On ti, 27 kesä 2017, Jakub Hrozek wrote:
On Tue, Jun 27, 2017 at 11:40:37AM +0100, Howard Johnson wrote:
In Ipsilon, we recently (OK, about a year ago) added an authorisation stack.
This allows us to control, Ipsilon-side, which users are permitted to log
into which service providers. Our authorisation plugin functions are
currently fairly limited, basically using user group membership to control
which service providers a user has access to. One of the things we'd like
to support is using FreeIPA's HBAC rules rather than user attributes
directly. In my opinion, this makes it much more obvious what's going on
and fits in better with FreeIPA's architecture.
There're a few options that have come up in discussions around this on
#ipsilon and #sssd:
1) Treat each service provider as a new service in FreeIPA. The most basic
HBAC rule would then be "<user> can log into <ipsilon server> via service
<service provider>". Ipsilon can easily do a PAM_ACCT_MGMT PAM call (either
using a PAM library, or by talking to SSSD directly using the PAM socket)
with the appropriate service name. SSSD will then permit or deny the check
based on the HBAC rules. This is nice and simple, but the permitted length
/ characters of service names could have a potential limit on what service
providers can be authorised this way.
2) Ipsilon fetches HBAC rules from FreeIPA and processes them itself. This
requires duplication of the HBAC processing logic in Ipsilon (although I
believe the python bindings for libipa_hbac deal with most of the heavy
lifting there)
correct. I think this would be the second-quickest path forward.
, and LDAP connectivity to the FreeIPA server(s), along with
the appropriate login credentials. Ipsilon would need to have any
appropriate retry / failover logic. With this method, we can create service
providers as hosts in FreeIPA, and HBAC rules would be "<user> can log into
<service provider> via service saml2" (or openidc, etc).
3) Ipsilon uses the FreeIPA JSON-RPC API to call the hbactest API. This
moves the HBAC check to the FreeIPA server, where the logic already exists.
This requires Ipsilon to have access to the FreeIPA API and the appropriate
login credentials. Moving the HBAC checks into FreeIPA itself has load
implications for the IPA servers. Again, this would permit HBAC rules of
the style "<user> can log into <service provider> via saml2".
I think this is the quickest path forward.
4) Add support to SSSD for performing HBAC checks for arbitrary FreeIPA
hosts. This lets SSSD deal with connections to FreeIPA, including
authentication and failover, which it's already doing. Some mechanism would
be needed for Ipsilon to pass the "destination host" to SSSD for use in the
HBAC check rather than the local IPA hostname.
All of these options assume that there's an HBAC rule to permit the user to
log in to the Ipsilon server itself via the "ipsilon" service, which we
require now.
Considering I'm writing this mail, it'll come as no surprise that I'm most
interested in option 4.
I see two problems with option 4:
1) what interface to use, which is discussed below
2) sssd_be currently authenticates using the host keytab. In order
to learn what host groups apply to a certain host, IIRC the hosts's
memberof attribute is read. I'm not sure if a host can read another
host's groups and if it currently does, whether it would continue
working. But maybe this is something that could be solved by tuning
the permissions on the server side?
I think we currently have no limitation on memberof attribute access for
authorized users. E.g. host/.. principal bind to LDAP gives you access
to memberof attribute without any limitation.
We are going to introduce a special type of groups where membership
reading would be limited to some conditions but this would not be
relevant to HBAC, at least from my current understanding of the
situation. This is to support organizational groups, not host-based
access rights.
So I think option 4 is OK from the server perspective. Note also that
option 3 needs an authenticated access too and might just use either
ipsilon's principal (HTTP/ipsilon.hostname) or some specialized one, or
host/ principal as well. This is not going to be much different to
option 4 with regards to authentication details.
SSSD only fetches HBAC rules from FreeIPA that
affect the local host (unless the legacy src host option is enabled), so
there'd need to be an option to enable fetching all rules instead. I'm not
clear if there's a PAM attribute that could be used to pass the remote host
name to SSSD for the check, so my thought was to add HBAC functionality to
the infopipe (Ipsilon can already use the Infopipe for fetching user
attributes). My first thought is something like an
org.freedesktop.sssd.infopipe.HBAC DBus interface with an Evaluate method
that takes hostname, username, and service name, and returns a boolean.
There were requests to implement authentication over the D-bus interface
in the past and we were quite reluctant to them, but IIRC that was
because PAM handles prompting for the secrets, passing auth tokens and
it's just well battle-tested.
But I don't see the same issues with an authorization call.
I would prefer another interface than infopipe (authzpipe?), but in
general, as long as the interface is restricted to authorization and not
authentication, I don't see an inherent issue.
Yep. I guess the whole story is about extending SSSD cache handling to
support storing multiple hosts' HBAC rules details.
--
/ Alexander Bokovoy
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
