There are some differences with the current SUDO CLI implementation.

1. The UI needs a rule status with values active & inactive. The CLI doesn't have this attribute. HBAC has an ipaenabledflag attribute which can be managed using hbac-enable/disable operations.
2. The UI needs a user category for the "Who" section. The CLI doesn't have this attribute. HBAC has a usercategory attribute which can be managed using hbac-add/mod operations.
3. The UI needs a host category for the "Access this host" section. The CLI doesn't have this attribute. HBAC has a hostcategory attribute which can be managed using hbac-add/mod operations.
4. The UI needs separate allow-command and deny-command categories for the "Run Command(s)" section. The CLI only has a single cmdcategory.
5. The UI needs separate run-as-user and run-as-group categories for the "As Whom" section. The UI also needs a way to manage the list of users/groups for the run-as-user, and the list of groups for the run-as-group. The CLI doesn't have these attributes or operations.
6. According to ticket #534, the UI needs to support adding external users, groups, and hosts. The current CLI doesn't seem to accept external values.
This blocks https://fedorahosted.org/freeipa/ticket/534.
In order to address #4 we will need to expand the schema to account for allowcmdcategory and denycmdcategory:
The cli can be coded to anticipate this change, but cannot fully take advantage of it until the schema is available.
Replying to [comment:2 jraquino]:
In order to address #4 we will need to expand the schema to account for allowcmdcategory and denycmdcategory: The UI needs separate allow-command and deny-command categories for the "Run Command(s)" section. The CLI only has a single cmdcategory. The cli can be coded to anticipate this change, but cannot fully take advantage of it until the schema is available.
Item 4 is correctly addressed in its current cli implementation. The command category attribute is implied as a permit when specifying cmdcategory=all, and is implied as a deny all if no data is present.
From Dmitri Pal: Schema is correct. I do not know about CLI - do not have time to check myself before tomorrow. But CLI should follow the logic I pasted in the email. The UI should follow the same logic I pasted below and this is what now is reflected in the UI design.
If no memberAllowCmd, memberDenyCmd or cmdCategory attribute is specified - no command is allowed.
If cmdCategory is specified (only value is "all") all other attributes are ignored and all commands are allowed.
If cmdCategory is not specified:
  If memberAllowCmd is specified it defines commands or groups of the commands that are allowed.
  If memberDenyCmd is specified it defines commands or groups of the commands that are not allowed.
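The command-category logic quoted above, written out as an added example (this is not FreeIPA's own code). The attribute names memberAllowCmd, memberDenyCmd and cmdCategory are the ones named in the comment; the entry shape (attribute name to list of values) mirrors the LDIF sample further down this page. Two things are assumptions of this example rather than statements from the ticket: sudo command groups are expanded through a small lookup table, and a command that appears in both the allow and the deny list is denied.

```python
# Added example, not FreeIPA's own code: evaluate the "Run Command(s)" logic
# quoted above for one sudorule entry. Attribute names come from the ticket;
# the entry shape (attribute -> list of values) mirrors the LDIF sample on
# this page. Assumptions: command groups are expanded via COMMAND_GROUPS, and
# a command listed in both allow and deny is denied.

LESS_CMD = "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo,dc=example,dc=com"
SYSTEMCTL_CMD = "sudocmd=/bin/systemctl,cn=sudocmds,cn=sudo,dc=example,dc=com"
LS_CMD = "sudocmd=/bin/ls,cn=sudocmds,cn=sudo,dc=example,dc=com"
ADMINTOOLS_GROUP = "cn=admintools,cn=sudocmdgroups,cn=sudo,dc=example,dc=com"

# Constructed sample data: command group DN -> DNs of its member commands.
COMMAND_GROUPS = {ADMINTOOLS_GROUP: {LESS_CMD, SYSTEMCTL_CMD}}


def expand_commands(values, groups=COMMAND_GROUPS):
    """Flatten a memberAllowCmd/memberDenyCmd value list into command DNs,
    replacing each command group DN by the commands it contains."""
    commands = set()
    for dn in values:
        commands |= groups.get(dn, {dn})
    return commands


def command_permitted(rule, command_dn):
    """Return True if `rule` lets `command_dn` run, per the quoted logic."""
    category = [v.lower() for v in rule.get("cmdCategory", [])]
    allow = rule.get("memberAllowCmd", [])
    deny = rule.get("memberDenyCmd", [])

    # 1. Nothing specified at all: no command is allowed (implicit deny all).
    if not category and not allow and not deny:
        return False

    # 2. cmdCategory present: its only valid value is "all", which overrides
    #    the member lists entirely. Anything else is a malformed entry.
    if category:
        if category != ["all"]:
            raise ValueError(f"unexpected cmdCategory value(s): {category}")
        return True

    # 3. cmdCategory absent: the explicit lists decide. Deny is consulted
    #    first (assumption), then the command must be in the allow list.
    if command_dn in expand_commands(deny):
        return False
    return command_dn in expand_commands(allow)


if __name__ == "__main__":
    rule = {"memberAllowCmd": [ADMINTOOLS_GROUP], "memberDenyCmd": [LESS_CMD]}
    for cmd in (LESS_CMD, SYSTEMCTL_CMD, LS_CMD):
        print(cmd.split(",")[0], "->", command_permitted(rule, cmd))
```

Note that under this reading a rule carrying only a memberDenyCmd list permits nothing: the deny list can only subtract from an allow list, it never grants. Any cmdCategory value other than "all" is treated as a malformed entry rather than silently ignored, which is the check a reviewer would want when the attribute is written by a CLI and a UI that may disagree.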
Sudo support for external users and hosts freeipa-jraquino-0009-SUDO-plugin-support-for-external-hosts-and-users.patch
Attached is the patch to provide cli support for external hosts and users.
This is accomplished similarly to the netgroup plugin.
If the plugin is input with a hostname/user that does not exist in the directory, the plugin will then assume that the User had intended for these objects to be inserted as 'external' entities. It accomplishes this in a post_callback.
Just like the netgroup plugin, this introduces a possible caveat where someone could mistype a user/host and have it inserted as an external entry, but the CLI attempts to reflect this in its output clearly stating that an External User or External Host has been added.
Please review.
Here is a sample sudorule containing external entries. Contained herein are externaluser and externalhost, as well as sudorunas and sudorunasgroup:
dn: ipaUniqueID=8a9103b8-06cc-11e0-b481-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: tester
ipaUniqueID: 8a9103b8-06cc-11e0-b481-8a3d259cb0b9
ipaSudoRunAs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
externalUser: testuser
externalHost: host1.example.com
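The post_callback behaviour described in the patch comment above (a user or host name that does not resolve in the directory is stored as an external entry, and the CLI reports it as such), as an added example that is not the FreeIPA sudorule or netgroup plugin code. The directory contents are constructed stand-ins for the real lookups, the attribute names follow the LDIF sample above, and the rule it builds reproduces that sample's externalUser/externalHost values.

```python
# Added example, not the FreeIPA sudorule or netgroup plugin code: names that
# do not resolve in the directory are stored as externalUser/externalHost,
# and each such addition is reported so a mistyped name does not pass silently.
# DIRECTORY_USERS/DIRECTORY_HOSTS are constructed stand-ins for the real lookups.

DIRECTORY_USERS = {"admin", "tuser"}
DIRECTORY_HOSTS = {"ipa.example.com"}


def split_external(names, known):
    """Return (found, external): names present in the directory and the rest."""
    found = [n for n in names if n in known]
    external = [n for n in names if n not in known]
    return found, external


def add_members(rule, users=(), hosts=()):
    """Add users/hosts to `rule` (attribute -> list of values). Unknown names
    go to externalUser/externalHost. Returns the report lines the CLI prints."""
    report = []
    for names, known, member_attr, ext_attr, label in (
        (users, DIRECTORY_USERS, "memberUser", "externalUser", "External User"),
        (hosts, DIRECTORY_HOSTS, "memberHost", "externalHost", "External Host"),
    ):
        found, external = split_external(names, known)
        if found:
            rule.setdefault(member_attr, []).extend(found)
        if external:
            rule.setdefault(ext_attr, []).extend(external)
        report.extend(f"{label} added: {name}" for name in external)
    return report


def build_rule(users=(), hosts=()):
    """Fresh rule with the given members; returns (rule, report)."""
    rule = {"cn": ["tester"], "ipaEnabledFlag": ["TRUE"]}
    return rule, add_members(rule, users, hosts)


if __name__ == "__main__":
    # "tusr" is a typo for "tuser": it lands in externalUser, which is the
    # caveat the patch description warns about, so the report must be read.
    rule, report = build_rule(users=["admin", "testuser", "tusr"],
                              hosts=["host1.example.com"])
    for line in report:
        print(line)
    print(rule)
```

The practitioner's check here is the report: because the fallback is silent at the data layer, a typo such as "tusr" is only detectable from the "External User added" line, so anything scripting the CLI should treat an unexpected external addition as an error rather than discard the output.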
Here is the final patch for sudorule external host and user support. This patch also adds support for adding/removing IpaSudoOpt values. (We somehow missed this until the last hour.)
This addresses item #6 in ticket 570: (https://fedorahosted.org/freeipa/ticket/570) (This ticket is remarked as critical and has a note: This blocks https://fedorahosted.org/freeipa/ticket/534.)
I have included modifications to the sudoplugin.py xmlrpc test to simplify review.
Please review and push.
Final patch for Item #6 freeipa-jraquino-0009-2-SUDO-plugin-support-for-external-hosts-and-users.patch
Patch ack'ed and pushed to master. Ticket marked as closed. Commit # fc8f7f9
There is a problem with item #5.
Currently we have the following attributes:
What's missing is:
Also, the following command only takes a --users parameter.
They should also take a --groups parameter for the ipasudorunas_group.
A minor issue: to be consistent with the run-as groups, it might be better to use ipasudorunasuser_ instead of just ipasudorunas_.
There is a problem with item #6.
Currently we have the corresponding external attributes for the following attributes:
- memberuser_user -> externaluser
- memberhost_host -> externalhost
What's missing is the corresponding external attributes for the following attributes:
- memberuser_group
- memberhost_hostgroup
The latest spec doesn't seem to require external attributes for the following attributes:
- ipasudorunas_user
- ipasudorunas_group
- ipasudorunasgroup_group
Please disregard my last comment about item #6. There's a problem with the spec, the current implementation is correct, there's only externaluser and externalhost.
The issue with item #5 is still valid.
Fix for #5 and externalrunas users, groups, compat, and corresponding tests freeipa-jraquino-0013-fix-sudorule-runas-user-groups.patch
Patch has been ack and pushed to master. #5 has now been addressed.
commit 1ea31a0
Author: Jr Aquino jr.aquino@citrix.com
Date: Fri Jan 7 15:29:00 2011 -0800
And
commit fc8f7f9
Author: Jr Aquino jr.aquino@citrix.com
Date: Fri Dec 17 08:29:33 2010 -0800

commit ced639e
Author: Jr Aquino jr.aquino@citrix.com
Date: Mon Dec 13 10:00:59 2010 -0800

commit b23b391
Author: Jr Aquino jr.aquino@citrix.com
Date: Mon Dec 13 07:38:09 2010 -0800
Metadata Update from @dpal: - Issue assigned to jraquino - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)