.

So this bug is mainly to discuss the options for getting that behavior and ask for the implementation.


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0

4 years ago

There are several aspects here:

  • deskprofile plugin needs to add support for category 'ALL' like HBAC rules do
  • deskprofile plugin needs to create a special ACI to handle the case when category 'ALL' is added to give access to the profile's json data. A normal ACI only gives the access to the members of the profile rule, this one would need to be a public (authenticated users) one
  • SSSD needs to learn how to handle category ALL case

I've talked to @abbra on IRC and the SSSD part of this feature request is already implemented.

I'll keep this bug opened till the Fleet Commander patches get merged and till https://github.com/abbra/freeipa-desktop-profile/issues/3 is resolved.

Metadata Update from @fidencio:
- Issue assigned to fidencio

4 years ago

Metadata Update from @fidencio:
- Custom field patch adjusted to on

4 years ago

Sorry, if this is part of the PR under review, then we should move this to 1.15.4..

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.16.0)
- Issue tagged with: PR

4 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

4 years ago

@fidencio for now I'm moving the ticket to 1.16.1, but please let me know if that is the right milestone or if we should close the ticket or move it elsewhere

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.15.4)

4 years ago

This issue had been fixed by @abbra by updating the ACLs on freeipa-desktop-profiles (https://github.com/abbra/freeipa-desktop-profile/commit/194ca4410ffcdcafa3f870ff4513649e273649ea) and AFAIK @fidencio did the modifications needed in SSSD to work with that.

@ogutierrez, I did the fix, indeed. But I'd like to only close this bug when your changes on FleetCommander side are done and you get back to us saying that both mine and @abbra changes are working as expected.

I completely lost track of this. I tested the fix and it worked perfectly. In fact, I added the patch to FLeet Commander maybe one or two weeks after your modifications and I thing I reported back on IRC but not here.

It is already done and tested, and it is working like a charm.

Okay, so I'm closing the ticket as the fix was part of https://github.com/SSSD/sssd/pull/241

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.16.1)
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @fidencio:
- Issue status updated to: Open (was: Closed)

4 years ago

Seems that this issue was not actually fixed as Oliver just found out a crash happening when user category or host category is set.

Here's the PR: https://github.com/SSSD/sssd/pull/495

I've tested the fix built by Fabiano for this PR and now it worked perfectly.

Thanks for the work done on this.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1538643

4 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4476

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata