Bug 1952028 - [RFE] Add support for managing subuids and subgids in FreeIPA
Summary: [RFE] Add support for managing subuids and subgids in FreeIPA
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: beta
: 9.0 Beta
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Alexandra Nikandrova
URL:
Whiteboard:
: 1957737 (view as bug list)
Depends On:
Blocks: 1803943 1957737 1981322
Reported: 2021-04-21 11:23 UTC by Petr Čech
Modified: 2022-01-03 08:46 UTC

Fixed In Version: ipa-4.9.6-4.el9
Doc Type: Enhancement
Doc Text:
.Support for managing subID ranges is available in IdM
With this update, you can manage ID subranges for users in Identity Management. You can use the `ipa` CLI tool or IdM WebUI interface to assign automatically configured subID ranges to a user, which might be useful in a containerized environment.
Clone Of:
: 1957737 1981322 (view as bug list)
Environment:
Last Closed: 2021-12-07 21:33:05 UTC
Type: Enhancement
Target Upstream Version:
Embargoed:
anikandr: needinfo+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-6846 | 0 | None | None | None | 2021-09-16 05:26:13 UTC

Description Petr Čech 2021-04-21 11:23:03 UTC
For containerized environments it is helpful to enable centrally-managed allocation and distribution of ID sub-ranges for users/groups to use in podman and runc.

As discussed in https://github.com/shadow-maint/shadow/issues/154, https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68 adds a new interface, libsubid. This interface will be extended to allow pluggable backends.

The purpose of this ticket is to track two tasks:
- add support for storing per-user/group subid ranges in FreeIPA
- track retrieval and distribution of per-user/group subid ranges in SSSD
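
Added example, not part of the original report and not FreeIPA, SSSD or shadow code: a Python audit of locally maintained subordinate ID files across hosts that flags ranges overlapping between different owners, the condition centrally managed allocation is meant to rule out. The host names, file contents and function names are constructed; the `name:start:count` line format is that of `/etc/subuid` and `/etc/subgid`.

```python
from typing import NamedTuple

# Constructed sample: per-host /etc/subuid contents (name:start:count), not real data.
HOST_FILES = {
    "node1": "alice:100000:65536\nbob:165536:65536\n",
    "node2": "bob:100000:65536\ncarol:165536:65536\nbroken-line\n",
}


class SubRange(NamedTuple):
    host: str
    owner: str
    start: int
    count: int


def parse_subid(host, text):
    """Parse name:start:count lines; return (ranges, rejected_lines)."""
    ranges, rejected = [], []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if fields == [""]:
            continue  # blank line
        if (len(fields) == 3 and fields[0] and fields[1].isdecimal()
                and fields[2].isdecimal() and int(fields[2]) > 0):
            ranges.append(SubRange(host, fields[0], int(fields[1]), int(fields[2])))
        else:
            rejected.append((host, raw))  # surface malformed lines, never skip silently
    return ranges, rejected


def fleet_conflicts(host_files):
    """Return (conflicts, rejected): range pairs with different owners sharing IDs."""
    ranges, rejected = [], []
    for host, text in host_files.items():
        parsed, bad = parse_subid(host, text)
        ranges += parsed
        rejected += bad
    ranges.sort(key=lambda r: r.start)
    conflicts = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if b.start >= a.start + a.count:
                break  # sorted by start, so no later range can touch a
            # Assumption: owners are compared exactly as written in the file.
            if a.owner != b.owner:
                conflicts.append((a, b))
    return conflicts, rejected
```

The same owner holding the same range on several hosts is not reported; only IDs claimed by two different owners anywhere in the fleet are.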

Comment 7 Christian Heimes 2021-06-02 07:47:19 UTC
*** Bug 1957737 has been marked as a duplicate of this bug. ***

Comment 10 Florence Blanc-Renaud 2021-07-13 13:54:32 UTC
Fixed upstream:
master:

    1c4ae37 Add basic support for subordinate user/group ids
    c78d134 Redesign subid feature
    51035d9 Use 389-DS' dnaInterval setting to assign intervals
    1e00748 Fix ipa-server-upgrade
    110940b Fix oid of ipaUserDefaultSubordinateId
    30eceb5 WebUI: Improve subordinate ids user workflow
    aae6c02 Test DNA plugin configuration

Comment 11 Florence Blanc-Renaud 2021-07-13 13:54:57 UTC
ipa-4-9:

    3540986 Add basic support for subordinate user/group ids
    5d4fe06 Redesign subid feature
    ef115b0 Use 389-DS' dnaInterval setting to assign intervals
    e6e3fb6 Fix ipa-server-upgrade
    44ccc0f Fix oid of ipaUserDefaultSubordinateId
    9f4b898 WebUI: Improve subordinate ids user workflow
    b53a52a Test DNA plugin configuration

Comment 12 Florence Blanc-Renaud 2021-07-16 08:16:39 UTC
An additional fix is needed, see upstream ticket https://pagure.io/freeipa/issue/8920

Comment 13 Florence Blanc-Renaud 2021-07-16 14:34:28 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/cb37f499db8c66bf77a4e716ef1cf2a6c321cb6a

Comment 14 Florence Blanc-Renaud 2021-07-17 14:21:15 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/b132956e42a88ab39bb8d6a854e7c5d28d544a11

Comment 15 Florence Blanc-Renaud 2021-07-17 14:24:28 UTC
Moving back to POST as one commit is missing in ipa-4.9.6-3.el9, see comment #14

Comment 18 Kaleem 2021-07-27 14:36:24 UTC
Test suite test_subids.py is executed and successful, based on this info marking it pre-verified

snip from automation log files:

(1) test-result.txt.gz

============================= test session starts ==============================
platform linux -- Python 3.9.6, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.6', 'Platform': 'Linux-5.14.0-0.rc2.23.el9.x86_64-x86_64-with-glibc2.33.9000', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'html': '3.1.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, html-3.1.1, multihost-3.0, sourceorder-0.5
collecting ... collected 7 items

test_integration/test_subids.py::TestSubordinateId::test_dna_config PASSED [ 14%]
test_integration/test_subids.py::TestSubordinateId::test_auto_generate_subid PASSED [ 28%]
test_integration/test_subids.py::TestSubordinateId::test_ipa_subid_script PASSED [ 42%]
test_integration/test_subids.py::TestSubordinateId::test_subid_selfservice PASSED [ 57%]
test_integration/test_subids.py::TestSubordinateId::test_subid_useradmin PASSED [ 71%]
test_integration/test_subids.py::TestSubordinateId::test_idrange_subid PASSED [ 85%]
test_integration/test_subids.py::TestSubordinateId::test_subid_stats PASSED [100%]


(2) runner.log

2021-07-27T13:12:47+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2021-07-27T13:12:47+0000   msg:
2021-07-27T13:12:47+0000   - arch: x86_64
2021-07-27T13:12:47+0000     epoch: null
2021-07-27T13:12:47+0000     name: ipa-server
2021-07-27T13:12:47+0000     release: 4.el9
2021-07-27T13:12:47+0000     source: rpm
2021-07-27T13:12:47+0000     version: 4.9.6

Comment 21 Kaleem 2021-07-29 07:54:05 UTC
Test suite test_subids.py is executed and successful in nightly, based on this info moving it to verified

snip from automation log files:

(1) test-result.txt.gz

============================= test session starts ==============================
platform linux -- Python 3.9.6, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
..
collecting ... collected 7 items

test_integration/test_subids.py::TestSubordinateId::test_dna_config PASSED [ 14%]
test_integration/test_subids.py::TestSubordinateId::test_auto_generate_subid PASSED [ 28%]
test_integration/test_subids.py::TestSubordinateId::test_ipa_subid_script PASSED [ 42%]
test_integration/test_subids.py::TestSubordinateId::test_subid_selfservice PASSED [ 57%]
test_integration/test_subids.py::TestSubordinateId::test_subid_useradmin PASSED [ 71%]
test_integration/test_subids.py::TestSubordinateId::test_idrange_subid PASSED [ 85%]
test_integration/test_subids.py::TestSubordinateId::test_subid_stats PASSED [100%]

(2) runner.log 

2021-07-29T07:01:35+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-07-29T07:01:35+0000   msg:
2021-07-29T07:01:35+0000   - arch: x86_64
2021-07-29T07:01:35+0000     epoch: null
2021-07-29T07:01:35+0000     name: ipa-server
2021-07-29T07:01:35+0000     release: 4.el9
2021-07-29T07:01:35+0000     source: rpm
2021-07-29T07:01:35+0000     version: 4.9.6

