The IPA server stores the sudo rules a little differently. We need to support the native sudo schema in 1.8.
This would require:
Fields changed
cc: => pbrezina
component: SSSD => SUDO Provider
I disagree on the plan here. We should not be storing the rules in the sysdb in a specialized format. The point of the sysdb is that it should provide a common interface for the responder. It can contain additional attributes that are provider-specific, but the responder MUST be able to read the sysdb in its expected format.
So the IPA provider MUST do the conversion before storing the data in the sysdb.
component: SUDO Responder => IPA Provider
Replying to [comment:3 sgallagh]:
I disagree on the plan here. We should not be storing the rules in the sysdb in a specialized format. The point of the sysdb is that it should provide a common interface for the responder. It can contain additional attributes that are provider-specific, but the responder MUST be able to read the sysdb in its expected format. So the IPA provider MUST do the conversion before storing the data in the sysdb.
I concur; the architecture is that the responder is as fast as possible and does as little computation as possible, while the providers digest the data in a format that is common to all provider implementations. You definitely do not want to have to manage different schemas in the responder and translate over and over again.
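The conversion that the two comments above assign to the IPA provider, as an added example (not code from this ticket or from SSSD): one IPA-schema rule is translated into a native `sudoRole` entry before it is cached, so a reader of the cache only ever sees one schema. The attribute names come from the FreeIPA sudo schema and the native sudoers LDAP schema, which the ticket does not list; the function names are hypothetical, and the caller is assumed to have already resolved command DNs (including members of command groups) to command strings.

```python
# Added illustration, not SSSD code. Entries are dicts of attribute -> list of
# values, as an LDAP search would return them.

def is_all(rule, category):
    """True when an IPA *Category attribute is set to 'all'."""
    return [v.lower() for v in rule.get(category, [])] == ["all"]

def member_to_native(dn, group_prefix):
    """uid=/fqdn= RDNs name one entry; cn= RDNs name a group and get a prefix.
    Simplification: assumes no escaped commas in the first RDN."""
    attr, value = dn.split(",", 1)[0].split("=", 1)
    return group_prefix + value if attr.strip().lower() == "cn" else value

def members(rule, category, member_attr, external_attr, group_prefix):
    """Category 'all' becomes the ALL keyword; otherwise map members by DN."""
    if is_all(rule, category):
        return ["ALL"]
    native = [member_to_native(dn, group_prefix) for dn in rule.get(member_attr, [])]
    return native + list(rule.get(external_attr, []))

def ipa_rule_to_native(rule, commands):
    """Convert one ipaSudoRule entry into a native sudoRole attribute dict.

    `commands` maps ipaSudoCmd DNs to their sudoCmd value. Rules not explicitly
    enabled return None. An unresolvable command DN raises KeyError rather than
    being skipped, because dropping a deny entry would silently widen the rule.
    """
    if [v.upper() for v in rule.get("ipaEnabledFlag", [])] != ["TRUE"]:
        return None
    cmds = ["ALL"] if is_all(rule, "cmdCategory") else [
        commands[dn] for dn in rule.get("memberAllowCmd", [])]
    cmds += ["!" + commands[dn] for dn in rule.get("memberDenyCmd", [])]
    native = {
        "objectClass": ["sudoRole"],
        "cn": list(rule["cn"]),
        "sudoUser": members(rule, "userCategory", "memberUser", "externalUser", "%"),
        "sudoHost": members(rule, "hostCategory", "memberHost", "externalHost", "+"),
        "sudoCommand": cmds,
        "sudoOption": list(rule.get("ipaSudoOpt", [])),
        "sudoRunAsUser": members(rule, "ipaSudoRunAsUserCategory", "ipaSudoRunAs",
                                 "ipaSudoRunAsExtUser", "%"),
        "sudoRunAsGroup": members(rule, "ipaSudoRunAsGroupCategory",
                                  "ipaSudoRunAsGroup", "ipaSudoRunAsExtGroup", ""),
    }
    # Empty attributes are omitted, as they would be in an LDAP entry.
    return {attr: values for attr, values in native.items() if values}
```

Failing on an unresolved command DN keeps a partially downloaded rule out of the cache, where it could otherwise grant more than the server-side rule does.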
blockedby: => blocking: => milestone: NEEDS_TRIAGE => SSSD 1.8 SUDO Support
rhbz: => 0
milestone: SSSD 1.8 SUDO Support => NEEDS_TRIAGE
milestone: NEEDS_TRIAGE => SSSD 1.9.0 NEEDS_TRIAGE
milestone: SSSD 1.9.0 NEEDS_TRIAGE => SSSD 1.9.0
As a part of this change, please separate SUDO from the ID provider part (for example the configuration doesn't have to be loaded when ID provider is loaded). See Jakub's autofs patch which does this very thing.
feature_milestone: =>
milestone: SSSD 1.9.0 => SSSD 1.10 beta
rhbz: 0 =>
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=789477
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477]
milestone: SSSD 1.10 beta => SSSD 1.11 beta
proposed_priority: => Optional
proposed_priority: Optional => Core
summary: SUDO: Support the IPA schema => [RFE] SUDO: Support the IPA schema
Moving all the features planned for 1.10 release into 1.10 beta.
milestone: SSSD 1.11 beta => SSSD 1.10 beta
priority: major => critical
owner: somebody => pbrezina status: new => assigned
design: => design_review: => 0 fedora_test_page: => selected: => Not need
Moving tickets that are not a priority for SSSD 1.10 into the next release.
Michal is working on this feature as part of his BC thesis.
changelog: => owner: pbrezina => mmsrubar review: => 0 status: assigned => new
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1036628 (RHEL RFE)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477] => [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477], [https://bugzilla.redhat.com/show_bug.cgi?id=1036628 1036628]
Unlinking RHEL RFE. It is only requiring the existence of IPA sudo provider, not that it needs to use native tree.
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477], [https://bugzilla.redhat.com/show_bug.cgi?id=1036628 1036628] => [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477]
mark: => 0
patch: 0 => 1
The original intent was to implement this ticket to get rid of the compat tree. Since then, the compat tree is again used for legacy clients, so using the new sudo schema wouldn't gain us much.
milestone: SSSD 1.13 beta => SSSD 1.13 backlog priority: critical => minor review: 0 => 1
Mass-moving tickets not planned for the next two releases.
Please reply with a comment if you disagree about the move.
milestone: SSSD 1.13 backlog => SSSD 1.15 beta
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1256849 (Fedora)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477] => [https://bugzilla.redhat.com/show_bug.cgi?id=789477 789477], [https://bugzilla.redhat.com/show_bug.cgi?id=1256849 1256849]
Moving to 1.13 and bumping priority, see the linked Fedora bug for reason why.
milestone: SSSD 1.15 beta => SSSD 1.14 beta priority: minor => blocker sensitive: => 0
This was requested by a downstream for inclusion sooner. The patches are on the list and should be reviewed.
milestone: SSSD 1.14 beta => SSSD 1.13.3
owner: mmsrubar => pbrezina status: new => assigned
Since the implementation is being changed, I'm re-setting the 'patch submitted' flag.
patch: 1 => 0
Patches are under development and won't make the 1.13.3 release, moving to 1.13.4
milestone: SSSD 1.13.3 => SSSD 1.13.4
Related patches:
master:
sssd-1-13:
These patches actually implement the RFE:
resolution: => fixed status: assigned => closed
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/SUDOIPASchema
Metadata Update from @jhrozek: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.13.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2150
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.