On 3.10.2014 16:46, Simo Sorce wrote:
I did not do any ACI work in the patch yet. I assume that we would like
to add the attr into 'System: Read Host|Service' permission. But I
think that write right should have its own permission.
I have added 2 new permissions. Simo, are they OK?
for services:
'System: Manage Service Keytab Permissions': {
'ipapermright': {'read', 'search', 'compare', 'write'},
'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
'default_privileges': {'Service Administrators', 'Host Administrators'},
},
for hosts:
'System: Manage Host Keytab Permissions': {
'ipapermright': {'read', 'search', 'compare', 'write'},
'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
'default_privileges': {'Host Administrators'},
},
I'm not sure about the write right for 'objectclass' but it's required
in order to add 'ipaallowedoperations' oc.
As long as it allows only to add/remove the specific value it should be fine.
Can you please send the raw ACIs ?
I still find it difficult to reason on the security of the result without
looking at the lower level.
in cn=computers,cn=accounts,dc=example,dc=com:
(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)
in cn=services,cn=accounts,dc=idm,dc=example,dc=com:
(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)
Simo.
--
Petr Vobornik
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
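Simo's question in the thread is whether the raw ACIs let the group touch only the one objectclass value or the whole attribute. The script below is an added example, not FreeIPA code: it parses 389-ds ACIs of the shape posted above (the two sample strings are the thread's ACIs joined onto single lines) and applies three reviewer checks of my own choosing: a negated targetattr combined with write, a missing targetfilter, and write on objectclass without a value-level `targattrfilters` clause. As posted, both ACIs grant write on the objectclass attribute as a whole, so the audit reports exactly that; the assumption is that the attribute-wide grant is what a reviewer wants to see highlighted.

```python
"""Parse 389-ds ACIs as used by FreeIPA permissions and flag attribute-wide
write grants.  Added example, not FreeIPA project code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the two ACIs posted in the thread, each joined onto one line.
HOST_ACI = (
    '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || '
    'modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")'
    '(version 3.0;acl "permission:System: Manage Host Keytab Permissions";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host '
    'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
)
SERVICE_ACI = (
    '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || '
    'modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")'
    '(version 3.0;acl "permission:System: Manage Service Keytab Permissions";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service '
    'Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)'
)

# Target keywords: (keyword = "value") or (keyword != "value").
_TARGET_RE = re.compile(
    r'\(\s*(target|targetattr|targetfilter|targattrfilters)\s*(!?=)\s*"([^"]*)"\s*\)')
# Body: (version 3.0; acl "name"; <one or more permission clauses>)
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One clause: allow|deny (rights) bind-rule ;
_CLAUSE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.S)

WRITE_RIGHTS = {"write", "add", "delete", "all"}


@dataclass
class Aci:
    name: str
    targetattr: frozenset[str]        # when negated, this is the exclusion list
    targetattr_negated: bool
    targetfilter: str | None
    targattrfilters: str | None       # value-level add/del filters, if any
    clauses: list[tuple[str, frozenset[str], str]]  # (allow|deny, rights, bind rule)


def parse_aci(text: str) -> Aci:
    targets = {kw: (op, val) for kw, op, val in _TARGET_RE.findall(text)}
    m = _BODY_RE.search(text)
    if m is None:
        raise ValueError("not a version 3.0 ACI")
    clauses = [
        (kind, frozenset(r.strip().lower() for r in rights.split(",") if r.strip()), bind.strip())
        for kind, rights, bind in _CLAUSE_RE.findall(m.group(2))
    ]
    if not clauses:
        raise ValueError("ACI body has no allow/deny clause")
    ta_op, ta_val = targets.get("targetattr", ("=", ""))
    attrs = frozenset(a.strip().lower() for a in ta_val.split("||") if a.strip())
    return Aci(
        name=m.group(1),
        targetattr=attrs,
        targetattr_negated=(ta_op == "!="),
        targetfilter=targets.get("targetfilter", (None, None))[1],
        targattrfilters=targets.get("targattrfilters", (None, None))[1],
        clauses=clauses,
    )


def writable_attrs(aci: Aci) -> frozenset[str]:
    """Attributes named in targetattr that an allow clause lets the bound group modify."""
    if not any(kind == "allow" and rights & WRITE_RIGHTS for kind, rights, _ in aci.clauses):
        return frozenset()
    return aci.targetattr


def audit(aci: Aci) -> list[str]:
    """Reviewer checks; the rules are this example's own, not FreeIPA's."""
    findings = []
    writable = writable_attrs(aci)
    if writable and aci.targetattr_negated:
        findings.append("targetattr is negated: write applies to every attribute except "
                        + ", ".join(sorted(aci.targetattr)))
    if writable and aci.targetfilter is None:
        findings.append("no targetfilter: the grant is not limited to host/service entries")
    if "objectclass" in writable and aci.targattrfilters is None:
        findings.append("write on objectclass is attribute-wide: any objectclass value can be "
                        "added or removed, not only ipaallowedoperations")
    return findings


if __name__ == "__main__":
    for raw in (HOST_ACI, SERVICE_ACI):
        aci = parse_aci(raw)
        print(aci.name, "->", sorted(writable_attrs(aci)))
        for finding in audit(aci):
            print("  !", finding)
```

Run it over the two ACIs and the only finding on each is the attribute-wide objectclass write; the targetfilter check and the negation check pass. That is the concrete answer to "send the raw ACIs": the grant is scoped to ipahost/ipaservice entries, but it is the objectclass attribute, not the single ipaallowedoperations value, that the group can write.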