Group permission #585

Open
wants to merge 26 commits into
base: stretch-unstable
from

Josue-T commented Nov 26, 2018

The problem

  • We can't have a group of users.
  • In the application we can't know which users are allowed to access it.
  • The metronome, sftp and mail servers allow all users to access them. There is no possibility to limit which users can access.

Solution

  • Implement group management.
  • Implement a concept of permission which will give many new features and flexibility.

PR Status

Note that this PR depends on:

It can be tested and reviewed. The following things will come shortly:

  • Check decoration for operation logger
  • More Test
  • Update documentation
  • Implement a migration for the actual instances
  • Unit Test

Optional (depends on my time):

  • Implement 2 passwords for admin (one for the user and one for the LDAP authentication by the moulinette)
  • Use root id for LDAP authentication (see PR ...)
  • Create some helpers to manage the permissions (create, remove, manage permission URL)
  • Update SSOWAT to manage the new ssowat config (will be in a next project)
  • Add these new features in the webadmin (will be in a next project)

How to test

Currently it's not possible to use these new features with the current LDAP schema, so you need to do the postinstall to have a clean LDAP schema with the new features.

With ynhdev:

  • For the yunohost repo, check out the branch "group_permission"
  • For the moulinette repo, check out the branches "LDAP_validate_uniqueness" and "sasl_authentication"
  • Do the postinstall
  • Play with the new features

What you can test

The group management

You should be able to create a group of users with this command:

yunohost user group add YOUR_GROUP

Then you should be able to add a user to your group:

yunohost user group update YOUR_GROUP -a YOUR_USER

You can also list all groups in YunoHost with this command:

# yunohost user group list
groups:
  ALL:
    groupname: ALL
    members:
      - YOUR_USER1
      - YOUR_USER2
  YOUR_USER1:
    groupname: YOUR_USER1
    members: YOUR_USER1
  YOUR_USER2:
    groupname: YOUR_USER2
    members: YOUR_USER2
  YOUR_GROUP:
    groupname: YOUR_GROUP
    members: YOUR_USER

The permission management

By default you have 3 permissions:

  • mail (main)
  • sftp (main)
  • metronome (main)

By default all users are permitted. If you want to restrict the permission you can use the app-access-like concept:

# Allow YOUR_USER1 to access the mail
yunohost user permission add mail -u YOUR_USER1
# Disallow all users of group YOUR_GROUP from accessing the mail
yunohost user permission remove mail -g YOUR_GROUP
# Clear the permission -> allow all users to access the mail
yunohost user permission clear mail

Note that these are just some examples.

Integration in application

To give the application the possibility to know which users are allowed to access it, you need to configure the LDAP connector with these parameters:

Host:               ldap://localhost
Port:               389
Base DN:            dc=yunohost,dc=org
User DN:            ou=users,dc=yunohost,dc=org
Filter:             (&(objectClass=posixAccount)
                        (permission=cn=APP1.main,ou=permission,dc=yunohost,dc=org))
LDAP Username:      uid
LDAP Email Address: mail

Note that the main difference is the new filter.

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
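The following is an added example (not YunoHost code and not part of this PR) that models the group and permission concept described above and builds the LDAP filter from the connector settings. It assumes a simplified grant model: a permission is granted to a set of groups, every user has a group of its own name (as in the `group list` output), `ALL` holds everyone and `clear` resets the grant to `ALL`; the `BASE_DN`, `PermissionModel` and the escaping helper are this example's own names.

```python
# Added example (not YunoHost code): model of the group/permission concept in this
# PR plus the LDAP filter an application uses to list the users allowed to use it.
# Assumed grant model: permission -> groups; "ALL" = everyone; clear resets to "ALL".
from dataclasses import dataclass, field

BASE_DN = "dc=yunohost,dc=org"

# RFC 4515 escaping: metacharacters in an app or permission name must not be able
# to change the structure of the search filter an app builds from it.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def permission_dn(app: str, name: str = "main") -> str:
    """DN of the permission object, e.g. cn=mail.main,ou=permission,dc=yunohost,dc=org."""
    return f"cn={app}.{name},ou=permission,{BASE_DN}"


def app_user_filter(app: str, name: str = "main") -> str:
    """The filter from the LDAP-connector settings above, with the DN escaped."""
    dn = ldap_filter_escape(permission_dn(app, name))
    return f"(&(objectClass=posixAccount)(permission={dn}))"


@dataclass
class PermissionModel:
    groups: dict                                  # groupname -> set of member uids
    grants: dict = field(default_factory=dict)    # permission -> set of groupnames

    def _grant(self, perm: str) -> set:
        return self.grants.setdefault(perm, {"ALL"})   # default: everyone is permitted

    def add(self, perm: str, *, user: str = None, group: str = None) -> None:
        self._grant(perm).add(user or group)          # `-u USER` uses the user's own group

    def remove(self, perm: str, *, user: str = None, group: str = None) -> None:
        self._grant(perm).discard(user or group)

    def clear(self, perm: str) -> None:
        self.grants[perm] = {"ALL"}

    def allowed_users(self, perm: str) -> set:
        return {u for g in self._grant(perm) for u in self.groups.get(g, ())}

    def entries(self, perm: str) -> list:
        """posixAccount entries carrying the `permission` attribute the filter matches on."""
        dn = permission_dn(perm)
        return [{"uid": u, "objectClass": ["posixAccount"], "permission": [dn]}
                for u in sorted(self.allowed_users(perm))]
```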
dromer commented Nov 27, 2018

Very cool that you're working on this @Josue-T

To know how to get SSOwat to read and display group-based apps of the user have a look at my Proof of Concept PR here: https://github.com/YunoHost/SSOwat/pull/62/files

zamentur commented Nov 30, 2018

Sounds great, I hope to find time to test it during the weekend :)

@Josue-T Josue-T force-pushed the group_permission branch from 5a3ff46 to cf5579e Dec 1, 2018

arthurlogilab commented Dec 4, 2018

🎉 Great news to see this patch arrive. Will try to find the time to review it and test it since it's something we need.

@Josue-T Josue-T force-pushed the group_permission branch 2 times, most recently from c71f60f to 888aac8 Dec 12, 2018

@Josue-T Josue-T force-pushed the group_permission branch 2 times, most recently from 1d57cc2 to ee647d7 Dec 14, 2018

logger.info(m18n.n("migration_0009_done"))

@property
def disclaimer(self):
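Review bot: the `disclaimer` property makes this migration wait for the admin's confirmation rather than run unattended, so its text should state plainly what the confirmation commits to, namely that the migration forces a regen-conf of the LDAP configuration (the reason given in this thread for not running it automatically), so the admin knows what will change before confirming.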

zamentur Dec 15, 2018

This migration should be done automatically, no?

Josue-T Dec 15, 2018

Well,

We can run it automatically, but we need to know that in the migration we force the regen-conf for LDAP, as explained here.

Anyway, it's a tricky thing which needs to be debated, from my point of view.

In any case I added a mechanism which doesn't allow the user to do anything until the migration is done, see #599

@Josue-T Josue-T removed the work needed label Dec 31, 2018

Josue-T commented Dec 31, 2018

I think it should be ready for a first review.

I also updated the doc here: YunoHost/moulinette#189

@Josue-T Josue-T force-pushed the group_permission branch from e3e3782 to 58e73f5 Jan 10, 2019

Josue-T added some commits Nov 25, 2018

@Josue-T Josue-T force-pushed the group_permission branch from 693d644 to 6054e4e Jan 17, 2019