Closed ryanlerch closed 4 years ago
You also need an update to create the container:
dn: cn=agreements,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: agreements
Traditionally the module name should be the same as the LDAP object name (agreement.py instead of agreements.py).
# Agreement Administrators
dn: cn=Agreement Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Agreement Administrators
default:description: Manage FAS user agreements
The self-service permissions is going to be tricky. Untested ACI:
dn: cn=agreements,$SUFFIX
add:aci: (targetattr = "member")(targetfilter = "(objectclass=fasagreement)")(version 3.0; acl "Allow users to consent to an agreement"; allow (selfwrite) userattr != "member#USERDN";)
This all looks pretty perfect. Just one question though, if group "Developers" is part of the "X" agreement and i try to add "Joe" to the "Developers" group, but "Joe" has not signed the "X" agreement, it currently allows me to. Is this something we want to or can enforce on the IPA side?
I don't think it's possible with an ACI, at least it doesn't look straightforward to me. There is always the option of a pre_callback on group_add_member.
How should groups with multiple agreements work? Is it a logical OR or logical AND relationship?
I discussed this with @abompard a few weeks ago, and IIRC, we agreed on an AND relationship here. https://github.com/fedora-infra/freeipa-fas/issues/46#issuecomment-625657436
If a group has two agreements, for example the fedora one, and the centos one, it would make the most sense that the user would have to have signed both before being added to the group.
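The two points above (enforcing the agreement in a pre_callback on group_add_member rather than an ACI, and treating multiple agreements as a logical AND) combined into one worked example. This is added illustration code, not code from freeipa-fas or FreeIPA: the directory is replaced by in-memory dictionaries so it runs offline, and the names `Directory`, `missing_agreements`, `group_add_member_pre_callback` and the sample DNs are assumptions. In a real plugin the same check would sit in a pre_callback registered on group_add_member and read memberships through the `ldap` handle that FreeIPA passes in.

```python
"""Added example (not freeipa-fas code): refuse adding a user to a group
unless the user is a member of every agreement attached to that group."""
from dataclasses import dataclass, field


class AgreementNotSigned(Exception):
    """Raised when one or more users have not signed a required agreement.

    args[0] maps each offending user DN to the list of agreements it lacks.
    """


@dataclass
class Directory:
    """Constructed stand-in for the LDAP tree (assumption, not the real schema).

    agreement_members: agreement cn -> set of user DNs listed in its `member`
    group_agreements:  group cn     -> set of agreement cns that apply to it
    """
    agreement_members: dict = field(default_factory=dict)
    group_agreements: dict = field(default_factory=dict)


def missing_agreements(directory, group, user_dn):
    """Return the agreements attached to `group` that `user_dn` has not signed.

    Logical AND: the user is eligible only if this list is empty.
    A group with no agreements requires nothing.
    """
    required = directory.group_agreements.get(group, set())
    return sorted(
        cn for cn in required
        if user_dn not in directory.agreement_members.get(cn, set())
    )


def group_add_member_pre_callback(directory, group, user_dns):
    """Shape of the check a pre_callback on group_add_member would perform.

    The whole operation is refused if any requested user is missing any
    agreement, so a partially applied membership change never happens.
    """
    problems = {}
    for dn in user_dns:
        missing = missing_agreements(directory, group, dn)
        if missing:
            problems[dn] = missing
    if problems:
        raise AgreementNotSigned(problems)
    return True


# Constructed sample data: "developers" requires both the fedora and the
# centos agreement; alice signed both, joe only signed fedora.
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
JOE = "uid=joe,cn=users,cn=accounts,dc=example,dc=test"


def sample_directory():
    return Directory(
        agreement_members={
            "fedora": {ALICE, JOE},
            "centos": {ALICE},
        },
        group_agreements={
            "developers": {"fedora", "centos"},
            "docs": set(),
        },
    )


if __name__ == "__main__":
    d = sample_directory()
    print(group_add_member_pre_callback(d, "developers", [ALICE]))
    try:
        group_add_member_pre_callback(d, "developers", [ALICE, JOE])
    except AgreementNotSigned as exc:
        print("refused:", exc.args[0])
```

Because the callback rejects the entire request when any one user fails, the caller sees exactly which agreements each user still needs rather than a silent partial add.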
I'm +1 for these changes, FWIW @tiran thanks again for this!
I've rebased on master to solve a merge conflict in Makefile.
A very loose first attempt at adding agreement LDAP parts.