#2293 ipa permission-add does not fail if using invalid attribute
Closed: Fixed. Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=783502 (Red Hat Enterprise Linux 6)

Description of problem:
When adding a permission, where attribute is not an allowed attr for the type
being used, there is no error. And permission is added successfully

# ipa permission-add ManageUser --permissions=write --type=user --attr=ipaclientversion
-----------------------------
Added permission "ManageUser"
-----------------------------
  Permission name: ManageUser
  Permissions: write
  Attributes: ipaclientversion
  Type: user

Doc says:
The attributes (--attrs) must exist and be allowed attributes for the given
object type, or the permission operation fails with schema syntax errors.

Version-Release number of selected component (if applicable):
freeipa-server-2.1.4-4.fc16.x86_64

How reproducible:
always

Steps to Reproduce:
1. add a permission as indicated above


Actual results:
permission is added successfully

Expected results:
the command to fail with error - ipa: ERROR: attribute "ipaClientVersion" not
allowed

Additional info:

ldap2.py has a method, get_allowed_attributes(). You can use this if you can get the list of objectclasses for the object type. The trick is that some of these are determined dynamically from cn=ipaconfig (user and group).

rcritten: thanks for hints

patch is on the list

BZ re-opened, see that for details on regression.

problem is in the get_allowed_attributes function (in ipaserver/plugins/ldap2.py). It searches only the specified objectclasses, but the attributes that Namita wanted to use are defined in one of the superior objectclasses.

QE found another case where this isn't working as expected:

# ipa permission-mod "Change a user password"
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed

I would remove this check as is (I sent an email with reasoning to freeipa-devel list):

1) This check fails when the target type does not have all its possible
objectclasses defined in the LDAPObject, like when users or hosts miss
kerberos or samba auxiliary classes as they are just classes that the
object may potentially have:

# ipa permission-mod "Change a user password"
--attrs=userpassword,krbprincipalkey,sambalmpassword,passwordhistory
ipa: ERROR: attribute(s) "sambalmpassword,passwordhistory" not allowed

To fix this point, we would need to add all possible object classes to
our user, host, ... objectclasses.


2) It severely limits permission flexibility for custom user
objectclasses. They would need to extend our plugins to make them work.
Observe this inconsistency:

Setting custom OC+attribute works (replace "sudocmd" with some
meaningful object class):

# ipa user-mod fbar --addattr=objectclass=ipasudocmd --setattr=sudocmd=fbar
--------------------
Modified user "fbar"
--------------------
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  UID: 61400016
  GID: 61400016
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ipa user-show --all fbar
  dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  User login: fbar
  First name: Foo
  Last name: Bar
...
  mepmanagedentry: cn=fbar,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
               krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
               mepOriginEntry, ipasudocmd
  sudocmd: fbar


But adding a custom permission to control this attribute fails:
# ipa permission-add "Can manage user sudocmd" --type=user --permissions=write --attrs=sudocmd
ipa: ERROR: attribute(s) "sudocmd" not allowed


Bottom line is that I would remove this check at all and just check that
the attribute is right - as we already do for permission without
"--type" specified:

# ipa permission-add "Can write barbar"
--filter="(objectclass=posixuser)" --permissions=write --attrs=barbar
ipa: ERROR: targetattr "barbar" does not exist in schema. Please add
attributeTypes "barbar" to schema if necessary. ACL Syntax
Error(-5):(targetattr = \22barbar\22)(targetfilter =
\22(objectclass=posixuser)\22)(version 3.0;acl \22permission:foo
\22;allow (write) groupdn =
\22ldap:///cn=foo,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com\22;): Invalid syntax.

For IPA 2.2 we are going to revert the check. For 3.0 we will re-add the check and make it non-fatal and instead return a warning to the user that some attributes may not apply to this object.
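The three behaviours argued over in this ticket, as an added example that is not FreeIPA's code (in particular not ldap2.get_allowed_attributes()): the regressed lookup that reads MUST/MAY of the declared objectclasses only, the corrected walk up the SUP chain, and the 3.0-style check that still rejects attributes missing from the schema but only warns about attributes outside the type's objectclasses (the case auxiliary classes such as krbPrincipalAux or sambaSamAccount trigger). The schema fragment is constructed and abbreviated (real class names, truncated attribute lists), and the user type's objectclass list is hypothetical.

```python
"""Added illustration for this ticket (not FreeIPA's ldap2.get_allowed_attributes()):
the schema is a constructed, abbreviated fragment with real class names but
truncated MUST/MAY lists, and the user type's objectclass list is hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    sup: tuple = ()          # superior classes (SUP)
    must: frozenset = frozenset()
    may: frozenset = frozenset()


def _oc(sup=(), must=(), may=()):
    # LDAP names are case-insensitive; normalise everything to lower case.
    return ObjectClass(tuple(s.lower() for s in sup),
                       frozenset(a.lower() for a in must),
                       frozenset(a.lower() for a in may))


SCHEMA = {
    "top": _oc(must=["objectClass"]),
    "person": _oc(sup=["top"], must=["sn", "cn"],
                  may=["userPassword", "telephoneNumber", "description"]),
    "organizationalperson": _oc(sup=["person"], may=["title", "ou", "street"]),
    "inetorgperson": _oc(sup=["organizationalPerson"],
                         may=["uid", "mail", "givenName", "displayName"]),
    "posixaccount": _oc(sup=["top"], may=["loginShell", "gecos"],
                        must=["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"]),
    # Auxiliary classes an entry may carry but the user type below does not
    # declare (point 1 in the thread).
    "krbprincipalaux": _oc(sup=["top"], may=["krbPrincipalName", "krbPrincipalKey"]),
    "sambasamaccount": _oc(sup=["top"], must=["sambaSID"],
                           may=["sambaLMPassword", "sambaNTPassword"]),
}
# Every attribute the schema defines: the existence check that also applies
# to permissions without --type (389-ds rejects the ACI otherwise).
KNOWN_ATTRIBUTES = frozenset().union(*(oc.must | oc.may for oc in SCHEMA.values()))
USER_OBJECTCLASSES = ("inetOrgPerson", "posixAccount")   # hypothetical user type


def allowed_attributes_direct(objectclasses, schema=SCHEMA):
    """The regressed variant: MUST/MAY of the named classes only, so attributes
    inherited from a superior (sn, cn, userPassword via person) are missed."""
    allowed = set()
    for name in objectclasses:
        oc = schema[name.lower()]
        allowed |= oc.must | oc.may
    return allowed


def allowed_attributes(objectclasses, schema=SCHEMA):
    """Corrected walk: MUST/MAY of each class and, transitively, its SUP chain."""
    allowed, seen = set(), set()
    todo = [name.lower() for name in objectclasses]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in schema:
            raise ValueError("objectclass %r not in schema" % name)
        allowed |= schema[name].must | schema[name].may
        todo.extend(schema[name].sup)
    return allowed


def check_permission_attrs(attrs, objectclasses=None, fatal=False):
    """Validate --attrs. Unknown attributes are always an error. Attributes
    outside the type's objectclasses are an error when fatal=True (the reverted
    2.2 check) and otherwise only warnings (the 3.0 plan), because auxiliary or
    custom classes may legitimately add them. Returns the warning strings."""
    wanted = [a.lower() for a in attrs]
    unknown = sorted(a for a in wanted if a not in KNOWN_ATTRIBUTES)
    if unknown:
        raise ValueError('attribute(s) "%s" do not exist in schema' % ",".join(unknown))
    if objectclasses is None:
        return []
    allowed = allowed_attributes(objectclasses)
    outside = sorted(a for a in wanted if a not in allowed)
    if outside and fatal:
        raise ValueError('attribute(s) "%s" not allowed' % ",".join(outside))
    return ['attribute "%s" may not apply to this object type' % a for a in outside]


def rejection_reason(attrs, objectclasses=None, fatal=False):
    """The error message if the check rejects the permission, else None."""
    try:
        check_permission_attrs(attrs, objectclasses, fatal)
    except ValueError as err:
        return str(err)
    return None
```

With this toy schema, allowed_attributes_direct(USER_OBJECTCLASSES) lacks sn and userPassword because they come from person, two SUP levels above inetOrgPerson; allowed_attributes() finds them. check_permission_attrs(["userPassword", "krbPrincipalKey", "sambaLMPassword"], USER_OBJECTCLASSES) returns two warnings instead of the hard error quoted in the thread, while fatal=True reproduces the rejected 2.2 behaviour and "barbar" is refused in both modes.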

Reverted patches.

master:
1a26406
4416c18

ipa-2-2:
ee8ff3a
fab98c7

Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 1

7 years ago
