V4/Anonymous and All permissions

Name: V4/Anonymous and All permissions
Target version: 4.0.0
Status: Pending review
Last updated: 2016-04-25 by Alich

Overview

Allow IPA permissions to apply to Anonymous and All authenticated users.

Use Cases

Note: This is not very practical for write, but until the global read ACI is removed, examples need to use write permissions to be effective.

  • Allow all authenticated users to edit other users' login shell
ipa permission-add 'Shell editable by all' --type=user --attrs=loginshell --bindtype=all --permissions=write
  • Allow all users (even anonymous ones via LDAP) to edit other users' login shell
ipa permission-add 'Shell editable by anonymous' --type=user --attrs=loginshell --bindtype=anonymous --permissions=write

Design

The permission_{add,mod,find} commands will get a new --bindtype option (attribute name: ipapermbindruletype) with these values:

  • "permission" (default) - Permission behaves as before -- grants access through privileges+roles
  • "all" - Permission applies to all authenticated users (ldap:///all)
  • "anonymous" - Permission applies to all users, even unauthenticated ones (ldap:///anyone)

Note: As the IPA API always requires authentication, unauthenticated users would need to use LDAP directly.

The permission_{add,mod,find,show} commands will output the ipapermbindruletype.

Permissions with ipapermbindruletype other than "permission" may not be added to privileges, and ipapermbindruletype other than "permission" may not be set on permissions that are already members of a privilege. (This will not be enforced on older servers. Adding such a permission to a privilege will not have any effect.)
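The mapping above, from ipapermbindruletype to the bind rule FreeIPA writes into the ACI, together with the two privilege-membership constraints, as a small Python model. This is an added example, not FreeIPA's own code: it assumes the ACI layout the test plan on this page shows (target, "version 3.0", acl name "permission:<name>", an allow clause and one bind rule) and uses a constructed base DN in place of $SUFFIX. The error messages are the ones the test plan expects, and the last function flags ACIs that let all or anonymous binds write, the combination the Use Cases note calls impractical.

```python
"""Model of how ipapermbindruletype maps to an ACI bind rule.

Added example, not FreeIPA's own code. Assumes the ACI layout shown in the
test plan on this page and a constructed base DN standing in for $SUFFIX.
"""
import re

SUFFIX = "dc=example,dc=test"  # constructed stand-in for $SUFFIX

BINDTYPES = ("permission", "all", "anonymous")


def bind_rule(name, bindtype):
    """Bind rule clause emitted for one ipapermbindruletype value."""
    if bindtype == "permission":
        # Access is granted through the permission entry's group, i.e. privileges+roles.
        return 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (name, SUFFIX)
    if bindtype == "all":
        return 'userdn = "ldap:///all"'      # every authenticated bind
    if bindtype == "anonymous":
        return 'userdn = "ldap:///anyone"'   # including unauthenticated binds
    raise ValueError("unknown bindtype %r" % (bindtype,))


def build_aci(name, target_dn, rights, bindtype="permission"):
    """Render the ACI string for a permission, as in the Verify ACI test cases."""
    return ('(target = "ldap:///%s")(version 3.0;acl "permission:%s";allow (%s) %s;)'
            % (target_dn, name, ",".join(rights), bind_rule(name, bindtype)))


ACI_RE = re.compile(
    r'acl "permission:(?P<name>[^"]+)";allow \((?P<rights>[^)]*)\) '
    r'(?P<kind>userdn|groupdn) = "(?P<subject>[^"]+)";'
)


def parse_aci(aci):
    """Return (name, rights, bindtype) for a permission ACI, or None if it is not one."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    name, kind, subject = m.group("name"), m.group("kind"), m.group("subject")
    if kind == "userdn" and subject == "ldap:///anyone":
        bindtype = "anonymous"
    elif kind == "userdn" and subject == "ldap:///all":
        bindtype = "all"
    elif kind == "groupdn" and subject == "ldap:///cn=%s,cn=permissions,cn=pbac,%s" % (name, SUFFIX):
        bindtype = "permission"
    else:
        bindtype = "other"  # hand-written bind rule, not one permission-* would emit
    rights = tuple(r.strip() for r in m.group("rights").split(",") if r.strip())
    return name, rights, bindtype


class Permission(object):
    """Minimal permission object carrying the two design constraints."""

    def __init__(self, name, bindtype="permission"):
        if bindtype not in BINDTYPES:
            raise ValueError("unknown bindtype %r" % (bindtype,))
        self.name = name
        self.bindtype = bindtype
        self.privileges = set()

    def add_to_privilege(self, privilege):
        # Only bindtype=permission grants through privileges, so refuse the others.
        if self.bindtype != "permission":
            raise ValueError("invalid 'permission': cannot add permission \"%s\" with bindtype \"%s\" to a privilege"
                             % (self.name, self.bindtype))
        self.privileges.add(privilege)

    def set_bindtype(self, bindtype):
        # A permission that is already a privilege member must keep bindtype=permission.
        if bindtype != "permission" and self.privileges:
            raise ValueError("invalid 'ipapermbindruletype': cannot set bindtype for a permission "
                             "that is assigned to a privilege")
        if bindtype not in BINDTYPES:
            raise ValueError("unknown bindtype %r" % (bindtype,))
        self.bindtype = bindtype


def broad_write_acis(acis):
    """Names of permission ACIs that let all or anonymous binds write; worth auditing."""
    found = []
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed and parsed[2] in ("all", "anonymous") and "write" in parsed[1]:
            found.append(parsed[0])
    return found
```

parse_aci deliberately reports "other" for a bind rule it does not recognise rather than guessing, so an audit over a real ACI dump distinguishes permission-managed ACIs from hand-edited ones.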

Implementation

No additional requirements or changes discovered during the implementation phase.

Feature Management

UI

The UI will need a new field for the bind type.

Adding permissions with non-default bindtype set to privileges, and setting non-default bindtype on permissions in privileges, should be disabled in the UI.

CLI

See Design.

Major configuration options and enablement

N/A

Replication

ACIs are replicated.

Updates and Upgrades

Permissions with non-default bindtype can only be created on new servers, so they will be V2 permissions. This means old servers will not read or modify their ACIs.

Old servers will be able to add all permissions to privileges, but privilege membership will not have any effect unless bindtype=permission. Removing any permission from privileges will be possible on any server.

Dependencies

None

External Impact

Will need tests and documentation

Backup and Restore

ACIs are part of the DIT and so they are backed up.

Test Plan

Test permission bindtype

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_bindtype

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Create anonymous u'testperm'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --bindtype=anonymous --type=user

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///anyone";)



Test case: Create u'testpriv1'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add testpriv1 --desc='privilege desc. 1'

Expected results

The command succeeds with this output:

---------------------------
Added privilege "testpriv1"
---------------------------
  Privilege name: testpriv1
  Description: privilege desc. 1


Test case: Try to add u'testperm' to u'testpriv1'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add_permission testpriv1 --permissions=testperm

Expected results

The command fails with this error:

invalid 'permission': cannot add permission "testperm" with bindtype "anonymous" to a privilege


Test case: Change binddn of u'testperm' to all

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --bindtype=all --type=user

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)



Test case: Try to add u'testperm' to u'testpriv1'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add_permission testpriv1 --permissions=testperm

Expected results

The command fails with this error:

invalid 'permission': cannot add permission "testperm" with bindtype "all" to a privilege


Test case: Search for u'testperm' using --bindtype

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --bindtype=all

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
----------------------------
Number of entries returned 1
----------------------------


Test case: Rename u'testperm' to permission u'testperm1_rn'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --rename=testperm1_rn

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm1_rn
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm1_rn

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm1_rn";allow (write) userdn = "ldap:///all";)



Test case: Reset binddn of u'testperm1_rn' to permission

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm1_rn --bindtype=permission --type=user

Expected results

The command succeeds with this output:

----------------------------------
Modified permission "testperm1_rn"
----------------------------------
  Permission name: testperm1_rn
  Permissions: write
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm1_rn

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm1_rn";allow (write) groupdn = "ldap:///cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX";)



Test case: Rename u'testperm1_rn' back to u'testperm'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm1_rn --rename=testperm

Expected results

The command succeeds with this output:

----------------------------------
Modified permission "testperm1_rn"
----------------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)



Test case: Add u'testperm' to u'testpriv1'

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add_permission testpriv1 --permissions=testperm

Expected results

The command succeeds with this output:

  Privilege name: testpriv1
  Description: privilege desc. 1
  Permissions: testperm
-----------------------------
Number of permissions added 1
-----------------------------


Test case: Try to change binddn of u'testperm' to anonymous

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --bindtype=anonymous --type=user

Expected results

The command fails with this error:

invalid 'ipapermbindruletype': cannot set bindtype for a permission that is assigned to a privilege

Cleanup

ipa permission_del testperm --force
ipa permission_del testperm1_rn --force
ipa privilege_del testpriv1

RFE Author

Petr Viktorin