V4/Anonymous and All permissions
Overview
Allow IPA permissions to apply to anonymous binds and to all authenticated users, instead of only to the privileges and roles the permission is assigned to.
Use Cases
Note: Granting write access to anonymous or to all authenticated users is not something to do in a real deployment; the examples below use write permissions only because, until the global read ACI is removed, a read permission would add nothing observable.
- Allow all authenticated users to edit other users' login shell
ipa permission-add 'Shell editable by all' --type=user --attrs=loginshell --bindtype=all --permissions=write
- Allow all users (even anonymous ones via LDAP) to edit other users' login shell
ipa permission-add 'Shell editable by anonymous' --type=user --attrs=loginshell --bindtype=anonymous --permissions=write
Design
The permission_{add,mod,find} commands will get a new --bindtype option (attribute name: ipapermbindruletype) with these values:
- "permission" (default) - Permission behaves as before -- grants access through privileges+roles
- "all" - Permission applies to all authenticated users (ldap:///all)
- "anonymous" - Permission applies to all users, even unauthenticated ones (ldap:///anyone)
Note: Because the IPA API (CLI and Web UI) always requires authentication, an unauthenticated user can only exercise an "anonymous" permission by binding to LDAP directly.
The permission_{add,mod,find,show} commands will output the ipapermbindruletype.
Permissions whose ipapermbindruletype is not "permission" may not be added to privileges, and a permission that is already a member of a privilege may not have its ipapermbindruletype changed away from "permission". (Older servers do not enforce this. On them, adding such a permission to a privilege has no effect, because the ACI's bind rule names ldap:///all or ldap:///anyone rather than the permission's group.)
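As an added illustration, not FreeIPA's own code, the following Python renders the ACI that each bindtype produces (the three ACI shapes match the ones checked in the Test Plan; targetattr is omitted, as in those ACIs), recovers the bindtype from an existing ACI, applies the two privilege-membership rules above, and flags ACIs that let anonymous or all binds modify entries. The suffix dc=example,dc=test and the SAMPLE_ACIS list are constructed for the example.

```python
import re

# Added example, not FreeIPA's implementation: how ipapermbindruletype maps to the
# bind rule of the generated 389-ds ACI, plus the privilege-membership rules.
# SUFFIX and SAMPLE_ACIS below are constructed for this example.

SUFFIX = "dc=example,dc=test"

# Bind rules for the two non-default values of --bindtype.
BINDRULE_FOR_TYPE = {
    "all": 'userdn = "ldap:///all"',           # any authenticated bind
    "anonymous": 'userdn = "ldap:///anyone"',  # includes unauthenticated LDAP binds
}


def bind_rule(name, bindtype, suffix=SUFFIX):
    """ACI bind-rule clause for a permission. The default type binds to the
    permission's own group entry, which privileges (and through them roles)
    are members of; the other two types bypass privileges entirely."""
    if bindtype == "permission":
        return 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (name, suffix)
    if bindtype in BINDRULE_FOR_TYPE:
        return BINDRULE_FOR_TYPE[bindtype]
    raise ValueError("unknown bindtype %r" % (bindtype,))


def build_aci(name, target_dn, permissions, bindtype, suffix=SUFFIX):
    """Render the ACI for a permission in the form the test plan checks for
    (no targetattr, as in the test plan's ACIs)."""
    return '(target = "ldap:///%s")(version 3.0;acl "permission:%s";allow (%s) %s;)' % (
        target_dn, name, ",".join(permissions), bind_rule(name, bindtype, suffix))


ACI_RE = re.compile(r'allow \(([^)]*)\) (userdn|groupdn) = "ldap:///([^"]+)";')


def bindtype_of_aci(aci):
    """Inverse mapping: which bindtype an existing ACI corresponds to.
    Raises ValueError for bind rules this feature does not generate."""
    m = ACI_RE.search(aci)
    if m is None:
        raise ValueError("no allow/bind rule found in ACI")
    _perms, kind, value = m.groups()
    if kind == "userdn" and value == "anyone":
        return "anonymous"
    if kind == "userdn" and value == "all":
        return "all"
    if kind == "groupdn" and ",cn=permissions,cn=pbac," in value:
        return "permission"
    raise ValueError("unrecognised bind rule: %s = ldap:///%s" % (kind, value))


def check_privilege_add(perm_name, bindtype):
    """privilege_add_permission: only bindtype=permission may join a privilege."""
    if bindtype != "permission":
        raise ValueError('cannot add permission "%s" with bindtype "%s" to a privilege'
                         % (perm_name, bindtype))
    return True


def check_bindtype_change(in_privilege, new_bindtype):
    """permission_mod: a member of a privilege must keep bindtype=permission."""
    if in_privilege and new_bindtype != "permission":
        raise ValueError("cannot set bindtype for a permission that is assigned to a privilege")
    return True


def find_open_write_acis(acis):
    """Audit helper: ACIs that let anonymous or all binds modify the directory.
    Returns (bindtype, aci) pairs; read-only grants such as the global read
    ACI are not reported."""
    risky = []
    for aci in acis:
        m = ACI_RE.search(aci)
        if m is None:
            continue
        perms = {p.strip() for p in m.group(1).split(",")}
        try:
            bt = bindtype_of_aci(aci)
        except ValueError:
            continue
        if bt in ("anonymous", "all") and perms & {"write", "add", "delete"}:
            risky.append((bt, aci))
    return risky


# Constructed sample: a read-only anonymous grant, the two use cases from
# this page, and an ordinary privilege-bound permission.
USERS = "uid=*,cn=users,cn=accounts," + SUFFIX
SAMPLE_ACIS = [
    build_aci("Read users", USERS, ["read", "search", "compare"], "anonymous"),
    build_aci("Shell editable by all", USERS, ["write"], "all"),
    build_aci("Shell editable by anonymous", USERS, ["write"], "anonymous"),
    build_aci("Modify Users", USERS, ["write"], "permission"),
]

if __name__ == "__main__":
    for bt, aci in find_open_write_acis(SAMPLE_ACIS):
        print("%-9s %s" % (bt, aci))
```

Running the block prints the two write-capable ACIs bound to ldap:///all and ldap:///anyone; the read-only anonymous ACI and the privilege-bound one are not reported, which is the distinction an auditor of cn=accounts wants once this feature is deployed.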
Implementation
No additional requirements or changes discovered during the implementation phase.
Feature Management
UI
The UI will need a new field for the bind type.
Adding permissions with non-default bindtype set to privileges, and setting non-default bindtype on permissions in privileges, should be disabled in the UI.
CLI
See Design.
Major configuration options and enablement
N/A
Replication
ACIs are replicated.
Updates and Upgrades
Permissions with a non-default bindtype can only be created on new servers, so they will be V2 permissions. This means old servers will not read or modify their ACIs.
Old servers will be able to add any permission to privileges, but privilege membership will have no effect unless bindtype=permission. Removing a permission from a privilege will be possible on any server.
Dependencies
None
External Impact
Tests and documentation will be needed.
Backup and Restore
ACIs are part of the DIT and so they are backed up.
Test Plan
Test permission bindtype
Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_bindtype
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Test case: Create anonymous 'testperm'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_add testperm --permissions=write --bindtype=anonymous --type=user
Expected results: The command succeeds with this output:
  ---------------------------
  Added permission "testperm"
  ---------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
Test case: Verify ACI of testperm
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Search for the ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX.
Expected results: The following ACI is found:
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///anyone";)
Test case: Create 'testpriv1'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa privilege_add testpriv1 --desc='privilege desc. 1'
Expected results: The command succeeds with this output:
  ---------------------------
  Added privilege "testpriv1"
  ---------------------------
  Privilege name: testpriv1
  Description: privilege desc. 1
Test case: Try to add 'testperm' to 'testpriv1'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa privilege_add_permission testpriv1 --permissions=testperm
Expected results: The command fails with this error:
  invalid 'permission': cannot add permission "testperm" with bindtype "anonymous" to a privilege
Test case: Change bindtype of 'testperm' to all
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_mod testperm --bindtype=all --type=user
Expected results: The command succeeds with this output:
  ------------------------------
  Modified permission "testperm"
  ------------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
Test case: Verify ACI of testperm
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Search for the ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX.
Expected results: The following ACI is found:
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)
Test case: Try to add 'testperm' to 'testpriv1'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa privilege_add_permission testpriv1 --permissions=testperm
Expected results: The command fails with this error:
  invalid 'permission': cannot add permission "testperm" with bindtype "all" to a privilege
Test case: Search for 'testperm' using --bindtype
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_find --bindtype=all
Expected results: The command succeeds with this output:
  --------------------
  1 permission matched
  --------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  ----------------------------
  Number of entries returned 1
  ----------------------------
Test case: Rename 'testperm' to 'testperm1_rn'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_mod testperm --rename=testperm1_rn
Expected results: The command succeeds with this output:
  ------------------------------
  Modified permission "testperm"
  ------------------------------
  Permission name: testperm1_rn
  Permissions: write
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
Test case: Verify ACI of testperm1_rn
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Search for the ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX.
Expected results: The following ACI is found:
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm1_rn";allow (write) userdn = "ldap:///all";)
Test case: Reset bindtype of 'testperm1_rn' to permission
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_mod testperm1_rn --bindtype=permission --type=user
Expected results: The command succeeds with this output:
  ----------------------------------
  Modified permission "testperm1_rn"
  ----------------------------------
  Permission name: testperm1_rn
  Permissions: write
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
Test case: Verify ACI of testperm1_rn
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Search for the ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX.
Expected results: The following ACI is found (the bind rule now names the permission's own group again, so privileges and roles apply):
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm1_rn";allow (write) groupdn = "ldap:///cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX";)
Test case: Rename 'testperm1_rn' back to 'testperm'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_mod testperm1_rn --rename=testperm
Expected results: The command succeeds with this output:
  ----------------------------------
  Modified permission "testperm1_rn"
  ----------------------------------
  Permission name: testperm
  Permissions: write
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
Test case: Verify ACI of testperm
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Search for the ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX.
Expected results: The following ACI is found:
  (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)
Test case: Add 'testperm' to 'testpriv1'
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa privilege_add_permission testpriv1 --permissions=testperm
Expected results: The command succeeds with this output:
  Privilege name: testpriv1
  Description: privilege desc. 1
  Permissions: testperm
  -----------------------------
  Number of permissions added 1
  -----------------------------
Test case: Try to change bindtype of 'testperm' to anonymous
Autotest: yes
Setup: See beginning of the Test Plan section.
Actions: Run the following command:
  ipa permission_mod testperm --bindtype=anonymous --type=user
Expected results: The command fails with this error:
  invalid 'ipapermbindruletype': cannot set bindtype for a permission that is assigned to a privilege
Cleanup
  ipa permission_del testperm --force
  ipa permission_del testperm1_rn --force
  ipa privilege_del testpriv1