Bug 963767 - realm deny does not work with --realm parameter
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: realmd
Version: 19
Assigned To: Stef Walter
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-16 09:58 EDT by Patrik Kis
Modified: 2013-05-27 05:42 EDT
Last Closed: 2013-05-27 05:42:50 EDT
Type: Bug

Description Patrik Kis 2013-05-16 09:58:19 EDT
Description of problem:
The only form in which realm deny works is:
realm deny --all
however, according to the man page the --realm parameter is allowed too, and actually makes sense.

Version-Release number of selected component (if applicable):
realmd-0.14.1-1.fc19

[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.baseos.qe
  login-policy: allow-realm-logins
[root@pkis ~]# 
[root@pkis ~]# realm deny --realm ad.baseos.qe
realm: Use --all to deny all logins
[root@pkis ~]# realm deny 
realm: Use --all to deny all logins
[root@pkis ~]# realm deny --all
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.baseos.qe
  login-policy: deny-any-login

The command "realm deny --realm ad.baseos.qe" should simply work according to the man page.


###
Apart from this I have a note, a kind of usability remark that is a bit related to the topic of this bug report:
When joining a domain or after permit --all, the realm login policy says: "login-policy: allow-realm-logins"
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.baseos.qe
  login-policy: allow-realm-logins

It is not exactly clear at first glance what it exactly means. After playing a bit with permit/deny I realized that this means that all remote/realmd users are allowed to log in without extra permissions. I think we could be more descriptive here just by adding the word "all" there. Like:
  login-policy: allow-all-logins
or maybe this is more exact
  login-policy: allow-all-realm-logins

Sorry, I know this is probably the least important thing, but if you once wander into the code somewhere around there, maybe it is worth considering changing this. I believe it will be more descriptive.
Comment 1 Patrik Kis 2013-05-16 10:23:31 EDT
I just went through the man page once again and found out that --all is a mandatory parameter, so what was reported is not really valid.
Also, I still thought that deny only configures deny in sssd.conf, but I just realized that it can now be used also in the same way as permit --withdraw, which is great.
However, this should also be in the man page. It should look something like:

       realm permit [-ax] [-R realm] {user...}

       realm deny [-a] [-R realm] {user...}

realm --help and the error messages should be updated accordingly.

[root@pkis ~]# realm --help
 realm discover -v [realm-name]
   Discover available realm

 realm join -v [-U user] realm-name
   Enroll this machine in a realm

 realm leave -v [-U user] [realm-name]
   Unenroll this machine from a realm

 realm list
   List known realms

 realm permit [-ax] [-R realm] user ...
   Permit user logins

 realm deny --all [-R realm]
   Deny user logins

[root@pkis ~]# realm -v deny 
realm: Use --all to deny all logins
Comment 2 Stef Walter 2013-05-27 05:42:50 EDT
(In reply to Patrik Kis from comment #0)
> The command "realm deny --realm ad.baseos.qe" should simply work according
> the man page.

As you note below, confirming that the '--all' argument is required.

realmd does not have the ability to deny specific users while allowing all others. Domain HBAC should be used for this fine grained access control.

> It is not exactly clear at the first glance what does it exactly means.
> After playing a bit with permit/deny I realized that this means that all
> remote/realmd users all allowed to log in without extra permissions. I think
> we could be more descriptive here just by adding the word "all" there. Like:
>   login-policy: allow-all-logins
> or maybe this is more exact
>   login-policy: allow-all-realm-logins

That's because it's not necessarily 'all' logins. In this case we're respecting the realm's login policy. In this case it's HBAC of who can log into which machine.

> Sorry, I know this is probably the least important thing, but if you will
> once wander in the code somewhere around maybe it is worth to consider to
> change this. I believe it will be more descriptive.

Thank you for pointing it out. Unfortunately in this case it is not more descriptive of what's actually going on.

Do you have specific changes which could be made to documentation or manual pages that would help explain the concept better?

(In reply to Patrik Kis from comment #1)
> I just went through the man page once again and found out that --all is a
> mandatory parameter, so what was reported is not really valid.
> Also, I still thought that deny only configures deny in sssd.conf, but I
> just realized that it can now be used also in the same way as permit
> --withdraw, which is great.
> However, this should also be in the man page. It should look something like:

This is only the case for backwards compatibility and old scripts. It should not be used by new users.

realmd does not actually have the ability to deny specific users the ability to log in, while allowing all others access. It was incorrect to include "remove this user from the permit list" under the 'deny' command, and this has been rectified in recent realmd releases. 

All while at the same time preserving the old behavior and printing a warning alerting to the change.

So closing this as NOTABUG, but please reopen if I've missed something or misunderstood.
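The exchange above turns on what the `login-policy` line of `realm list` actually means: `allow-realm-logins` delegates per-user access decisions to the domain (HBAC), while `deny-any-login` blocks every realm user, and realmd has no "deny this one user" mode. The following audit script is an added example, not code from realmd or from this bug report. It parses the `realm list` output format shown in the report (a constructed copy is embedded so it runs offline) and classifies each realm's effective policy so an administrator can see at a glance which hosts rely entirely on domain-side access control. The policy names `allow-permitted-logins` and `allow-any-login` do not appear on this page; they are assumed from realmd's documented login-policy values. The `live_realm_list` helper is a hypothetical convenience wrapper that only works where the real `realm` binary is installed.

```python
"""Audit the login policy reported by `realm list` (added example, not realmd code)."""
import subprocess
from collections import defaultdict

# Constructed sample in the exact format shown in the bug report.
SAMPLE_OUTPUT = """\
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.baseos.qe
  login-policy: allow-realm-logins
"""


def parse_realm_list(text):
    """Parse `realm list` output into {realm: {key: [values, ...]}}.

    A realm header is a line with no leading whitespace; its attributes are
    the indented "key: value" lines that follow. Repeated keys such as
    required-package are collected into a list in order of appearance.
    """
    realms = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            realms[current] = defaultdict(list)
            continue
        if current is None:
            raise ValueError("attribute line before any realm header: %r" % raw)
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError("malformed attribute line: %r" % raw)
        realms[current][key.strip()].append(value.strip())
    return {name: dict(attrs) for name, attrs in realms.items()}


# What each login-policy value means for the host. The first two values are
# the ones shown in the report; the last two are assumed from realmd's
# documented policy names and are not on this page.
POLICY_MEANING = {
    "allow-realm-logins": "any realm user may log in, subject only to the domain's HBAC rules",
    "deny-any-login": "no realm user may log in on this host",
    "allow-permitted-logins": "only users on the local permit list may log in",
    "allow-any-login": "any user may log in with no realm restriction",
}

# Policies under which the host itself enforces no per-user restriction.
DOMAIN_DELEGATED = ("allow-realm-logins", "allow-any-login")


def audit_login_policy(text):
    """Return [(realm, policy, meaning, needs_review)] for every realm in `text`.

    needs_review is True when the host relies entirely on domain-side control
    (or reports a value this script does not recognise), so the domain's HBAC
    configuration, not the host, is where access must be verified.
    """
    findings = []
    for name, attrs in parse_realm_list(text).items():
        policy = attrs.get("login-policy", ["<unset>"])[-1]
        meaning = POLICY_MEANING.get(policy, "unknown policy value")
        needs_review = policy in DOMAIN_DELEGATED or policy not in POLICY_MEANING
        findings.append((name, policy, meaning, needs_review))
    return findings


def live_realm_list():
    """Hypothetical helper: run the real `realm list` and audit it (needs realmd)."""
    out = subprocess.run(["realm", "list"], capture_output=True, text=True, check=True).stdout
    return audit_login_policy(out)


if __name__ == "__main__":
    for realm, policy, meaning, flag in audit_login_policy(SAMPLE_OUTPUT):
        print(f"{'REVIEW' if flag else 'ok    '} {realm}: {policy} ({meaning})")
```

Run on the sample it reports the report's own state, `allow-realm-logins`, as needing review, which is the point Stef makes above: that policy is not "allow all", it is "let the domain decide", so the place to restrict individual users is the domain's HBAC, not `realm deny`.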
