ca-add: fix permission issue #837
Conversation
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
6c54e99
to
fcd9cb1
Compare
|
Is there a bug filed on the GER issue? |
|
Ok cool. I shouldn't have been so terse in my previous comment, what I should have added was "does it make sense to include a pointer to the bug as a hint so workaround can be removed some time in the future?" This PR is sort of a brute-force solution but given the infrequency it will be executed it seems perfectly reasonable. |
|
On Thu, Jun 01, 2017 at 06:55:59AM -0700, Rob Crittenden wrote:
Ok cool. I shouldn't have been so terse in my previous comment, what I should have added was "does it make sense to include a pointer to the bug as a hint so workaround can be removed some time in the future?"
This PR is sort of a brute-force solution but given the infrequency it will be executed it seems perfectly reasonable.
Good idea; I'll add a link to the bug in the patch itself.
|
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
fcd9cb1
to
3e13670
Compare
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
3e13670
to
a521c7a
Compare
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
a521c7a
to
8a369d2
Compare
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
8a369d2
to
908c93f
Compare
|
Reading this again it makes me wonder. Which is worse?
The first would purposely combine the Add, Delete and Write ACI's into one which could confuse users who really want atomic rights. |
|
@rcritten neither is desirable; this is just a workaround until the issue gets fixed in DS, |
|
Elsewhere in the framework we just let the add fail rather than using GER to check in advance. What is the benefit of using GER in this case rather than just letting the add fail? |
|
@rcritten the benefit of GER (if it worked the way we want) is that it would allow us to:
instead of the procedure implemented in this commit:
The latter procedure (which this commit implements) is messier and requires the |
|
I guess what I don't understand are the possible reasons creating the LWCA in dogtag would fail. |
|
There aren't too many - database error, direct database manipulation, or direct action against dogtag to e.g. delete or disable the issuing CA would be the main reasons. But ignoring deletion, there is still the need to modify the IPA entry to add the authority ID, as part of the normal procedure when creation is successful. |
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
908c93f
to
bde856a
Compare
|
@frasertweedale We had some issues with Travis CI recently. Please rebase on master to fix Travis tests. |
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
bde856a
to
03e5869
Compare
The ca-add command pre_callback uses ldap.can_add() to check whether the user has permission to add CAs. Alas, the GetEffectiveRights control used by ldap.can_add() doesn't correctly interpret ACIs with 'targetfilter' constraints, and returns a false-negative for non-admin users, even when they have the 'System: Add CA' permission. To work around this, add the CA object to FreeIPA before attempting to create the CA in Dogtag. If the CA creation in Dogtag succeds, the user then updates the FreeIPA object with the Authority ID and other authoritative data returned by Dogtag. If the CA creation in Dogtag fails, the user cleans up by deleting the newly-created CA object from FreeIPA. This modified procedure ensures that the user certainly has the 'System: Add CA' permission before the CA creation in Dogtag is attempted. But it also means that the user must have 'write' and 'delete' permission on 'ipaca' objects in FreeIPA, so that it can complete the object after CA creation in Dogtag, or clean up if that step fails. Therefore, update the 'System: Add CA' permission to confer 'write' and 'delete' access on 'ipaca' objects, as well as 'add' access. The GetEffectiveRights problem is being tracked upstream as https://pagure.io/389-ds-base/issue/49278. When that ticket has been fixed, this workaround can and should be reverted. Fixes: https://pagure.io/freeipa/issue/6609
frasertweedale
force-pushed
the
fix/6609-ca-add-permissions
branch
from
03e5869
to
2867c38
Compare
|
The 389ds fix seems to have landed. I'll test it; this patch may be needed no longer. |
frasertweedale
added
postponed
and removed
needs review
|
Seems that there are still issue in 389. Hopefully they will be fixed soon... |
|
The 389ds fix does work, I just wasn't using it right :) Closing this PR and I'll have a new one soon with changes to make |
The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs. Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.
To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag. If the CA creation in Dogtag succeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag. If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.
This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted. But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails. Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.
Fixes: https://pagure.io/freeipa/issue/6609