While working on the ticket to make sssd run as non root (#2370), it turned out interfaces to let openlmi write sssd.conf have been added to infopipe daemon.
This is the wrong place to put such interfaces, and they should be moved to a helper that is started on demand by the system message bus and is unrelated to the infopipe. A helper is fine as reconfigurations are rare and the overhead of running a helper is minimal.
This will allow us to avoid needing root access from the infopipe to change the sssd.conf file (or changing the sssd.conf file ownership to let non-root sssd modify it), making non-root sssd better as it will not be able to change configurations directly (the helper will run as root).
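The split proposed in the description above, sketched as an added example; this is not SSSD code and was never part of the project. The bus name `org.example.sssd.ConfigHelper`, the helper path, and the choice to accept calls from root only are all assumptions made for illustration.

```xml
<!--
  Hypothetical activation file, e.g.
  /usr/share/dbus-1/system-services/org.example.sssd.ConfigHelper.service
  The system bus starts the helper on the first method call, so no
  long-running root process is needed and the infopipe responder can
  run unprivileged:

    [D-BUS Service]
    Name=org.example.sssd.ConfigHelper
    Exec=/usr/libexec/example/sssd-config-helper
    User=root
-->

<!-- Hypothetical bus policy, e.g.
     /usr/share/dbus-1/system.d/org.example.sssd.ConfigHelper.conf -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root may claim the helper's well-known name, so an
       unprivileged process cannot impersonate the config writer. -->
  <policy user="root">
    <allow own="org.example.sssd.ConfigHelper"/>
    <!-- Assumption: configuration changes are accepted from root
         callers only. -->
    <allow send_destination="org.example.sssd.ConfigHelper"/>
  </policy>

  <!-- Everyone else, including a non-root sssd or infopipe, can
       neither own the name nor send requests to it. -->
  <policy context="default">
    <deny own="org.example.sssd.ConfigHelper"/>
    <deny send_destination="org.example.sssd.ConfigHelper"/>
  </policy>

</busconfig>
```

With this layout the only code path that writes sssd.conf as root is the short-lived helper, and the bus policy is the single place to audit who may trigger it.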
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.12.1
rhbz: => 0
Mass-moving all tickets that didn't make 1.12.1 into 1.12.2
milestone: SSSD 1.12.1 => SSSD 1.12.2
We need to do a release as requested by downstream. Moving tickets that are not fixed already or very close to acking to 1.12.3
milestone: SSSD 1.12.2 => SSSD 1.12.3
mark: => 0 priority: critical => major
owner: somebody => pbrezina
We need to finish some rootless sssd tasks first, then Pavel will do an assessment of this ticket.
milestone: SSSD 1.12.3 => SSSD 1.12.4
The sbus-related patches are landing on the list, but we realized during review that they're too big for 1.12, at least for the time being. We're going to commit them to master only for now and backport on request to avoid breaking 1.12.
milestone: SSSD 1.12.4 => Tools Deferred
Sorry, wrong milestone.
milestone: Tools Deferred => SSSD 1.13 alpha
summary: The openlmi interface should use a system message bus helper and does not belong in infopipe => The config manipulation interface should use a system message bus helper and does not belong in infopipe
milestone: SSSD 1.13 alpha => SSSD 1.13 backlog sensitive: => 0
We should just rip out the config management API from SSSD completely..
milestone: SSSD 1.13 backlog => SSSD 1.14 alpha
Replying to [comment:13 jhrozek]:
Can you please elaborate?
Replying to [comment:14 dpal]:
Replying to [comment:13 jhrozek]: We should just rip out the config management API from SSSD completely.. Can you please elaborate?
We have a config API exposed on D-Bus. Because sssd.conf is currently writable as root only, this limits the IFP API to run as root as well. Now we have two options:
1. Leave the D-Bus configuration API around, but move it to another D-Bus service started on demand. This is what simo was proposing earlier.
2. Remove this D-Bus config API from SSSD completely.
Because AFAIK this API is only used by OpenLMI which is more or less dead, I was leaning towards 2. But whatever we do, I would really like the IFP responder to not run as root in 1.14. Implementing 1. would just be a bit more work and I'm not sure there would be any users.
I think we would still need the configuration API. Moving it to a service but not completing the work on that service until we need this API is fine but just ripping it out is IMO the wrong approach as this is how SSSD should be configured via tools like ansible and cockpit. I also suspect we will use it in future to manage SSSD configuration remotely via cockpit.
This needs a fair amount of work which is not in the scope of 1.14 unfortunately.
milestone: SSSD 1.14 alpha => SSSD 1.15 beta
We actually removed the config manipulation completely.
resolution: => wontfix status: new => closed
Metadata Update from @simo:
- Issue assigned to pbrezina
- Issue marked as blocked by: #2370
- Issue set to the milestone: SSSD Future releases (no date set yet)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/3437
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.