Re: [389-devel] Design review: Access control on entries specified in MODDN operation (ticket 47553)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 02/24/2014 11:35 PM, Rich Megginson wrote:
On 02/24/2014 02:47 PM, Noriko Hosoi wrote:
Rich Megginson wrote:
On 02/24/2014 09:00 AM, thierry bordaz wrote:
Hello,
IPA team filled this ticket https://fedorahosted.org/389/ticket/47553.

It requires an ACI improvement so that during a MODDN a given user is only allowed to move an entry from one specified part of the DIT to an other specified part of the DIT. This without the need to grant the ADD permission.

Here is the design of what could be implemented to support this need http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation

regards
thierry

Since this not related to any Red Hat internal or customer information, we should move this discussion to the 389-devel list.

Hi Thierry,

Your design looks good.  A minor question.  The doc does not mention about "deny".  For instance, in your example DIT, can I allow "moddn_to" and "moddn_from" on the top "dc=example,dc=com" and deny them on "cn=tests".  Then, I can move an entry between cn=accounts and staging, but not to/from cn=tests?  Or "deny" is not supposed to use there?

In which entry do you set these ACIs?

Do you set
aci: (target="ldap:///cn=staging,dc=example,dc=com")(version 3.0; acl "MODDN from"; allow (moddn_from))
 userdn="ldap:///uid=admin_accounts,dc=example,dc=com" ;)
in the cn=accounts,dc=example,dc=com entry?

Do you set
aci: (target="ldap:///cn=accounts,dc=example,dc=com")(version 3.0; acl "MODDN to"; allow (moddn_to))
 userdn="ldap:///uid=admin_accounts,dc=example,dc=com" ;)
in the cn=staging,dc=example,dc=com entry?


Hi Rich,

Yes that is correct, I forgot to mention where those aci are stored.

They can be defined  at upper level but with a target rule that restrict the scope to the desire subtree, or they can be set directly at the subtree level without target rule.

I updated the document to better describe that http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation#ACI_scope_and_targets

In that case we want to only allow a given user to move entries from staging to production (accounts). My preferred solution would be to add:
  • moddn_from at the entry cn=staging,dc=example,dc=com (without target rule)
  • moddn_to at the entry cn=accounts,dc=example,dc=com (without target rule).

regards
thierrry


Thanks,
--noriko




--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel



--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux