On Tue, Jun 27, 2017 at 11:40:37AM +0100, Howard Johnson wrote:
> In Ipsilon, we recently (OK, about a year ago) added an authorisation stack.
> This allows us to control, Ipsilon-side, which users are permitted to log
> into which service providers. Our authorisation plugin functions are
> currently fairly limited, basically using user group membership to control
> which service providers a user has access to. One of the things we'd like
> to support is using FreeIPA's HBAC rules rather than user attributes
> directly. In my opinion, this makes it much more obvious what's going on
> and fits in better with FreeIPA's architecture.
>
> There're a few options that have come up in discussions around this on
> #ipsilon and #sssd:
>
> 1) Treat each service provider as a new service in FreeIPA. The most basic
> HBAC rule would then be "<user> can log into <ipsilon server> via service
> <service provider>". Ipsilon can easily do a PAM_ACCT_MGMT PAM call (either
> using a PAM library, or by talking to SSSD directly using the PAM socket)
> with the appropriate service name. SSSD will then permit or deny the check
> based on the HBAC rules. This is nice and simple, but the permitted length
> / characters of service names could have a potential limit on what service
> providers can be authorised this way.
>
> 2) Ipsilon fetches HBAC rules from FreeIPA and processes them itself. This
> requires duplication of the HBAC processing logic in Ipsilon (although I
> believe the python bindings for libipa_hbac deal with most of the heavy
> lifting there)
correct. I think this would be the second-quickest path forward.
> , and LDAP connectivity to the FreeIPA server(s), along with
> the appropriate login credentials. Ipsilon would need to have any
> appropriate retry / failover logic. With this method, we can create service
> providers as hosts in FreeIPA, and HBAC rules would be "<user> can log into
> <service provider> via service saml2" (or openidc, etc).
>
> 3) Ipsilon uses the FreeIPA JSON-RPC API to call the hbactest API. This
> moves the HBAC check to the FreeIPA server, where the logic already exists.
> This requires Ipsilon to have access to the FreeIPA API and the appropriate
> login credentials. Moving the HBAC checks into FreeIPA itself has load
> implications for the IPA servers. Again, this would permit HBAC rules of
> the style "<user> can log into <service provider> via saml2".
I think this is the quickest path forward.
>
> 4) Add support to SSSD for performing HBAC checks for arbitrary FreeIPA
> hosts. This lets SSSD deal with connections to FreeIPA, including
> authentication and failover, which it's already doing. Some mechanism would
> be needed for Ipsilon to pass the "destination host" to SSSD for use in the
> HBAC check rather than the local IPA hostname.
>
> All of these options assume that there's an HBAC rule to permit the user to
> log in to the Ipsilon server itself via the "ipsilon" service, which we
> require now.
>
> Considering I'm writing this mail, it'll come as no surprise that I'm most
> interested in option 4.
I see two problems with option 4:
1) what interface to use, which is discussed below
2) sssd_be currently authenticates using the host keytab. In order
to learn what host groups apply to a certain host, IIRC the hosts's
memberof attribute is read. I'm not sure if a host can read another
host's groups and if it currently does, whether it would continue
working. But maybe this is something that could be solved by tuning
the permissions on the server side?
> SSSD only fetches HBAC rules from FreeIPA that
> affect the local host (unless the legacy src host option is enabled), so
> there'd need to be an option to enable fetching all rules instead. I'm not
> clear if there's a PAM attribute that could be used to pass the remote host
> name to SSSD for the check, so my thought was to add HBAC functionality to
> the infopipe (Ipsilon can already use the Infopipe for fetching user
> attributes). My first thought is something like an
> org.freedesktop.sssd.infopipe.HBAC DBus interface with an Evaluate method
> that takes hostname, username, and service name, and returns a boolean.
There were requests to implement authentication over the D-bus interface
in the past and we were quite reluctant to them, but IIRC that was
because PAM handles prompting for the secrets, passing auth tokens and
it's just well battle-tested.
But I don't see the same issues with an authorization call.
I would prefer another interface than infopipe (authzpipe?), but in
general, as long as the interface is restricted to authorization and not
authentication, I don't see an inherent issue.
>
> So, basically, if I were to work up patches to implement this option, would
> they have a chance of being accepted into SSSD? In the meantime we'll
> probably look at implementing one of option 2 or 3, but the SSSD option is
> appealing to me in the longer term.
>
> Cheers.
>
> --
> HJ
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
