Bug 1258965 - ipa vault: set owner of vault container
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-09-01 11:35 EDT by Petr Vobornik
Modified: 2015-11-19 07:06 EST

Fixed In Version: ipa-4.2.0-11.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:06:14 EST
Description Petr Vobornik 2015-09-01 11:35:17 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5250

Make it possible to set/unset/change an owner of a vault container, e.g. with a new command.

Reasons:
* The vault container loses its owner when the user/service is removed. The admin should be able to set it back after the user/service is re-added.
* Make it possible to remove an owner and thus prevent the user from accessing his vaults, e.g. `vault-takeownership --user someuser --targetuser=""`
Comment 4 Petr Vobornik 2015-09-17 09:05:43 EDT
Vault container ownership can be managed by new commands:

 vaultcontainer-show [--service <service>|--user <user>|--shared ]
 vaultcontainer-del [--service <service>|--user <user>|--shared ]
 vaultcontainer-add-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]
 vaultcontainer-remove-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]

Permissions work as follows:

 * Add a new "Vault administrators" privilege. Vault administrators will have unrestricted access to vaults and vault containers, including the power to add/remove owners of vaults and vault containers.

 * Remove the ability of vault owners to add/remove other vault owners. If a vault owner needs to be changed, a vault administrator has to do it. Note that vault owners will still have the ability to add/remove vault members.

 * When adding a new vault container, set the owner to the current user. If the vault container owner needs to be changed, a vault administrator has to do it.

 * Allow adding vaults and vault containers only if the owner is set to the current user.
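An added example, not from this bug or from the FreeIPA project: a POSIX shell audit that parses `ipa vaultcontainer-show` output (a constructed sample is embedded) to flag a user's container that has lost all its owners, the situation the description reports after a user is removed and re-added, and prints the `vaultcontainer-add-owner` command a Vault Administrator would run to restore it. The `audit_container` function, which calls `ipa` live, is assumed to run with a Vault Administrators ticket.

```shell
#!/bin/sh
# Constructed sample of `ipa vaultcontainer-show --user=vuser1` output for a
# container that kept no owner after vuser1 was deleted and re-added: the
# "Owner users:" line is simply absent, as in the verification transcript.
SAMPLE_ORPHANED='  Vault user: vuser1'
SAMPLE_OWNED='  Owner users: admin, vuser1
  Vault user: vuser1'

# Print the comma-separated owner users from show output; prints nothing
# when the container has no user owners.
owner_users() {
    printf '%s\n' "$1" | sed -n 's/^ *Owner users: *//p'
}

# True (exit 0) when the output lists no owner of any kind: no user,
# group or service owner line is present.
is_orphaned() {
    ! printf '%s\n' "$1" | grep -Eq '^ *Owner (users|groups|services):'
}

# For a user container with no owners, print the restore command that
# hands the container back to its user (requires Vault Administrators).
remediation() {
    user="$1"; output="$2"
    if is_orphaned "$output"; then
        printf 'ipa vaultcontainer-add-owner --user=%s --users=%s\n' "$user" "$user"
    fi
}

# Live check (assumed to run as a Vault Administrator): query ipa for the
# named user's container and print the remediation, if any.
audit_container() {
    out=$(ipa vaultcontainer-show --user="$1") || return 1
    remediation "$1" "$out"
}
```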
Comment 6 Scott Poore 2015-09-23 23:40:37 EDT
Verified.

Version ::

ipa-server-4.2.0-11.el7.x86_64

Results ::

[root@rhel7-1 ~]# ipa privilege-find "Vault Administrators"
-------------------
1 privilege matched
-------------------
  Privilege name: Vault Administrators
  Description: Vault Administrators
  Permissions: System: Add Vaults, System: Delete Vaults, System: Manage Vault Membership, System:
               Manage Vault Ownership, System: Modify Vaults, System: Read Vaults, System: Add Vault
               Containers, System: Delete Vault Containers, System: Manage Vault Container Ownership,
               System: Modify Vault Containers, System: Read Vault Containers
----------------------------
Number of entries returned 1
----------------------------


[root@rhel7-1 ~]# ipa vault-add v_vuser1 --user=vuser1
New password: 
Verify password: 
----------------------
Added vault "v_vuser1"
----------------------
  Vault name: v_vuser1
  Type: symmetric
  Salt: JUU+Jazgn0xgxHEy262lxA==
  Owner users: admin
  Vault user: vuser1

[root@rhel7-1 ~]# ipa vaultcontainer-show --user=vuser1
  Owner users: admin
  Vault user: vuser1

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=vuser1
  Owner users: admin, vuser1
  Vault user: vuser1
------------------------
Number of owners added 1
------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --user=vuser1 --users=admin
  Owner users: vuser1
  Vault user: vuser1
--------------------------
Number of owners removed 1
--------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=vuser2
  Owner users: vuser1, vuser2
  Vault user: vuser1
------------------------
Number of owners added 1
------------------------

################ Service Vault

[root@rhel7-1 ~]# ipa vault-add v_vservice1 --service=vservice1/$(hostname)
New password: 
Verify password: 
-------------------------
Added vault "v_vservice1"
-------------------------
  Vault name: v_vservice1
  Type: symmetric
  Salt: TseRq+LWs8f3MxNlZoaivA==
  Owner users: admin
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vaultcontainer-show --service=vservice1/$(hostname)
  Owner users: admin
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --service=vservice1/$(hostname) --users=admin
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM
--------------------------
Number of owners removed 1
--------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-show --service=vservice1/$(hostname)
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=vservice1/$(hostname) --users=vuser2
  Owner users: vuser2
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM
------------------------
Number of owners added 1
------------------------


[root@rhel7-1 ~]# ipa role-add vadmin
-------------------
Added role "vadmin"
-------------------
  Role name: vadmin

[root@rhel7-1 ~]# ipa role-add-privilege vadmin --privileges="Vault Administrators"
  Role name: vadmin
  Privileges: Vault Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@rhel7-1 ~]# ipa role-add-member vadmin --users=vuser2
  Role name: vadmin
  Member users: vuser2
  Privileges: Vault Administrators
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-1 ~]# ipa vaultcontainer-remove-owner --user=vuser1 --users=vuser2
  Owner users: vuser1
  Vault user: vuser1
--------------------------
Number of owners removed 1
--------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-show --user=vuser1
  Owner users: vuser1
  Vault user: vuser1

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit vuser1
Password for vuser1@EXAMPLE.COM: 

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=admin
  Owner users: vuser1
  Vault user: vuser1
  Failed owners: 
    owner user: admin: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=vuser1,cn=users,cn=vaults,cn=kra,dc=example,dc=com'.
    owner group: 
    owner service: 
------------------------
Number of owners added 0
------------------------

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit vuser2
Password for vuser2@EXAMPLE.COM: 

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --user=vuser1 --users=admin
  Owner users: vuser1, admin
  Vault user: vuser1
------------------------
Number of owners added 1
------------------------

[root@rhel7-1 ~]#  ipa vaultcontainer-add-owner --service=vservice1/$(hostname) --users=vuser1
  Owner users: vuser2, vuser1
  Vault service: vservice1/rhel7-1.example.com@EXAMPLE.COM
------------------------
Number of owners added 1
------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-show --shared
  Shared vault: True
Comment 7 errata-xmlrpc 2015-11-19 07:06:14 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
