Support subid resources in ipa provider #5197
Comments
Just adding here that this is of interest for deploying containers at CERN. We have successfully tested the state-file based approach, which works well, but to deploy this at scale a dynamic solution is needed.
Seconding @lukasheinrich's interest, but from the Paul Scherrer Institute, also in Switzerland.
Diamond Light Source is also interested in this. Our current solution of building a subuid/subgid list through a cron job querying LDAP is less than ideal!
Just to make things clear: this ^^ (support of pluggable backends) wasn't implemented in shadow-utils so far. Moreover, that's not the only thing that should be done there. Without this, SSSD changes don't make sense. Another thing, I don't think it is really realistic to make
Are there already LDAP (especially Active Directory) attributes assigned for this info?
No, I haven't had time to work on this yet. So no LDAP attributes designed and allocated. I guess we can start with a prototype and then settle down with a registered set of attributes that suit best.
Hi, this is purely untested and just meant to start a conversation and show what I think shadow's needs are, but I started a shadow branch here: https://github.com/hallyn/shadow/tree/2020-12-30/sssd, the latest commit so far being hallyn/shadow@20501b8. If you don't expect to have time in the next few weeks to write the sssd side of it, I could give it a shot. I'd of course try to keep it in the style of the rest of sssd, but the testing setup would be an initial stumbling block.
Hi, first of all, thanks a lot for pushing this forward. Yes, I hope I'll be able to give this a try. I will take a deeper look at your prototype this week, but from a first glance I have the following question: why do we need any SSSD specific code (i.e. My understanding is that shadow should read name(-s) of the plugin from Btw, I think it's better to follow
Yeah, I was following the sudo example; I agree shadow doesn't care whether it's sssd or something else. Actually exporting a libsubid_files.so feels odd, but I'll go ahead and do that. I'll post here when I've updated the branch per your suggestions. I'm sorry, due to some off-time coming up I'm not sure when I'll be able to. It shouldn't take too long though, so when I find a slow afternoon...
Well, from my point of view that's fine, but if you feel it's too weird to export The main point is to have this transparent for users (i.e. configuration means should be the same -
Hi @hallyn, shadow-maint/shadow#154 (comment):
Is this https://github.com/hallyn/shadow/commits/2021-01-31/newnss.1 or something different?
Based on that, but that is a bit out of date.
Ok, I force pushed my current branch to https://github.com/hallyn/shadow/commits/2021-01-31/newnss.1. I'm sure it needs some cleanup, but it works: it passes the little tests I wrote, and I manually tested with a custom libsubid_zzz.so which provides subuid 200000 to my user while /etc/subuid provides 100000. I was able to get and not get the correct ranges based on /etc/nsswitch.conf "subid: files" versus "subid: zzz". Hoping to proofread and clean it up tonight. In the meantime, comments very welcome in that PR.
Thanks.
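As an added illustration of the nsswitch behaviour described in the comment above (example code, not from shadow or SSSD): a small model of a libsubid-style lookup that picks its source from the "subid:" line of nsswitch.conf, with the constructed values from the thread (files gives 100000, the custom plugin "zzz" gives 200000), plus the overlap check an administrator should run over any generated subuid table before trusting it. The owner name "alice" and all ranges are constructed.

```python
# Added example (not SSSD or shadow code): model of a libsubid-style lookup choosing
# its source from the nsswitch.conf "subid:" line, plus an overlap check for the table.

def parse_subid_file(text):
    """Parse /etc/subuid-style 'owner:start:count' lines into {owner: [(start, count)]}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        owner, start, count = parts[0], int(parts[1]), int(parts[2])
        if start <= 0 or count <= 0:  # ID 0 is root and must never be handed out as a subid
            raise ValueError(f"line {lineno}: invalid range {start}:{count}")
        table.setdefault(owner, []).append((start, count))
    return table

def nsswitch_subid_sources(nsswitch):
    """Sources on the 'subid:' line, in order; nsswitch falls back to 'files'."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("subid:"):
            return line.split(":", 1)[1].split()
    return ["files"]

def lookup_ranges(owner, nsswitch, sources):
    """First listed source that knows the owner answers, as in glibc NSS."""
    for name in nsswitch_subid_sources(nsswitch):
        ranges = sources.get(name, {}).get(owner)
        if ranges:
            return ranges
    return []

def find_overlaps(table):
    """Owner pairs whose ranges intersect; any hit means two users share host IDs."""
    flat = sorted((s, s + c - 1, o) for o, rs in table.items() for s, c in rs)
    hits, cur_end, cur_owner = [], -1, None
    for s, e, o in flat:
        if s <= cur_end and o != cur_owner:
            hits.append((cur_owner, o))
        if e > cur_end:
            cur_end, cur_owner = e, o
    return hits

# Constructed data: /etc/subuid grants alice 100000..., the "zzz" plugin grants 200000...
FILES = parse_subid_file("alice:100000:65536\n")
ZZZ = {"alice": [(200000, 65536)]}
def resolve_alice(nsswitch):
    return lookup_ranges("alice", nsswitch, {"files": FILES, "zzz": ZZZ})
```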
Limitations:
- only IPA provider
- single subid interval pair (subuid+subgid) per user
- idviews aren't supported
- only forward lookup (user -> subid)
Known TODOs:
- delete cached subid ranges in case "not found" on a server
- distinguish "user not found" vs "user doesn't have ranges defined"
Resolves: SSSD#5197
Limitations:
- only IPA provider
- single subid interval pair (subuid+subgid) per user
- idviews aren't supported
- only forward lookup (user -> subid)
Resolves: SSSD#5197
:feature: Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were introduced.
Limitations:
- single subid interval pair (subuid+subgid) per user
- idviews aren't supported
- only forward lookup (user -> subid ranges)
Take note, this is an MVP of an experimental feature. Significant changes might be required later, after initial feedback.
Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, the SSSD feature isn't built by default. Build can be enabled with the `--with-subid` configure option. The plugin's install path can be configured with `--with-subid-lib-path=` ("${libdir}" by default).
For additional details about support in shadow-utils please see the discussion in shadow-maint/shadow#154 and in related PRs.
:config: New IPA provider option `ipa_subid_ranges_search_base` allows configuration of the search base for user's subid ranges. Default: `cn=subids,%basedn`
Resolves: SSSD#5197
issue: #5197
bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803943
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
For containerized environments it is helpful to enable centrally-managed allocation and distribution of ID sub-ranges for users/groups to use in podman and runc.
As discussed in shadow-maint/shadow#154, shadow-maint/shadow@0a7888b adds a new interface, libsubid. This interface will be extended to allow pluggable backends.
The purpose of this ticket is to track any work related to libsubid integration.
The corresponding FreeIPA ticket is https://pagure.io/freeipa/issue/8361