Bug 1374748 - Document consequences of adding machine to ipaservers group + review the sections on managing host groups
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Aneta Šteflová Petrová
QA Contact: Namita Soman
Reported: 2016-09-09 14:00 UTC by Petr Vobornik
Modified: 2019-03-06 01:10 UTC (History)

Last Closed: 2017-04-24 11:17:39 UTC

Description Petr Vobornik 2016-09-09 14:00:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6270

Since the ipaservers group controls the ability of the host to promote itself to IPA replica, it is important that admins don't just play with that group, adding machines there at random.

It'd be good to have a warning about the security implication of such group membership.

Comment 1 Aneta Šteflová Petrová 2016-09-09 14:37:38 UTC
Petr, just a thought: instead of adding a warning to the guide (which a lot of users might miss), how about implementing a message directly into IPA? For example, whenever the admin adds a machine to ipaservers, the CLI and web UI would ask for confirmation, explaining that there are security implications.

I can see this is what the upstream ticket proposed, and it seems like a good idea. But we can always add that warning to the docs too, of course.

Comment 2 Petr Vobornik 2016-09-26 11:14:46 UTC
In IPA ticket triage, it was mentioned that adding anything to any group can have security implications. We could then add a lot of such warnings, which in the end might just bother people. And that was a reason for changing it into doc-only.

Comment 3 Aneta Šteflová Petrová 2017-02-27 11:32:17 UTC
As part of this BZ, we should also review the sections on managing host groups. They could be merged with the sections on managing user groups (there are only minor differences).

All this will make it easier to document the ipaservers group consequences because the structure of user groups sections has a section on default groups. ipaservers would fit nicely into that section.

Comment 6 Aneta Šteflová Petrová 2017-04-19 10:37:41 UTC
As part of this BZ, I added this warning to 13.1.5. User and Host Groups Created by Default:
-----
Be careful when adding hosts to the ipaservers host group. All hosts in ipaservers have the ability to promote themselves to an IdM server. 
-----
This part was acked in comment#5.

I also merged the sections on managing user and host groups. This work did not include creating any new significant content; it was mostly just about merging and tweaking existing docs. The result is chapter 13. Managing User and Host Groups. This part doesn't need SME review.

