The power of a hierarchical database lies in its access controls. FreeIPA gives you a set of tools that you can use in order to delegate authority using those access controls.
Here’s an example. Let’s say you are running a web site where people can create projects. To create a project, you send in a ticket requesting its creation. Once the project exists, people ask to join it, and as the project lead you can add and remove people from the project, but those people have to already exist in the system.
Yes, I know, very theoretical, where would we ever see an organization like that?
A user named admiyo requests a project for people interested in Beowulf projects. The IPA Admin creates it. In addition, the admin has to create a Role, a Privilege, and a Permission that will allow the user to manage that group, assign the Permission to the Privilege and the Privilege to the Role. Finally, the Admin has to assign that role to the user admiyo.
[root@f16server ~]# ipa group-add beowulf --desc "Imagine a Beowulf Cluster...."
---------------------
Added group "beowulf"
---------------------
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
[root@f16server ~]# ipa role-add
Role name: beowulf-managers
Description: Manage the Assets of the Beowulf project
-----------------------------
Added role "beowulf-managers"
-----------------------------
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
[root@f16server ~]# ipa privilege-add
Privilege name: beowulf-manage
Description: Manage the Assets of the Beowulf project
--------------------------------
Added privilege "beowulf-manage"
--------------------------------
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
For user groups, the simplest way to create the permission is to use the --targetgroup option, which scopes the permission to that one group entry.
[root@f16server ~]# ipa permission-add 'beowulf-manage-group' --targetgroup=beowulf --permissions=write --attrs=member
---------------------------------------
Added permission "beowulf-manage-group"
---------------------------------------
  Permission name: beowulf-manage-group
  Permissions: write
  Attributes: member
  Target group: beowulf
Now the assignments:
[root@f16server ~]# ipa role-add-privilege
Role name: beowulf-managers
[privilege]: beowulf-manage
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Privileges: beowulf-manage
----------------------------
Number of privileges added 1
----------------------------
[root@f16server ~]# ipa privilege-add-permission
Privilege name: beowulf-manage
[permission]: beowulf-manage-group
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
[root@f16server ~]# ipa role-add-member
Role name: beowulf-managers
[member user]: admiyo
[member group]:
[member host]:
[member host group]:
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Member users: admiyo
  Privileges: beowulf-manage
-------------------------
Number of members added 1
-------------------------
I’d like to point out that I had very little idea what the CLI was going to ask for on these. I just trusted it to walk me through, and it did. The one exception was the creation of the permission, as it doesn’t prompt for the --attrs field.
Now to test it out.
[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa group-add-member
Group name: beowulf
[member user]: kfrog
[member group]:
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
  Member users: kfrog
-------------------------
Number of members added 1
-------------------------
This same technique can be used with the other entities in FreeIPA. In the future, I’ll show how to do delegation for Host Groups and Netgroups. In theory, delegation of a DNS domain can be done the same way, but I haven’t worked through that yet.
This process can and should be streamlined (I’ve already submitted a ticket for that) but could be fairly easily scripted, too.
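The same chain (group, permission scoped to that group, privilege, role, role member) run non-interactively with the ipa subcommands and flags shown above. This is an added example, not a script from the original post; the naming scheme derived from the group name and the IPA variable used for a dry run are my own assumptions.

```shell
#!/bin/sh
# Delegate membership management of one user group to one user:
#   group -> permission (write on "member") -> privilege -> role -> user
# IPA names the CLI to run; it defaults to the real "ipa" binary and can be
# set to "echo" for a dry run that only prints the commands (assumption).

delegate_group_management() {
    group="$1"
    manager="$2"
    desc="${3:-Manage the assets of the $group project}"
    ipa_cmd="${IPA:-ipa}"

    # Derive the permission, privilege and role names from the group name so
    # the whole chain is easy to audit later with "ipa role-show" and
    # "ipa permission-show" (naming scheme is an assumption, not a FreeIPA rule).
    perm="${group}-manage-group"
    priv="${group}-manage"
    role="${group}-managers"

    "$ipa_cmd" group-add "$group" --desc="$desc" || return 1
    # Least privilege: write access to the "member" attribute of this one
    # group entry only (--targetgroup), not to any other entry in the tree.
    "$ipa_cmd" permission-add "$perm" --targetgroup="$group" \
        --permissions=write --attrs=member || return 1
    "$ipa_cmd" privilege-add "$priv" --desc="$desc" || return 1
    "$ipa_cmd" privilege-add-permission "$priv" --permissions="$perm" || return 1
    "$ipa_cmd" role-add "$role" --desc="$desc" || return 1
    "$ipa_cmd" role-add-privilege "$role" --privileges="$priv" || return 1
    # Finally hand the role to the user who requested the project.
    "$ipa_cmd" role-add-member "$role" --users="$manager" || return 1
}

# Example usage (prints the commands without touching the server):
# IPA=echo delegate_group_management beowulf admiyo "Imagine a Beowulf Cluster...."
```

Run it as an IPA admin after kinit; after it completes, kinit as the delegated user and confirm with ipa group-add-member that membership changes on that group succeed while changes to any other group are refused.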