replica: Ensure that ipaapi user is allowed to access ifp #4914
Conversation
ipa-server-install executes ipa-client-install with the --on-master flag set, which causes the ipaclient.install.client.sssd_enable_ifp() function to be called. This function configures sssd so that the ipaapi user is allowed to access ifp. Any FreeIPA replica should also have sssd configured like this, but in that case we cannot simply pass the --on-master flag to ipa-client-install because it has other side effects. The solution is to call the ipaclient.install.client.sssd_enable_ifp() function from inside the ipaserver.install.server.replicainstall.promote_sssd() function. https://pagure.io/freeipa/issue/8403
tiran
added
ipa-4-8
|
I'm happy to try and create a test case if someone can get me pointed in the right direction. |
|
It would be one or more integration tests. They live in ipatests/test_integration. Considering we're talking about replica installations test_replica_promotion.py is a candidate for at least one test. I think that the TestReplicaPromotionLevel1 could add a new test function to fetch sssd.conf via: and examine the results to ensure that the ifp settings were done. TestUnprivilegedUserPermissions could be used to do the same ifp check as this is a client -> server promotion. In fact, the ifp test could be some generic function that given a host fetch the file, load using SSSDConfig and verify the ifp settings. |
| @@ -47,6 +48,32 @@ def test_kra_install_master(self): | |||
| assert(found > 0), result2.stdout_text | |||
|
|
|||
|
|
|||
| def test_sssd_config_allows_ipaapi_access_to_ifp(host): | |||
There was a problem hiding this comment.
Can you drop the test_ prefix? It makes it look like this is a test rather than a standalone function.
There was a problem hiding this comment.
I believe this is addressed in commit adc5e44.
| # Verify that the allow_uids item's value contains ipaapi | ||
| uids = [uid.strip() for uid in ifp_items_dict['allowed_uids'].split(',')] | ||
| assert 'ipaapi' in uids | ||
|
|
There was a problem hiding this comment.
Only two blank lines are necessary.
There was a problem hiding this comment.
I believe this is addressed in commit adc5e44.
| ''' | ||
| contents = host.get_file_contents(paths.SSSD_CONF, encoding='utf-8') | ||
| # Parse the sssd config as a config file | ||
| config = ConfigParser() |
There was a problem hiding this comment.
Strictly speaking, yes, the config is an INI-style configuration file. There is also an SSSD python API and that may be a better long-term solution. Maybe something approaching:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
ifp = sssdconfig.get_service('ifp')
uids = ifp.get_option('allowed_uids').split(',')
assert 'ipaapi' in uids
There was a problem hiding this comment.
I believe this is addressed in commit adc5e44.
|
The PR looks outstanding, thanks for the contribution. Triggering full CI. I don't see any other issues. Kudos on finding remote_sssd_config(), I had forgotten about that. |
Thanks @rcritten. I couldn't figure out how to use |
rcritten
added
ack
|
Thanks again for all your help @rcritten! |
ipa-server-installexecutesipa-client-installwith the--on-masterflag set, which causes theipaclient.install.client.sssd_enable_ifp()function to be called. This function configuressssdso that theipaapiuser is allowed to accessifp. Any FreeIPA replica should also havesssdconfigured like this, but in that case we cannot simply pass the--on-masterflag toipa-client-installbecause it has other side effects. The solution is to call theipaclient.install.client.sssd_enable_ifp()function from inside theipaserver.install.server.replicainstall.promote_sssd()function.https://pagure.io/freeipa/issue/8403