#3979 [RFE] ID Views: add ability to centrally override specific user/group attributes
Closed: Fixed None Opened 5 years ago by simo.

In some cases it would be really beneficial to be able to create alternative views of the user/group database for specific users and for specific target clients.

A few use cases:

  • migration/consolidation of domains, where some clients cannot immediately switch to a unified set of names/uids/gids
  • migration/sync of AD domains where the source AD domain does not have posix names/uids/gids in the directory
  • AD trusts where the AD domains do not have posix attributes but the IDs were previously assigned to specific mapping algorithms (manually, samba various idmapping plugins, alternative LDAP servers, etc..) and need to be retained.

In all these cases it is very useful to have a special set of maps to override the values found by the sources.

For the AD sync/migration case there is a single map that operates as an override used by the plugin that generates the compat tree/trust tree.

The same map structure can also be used to generate specific "view maps" in alternate subtrees, that smart clients (SSSD) can use to locally override IDs. These maps are only stored in LDAP but not necessarily used by the server. They have a specific name that the smart client is configured to use directly or indirectly (for example by creating a host group and associating the "view map" to the host group).

These maps should use new objectclasses that mimic the posixAccount and posixGroup classes but have all attributes set to MAY, so that only specific attributes are overridden, not necessarily all of them.

Example classes To Be Discussed:

objectclass: ( $OID
               NAME 'ipaOverrideAnchor'
               DESC 'Anchors an override view to an object'
               SUP top STRUCTURAL
               MUST ( cn $ ipaAnchorUUID )
             )

objectclass: ( $OID
               NAME 'ipaUserView'
               DESC 'Overrides for User Attributes'
               SUP ipaOverrideAnchor STRUCTURAL
               MAY ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory $
                     loginShell $ gecos $ description )
             )

objectclass: ( $OID
               NAME 'ipaGroupView'
               DESC 'Overrides for Group Attributes'
               SUP ipaOverrideAnchor STRUCTURAL
               MAY ( cn $ gidNumber $ description )
             )

I haven't added overrides for group members as that may be a tad dangerous, however it should be discussed.

These maps are associated with the object via a UUID attribute (is this always ok? Is it too hard when mapping AD objects?).

A new subtree called views under cn=accounts is created, within which named subtrees are created. The 'default' subtree is used by the compat plugin to source overrides; any other tree is used by the smart clients directly.

Example:

 cn=default,cn=views,cn=accounts,$SUFFIX
 |_ cn=users
    |_ anchorUUID=123456...
 |_ cn=groups

BTW can we re-use some machinery from http://tools.ietf.org/html/draft-bannister-dbis-mapping-03 ? (I didn't look into the design, I'm just throwing ideas around :-))
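The overlay semantics proposed above (a host references one named view, a view holds per-object overrides keyed by an anchor, and every override attribute is MAY so only the attributes actually present replace the source values) can be modelled in a few dozen lines. The block below is an added illustration, not FreeIPA, SSSD or compat-plugin code; the view name, host names, UUID and user/group entries are constructed sample data, and the in-memory `Directory` class stands in for the LDAP tree under cn=views,cn=accounts.

```python
"""Overlay of ID-view overrides on user and group records.

Added illustration, not FreeIPA or SSSD code. Models the design in the
ticket: a host carries a reference to one named view, a view stores
overrides keyed by an anchor UUID, and only attributes present in an
override replace values from the source directory. All data is constructed.
"""
from typing import Dict, Optional, Set

Entry = Dict[str, str]

# Mirrors the MAY lists of the proposed ipaUserView / ipaGroupView classes.
# 'member' is absent on purpose: the ticket leaves membership overrides out.
OVERRIDABLE: Dict[str, Set[str]] = {
    "user": {"uid", "uidNumber", "gidNumber", "homeDirectory",
             "loginShell", "gecos", "description"},
    "group": {"cn", "gidNumber", "description"},
}

# Attributes whose override changes what the OS treats as the identity.
IDENTITY_ATTRS: Set[str] = {"uid", "uidNumber", "gidNumber", "cn"}


def is_overridable(attrs: Entry, allowed: Set[str]) -> bool:
    """True if every attribute in attrs is one the override class may carry."""
    return set(attrs) <= allowed


class IDView:
    """One named subtree under cn=views,cn=accounts: overrides by anchor."""

    def __init__(self, name: str) -> None:
        self.name = name
        # kind -> ipaAnchorUUID -> partial attribute set
        self.overrides: Dict[str, Dict[str, Entry]] = {"user": {}, "group": {}}

    def add(self, kind: str, anchor: str, **attrs: str) -> None:
        if not is_overridable(attrs, OVERRIDABLE[kind]):
            extra = sorted(set(attrs) - OVERRIDABLE[kind])
            raise ValueError("not a %s override attribute: %s" % (kind, extra))
        self.overrides[kind][anchor] = dict(attrs)


class Directory:
    """Views plus the per-host view reference (ipaAssignedIDView)."""

    def __init__(self) -> None:
        self.views: Dict[str, IDView] = {}
        self.host_view: Dict[str, str] = {}

    def add_view(self, view: IDView) -> None:
        self.views[view.name] = view

    def assign(self, host: str, view_name: str) -> None:
        if view_name not in self.views:
            raise KeyError("no such view: %s" % view_name)
        self.host_view[host] = view_name

    def view_for(self, host: str) -> Optional[IDView]:
        name = self.host_view.get(host)
        return self.views[name] if name else None


def resolve(directory: Directory, host: str, kind: str, entry: Entry) -> Entry:
    """What a client on `host` sees: entry with its override laid on top.

    A host without a view, or an anchor without an override, yields the
    source entry unchanged; attributes absent from the override are kept.
    """
    view = directory.view_for(host)
    override = view.overrides[kind].get(entry["ipaAnchorUUID"]) if view else None
    merged = dict(entry)
    if override:
        merged.update(override)
    return merged


def changed_identity(original: Entry, resolved: Entry) -> Set[str]:
    """Identity attributes the view rewrote (empty: only cosmetics changed)."""
    return {a for a in IDENTITY_ATTRS if original.get(a) != resolved.get(a)}


# Constructed sample: an AD-trust user and group whose POSIX ids come from an
# algorithmic idmap, and one host that must keep a legacy NIS assignment.
AD_USER: Entry = {
    "ipaAnchorUUID": "5e8f1a2c-7b61-4c3f-9a10-2d4e6f8a0b1c",
    "uid": "jdoe", "uidNumber": "1854200513", "gidNumber": "1854200513",
    "homeDirectory": "/home/ad.example.test/jdoe", "loginShell": "/bin/bash",
}
AD_GROUP: Entry = {
    "ipaAnchorUUID": "0c2b9d4e-11aa-4f00-8e7d-3b5c6d7e8f90",
    "cn": "developers", "gidNumber": "1854200600",
}


def build_sample() -> Directory:
    d = Directory()
    legacy = IDView("legacy-nis")
    legacy.add("user", AD_USER["ipaAnchorUUID"], uidNumber="10042",
               gidNumber="100", loginShell="/bin/ksh")
    legacy.add("group", AD_GROUP["ipaAnchorUUID"], gidNumber="100")
    d.add_view(legacy)
    d.assign("app1.example.test", "legacy-nis")
    return d


if __name__ == "__main__":
    d = build_sample()
    for host in ("app1.example.test", "web1.example.test"):
        seen = resolve(d, host, "user", AD_USER)
        print(host, seen["uidNumber"], seen["loginShell"],
              "rewrote:", sorted(changed_identity(AD_USER, seen)))
```

Two points the model makes visible: a host that is not assigned any view gets the source record untouched, which is the property that lets a mixed fleet be migrated one host group at a time; and `changed_identity` separates overrides that merely change a shell or home directory from those that reassign a uid or gid, which is the class of change worth reviewing since it alters file ownership and access decisions on the affected hosts.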

Based on the discussions at the Summit this is really the next big thing people are looking for us to implement around trusts. That would provide not only migration from NIS but also from LDAP based solutions that already manage POSIX attributes centrally. It would also allow migration from 3rd party solutions that people do not like but have to live with. If done with the views it will allow zoning in a similar way to some of the popular 3rd party solutions.

As we will be addressing these use cases in #3318 (4.2) I am moving the ticket there.

Prototype of similar activity using off the shelf tools described at:

http://www.freeipa.org/page/V4/Use_Case_for_Views:_Collaboration

The use case is a view which provides a "merged domain" of FreeIPA and upstream identities, where sensitive attributes which must not collide are managed centrally (i.e., by FreeIPA)

Requirements, implementation description, and evaluation included.

Framework part finished:

master:

  • 16f3786 idviews: Add necessary schema for the ID views
  • 6b14030 idviews: Create container for ID views under cn=accounts
  • be36525 idviews: Add ipaAssignedIDVIew reference to the host object
  • 3e2e5a4 ipalib: Remove redundant and star imports from host plugin
  • f48a7bb ipalib: PEP8 fixes for host plugin
  • b65b748 idviews: Create basic idview plugin structure
  • 377ab0c idvies: Add managed permissions for idview and idoverride objects
  • 936eaad hostgroup: Add helper that returns all members of a hostgroup
  • ce42bf2 hostgroup: Remove redundant and star imports
  • 6e94d23 hostgroup: Selected PEP8 fixes for the hostgroup plugin
  • f3576bd idviews: Add ipa idview-apply and idview-unapply commands
  • 186c161 idviews: Extend idview-show command to display assigned idoverrides and hosts
  • 6a798f1 trusts: Add conversion from SID to object name
  • d03b09b idviews: Support specifying object names instead of raw anchors only
  • b4a13ae idviews: Split the idoverride object into iduseroverride and idgroupoverride
  • cbf1ad8 idviews: Split the idoverride commands into iduseroverride and idgroupoverride
  • c6d50c4 idviews: Alter idoverride methods to work with splitted objects
  • 961790e idviews: Change format of IPA anchor to include domain
  • c1f51cf idviews: Raise NotFound errors if object to override could not be found
  • 3ff410d idviews: Resolve anchors to object names in idview-show
  • 8fb0e3a ipatests: Add xmlrpc tests for idviews plugin
  • 277b762 idviews: Add ipaOriginalUid
  • bba3769 idviews: Update the referential plugin config to watch for ipaAssignedIDView
  • 1d6f591 idviews: Fix casing of ID Views to be consistent
  • 2131187 idviews: Make description optional for the ID View object
  • b942575 idviews: Add Default Trust View as part of adtrustinstall
  • 13089ea idviews: Handle Default Trust View properly in the framework
  • dbf8d97 idviews: Make sure the dict.get method is not abused for MUST attributes
  • 4726857 idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor
  • 902655d idviews: Display the list of hosts when using --all
  • 5181693 idviews: Make sure only regular IPA objects are allowed to be overriden
  • 2a230b6 idviews: Create Default Trust View for upgraded servers

ipa-4-1:

  • 5b49a37 idviews: Add necessary schema for the ID views
  • 036ea78 idviews: Create container for ID views under cn=accounts
  • 6d6da4b idviews: Add ipaAssignedIDVIew reference to the host object
  • debfb01 ipalib: Remove redundant and star imports from host plugin
  • 81e3b1a ipalib: PEP8 fixes for host plugin
  • 6f3e3eb idviews: Create basic idview plugin structure
  • be916cc idvies: Add managed permissions for idview and idoverride objects
  • 1625423 hostgroup: Add helper that returns all members of a hostgroup
  • 457aca1 hostgroup: Remove redundant and star imports
  • 3831c9d hostgroup: Selected PEP8 fixes for the hostgroup plugin
  • b275ba6 idviews: Add ipa idview-apply and idview-unapply commands
  • 505039c idviews: Extend idview-show command to display assigned idoverrides and hosts
  • 3d89dff trusts: Add conversion from SID to object name
  • b8e9dea idviews: Support specifying object names instead of raw anchors only
  • aa39f40 idviews: Split the idoverride object into iduseroverride and idgroupoverride
  • d6bc044 idviews: Split the idoverride commands into iduseroverride and idgroupoverride
  • 959a1e0 idviews: Alter idoverride methods to work with splitted objects
  • 49ef84c idviews: Change format of IPA anchor to include domain
  • 8b59dfa idviews: Raise NotFound errors if object to override could not be found
  • 731e7a5 idviews: Resolve anchors to object names in idview-show
  • 7c339a8 ipatests: Add xmlrpc tests for idviews plugin
  • 50fa40b idviews: Add ipaOriginalUid
  • b8bf444 idviews: Update the referential plugin config to watch for ipaAssignedIDView
  • bdfa7ea idviews: Fix casing of ID Views to be consistent
  • 473fbe8 idviews: Make description optional for the ID View object
  • 57a08ad idviews: Add Default Trust View as part of adtrustinstall
  • 860a50f idviews: Handle Default Trust View properly in the framework
  • 0a7c10b idviews: Make sure the dict.get method is not abused for MUST attributes
  • 1551ff1 idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor
  • 60ea906 idviews: Display the list of hosts when using --all
  • ea1aac1 idviews: Make sure only regular IPA objects are allowed to be overriden
  • f0b6254 idviews: Create Default Trust View for upgraded servers

master:

  • 00457a9 idviews: Fix typo in upgrade handling of the Default Trust View

ipa-4-1:

  • 7ddebb6 idviews: Fix typo in upgrade handling of the Default Trust View

extdom enhancements:

master:

  • 0ee8fe1 extdom: add support for sss_nss_getorigbyname()
  • 43f8de0 extdom: remove unused dependency to libsss_idmap

ipa-4-1:

  • 85f229d extdom: add support for sss_nss_getorigbyname()
  • 99b10e5 extdom: remove unused dependency to libsss_idmap

sssd Requires was bumped.

master:

  • b6b19e0 spec: Bump SSSD requires to 1.12.2

ipa-4-1:

  • d969f73 spec: Bump SSSD requires to 1.12.2

This commit concludes the feature. Thanks everyone!

Metadata Update from @simo (2 years ago):
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.1
