URL: https://github.com/freeipa/freeipa/pull/4917 Author: rcritten Title: #4917: [Backport][ipa-4-8] replica: Ensure that ipaapi user is allowed to access ifp Action: opened
PR body: """ This PR was opened automatically because PR #4914 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4917/head:pr4917 git checkout pr4917
From f95b1d0ea76492174abfabab12d3c627a1196833 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier <[email protected]>
Date: Fri, 10 Jul 2020 11:05:15 -0400
Subject: [PATCH 1/2] replica: Ensure the ipaapi user is allowed to access ifp on replicas

ipa-server-install executes ipa-client-install with the --on-master flag set, which causes the ipaclient.install.client.sssd_enable_ifp() function to be called. This function configures sssd so that the ipaapi user is allowed to access ifp. Any FreeIPA replica should also have sssd configured like this, but in that case we cannot simply pass the --on-master flag to ipa-client-install because it has other side effects. The solution is to call the ipaclient.install.client.sssd_enable_ifp() function from inside the ipaserver.install.server.replicainstall.promote_sssd() function.

https://pagure.io/freeipa/issue/8403
---
 ipaserver/install/server/replicainstall.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index fa791c77d6..7d6c4108c0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -22,7 +22,7 @@ from pkg_resources import parse_version
 import six
-from ipaclient.install.client import check_ldap_conf
+from ipaclient.install.client import check_ldap_conf, sssd_enable_ifp
 import ipaclient.install.timeconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
@@ -462,6 +462,9 @@ def promote_sssd(host_name):
     domain.set_option('ipa_server', host_name)
     domain.set_option('ipa_server_mode', True)
     sssdconfig.save_domain(domain)
+
+    sssd_enable_ifp(sssdconfig)
+
     sssdconfig.write()
     sssd = services.service('sssd', api)

From 66650a596fdad90d67e572a6843a3d78ad499b20 Mon Sep 17 00:00:00 2001
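Review bot: The new `sssd_enable_ifp(sssdconfig)` call in promote_sssd carries no explanation in the code; the reason it lives here rather than coming from `ipa-client-install --on-master` exists only in the commit message, so add a why-comment above it: `# Replicas never run ipa-client-install --on-master, so grant the ipaapi user access to sssd's InfoPipe here (issue 8403)`. The helper's body is not visible in this patch; presumably it edits the `[ifp] allowed_uids` list and activates the ifp service, which means promotion now turns on a D-Bus-exposed sssd service on every replica and relies on the ipaapi account already existing on the host at that point, both worth confirming against the client-install code path and the package's user creation. promote_sssd starts before this hunk.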
From: Jeremy Frasier <[email protected]>
Date: Mon, 13 Jul 2020 13:59:12 -0400
Subject: [PATCH 2/2] replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas

https://pagure.io/freeipa/issue/8403
---
 .../test_replica_promotion.py | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 88a49bd34b..5774b2ab6a 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -47,6 +47,21 @@ def test_kra_install_master(self):
         assert(found > 0), result2.stdout_text
+def sssd_config_allows_ipaapi_access_to_ifp(host):
+    """Checks that the sssd configuration allows the ipaapi user to access
+    ifp
+
+    :param host the machine on which to check that sssd allows ipaapi
+        access to ifp
+    """
+    with tasks.remote_sssd_config(host) as sssd_conf:
+        ifp = sssd_conf.get_service('ifp')
+        uids = [
+            uid.strip() for uid in ifp.get_option('allowed_uids').split(',')
+        ]
+        assert 'ipaapi' in uids
+
+
 class TestReplicaPromotionLevel1(ReplicaPromotionBase):
     """
     TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#
@@ -100,6 +115,16 @@ def test_one_command_installation(self):
         result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
         assert "PKINIT is enabled" in result.stdout_text
+    @replicas_cleanup
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        """Verify that the sssd configuration allows the ipaapi user to
+        access ifp
+
+        Test for ticket 8403.
+        """
+        for replica in self.replicas:
+            sssd_config_allows_ipaapi_access_to_ifp(replica)
+
 class TestUnprivilegedUserPermissions(IntegrationTest):
     """
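Review bot: sssd_config_allows_ipaapi_access_to_ifp only proves that `ipaapi` appears in `[ifp] allowed_uids`; it never checks that the ifp service is actually activated, and an `[ifp]` section that sssd does not start grants the web API nothing, so the helper could pass on a replica where the InfoPipe is still unreachable. Since `sssd_conf` exposes `get_service`, it is presumably an SSSDConfig object, in which case adding `assert 'ifp' in sssd_conf.list_active_services()` before the uid check closes that gap. The docstring should also say the function asserts rather than returns, e.g. `"""Assert that sssd.conf on *host* lists ipaapi in [ifp] allowed_uids."""`.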
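Review bot: The new test_sssd_config_allows_ipaapi_access_to_ifp in TestReplicaPromotionLevel1 inspects `self.replicas` as a separate test, but the replica it depends on is installed by test_one_command_installation, whose tail is this hunk's leading context and whose decorator is outside the hunk; if that test is wrapped in `replicas_cleanup` the way the new one is, the replica is uninstalled before this test runs and the check reads the sssd.conf of a torn-down host. The dependable placement is one line appended to test_one_command_installation right after `assert "PKINIT is enabled" in result.stdout_text`: `sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])`, preceded by `# Verify that sssd allows the ipaapi user to access ifp, ticket 8403`, with the separate method dropped. That also removes the implicit ordering dependency between two test methods.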
@@ -171,6 +196,22 @@ def test_replica_promotion_after_adding_to_admin_group(self):
                                      '-r', self.master.domain.realm,
                                      '-U'])
+    def test_sssd_config_allows_ipaapi_access_to_ifp(self):
+        self.master.run_command(['ipa', 'group-add-member', 'admins',
+                                 '--users=%s' % self.username])
+
+        # Configure firewall first
+        Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+                                                    "freeipa-ldaps"])
+        self.replicas[0].run_command(['ipa-replica-install',
+                                      '-P', self.username,
+                                      '-p', self.new_password,
+                                      '-n', self.master.domain.name,
+                                      '-r', self.master.domain.realm,
+                                      '-U'])
+
+        sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])
+
 class TestProhibitReplicaUninstallation(IntegrationTest):
     topology = 'line'
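Review bot: The new test repeats the group-add-member and ipa-replica-install sequence of test_replica_promotion_after_adding_to_admin_group, whose tail is this hunk's leading context; whether that earlier test is decorated with replicas_cleanup is outside the hunk, but if it is, only the replica is torn down and the user stays in admins, so the second `ipa group-add-member` reports the entry as already a member, exits non-zero, and `run_command` raises before the new assertion is reached. The new method also carries no `@replicas_cleanup`, so on success it leaves a replica installed for whatever runs next in the class. The simpler and safer form is a single line appended to the existing test after its replica install, `sssd_config_allows_ipaapi_access_to_ifp(self.replicas[0])`, preceded by `# Verify that sssd allows the ipaapi user to access ifp, ticket 8403`.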
