Group Managers in FreeIPA

The power of a hierarchical database lies in its access controls. FreeIPA gives you a set of tools that you can use in order to delegate authority using those access controls.

Here’s an example.  Let say you are running a web site where people can create projects.  In order to create a project,  you send in a ticket to  request the project creation.  Once that project has been created,  people ask you to join their projects.  Once the project is created,  as the project lead,  you can add and remove people from the project,  but they have to be in the system.

Yes,  I know,  very theoretical,  where would we ever see an organization like that?

A user named admiyo requests a project for people interested in Beowulf projects.  The IPA Admin creates it. In addition,  the admin has to create a Role, a Privilege, and a Permission  that will allow the user to manage that group,  assign the Permission to the Privilege and the Privilege to the Role.  Finally,  the Admin has to assign that role to the user admiyo.

[root@f16server ~]# ipa group-add beowulf --desc "Imagine a Beowulf Cluster...."
---------------------
Added group "beowulf"
---------------------
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
[root@f16server ~]# ipa role-add
Role name: beowulf-managers
Description: Manage the Assets of the Beowulf project
-----------------------------
Added role "beowulf-managers"
-----------------------------
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
[root@f16server ~]# ipa privilege-add
Privilege name: beowulf-manage
Description: Manage the Assets of the Beowulf project
--------------------------------
Added privilege "beowulf-manage"
--------------------------------
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project

For user groups, the simplest way to create the permission is to user the targetgroup keyword.

[root@f16server ~]# ipa permission-add 'beowulf-manage-group' --targetgroup=beowulf --permissions=write --attrs=member
---------------------------------------
Added permission "beowulf-manage-group"
---------------------------------------
  Permission name: beowulf-manage-group
  Permissions: write
  Attributes: member
  Target group: beowulf

Now the assignments:

[root@f16server ~]# ipa role-add-privilege Role name: beowulf-managers
[privilege]: beowulf-manage
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Privileges: beowulf-manage
----------------------------
Number of privileges added 1
----------------------------
[root@f16server ~]# ipa privilege-add-permission Privilege name: beowulf-manage
[permission]: beowulf-manage-group
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
[root@f16server ~]# ipa role-add-member
Role name: beowulf-managers
[member user]: admiyo
[member group]:
[member host]:
[member host group]:
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Member users: admiyo
  Privileges: beowulf-manage
-------------------------
Number of members added 1
-------------------------

I’d like to point out that I had very little idea what the CLI was going to ask for on these. I just trusted it to walk me through, and it did. The one exception was the creation of the permission,  as it doesn’t prompt for the –attrs field

Now to test it out.

[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa group-add-member
Group name: beowulf
[member user]: kfrog
[member group]:
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
  Member users: kfrog
-------------------------
Number of members added 1
-------------------------

This same technique can be used with the other entities in FreeIPA. In the future, I’ll show how to do delegation for Host Groups and Netgroups. In theory, delegation of a DNS domain can be done the same way, but I haven’t worked through that yet.

This process can and should be streamlined (I’ve already submitted a ticket for that)  but could be fairly easily scripted, too.

Leave a Reply

Your email address will not be published. Required fields are marked *