FreeIPA has a global ACI which grants read access to all (anonymous by default) users of the server:
{{{
aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
}}}
This ACI allows access to all entries and their attributes when not blacklisted in the ACI. This approach is not flexible in the first place when more attributes or entries need to be added. Some users may also want to limit access of users and groups only to the section such users need to read or write.
For example, an admin may want a DNS admin to be able to access only DNS zones, but not HBAC, SELinux or SUDO rules, etc. There should be a simple UI that would be able to grant read/write access to whole FreeIPA functions (like SUDO, HBAC, users, groups) to chosen FreeIPA users and groups. Same with particular attributes in these functions. We already have write access covered via permissions, we just need to also cover the read access.
Preliminary design:

 1. Remove global ACI granting read access for everyone
 2. Add read permissions for all our functions, e.g. Read HBAC rule, Read HBAC service, etc. We need to make sure that users with these permissions also have access to the container entry itself (cn=hbacservices,cn=hbac,$SUFFIX) and not just the actual HBAC rules.
 3. Add these read permissions to respective privileges we already have
 4. Add new privileges granting read-only access to the respective functions (e.g. User consumers, HBAC consumers) which admins could use to assign access to chosen functions only. By default we may want to have all users (i.e. ipausers) have these read permissions assigned.
 5. Update UI to avoid displaying pages and sections that the authenticated user does not have access to. We will probably need to update the metadata that the UI grabs so that it knows which functions a user can control and which not.
 6. Optionally also check if CLI can be enhanced this way
 7. Optionally add API to grant read/write access also to system accounts (like sudo daemon): #2801.
This RFE is a follow-up for a freeipa-users thread.
Put into June for now and then we will re-triage when we do the planning
Updating preliminary design to make it more clear. Bumping priority as we hit the global ACI issue more often (as with new OTP feature).
Note that with this fix we should be able to drop the following deny rules configured in default-aci.ldif:
{{{
dn: $SUFFIX
aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

dn: cn=hbac,$SUFFIX
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)

dn: cn=sudo,$SUFFIX
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
}}}
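The global "Enable Anonymous access" ACI from the ticket description and the deny rules above are decided by the same 389-ds evaluation rule (any matching deny wins, otherwise any matching allow grants), so one small evaluator can show why the blacklist approach is brittle and what design steps 1 and 2 change. The code below is an added illustration, not FreeIPA or 389-ds code: it implements only the subset of ACI syntax these rules use (target with `*` wildcards, targetattr, allow/deny with a rights list, userdn against `ldap:///anyone` or `ldap:///all`) and ignores the rest of the ACI model (targetfilter, groupdn, bind rules, ACI inheritance details). `$SUFFIX` is replaced by a constructed placeholder, the entry DNs and the attribute name `someNewSecret` are constructed, and the "Read HBAC rules (constructed)" ACI is a stand-in for an explicit read permission of the kind step 2 proposes, not FreeIPA's real managed permission.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple

SUFFIX = "dc=example,dc=test"  # constructed placeholder for FreeIPA's $SUFFIX
_TARGET = re.compile(r'\(target\s*(!?=)\s*"ldap:///([^"]*)"\)', re.I)
_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*userdn\s*(!?=)\s*"ldap:///(anyone|all)"', re.I)


@dataclass(frozen=True)
class Aci:
    scope: str                                # DN the ACI sits on; it covers that subtree
    effect: str                               # "allow" or "deny"
    rights: FrozenSet[str]
    target: Optional[Tuple[bool, str]]        # (negated, DN pattern with '*' wildcards)
    targetattr: Tuple[bool, FrozenSet[str]]   # (negated, lowercase attribute names or {"*"})
    userdn: Tuple[bool, str]                  # (negated, "anyone" or "all")

    def applies(self, dn, attr, authenticated, right="read"):
        dn_l, scope_l = dn.lower(), self.scope.lower()
        if right not in self.rights or not (dn_l == scope_l or dn_l.endswith("," + scope_l)):
            return False
        if self.target is not None:
            negated, pattern = self.target
            if fnmatchcase(dn_l, pattern.lower()) == negated:
                return False
        negated, attrs = self.targetattr
        if ("*" in attrs or attr.lower() in attrs) == negated:
            return False
        negated, who = self.userdn  # anyone = every bind incl. anonymous; all = authenticated binds only
        return (who == "anyone" or authenticated) != negated


def parse_aci(text, scope):
    """Parse one ACI value attached to the entry `scope` (only the subset of 389-ds syntax used here)."""
    rule, attrs, tgt = _RULE.search(text), _TARGETATTR.search(text), _TARGET.search(text)
    if not rule or not attrs:
        raise ValueError("unsupported ACI: need allow/deny, userdn anyone|all and a targetattr")
    effect, rights, user_op, who = rule.groups()
    return Aci(scope, effect.lower(), frozenset(r.strip().lower() for r in rights.split(",")),
               (tgt.group(1) == "!=", tgt.group(2)) if tgt else None,
               (attrs.group(1) == "!=", frozenset(a.strip().lower() for a in attrs.group(2).split("||"))),
               (user_op == "!=", who.lower()))


def read_allowed(acis, dn, attr, authenticated):
    """389-ds decision rule: any matching deny wins, otherwise any matching allow grants."""
    hits = [a for a in acis if a.applies(dn, attr, authenticated)]
    return not any(a.effect == "deny" for a in hits) and any(a.effect == "allow" for a in hits)


# The ticket's global ACI and deny rules, re-typed with $SUFFIX substituted and line-wrap spaces removed.
GLOBAL_READ = parse_aci(
    '(target != "ldap:///idnsname=*,cn=dns,%s")(targetattr != "userPassword || krbPrincipalKey || '
    'sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || '
    'ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)' % SUFFIX, scope=SUFFIX)
DENY_HBAC = parse_aci('(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; '
                      'deny (read,search,compare) userdn != "ldap:///all";)', scope="cn=hbac," + SUFFIX)
DENY_SUDO = parse_aci('(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,%s")(version 3.0; '
                      'acl "No anonymous access to sudo"; deny (read,search,compare) '
                      'userdn != "ldap:///all";)' % SUFFIX, scope=SUFFIX)
# Constructed stand-in for design step 2 (an explicit, attribute-listed read permission for
# authenticated users); not FreeIPA's actual managed permission definition.
READ_HBAC = parse_aci('(targetattr = "cn || description || ipaenabledflag")(version 3.0; '
                      'acl "Read HBAC rules (constructed)"; allow (read,search,compare) '
                      'userdn = "ldap:///all";)', scope="cn=hbac," + SUFFIX)

USER = "uid=alice,cn=users,cn=accounts," + SUFFIX            # constructed entry DNs
HBAC_RULE = "ipauniqueid=1234,cn=hbacrules,cn=hbac," + SUFFIX
HBAC_CONTAINER = "cn=hbacrules,cn=hbac," + SUFFIX
SUDO_RULE = "cn=allow-all,ou=SUDOers," + SUFFIX
DNS_ZONE = "idnsname=example.test,cn=dns," + SUFFIX


def blacklist_model():
    """Current setup: global allow with an attribute blacklist, patched by per-container deny rules."""
    acis = [GLOBAL_READ, DENY_HBAC, DENY_SUDO]
    return {
        "anon_mail": read_allowed(acis, USER, "mail", False),
        "anon_userpassword": read_allowed(acis, USER, "userPassword", False),
        # an attribute added later (constructed name) stays readable until someone extends the blacklist
        "anon_new_secret": read_allowed(acis, USER, "someNewSecret", False),
        "anon_dns": read_allowed(acis, DNS_ZONE, "idnsname", False),
        "anon_hbac": read_allowed(acis, HBAC_RULE, "cn", False),
        "auth_hbac": read_allowed(acis, HBAC_RULE, "cn", True),
        "anon_sudo": read_allowed(acis, SUDO_RULE, "cn", False),
    }


def whitelist_model():
    """Design steps 1-2: global ACI removed, access comes only from explicit read permissions."""
    acis = [READ_HBAC]
    return {
        "anon_hbac": read_allowed(acis, HBAC_RULE, "cn", False),
        "auth_hbac_cn": read_allowed(acis, HBAC_RULE, "cn", True),
        "auth_hbac_container": read_allowed(acis, HBAC_CONTAINER, "cn", True),  # container covered by scope
        "auth_hbac_new_secret": read_allowed(acis, HBAC_RULE, "someNewSecret", True),
        "auth_user_mail": read_allowed(acis, USER, "mail", True),  # needs its own read permission
    }
```

Calling `blacklist_model()` shows the two properties the ticket is about: an unlisted attribute (`anon_new_secret`) is readable anonymously under the blacklist, and the deny rules only mask HBAC and SUDO for anonymous binds while every authenticated user still reads them. `whitelist_model()` shows the inverse under explicit permissions: nothing is readable unless a permission grants it, attributes outside the listed set stay closed, and the container entry is covered because the ACI's scope includes it (which is why step 2 warns about the container).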
Moving to Pilsner bucket, this won't fit in 3.3 release.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=976382 (RHEL RFE)
3.4 development was shifted by one month, moving tickets to reflect reality better.
Preparatory refactorings:
master:
dbf10b8 Improve permission plugin test cleanup
2c433cd Use new ipaldap entry API in aci and permission plugin
dadf7cd Help plugin: don't fail if a topic's module is not found
15618be Fix invalid assumption NSS initialization check in SSLTransport
62890ca Fix indentation in permission plugin tests
7051f51 Update Permission and ACI plugins to decorator registration API
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
I've split out the preparations for the comprehensive solution to https://fedorahosted.org/freeipa/ticket/4034, https://fedorahosted.org/freeipa/ticket/4032 and https://fedorahosted.org/freeipa/ticket/4033.
This ticket can now be used to track an effort to do this in a simpler way (ACI only, not user-manageable) so we can feel the impact of reduced permissions earlier in the dev cycle.
Added metadata & update plugin for default permissions:
Patches are continuously landing, switching the on review flag.
This ticket is not complete yet, moving to next month milestone.
master:
39327db Add managed read permissions to HBAC objects
fb2f0ae Document the managed permission updater operation
The backend work for read permissions, and UI for managing them, is done. Remaining work:
Issues found in Web UI testing with a normal user with an empty role attached:
{{{ {"method":"user_add","params":[[],{"givenname":"afg","sn":"asf"}]} }}}
{{{
[Tue May 27 15:25:05.656018 2014] [:error] [pid 26225] ipa: DEBUG: user_add(u'aasf', givenname=u'afg', sn=u'asf', cn=u'afg asf', displayname=u'afg asf', initials=u'aa', gecos=u'afg asf', krbprincipalname=u'aasf@IDM.LAB.ENG.BRQ.REDHAT.COM', random=False, noprivate=False, all=False, raw=False, no_members=False)
[Tue May 27 15:25:05.692293 2014] [:error] [pid 26225] ipa: ERROR: non-public: IndexError: list index out of range
[Tue May 27 15:25:05.692314 2014] [:error] [pid 26225] Traceback (most recent call last):
[Tue May 27 15:25:05.692318 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 343, in wsgi_execute
[Tue May 27 15:25:05.692322 2014] [:error] [pid 26225]     result = self.Command[name](*args, **options)
[Tue May 27 15:25:05.692325 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:25:05.692328 2014] [:error] [pid 26225]     ret = self.run(*args, **options)
[Tue May 27 15:25:05.692332 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:25:05.692335 2014] [:error] [pid 26225]     result = self.execute(*args, **options)
[Tue May 27 15:25:05.692338 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1085, in execute
[Tue May 27 15:25:05.692341 2014] [:error] [pid 26225]     *keys, **options)
[Tue May 27 15:25:05.692344 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/user.py", line 644, in pre_callback
[Tue May 27 15:25:05.692347 2014] [:error] [pid 26225]     if not options.get('noprivate', False) and ldap.has_upg():
[Tue May 27 15:25:05.692350 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 308, in has_upg
[Tue May 27 15:25:05.692353 2014] [:error] [pid 26225]     attrlist=['*'])[0]
[Tue May 27 15:25:05.692356 2014] [:error] [pid 26225] IndexError: list index out of range
}}}
{{{ {"method":"cert_show","params":[["3"],{}]} }}}
{{{
"error": {
    "code": 2100,
    "message": "Insufficient access: No such virtual command",
    "name": "ACIError"
},
"id": null,
"principal": "fbar@IDM.LAB.ENG.BRQ.REDHAT.COM",
"result": null,
"version": "3.3.90GITab2d81b"
}}}
Self-service permission add and delegation add internal errors:
{{{
[Tue May 27 15:35:17.576194 2014] [:error] [pid 26226] ipa: DEBUG: aci_add(u'a', permissions=(u'write',), attrs=(u'audio', u'businesscategory'), selfaci=True, aciprefix=u'selfservice', test=False, all=False, raw=False, version=u'2.87')
[Tue May 27 15:35:17.605424 2014] [:error] [pid 26226] ipa: ERROR: non-public: KeyError: u'aci'
[Tue May 27 15:35:17.613269 2014] [:error] [pid 26226] Traceback (most recent call last):
[Tue May 27 15:35:17.613277 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 343, in wsgi_execute
[Tue May 27 15:35:17.613281 2014] [:error] [pid 26226]     result = self.Command[name](*args, **options)
[Tue May 27 15:35:17.613284 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:35:17.613288 2014] [:error] [pid 26226]     ret = self.run(*args, **options)
[Tue May 27 15:35:17.613290 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:35:17.613294 2014] [:error] [pid 26226]     result = self.execute(*args, **options)
[Tue May 27 15:35:17.613297 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py", line 133, in execute
[Tue May 27 15:35:17.613300 2014] [:error] [pid 26226]     result = api.Command'aci_add'['result']
[Tue May 27 15:35:17.613303 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:35:17.613306 2014] [:error] [pid 26226]     ret = self.run(*args, **options)
[Tue May 27 15:35:17.613309 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:35:17.613312 2014] [:error] [pid 26226]     result = self.execute(*args, **options)
[Tue May 27 15:35:17.613315 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py", line 549, in execute
[Tue May 27 15:35:17.613318 2014] [:error] [pid 26226]     entry['aci'].append(newaci_str)
[Tue May 27 15:35:17.613321 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 925, in __getitem__
[Tue May 27 15:35:17.613324 2014] [:error] [pid 26226]     return self._get_nice(name)
[Tue May 27 15:35:17.613327 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 888, in _get_nice
[Tue May 27 15:35:17.613330 2014] [:error] [pid 26226]     name = self._get_attr_name(name)
[Tue May 27 15:35:17.613333 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 884, in _get_attr_name
[Tue May 27 15:35:17.613336 2014] [:error] [pid 26226]     name = self._names[name]
[Tue May 27 15:35:17.613339 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 473, in __getitem__
[Tue May 27 15:35:17.613342 2014] [:error] [pid 26226]     return super(CIDict, self).__getitem__(key.lower())
[Tue May 27 15:35:17.613345 2014] [:error] [pid 26226] KeyError: u'aci'
}}}
Fixes for users and the ACIs are now in master:
Fixes for cert-show and krbtpolicy are being investigated/worked on.
More fixes in master:
Adding ACI.txt (and another ACI fix):
Marking as done. Any regressions should be tracked in separate tickets.
Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/06