Bug 1258965
| Summary: | ipa vault: set owner of vault container | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ksiddiqu, mkosek, ovasik, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-11.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:06:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2015-09-01 15:35:17 UTC
Fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/2964b019d93b33b9703e6e26c8ca6fc28509ba64
https://fedorahosted.org/freeipa/changeset/d396913e9c0578fa68847b84e44a4f0dd916fbfd
https://fedorahosted.org/freeipa/changeset/5cf46b89364111b54172682283a6362bb82db9a6
https://fedorahosted.org/freeipa/changeset/d3503043c47a1adc139688776341dc86b7085448
https://fedorahosted.org/freeipa/changeset/0dfcf1d9db4b297791e3784588bf23cc0ac8d2ee
https://fedorahosted.org/freeipa/changeset/5137478fb8bba16d9cbecba53983c893dc0884d5

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/b3932055c6ad0c4032790530c4776a5c7262cd8c
https://fedorahosted.org/freeipa/changeset/ad7325d08c432d77b048910d37be2bd8e13cb162
https://fedorahosted.org/freeipa/changeset/78f890620b8cae286a03b26e28a0bee4ea49b8f1
https://fedorahosted.org/freeipa/changeset/b9615c89cd07a6bd2907686c03b2ea11e40c76bf
https://fedorahosted.org/freeipa/changeset/500e0d152cf1611db47c775f3fbc5b72e1522da0
https://fedorahosted.org/freeipa/changeset/b1587bf2d8072d76df52ea0c7480f146cbb8c933

Vault container ownership can be managed by new commands:
vaultcontainer-show [--service <service>|--user <user>|--shared ]
vaultcontainer-del [--service <service>|--user <user>|--shared ]
vaultcontainer-add-owner
[--service <service>|--user <user>|--shared ]
[--users <users>] [--groups <groups>] [--services <services>]
vaultcontainer-remove-owner
[--service <service>|--user <user>|--shared ]
[--users <users>] [--groups <groups>] [--services <services>]
Permissions work as follows:
* Add new "Vault administrators" privilege. Vault administrators will have unrestricted access to vaults and vault containers, including the power to add/remove owners of vaults and vault containers.
* Remove the ability of vault owners to add/remove other vault owners. If the vault owner needs to be changed, a vault administrator has to do it. Note that vault owners will still have the ability to add/remove vault members.
* When adding a new vault container, set the owner to the current user. If the vault container owner needs to be changed, a vault administrator has to do it.
* Allow adding vaults and vault containers only if the owner is set to the current user.
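The ownership rules above, as an added model (not FreeIPA's own code) that replays the user-container steps from the verification run below; the ACI evaluation is approximated by a privilege lookup, the container key and the user, role and privilege names follow the transcript, and admin holding "Vault Administrators" through an "admins" role is an assumption of the example.

```python
# Added example, not FreeIPA code: a model of the vault container ownership
# rules described above, checked against the steps of the verification run.
VAULT_ADMIN = "Vault Administrators"

class VaultDirectory:
    def __init__(self):
        self.role_privileges = {}  # role name -> set of privilege names
        self.user_roles = {}       # user name -> set of role names
        self.containers = {}       # container key -> set of owner users

    def role_add(self, role, privileges, members):
        self.role_privileges[role] = set(privileges)
        for user in members:
            self.user_roles.setdefault(user, set()).add(role)

    def has_privilege(self, user, privilege):
        return any(privilege in self.role_privileges.get(role, ())
                   for role in self.user_roles.get(user, ()))

    def vault_add(self, actor, container):
        # Rule: a container created on the fly by vault-add gets the current
        # user as owner, whichever user or service it belongs to.
        self.containers.setdefault(container, {actor})
        return sorted(self.containers[container])

    def change_owner(self, actor, container, user, add):
        # Rule: only the Vault Administrators privilege grants write on the
        # owner attribute; being an owner of the container is not enough.
        # Like the CLI, report the failed owner instead of raising.
        owners = self.containers[container]
        if not self.has_privilege(actor, VAULT_ADMIN):
            return sorted(owners), [(user, "Insufficient 'write' privilege "
                                           "to the 'owner' attribute")]
        (owners.add if add else owners.discard)(user)
        return sorted(owners), []

def replay_transcript():
    """Replays the user-container steps of the verification transcript.
    Assumption: admin holds Vault Administrators through the admins role."""
    d = VaultDirectory()
    d.role_add("admins", [VAULT_ADMIN], ["admin"])
    d.role_add("vadmin", [VAULT_ADMIN], ["vuser2"])
    c = "cn=vuser1,cn=users,cn=vaults,cn=kra"
    steps = [d.vault_add("admin", c)]                           # ['admin']
    steps.append(d.change_owner("admin", c, "vuser1", True)[0])  # admin, vuser1
    steps.append(d.change_owner("admin", c, "admin", False)[0])  # vuser1
    steps.append(d.change_owner("vuser1", c, "admin", True))     # owner, denied
    steps.append(d.change_owner("vuser2", c, "admin", True)[0])  # vadmin member
    return steps
```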
Verified.
Version ::
ipa-server-4.2.0-11.el7.x86_64
Results ::
[root@rhel7-1 ~]# ipa privilege-find "Vault Administrators"
-------------------
1 privilege matched
-------------------
Privilege name: Vault Administrators
Description: Vault Administrators
Permissions: System: Add Vaults, System: Delete Vaults, System: Manage Vault Membership, System:
Manage Vault Ownership, System: Modify Vaults, System: Read Vaults, System: Add Vault
Containers, System: Delete Vault Containers, System: Manage Vault Container Ownership,
System: Modify Vault Containers, System: Read Vault Containers
----------------------------
Number of entries returned 1
----------------------------
[root@rhel7-1 ~]# ipa vault-add v_vuser1 --user=vuser1
New password:
Verify password:
----------------------
Added vault "v_vuser1"
----------------------
Vault name: v_vuser1
Type: symmetric
Salt: JUU+Jazgn0xgxHEy262lxA==
Owner users: admin
Vault user: vuser1
[root@rhel7-1 ~]# ipa vaultcontainer-show --user=vuser1
Owner users: admin
Vault user: vuser1
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=vuser1
Owner users: admin, vuser1
Vault user: vuser1
------------------------
Number of owners added 1
------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --user=vuser1 --users=admin
Owner users: vuser1
Vault user: vuser1
--------------------------
Number of owners removed 1
--------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=vuser2
Owner users: vuser1, vuser2
Vault user: vuser1
------------------------
Number of owners added 1
------------------------
################ Service Vault
[root@rhel7-1 ~]# ipa vault-add v_vservice1 --service=vservice1/$(hostname)
New password:
Verify password:
-------------------------
Added vault "v_vservice1"
-------------------------
Vault name: v_vservice1
Type: symmetric
Salt: TseRq+LWs8f3MxNlZoaivA==
Owner users: admin
Vault service: vservice1/rhel7-1.example.com
[root@rhel7-1 ~]# ipa vaultcontainer-show --service=vservice1/$(hostname)
Owner users: admin
Vault service: vservice1/rhel7-1.example.com
[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --service=vservice1/$(hostname) --users=admin
Vault service: vservice1/rhel7-1.example.com
--------------------------
Number of owners removed 1
--------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-show --service=vservice1/$(hostname)
Vault service: vservice1/rhel7-1.example.com
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=vservice1/$(hostname) --users=vuser2
Owner users: vuser2
Vault service: vservice1/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------
[root@rhel7-1 ~]# ipa role-add vadmin
-------------------
Added role "vadmin"
-------------------
Role name: vadmin
[root@rhel7-1 ~]# ipa role-add-privilege vadmin --privileges="Vault Administrators"
Role name: vadmin
Privileges: Vault Administrators
----------------------------
Number of privileges added 1
----------------------------
[root@rhel7-1 ~]# ipa role-add-member vadmin --users=vuser2
Role name: vadmin
Member users: vuser2
Privileges: Vault Administrators
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --user=vuser1 --users=vuser2
Owner users: vuser1
Vault user: vuser1
--------------------------
Number of owners removed 1
--------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-show --user=vuser1
Owner users: vuser1
Vault user: vuser1
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit vuser1
Password for vuser1:
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=admin
Owner users: vuser1
Vault user: vuser1
Failed owners:
owner user: admin: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=vuser1,cn=users,cn=vaults,cn=kra,dc=example,dc=com'.
owner group:
owner service:
------------------------
Number of owners added 0
------------------------
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit vuser2
Password for vuser2:
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=admin
Owner users: vuser1, admin
Vault user: vuser1
------------------------
Number of owners added 1
------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=vservice1/$(hostname) --users=vuser1
Owner users: vuser2, vuser1
Vault service: vservice1/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------
[root@rhel7-1 ~]# ipa vaultcontainer-show --shared
Shared vault: True
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html