Design document: A tool to print access control report for IPA clients
by Jakub Hrozek
Hi,
below is a short design page about a new sssctl command that prints the
IPA HBAC rules cached on an IPA client. If there are no comments, I'll
open a PR against the docs repository.
Generate an access control report for IPA domains
=================================================
Related ticket(s):
------------------
https://pagure.io/SSSD/sssd/issue/2840
Problem statement
-----------------
Some environments require, for auditing reasons, generating an access
control report on the IPA client itself. While it can be argued that
generating these reports on the IPA servers instead would provide a nicer
experience, the audit requirements sometimes need a tool to be run on the
host.
Use cases
---------
As an owner of an IPA client I need to know which users have access to
this client. I want to run a tool on the host and get a report of who can
access it.
The reports must contain information about HBAC rules. In future, SUDO
rules would be nice to have as well.
Overview of the solution
------------------------
A new ``sssctl`` command called ``access-report`` will be added. This
command will only be implemented for IPA domains for now; other domain
types will just return an error.
The command will first trigger a PAM access control call to force a
refresh of the rules and subsequently print all HBAC rule objects from
the cache.
Configuration changes
---------------------
None, only the new tool will be implemented.
Implementation details
----------------------
In order to trigger the refresh of rules by ``sssd_be`` process, the tool
will call ``pam_acct_mgmt(3)``. The ``user`` and ``service`` that are used in
that call will have sensible defaults (e.g. ``admin`` and ``system-auth``)
but the tool will also offer command-line switches to override both.
In addition, the tool will have a switch to operate purely from cache.
For printing the rules, the tool will simply call ``ldb_search``,
retrieve all objects of objectclass ``ipaHbacRule`` and then print the RDN
value of ``memberUser`` (for users and user groups), ``memberService``
(for services and service groups) and ``category``. By default, groups
will not be unrolled, because the ``getgrnam`` interface limits the group
nesting by default, therefore it is better to just print the group name,
not all the group members.
The tool must also print the output in both human-readable and
machine-readable formats. For machine-readable output, JSON is the best
choice, since the KCM responder already depends on ``libjansson``.
How To Test
-----------
Run ``sssctl access-report`` on an IPA client with different HBAC rules
stored in the cache. Make sure all options produce the desired results.
How To Debug
------------
Debug messages will be added to the tool itself. To compare the output
with the cache contents, the ``ldbsearch`` tool can be used. The ``ipa``
administration tool can be used to display the server-side HBAC rules.
Authors
-------
* Jakub Hrozek
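The design above fixes the shape of the report: the RDN values of ``memberUser`` and ``memberService``, the category attributes, groups left un-unrolled, and both a human-readable and a JSON rendering. As an added illustration that is not part of the design page or of ``sssctl``, the following Python script post-processes an ``ldbsearch(1)`` dump of the cached ``ipaHbacRule`` objects (the comparison path the How To Debug section names) into exactly that report. The sample LDIF, the sysdb DN layout under ``cn=hbac``, and the assumption that IPA user, group, service and service-group DNs can be told apart by their parent container (``cn=users``, ``cn=groups``, ``cn=hbacservices``, ``cn=hbacservicegroups``) are constructed for the example.

```python
"""Turn an ldbsearch dump of cached ipaHbacRule objects into an access report.

Example code, not sssctl: it reads LDIF from stdin (argument "-") or, with no
argument, the constructed sample below, and prints text or (--json) JSON.
"""
import base64
import json
import sys

# Constructed sample in the shape ldbsearch(1) prints. The DN layout and the
# attribute names are assumptions about the SSSD cache, not copied from it.
SAMPLE_LDIF = """\
# record 1
dn: name=allow_all,cn=hbac,cn=ipa.example.com,cn=custom,cn=sysdb
cn: allow_all
objectClass: ipaHbacRule
ipaEnabledFlag: FALSE
userCategory: all
hostCategory: all
serviceCategory: all

# record 2
dn: name=admins_sshd,cn=hbac,cn=ipa.example.com,cn=custom,cn=sysdb
cn: admins_sshd
objectClass: ipaHbacRule
ipaEnabledFlag: TRUE
memberUser: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberUser: uid=jsmith,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=ipa,dc=example,dc=com
memberService: cn=login,cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example,dc=com

# returned 2 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (handles '::' base64
    values and leading-space continuation lines; escaped commas are not)."""
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]          # LDIF continuation line
        else:
            joined.append(line)
    records, cur = [], {}
    for line in joined:
        if not line.strip():                # blank line ends a record
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("#"):            # ldbsearch comments
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    if cur:
        records.append(cur)
    return records


def rdn_value(dn):
    """Value of the first RDN: 'uid=jsmith,cn=users,...' -> 'jsmith'."""
    return dn.split(",", 1)[0].partition("=")[2]


def names_under(dns, container):
    """RDN values of the DNs whose parent RDN is `container` (assumption:
    the IPA container tells users, groups and services apart)."""
    return sorted(rdn_value(dn) for dn in dns
                  if [p.strip() for p in dn.split(",")][1:2] == [container])


def build_report(records):
    """One dict per ipaHbacRule; groups are listed by name, not unrolled."""
    rules = []
    for rec in records:
        if "ipaHbacRule" not in rec.get("objectClass", []):
            continue
        flag = rec.get("ipaEnabledFlag", [None])[0]
        users, svcs = rec.get("memberUser", []), rec.get("memberService", [])
        rules.append({
            "name": rec["cn"][0],
            # None when the flag is absent: report it rather than guess
            "enabled": None if flag is None else flag.upper() == "TRUE",
            "users": names_under(users, "cn=users"),
            "user_groups": names_under(users, "cn=groups"),
            "user_category": rec.get("userCategory", [None])[0],
            "services": names_under(svcs, "cn=hbacservices"),
            "service_groups": names_under(svcs, "cn=hbacservicegroups"),
            "service_category": rec.get("serviceCategory", [None])[0],
        })
    return rules


def _members(names, groups, category, everything):
    if category == "all":
        return everything                 # category=all overrides members
    return ", ".join(names + [g + " (group)" for g in groups]) or "(none)"


def render_text(rules):
    """Human-readable form; disabled and flag-less rules are called out."""
    lines = []
    for r in rules:
        state = {True: "enabled", False: "DISABLED"}.get(r["enabled"],
                                                          "enabled-flag-missing")
        who = _members(r["users"], r["user_groups"], r["user_category"], "ALL USERS")
        what = _members(r["services"], r["service_groups"], r["service_category"],
                        "ALL SERVICES")
        lines.append(f"{r['name']} [{state}]: {who} -> {what}")
    return "\n".join(lines)


def main(argv):
    text = sys.stdin.read() if "-" in argv[1:] else SAMPLE_LDIF
    rules = build_report(parse_ldif(text))
    print(json.dumps(rules, indent=2) if "--json" in argv else render_text(rules))


if __name__ == "__main__":
    main(sys.argv)
```

Feed it the real cache with something like ``ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectClass=ipaHbacRule | python3 hbac_report.py -``; as the design notes, the cache only holds what ``sssd_be`` last fetched, so trigger an access control call first or the report is only as fresh as the last login.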
[sssd PR#379][opened] CI: Enable pep8 check
by fidencio
URL: https://github.com/SSSD/sssd/pull/379
Author: fidencio
Title: #379: CI: Enable pep8 check
Action: opened
PR body:
"""
As said by the commit log, this PR enables pep8 check in our CI.
I would really appreciate hearing @lslebodn's feedback on the patch itself, so I can revisit the commit dropped by @jhrozek that fixes all pep8 warnings and have it added to this series.
Anyways, the feedback I'm looking for is basically: Is this patch desired? Is this the right approach? If not, what would you suggest?
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/379/head:pr379
git checkout pr379
[sssd PR#453][opened] Speed up by-ID lookups with the help of the Global Catalog
by jhrozek
URL: https://github.com/SSSD/sssd/pull/453
Author: jhrozek
Title: #453: Speed up by-ID lookups with the help of the Global Catalog
Action: opened
PR body:
"""
These patches implement the RFE requested in
https://pagure.io/SSSD/sssd/issue/3468
The design page was sent to sssd-devel for review as:
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahoste...
but so far was not merged.
Please see the design page for explanation of the general flow, but also
feel free to point out if more comments should be added to the code
so that developers don't have to go back to design pages.
There are still some things I'm working on, but I think at least the
cache_req part should be ready for review.
Here's what I think is not finished yet:
- I don't think the locate domain request works for MPG domains
- unit tests should be added for the negcache API additions as well
as the DP interface to not decrease the code coverage
- I still haven't made up my mind if we should support also the
object-by-ID request. I think it would be nice for completeness
but I also think it's not strictly required
- I only ran several downstream tests, not all, so I don't know
if there are some regressions or not
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/453/head:pr453
git checkout pr453
[sssd PR#458][opened] overrides: fixes for sysdb_invalidate_overrides()
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/458
Author: sumit-bose
Title: #458: overrides: fixes for sysdb_invalidate_overrides()
Action: opened
PR body:
"""
There were two issues in sysdb_invalidate_overrides().
First, SYSDB_CACHE_EXPIRE was only reset for the entry in the data cache
but not in the timestamp cache.
Second, if one of the steps in the combined replace and delete operation
failed no change was committed to the cache. If, for whatever reason, a
user or group object didn't have SYSDB_OVERRIDE_DN set the delete failed and
hence SYSDB_CACHE_EXPIRE wasn't reset as well. To make sure the cache is in
a consistent state after a view change the replace and the delete
operations are done in two steps.
Related to https://pagure.io/SSSD/sssd/issue/3579
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/458/head:pr458
git checkout pr458
[sssd PR#461][opened] responder: Fix talloc hierarchy in sized_output_name
by lslebodn
URL: https://github.com/SSSD/sssd/pull/461
Author: lslebodn
Title: #461: responder: Fix talloc hierarchy in sized_output_name
Action: opened
PR body:
"""
responder: Fix talloc hierarchy in sized_output_name
sized_output_name was called with a NULL context in
memcache_delete_entry but the data returned from sized_output_name
didn't have a proper talloc hierarchy and we could not release all
returned data.
==00:01:01:29.871 10088== 934,414 bytes in 8,731 blocks are definitely lost in loss record 121 of 121
==00:01:01:29.871 10088== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
==00:01:01:29.871 10088== by 0x8FF4EAB: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.9)
==00:01:01:29.871 10088== by 0x52933B9: sss_output_name (usertools.c:808)
==00:01:01:29.871 10088== by 0x5293550: sss_output_fqname (usertools.c:863)
==00:01:01:29.871 10088== by 0x1211F9: sized_output_name (responder_common.c:1708)
==00:01:01:29.871 10088== by 0x1137E6: memcache_delete_entry (nss_get_object.c:112)
==00:01:01:29.871 10088== by 0x113BB6: nss_get_object_done (nss_get_object.c:245)
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x1276CE: cache_req_done (cache_req.c:1047)
==00:01:01:29.871 10088== by 0x8DE5291: _tevent_req_error (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x126AF6: cache_req_search_domains_done (cache_req.c:607)
==00:01:01:29.871 10088== by 0x8DE4AB9: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE9C9C: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE82A6: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE40CC: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE42FA: tevent_common_loop_wait (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x8DE8246: ??? (in /usr/lib64/libtevent.so.0.9.31)
==00:01:01:29.871 10088== by 0x5291B32: server_loop (server.c:718)
==00:01:01:29.871 10088== by 0x11004C: main (nsssrv.c:560)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/461/head:pr461
git checkout pr461
[sssd PR#459][opened] krb5: show error message for krb5_init_context() failures
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/459
Author: sumit-bose
Title: #459: krb5: show error message for krb5_init_context() failures
Action: opened
PR body:
"""
If there are typos in /etc/krb5.conf (or one of the included config
snippets) krb5_init_context(), the initial call always needed to do any
other operation with libkrb5, fails because /etc/krb5.conf cannot be
parsed.
Currently the related debug/syslog messages might be misleading, e.g.
failed to read keytab. This is because SSSD does not use a global krb5
context but creates a fresh one for every new request or operation (to
always use the latest settings from /etc/krb5.conf) and typically there
is an error message indicating that the related operation failed but not
giving more details.
Since krb5_init_context() is fundamental for Kerberos support this patch
tries to add as much detail as libkrb5 provides to the logs if the call
fails.
Resolves https://pagure.io/SSSD/sssd/issue/3586
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/459/head:pr459
git checkout pr459
[sssd PR#460][opened] sysdb-test: Fix warning may be used uninitialized
by lslebodn
URL: https://github.com/SSSD/sssd/pull/460
Author: lslebodn
Title: #460: sysdb-test: Fix warning may be used uninitialized
Action: opened
PR body:
"""
It cannot be uninitialized because we will have some messages.
2243
2244 fail_unless(data->msgs_count == 10,
2245 "wrong number of results, found [%d] expected [10]",
2246 data->msgs_count);
and it cannot be NULL
2257 for (j = 0; j < data->msgs_count; j++) {
2258 uid_str = talloc_asprintf(data, "%d", 27010 + j);
2259 fail_unless(uid_str != NULL, "talloc_asprintf failed.");
src/tests/sysdb-tests.c: In function ‘test_sysdb_search_all_users’:
src/tests/sysdb-tests.c:2266:9: error: ‘uid_str’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
fail_unless(strncmp(uid_str,
^~~~~~~~~~~
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/460/head:pr460
git checkout pr460