#3566 [RFE] Control access of user roles to server functions
Closed: Fixed. Opened 10 years ago by mkosek.

FreeIPA has a global ACI which grants read access to all (anonymous by default) users of the server:

aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

This ACI allows access to all entries and their attributes unless blacklisted in the ACI. This approach is not flexible, first of all when more attributes or entries need to be added. Some users may also want to limit access of users and groups only to the section such users need to read or write.

For example, an admin may want a DNS admin to be able to access only DNS zones, but not HBAC, SELinux or SUDO rules, etc. There should be a simple UI that would be able to grant read/write access to whole FreeIPA functions (like SUDO, HBAC, users, groups) to chosen FreeIPA users and groups. Same with particular attributes in these functions. We already have write access covered via permissions; we just need to also cover the read access.

Preliminary design:
1. Remove global ACI granting read access for everyone
2. Add read permissions for all our functions, e.g. Read HBAC rule, Read HBAC service, etc. We need to make sure that users with these permissions also have access to the container entry itself (cn=hbacservices,cn=hbac,$SUFFIX) and not just the actual HBAC rules.
3. Add these read permissions to respective privileges we already have
4. Add new privileges granting read-only access to the respective functions (e.g. User consumers, HBAC consumers) which admins could use to assign access to chosen functions only. By default we may want all users (i.e. ipausers) to have these read permissions assigned.
5. Update UI to avoid displaying pages and sections that the authenticated user does not have access to. We will probably need to update the metadata that the UI grabs so that it knows which functions the user can control and which not.
6. Optionally also check if CLI can be enhanced this way
7. Optionally add API to grant read/write access also to system accounts (like sudo daemon): #2801.

This RFE is a follow-up to a freeipa-users thread.


Put into June for now and then we will re-triage when we do the planning.

Updating preliminary design to make it more clear. Bumping priority as we hit the global ACI issue more often (as with new OTP feature).

Note that with this fix we should be able to drop the following deny rules configured in default-aci.ldif:

dn: $SUFFIX
aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

dn: cn=hbac,$SUFFIX
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)

dn: cn=sudo,$SUFFIX
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
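
To make the design point concrete, here is an added example (not FreeIPA code, and not from anyone on this ticket) that simulates how 389-ds evaluates the two designs on a handful of constructed entries: the global blacklist ACI plus the deny rules above, versus per-object read permissions with an attribute allowlist and anonymous read access on container entries. It models only what matters here (default deny, a matching deny overriding any allow, target/targetattr negation, and an objectclass target filter). The suffix, the entries, the principals, the permission names, and the use of ipatokenOTPkey as a stand-in for any secret attribute introduced after the blacklist was written are all assumptions.

```python
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=test"
USER_DN = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
TOKEN_DN = f"ipatokenuniqueid=t1,cn=otp,{SUFFIX}"
HBAC_DN = f"cn=allow_all,cn=hbac,{SUFFIX}"

# Constructed directory content; the OTP key stands in for any attribute
# added after the blacklist in the global ACI was written.
ENTRIES = {
    USER_DN: {"objectClass": ["person"], "uid": "alice", "cn": "Alice",
              "userPassword": "{SSHA}...", "ipatokenOTPkey": "seed"},
    TOKEN_DN: {"objectClass": ["ipaToken"], "ipatokenOwner": USER_DN,
               "ipatokenOTPkey": "seed"},
    f"cn=hbac,{SUFFIX}": {"objectClass": ["nsContainer"], "cn": "hbac"},
    HBAC_DN: {"objectClass": ["ipaHBACRule"], "cn": "allow_all",
              "accessRuleType": "allow"},
}
SECRETS = {"userPassword", "ipatokenOTPkey"}

ANON = {"authenticated": False}   # userdn != "ldap:///all"
USER = {"authenticated": True}    # any bound user, e.g. a member of ipausers

BLACKLIST = {"userPassword", "krbPrincipalKey", "sambaLMPassword",
             "sambaNTPassword", "passwordHistory", "krbMKey", "userPKCS12",
             "ipaNTHash", "ipaNTTrustAuthOutgoing", "ipaNTTrustAuthIncoming"}

# Design 1: the global ACI quoted in the ticket, plus the deny rule from
# default-aci.ldif that patches its consequences for HBAC.
GLOBAL_ACI = [
    {"name": "Enable Anonymous access", "scope": SUFFIX, "effect": "allow",
     "target": f"idnsname=*,cn=dns,{SUFFIX}", "target_negate": True,
     "targetattr": BLACKLIST, "targetattr_negate": True, "bind": "anyone"},
    {"name": "No anonymous access to hbac", "scope": f"cn=hbac,{SUFFIX}",
     "effect": "deny", "bind": "not_all"},
]

# Design 2: no global ACI. One read permission per object type listing the
# attributes it exposes, plus container entries readable so subtrees can be
# browsed. Permission names are invented; no token permission exists yet.
MANAGED_ACI = [
    {"name": "Read containers", "scope": SUFFIX, "effect": "allow",
     "targetfilter_oc": "nsContainer", "targetattr": {"objectClass", "cn"},
     "bind": "anyone"},
    {"name": "Read user addressbook attributes", "effect": "allow",
     "scope": f"cn=users,cn=accounts,{SUFFIX}",
     "targetattr": {"objectClass", "uid", "cn"}, "bind": "anyone"},
    {"name": "Read HBAC rules", "scope": f"cn=hbac,{SUFFIX}", "effect": "allow",
     "targetfilter_oc": "ipaHBACRule", "bind": "all",
     "targetattr": {"objectClass", "cn", "accessRuleType"}},
]


def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)


def aci_applies(aci, dn, attr):
    """Does the ACI's scope/target/targetattr/targetfilter select (dn, attr)?"""
    if not in_subtree(dn, aci["scope"]):
        return False
    if "target" in aci:   # target != "..." when target_negate is set
        hit = fnmatchcase(dn.lower(), aci["target"].lower())
        if hit == aci.get("target_negate", False):
            return False
    if "targetattr" in aci:   # targetattr != "..." when targetattr_negate
        hit = attr.lower() in {a.lower() for a in aci["targetattr"]}
        if hit == aci.get("targetattr_negate", False):
            return False
    if "targetfilter_oc" in aci:   # stand-in for an (objectclass=...) filter
        if aci["targetfilter_oc"] not in ENTRIES[dn]["objectClass"]:
            return False
    return True


def bind_matches(aci, principal):
    """Bind rule: 'anyone', 'all' (any bound user) or 'not_all' (anonymous)."""
    if aci["bind"] == "anyone":
        return True
    return principal["authenticated"] == (aci["bind"] == "all")


def readable_attrs(acis, principal, dn):
    """Attributes of dn readable by principal: default deny, deny beats allow."""
    out = set()
    for attr in ENTRIES[dn]:
        allowed = False
        for aci in acis:
            if aci_applies(aci, dn, attr) and bind_matches(aci, principal):
                if aci["effect"] == "deny":
                    allowed = False
                    break
                allowed = True
        if allowed:
            out.add(attr)
    return out


def leaked_secrets(acis, principal):
    """(dn, attr) pairs of secret attributes the principal can read."""
    return {(dn, a) for dn in ENTRIES
            for a in readable_attrs(acis, principal, dn) if a in SECRETS}
```

What the simulation shows: under the blacklist design, anonymous reads ipatokenOTPkey on both the user and the token entry the moment the attribute exists, and HBAC rules are hidden only because of the separate deny rule. Under the allowlist design nothing is readable until a permission names it, so the deny rules have nothing left to protect, which is why they can be dropped once the global ACI goes.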

Moving to Pilsner bucket, this won't fit in 3.3 release.

3.4 development was shifted by one month, moving tickets to reflect reality better.

Preparatory refactorings:

master:

  • dbf10b8 Improve permission plugin test cleanup
  • 2c433cd Use new ipaldap entry API in aci and permission plugin
  • dadf7cd Help plugin: don't fail if a topic's module is not found
  • 15618be Fix invalid assumption NSS initialization check in SSLTransport
  • 62890ca Fix indentation in permission plugin tests
  • 7051f51 Update Permission and ACI plugins to decorator registration API

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

I've split out the preparations for the comprehensive solution to https://fedorahosted.org/freeipa/ticket/4034, https://fedorahosted.org/freeipa/ticket/4032 and https://fedorahosted.org/freeipa/ticket/4033.

This ticket can now be used to track an effort to do this in a simpler way (ACI only, not user-manageable) so we can feel the impact of reduced permissions earlier in the dev cycle.

Added metadata & update plugin for default permissions:

  • 1df9b58 Allow modifying permissions with ":" in the name
  • f4de4a2 Add Object metadata and update plugin for managed permissions
  • c5e61c8 permission plugin: Add 'top' to the list of object classes
  • 0e65998 Allow anonymous read access to containers

Patches are continuously landing; switching the on-review flag.

This ticket is not complete yet, moving to next month milestone.

  • 39327db Add managed read permissions to HBAC objects

  • fb2f0ae Document the managed permission updater operation

  • c58d6b2 Allow overriding all attributes of default permissions
  • 7786ff6 Add managed read permissions to Sudo objects
  • 49e45f2 Add managed read permissions to group
  • 13f3ba5 Add managed read permission to hostgroup
  • 4160777 Add mechanism for adding default permissions to privileges
  • a185d45 Add managed read permissions to RBAC objects
  • c97e1d9 Add managed read permissions to realmdomains
  • 3db9ce3 Add managed read permission for SELinux user map
  • c08f8d2 Add managed read permissions to host
  • f10ec17 Add managed read permissions to pwpolicy and cosentry
  • 75eaf0b Add managed read permission to config
  • b53f2d2 Add managed read permissions to krbtpolicy
  • 5c8548a Allow anonymous read access to Kerberos containers
  • bb4e47d Add managed read permission to idrange
  • adde918 Add managed read permission to automount
  • 1e46c0a Add managed read permissions to automember
  • 81b0e74 Do not ask for memberindirect when updating managed permissions
  • baa72b6 Add a new ipaVirtualOperation objectClass to virtual operations
  • 1389567 Extend anonymous read ACI for containers
  • b9f69d4 Add managed read permission to service
  • af3a4ad Add support for non-plugin default permissions
  • d893b77 Add several managed read permissions under cn=etc
  • 7eb12f1 Add managed read permissions to trust
  • 791ec1e Add managed read permissions to user
  • 993c1c8 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
  • 63becae Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x

master:

  • 193ced0 Remove the global anonymous read ACI

The backend work for read permissions, and UI for managing them, is done. Remaining work:

  • testing, fixing regressions.
  • UI (don't show items user has no access to)
    • Optionally also check if CLI can be enhanced this way
    • Optionally add API to grant read/write access also to system accounts (like sudo daemon): #2801
  • documentation & release notes
  • 4346 - also migrate write permissions

Issues found in Web UI testing with a normal user with an empty role attached:

  1. Internal error on user-add

{{{ {"method":"user_add","params":[[],{"givenname":"afg","sn":"asf"}]} }}}

[Tue May 27 15:25:05.656018 2014] [:error] [pid 26225] ipa: DEBUG: user_add(u'aasf', givenname=u'afg', sn=u'asf', cn=u'afg asf', displayname=u'afg asf', initials=u'aa', gecos=u'afg asf', krbprincipalname=u'aasf@IDM.LAB.ENG.BRQ.REDHAT.COM', random=False, noprivate=False, all=False, raw=False, no_members=False)
[Tue May 27 15:25:05.692293 2014] [:error] [pid 26225] ipa: ERROR: non-public: IndexError: list index out of range
[Tue May 27 15:25:05.692314 2014] [:error] [pid 26225] Traceback (most recent call last):
[Tue May 27 15:25:05.692318 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 343, in wsgi_execute
[Tue May 27 15:25:05.692322 2014] [:error] [pid 26225]     result = self.Command[name](*args, **options)
[Tue May 27 15:25:05.692325 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:25:05.692328 2014] [:error] [pid 26225]     ret = self.run(*args, **options)
[Tue May 27 15:25:05.692332 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:25:05.692335 2014] [:error] [pid 26225]     result = self.execute(*args, **options)
[Tue May 27 15:25:05.692338 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1085, in execute
[Tue May 27 15:25:05.692341 2014] [:error] [pid 26225]     *keys, **options)
[Tue May 27 15:25:05.692344 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/user.py", line 644, in pre_callback
[Tue May 27 15:25:05.692347 2014] [:error] [pid 26225]     if not options.get('noprivate', False) and ldap.has_upg():
[Tue May 27 15:25:05.692350 2014] [:error] [pid 26225]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 308, in has_upg
[Tue May 27 15:25:05.692353 2014] [:error] [pid 26225]     attrlist=['*'])[0]
[Tue May 27 15:25:05.692356 2014] [:error] [pid 26225] IndexError: list index out of range
  2. No such virtual command on cert-show (cert-find behaves correctly)

{{{ {"method":"cert_show","params":[["3"],{}]} }}}

    "error": {
        "code": 2100,
        "message": "Insufficient access: No such virtual command",
        "name": "ACIError"
    },
    "id": null,
    "principal": "fbar@IDM.LAB.ENG.BRQ.REDHAT.COM",
    "result": null,
    "version": "3.3.90GITab2d81b"
  3. Self-service permission add and delegation add Internal errors:

[Tue May 27 15:35:17.576194 2014] [:error] [pid 26226] ipa: DEBUG: aci_add(u'a', permissions=(u'write',), attrs=(u'audio', u'businesscategory'), selfaci=True, aciprefix=u'selfservice', test=False, all=False, raw=False, version=u'2.87')
[Tue May 27 15:35:17.605424 2014] [:error] [pid 26226] ipa: ERROR: non-public: KeyError: u'aci'
[Tue May 27 15:35:17.613269 2014] [:error] [pid 26226] Traceback (most recent call last):
[Tue May 27 15:35:17.613277 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 343, in wsgi_execute
[Tue May 27 15:35:17.613281 2014] [:error] [pid 26226]     result = self.Command[name](*args, **options)
[Tue May 27 15:35:17.613284 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:35:17.613288 2014] [:error] [pid 26226]     ret = self.run(*args, **options)
[Tue May 27 15:35:17.613290 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:35:17.613294 2014] [:error] [pid 26226]     result = self.execute(*args, **options)
[Tue May 27 15:35:17.613297 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py", line 133, in execute
[Tue May 27 15:35:17.613300 2014] [:error] [pid 26226]     result = api.Command['aci_add'](...)['result']
[Tue May 27 15:35:17.613303 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Tue May 27 15:35:17.613306 2014] [:error] [pid 26226]     ret = self.run(*args, **options)
[Tue May 27 15:35:17.613309 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 752, in run
[Tue May 27 15:35:17.613312 2014] [:error] [pid 26226]     result = self.execute(*args, **options)
[Tue May 27 15:35:17.613315 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py", line 549, in execute
[Tue May 27 15:35:17.613318 2014] [:error] [pid 26226]     entry['aci'].append(newaci_str)
[Tue May 27 15:35:17.613321 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 925, in __getitem__
[Tue May 27 15:35:17.613324 2014] [:error] [pid 26226]     return self._get_nice(name)
[Tue May 27 15:35:17.613327 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 888, in _get_nice
[Tue May 27 15:35:17.613330 2014] [:error] [pid 26226]     name = self._get_attr_name(name)
[Tue May 27 15:35:17.613333 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 884, in _get_attr_name
[Tue May 27 15:35:17.613336 2014] [:error] [pid 26226]     name = self._names[name]
[Tue May 27 15:35:17.613339 2014] [:error] [pid 26226]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 473, in __getitem__
[Tue May 27 15:35:17.613342 2014] [:error] [pid 26226]     return super(CIDict, self).__getitem__(key.lower())
[Tue May 27 15:35:17.613345 2014] [:error] [pid 26226] KeyError: u'aci'
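
The first and third tracebacks above share a cause worth stating plainly for anyone tightening ACIs: 389-ds does not return an access error for an entry the bound user may not read, the entry is simply absent from the search result (and unreadable attributes are absent from a returned entry), so code that indexes `[0]` on the result list or `entry['aci']` turns a permission gap into an internal error. The following is an added example of the before/after pattern, not FreeIPA's has_upg() or its actual fix, using a stand-in base-scope search over constructed data. The DN, the two principals, and the "originfilter is present" enabled-check are assumptions made for the illustration.

```python
UPG_DN = ("cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,"
          "dc=example,dc=test")

# Constructed view of the directory as seen by two bound principals: the admin
# has read access to the definition, the plain user has no read permission
# under cn=etc, so for it the search comes back empty rather than failing.
VISIBLE = {
    "admin": {UPG_DN: {"originfilter": ["(objectclass=posixAccount)"]}},
    "plain-user": {},
}


class NotFound(Exception):
    """A public, reportable error instead of a non-public IndexError."""


def search_base(principal, dn):
    """Pretend base-scope search: a list of entries, empty both when the entry
    does not exist and when principal may not read it (389-ds semantics)."""
    entry = VISIBLE[principal].get(dn)
    return [entry] if entry is not None else []


def has_upg_before(principal):
    # The pattern behind the traceback: assumes the entry is always readable.
    return "originfilter" in search_base(principal, UPG_DN)[0]


def has_upg_after(principal):
    # Treat an empty result as a definite, explainable failure.
    entries = search_base(principal, UPG_DN)
    if not entries:
        raise NotFound("UPG Definition not found or not readable: %s" % UPG_DN)
    return "originfilter" in entries[0]


def probe(fn, principal):
    """Run fn(principal); return its result, or the exception class name."""
    try:
        return fn(principal)
    except Exception as exc:
        return type(exc).__name__
```

The second half of the same fix in the real project was to grant the missing read permission (32efe5a above); the error path still matters, because a server with a customized or stale permission set will hit it again, and a clear error names the entry to grant access to rather than producing a 500.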

Fixes for users and the ACIs are now in master:

  • 647fa1d aci plugin: Fix internal error when ACIs are not readable
  • 32efe5a Add managed read permission for the UPG Definition
  • 4f89dec ldap2.has_upg: Raise an error if the UPG definition is not found

Fixes for cert-show and krbtpolicy are being investigated/worked on.

More fixes in master:

  • 63a2147 krbtpolicy plugin: Fix internal error when global policy is not readable
  • 93ad239 Add read permissions for automember tasks

Adding ACI.txt (and another ACI fix):

  • 52a4b54 permission plugin: Sort rights when writing the ACI
  • 13bcd03 Add method to enumerate managed permission templates
  • 6acaf73 Add ACI.txt
  • 2f3cdba Make 'permission' the default bind type for managed permissions
  • b6258d0 Make sure member* attrs are always granted together in read permissions

master:

  • b243da4 Allow read access to masters, but not their services, to auth'd users
  • 18744d1 Fix: Allow read access to masters, but not their services, to auth'd users

master:

  • 013bf3d Test and docstring fixes
  • 02b5074 permission plugin: Join --type objectclass filters with OR
  • ac8539b Add posixgroup to groups' permission object filter

master:

  • 61eeea9 netgroup: Add objectclass attribute to read permissions

Marking as done. Any regressions should be tracked in separate tickets.

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 - 2014/06
