replica: Ensure that ipaapi user is allowed to access ifp #4914
Conversation
ipa-server-install executes ipa-client-install with the --on-master flag set, which causes the ipaclient.install.client.sssd_enable_ifp() function to be called. This function configures sssd so that the ipaapi user is allowed to access ifp. Any FreeIPA replica should also have sssd configured like this, but in that case we cannot simply pass the --on-master flag to ipa-client-install because it has other side effects. The solution is to call the ipaclient.install.client.sssd_enable_ifp() function from inside the ipaserver.install.server.replicainstall.promote_sssd() function. https://pagure.io/freeipa/issue/8403
LGTM, thanks!
Rob, can you look into a test case for the issue?
I'm happy to try and create a test case if someone can get me pointed in the right direction.
It would be one or more integration tests. They live in ipatests/test_integration. Considering we're talking about replica installations test_replica_promotion.py is a candidate for at least one test. I think that the TestReplicaPromotionLevel1 could add a new test function to fetch sssd.conf via:
and examine the results to ensure that the ifp settings were done. TestUnprivilegedUserPermissions could be used to do the same ifp check as this is a client -> server promotion. In fact, the ifp test could be some generic function that given a host fetch the file, load using SSSDConfig and verify the ifp settings.
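A generic check of the kind described above, as an added example that is not code from this PR or from FreeIPA: it takes the text of an sssd.conf already fetched from a host and verifies the ifp settings. The two sample configurations are constructed; the "fixed" one reflects what the PR description says sssd_enable_ifp() configures (ifp enabled, ipaapi in allowed_uids) and, as an assumption, also carries the user_attributes line and lists ifp in the [sssd] services. It uses the standard-library ConfigParser instead of the SSSDConfig API so it runs offline; check_ifp_access, parse_sssd_conf and split_csv are names chosen here.

```python
"""Added example (not FreeIPA's own code): check a fetched sssd.conf for the
ifp configuration the PR describes, i.e. the ifp responder enabled and the
ipaapi user listed in allowed_uids."""
from configparser import ConfigParser

# Constructed sample sssd.conf modelled on what sssd_enable_ifp() is expected
# to write (assumption, not copied from a real host). The '%u' template is
# deliberate: it shows why interpolation must be disabled in ConfigParser.
SAMPLE_SSSD_CONF = """\
[domain/ipa.example.test]
id_provider = ipa
override_homedir = /home/%u

[sssd]
services = nss, pam, ssh, sudo, ifp
domains = ipa.example.test

[ifp]
allowed_uids = ipaapi, root
user_attributes = +mail, +telephoneNumber, +givenname, +sn
"""

# Constructed "before the fix" config: a replica where promote_sssd() never
# called sssd_enable_ifp(), so there is no [ifp] section at all.
SAMPLE_SSSD_CONF_NO_IFP = """\
[domain/ipa.example.test]
id_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test
"""


def parse_sssd_conf(contents):
    """Parse sssd.conf text (e.g. from host.get_file_contents) as INI."""
    # interpolation=None: sssd values such as override_homedir = /home/%u
    # would otherwise make ConfigParser raise when the option is read.
    config = ConfigParser(interpolation=None)
    config.read_string(contents)
    return config


def split_csv(value):
    """Split an sssd comma-separated list, dropping whitespace and empties."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_ifp_access(contents, user="ipaapi"):
    """Return (ok, problems) for the ifp settings in an sssd.conf text.

    ok is True only when an [ifp] section exists, ifp is listed as a service
    and `user` is among allowed_uids; problems lists every failed check so a
    test assertion message can show them all.
    """
    problems = []
    config = parse_sssd_conf(contents)

    if not config.has_section("ifp"):
        problems.append("no [ifp] section")
        return False, problems

    services = split_csv(config.get("sssd", "services", fallback=""))
    if "ifp" not in services:
        problems.append("ifp not listed in [sssd] services")

    allowed = split_csv(config.get("ifp", "allowed_uids", fallback=""))
    if user not in allowed:
        problems.append("%s not in allowed_uids %r" % (user, allowed))

    return not problems, problems


if __name__ == "__main__":
    for name, conf in (("fixed", SAMPLE_SSSD_CONF),
                       ("no-ifp", SAMPLE_SSSD_CONF_NO_IFP)):
        ok, problems = check_ifp_access(conf)
        print(name, "OK" if ok else "FAIL: " + "; ".join(problems))
```

In an integration test the contents would come from host.get_file_contents(paths.SSSD_CONF, encoding='utf-8') and the assertion would be `ok, problems = check_ifp_access(contents); assert ok, problems`, so a failing run reports every missing setting at once rather than just the first.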
@@ -47,6 +48,32 @@ def test_kra_install_master(self): | |||
assert(found > 0), result2.stdout_text | |||
|
|||
|
|||
def test_sssd_config_allows_ipaapi_access_to_ifp(host): |
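Review bot: a module-level function whose name starts with `test_` and takes a `host` parameter, as on the last line of this hunk, will be collected by pytest as a test case in its own right (with `host` resolved as a fixture) rather than used only as a helper; name it without the prefix, e.g. `check_sssd_config_allows_ipaapi_access_to_ifp(host)`, so collection skips it and its purpose is clear.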
Can you drop the test_ prefix? It makes it look like this is a test rather than a standalone function.
I believe this is addressed in commit adc5e44.
# Verify that the allow_uids item's value contains ipaapi | ||
uids = [uid.strip() for uid in ifp_items_dict['allowed_uids'].split(',')] | ||
assert 'ipaapi' in uids | ||
|
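Review bot: the comment on the first line of this hunk names the option `allow_uids` while the code (and the real sssd option) is `allowed_uids`; align the comment with the key actually read, e.g. `# Verify that the allowed_uids value contains ipaapi`, so a reader grepping sssd.conf for the option finds the right name.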
Only two blank lines are necessary.
I believe this is addressed in commit adc5e44.
''' | ||
contents = host.get_file_contents(paths.SSSD_CONF, encoding='utf-8') | ||
# Parse the sssd config as a config file | ||
config = ConfigParser() |
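Review bot: `ConfigParser()` on the last line uses BasicInterpolation by default, which treats a bare `%` in a value as a reference and raises when that option is read; sssd.conf values can legitimately contain `%` templates (for example `override_homedir = /home/%u`), so construct it as `ConfigParser(interpolation=None)`, or use the SSSDConfig API suggested in review, which parses the file with sssd's own rules.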
Strictly speaking, yes, the config is an INI-style configuration file. There is also an SSSD python API and that may be a better long-term solution. Maybe something approaching:
import SSSDConfig  # python bindings shipped with sssd

sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()  # reads the default sssd.conf
ifp = sssdconfig.get_service('ifp')
uids = [uid.strip() for uid in ifp.get_option('allowed_uids').split(',')]
assert 'ipaapi' in uids
I believe this is addressed in commit adc5e44.
The PR looks outstanding, thanks for the contribution. Triggering full CI. I don't see any other issues. Kudos on finding remote_sssd_config(), I had forgotten about that.
Thanks @rcritten. I couldn't figure out how to use
Thanks again for all your help @rcritten!