author | Endi S. Dewata <edewata@redhat.com> | 2011-10-24 18:18:10 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2011-10-26 12:53:28 +0000 |
commit | f168afbeb6e88e6ba66d7472529c35ed78dc6bc0 (patch) | |
tree | ebadbb98c5c688c9c7bb00f81598868fb7678057 /install | |
parent | 0450934e366c37d01fe84a2c23ed196bf8dd6f89 (diff) | |
Removed HBAC deny rule warning.
HBAC deny rules are no longer supported, so it is no longer necessary
to show the warning.
Ticket #1444
Diffstat (limited to 'install')
-rw-r--r-- | install/html/Makefile.am | 1 | ||||
-rw-r--r-- | install/html/hbac-deny-remove.html | 83 | ||||
-rw-r--r-- | install/ui/hbac.js | 44 | ||||
-rw-r--r-- | install/ui/ipa.css | 5 | ||||
-rw-r--r-- | install/ui/ipa.js | 9 | ||||
-rwxr-xr-x | install/ui/test/bin/update_ipa_init.sh | 27 | ||||
-rw-r--r-- | install/ui/test/data/hbacrule_find.json | 40 | ||||
-rw-r--r-- | install/ui/test/data/hbacrule_show.json | 2 | ||||
-rw-r--r-- | install/ui/test/data/ipa_init.json | 11 | ||||
-rw-r--r-- | install/ui/webui.js | 6 |
10 files changed, 29 insertions, 199 deletions
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index c310be6d2..46e8683c8 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,7 +5,6 @@ app_DATA = \
 ssbrowser.html \
 browserconfig.html \
 unauthorized.html \
- hbac-deny-remove.html \
 ipa_error.css \
 $(NULL)
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
deleted file mode 100644
index 7debfea76..000000000
--- a/install/html/hbac-deny-remove.html
+++ /dev/null
@@ -1,83 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
- <title>IPA: Identity Policy Audit</title>
-
- <script type="text/javascript" src="../ui/jquery.js"></script>
-
- <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
- <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
- <link rel="stylesheet" type="text/css" href="ipa_error.css" />
-
-
-</head>
-
-<body class="info-page">
-
- <div class="container_1">
- <div class="header-logo">
- <img src="../ui/ipalogo.png" /><img src="../ui/ipabanner.png" />
- </div>
- <div class="textblockkrb">
- <h1>Removal of HBAC Deny Rules.</h1>
- <p>FreeIPA has dropped support for DENY rules from the HBAC
- specification. </p>
- <p>The former design of HBAC specifies that<p>
- <ol>
- <li> If no ALLOW rules match, access is denied</li>
- <li> If one or more ALLOW rules match and no DENY rules match,
- access is allowed</li>
- <li>If one or more DENY rules match, access is denied</li>
- </ol>
- <p>Thus, DENY rules exist only to provide exceptions from the ALLOW
- rules. There exists no ALLOW+DENY combination that cannot be
- constructed from ALLOW rules only.[1]</P>
-
- <p>DENY rules introduce a lot of edge-cases for evaluation. The most
- important of which is the availability of the group membership for
- the user logging in. Depending on the mechanism used to log in (for
- example, GSSAPI over SSH or cross-realm Kerberos trust where the
- user is provided by the PAC), SSSD's cache may not have a complete
- list of groups for this user. If the login is occurring during
- offline mode (where SSSD cannot contact the LDAP server to refresh
- the user's groups), SSSD cannot determine whether DENY rules would
- match for the user. This therefore translates into a potential
- security issue.</p>
-
- <p>We implemented a workaround in the SSSD evaluator to resolve this by
- guaranteeing that we do a full lookup of all groups referenced by
- rules while we are retrieving the rules from FreeIPA. However, this
- requires at least one additional lookup against the LDAP server
- (possibly many if there is need to resolve nestings). This results
- in a significantly slower login while online.</p>
-
- <p>We also have issues related to source host evaluation. Some
- applications will provide an IP address instead of a hostname in the
- pam_rhost attribute. Our only recourse here is to perform a
- reverse-DNS lookup to try and identify the real hostname(s) of the
- server. However, in many real-world environments, reverse DNS is
- unavailable or misconfigured. In the case of ALLOW rules, this would
- lead to a match failure and an implicit denial. However, a failure
- to properly match a DENY rule can result in unexpected access being
- granted. This is a potentially serious security issue.</p>
-
- <p>Given these edge cases (and performance issues of the noted
- workaround), The FreeIPA team decided to drop DENY rules from the
- HBAC specification and limit HBAC only to ALLOW rules (which are
- much safer). Beyond the obvious advantages for our implementation,
- this should make it less complex for users to write their rules.</p>
-
- <p>[1] Some rules are complex to simulate, such as "Allow access from
- all PAM services EXCEPT telnet". But a safer and clearer
- implementation approach does all access via whitelist. If a FreeIPA
- implementation is using an exception rule, the administrators
- should re-evaluate the justification.
- </p>
- </div>
-
- </div>
-
-</body>
-
-</html>
diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index fb57dd158..e05e43f6b 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -554,47 +554,3 @@ IPA.hbacrule_details_facet = function(spec) {
 return that;
 };
-
-
-IPA.hbac_deny_warning_dialog = function(container) {
- var dialog = IPA.dialog({
- 'title': 'HBAC Deny Rules found'
- });
-
- var link_path = "config";
- if (IPA.use_static_files){
- link_path = "html";
- }
-
- dialog.create = function() {
- dialog.container.append(
- "HBAC rules with type deny have been found."+
- " These rules have been deprecated." +
- " Please remove them, and restructure the HBAC rules." );
- $('<p/>').append($('<a/>',{
- text: 'Click here for more information',
- href: '../' +link_path +'/hbac-deny-remove.html',
- target: "_blank",
- style: 'target: tab; color: blue; '
- })).appendTo(dialog.container);
- };
-
- dialog.create_button({
- name: 'edit',
- label: 'Edit HBAC Rules',
- click: function() {
- dialog.close();
- IPA.nav.show_page('hbacrule', 'search');
- }
- });
-
- dialog.create_button({
- name: 'ignore',
- label: 'Ignore for now',
- click: function() {
- dialog.close();
- }
- });
-
- dialog.open();
-};
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 0652b375a..86d3b9db5 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -696,11 +696,6 @@ span.main-nav-off > a:visited {
 padding-left: 0.5em;
 }
-.hbac-deny-rule {
- color: red;
-}
-
-
 .search-table tfoot td {
 padding: 0.5em 0 0 1em;
 border-top: 1px solid #dfdfdf;
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 381f128c2..15088f61a 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -169,15 +169,6 @@ var IPA = ( function () {
 }
 }));
- batch.add_command(IPA.command({
- entity: 'hbacrule',
- method: 'find',
- options:{"accessruletype":"deny"},
- on_success: function(data, text_status, xhr) {
- that.hbac_deny_rules = data;
- }
- }));
-
 batch.execute();
 };
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 2fc9c2170..26cbc9679 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -15,7 +15,30 @@ then
 exit 1
 fi
-
+json="{
+ \"method\": \"batch\",
+ \"params\": [
+ [
+ {
+ \"method\": \"i18n_messages\",
+ \"params\": [[], {}]
+ },
+ {
+ \"method\": \"user_find\",
+ \"params\":[[], { \"whoami\": true, \"all\": true }]
+ },
+ {
+ \"method\": \"env\",
+ \"params\": [[], {}]
+ },
+ {
+ \"method\": \"dns_is_enabled\",
+ \"params\": [[], {}]
+ }
+ ],
+ {}
+ ]
+}"
 curl -v\
 -H "Content-Type: application/json"\
@@ -24,6 +47,6 @@ curl -v\
 --delegation always\
 -u :\
 --cacert /etc/ipa/ca.crt\
- -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'\
+ -d "$json"\
 -X POST\
 https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index 3801a7d44..1775119c8 100644
--- a/install/ui/test/data/hbacrule_find.json
+++ b/install/ui/test/data/hbacrule_find.json
@@ -2,7 +2,7 @@
 "error": null,
 "id": null,
 "result": {
- "count": 4,
+ "count": 1,
 "result": [
 {
 "accessruletype": [
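Review bot: The `json` body added at the top of the hunk is double-quoted, so every quote inside it has to be backslash-escaped and the whole text is subject to `$` and backtick expansion it does not need; since the payload contains no single quotes it can be written verbatim as `json='{` … `}'` with all the backslashes dropped, or read from a quoted here-doc (`<<'EOF'`). The `-d "$json"` line in the second hunk is correct as written and should stay double-quoted. While the curl invocation is being edited: without `--fail` (and `set -o pipefail`) an authentication or HTTP error body still flows through `sed` and overwrites `$INIT_FILE`, so a failed request silently produces an invalid fixture — that behaviour predates this change. The new batch also no longer sends the `json_metadata` call that the removed inline body did; if that is intentional (the fixture's `count` going 5 → 4 in ipa_init.json matches four calls), a word about it in the commit message would help the next reader.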
@@ -30,45 +30,9 @@
 "usercategory": [
 "all"
 ]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny1"
- ],
- "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny2"
- ],
- "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny3"
- ],
- "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
 }
 ],
- "summary": "4 HBAC rules matched",
+ "summary": "1 HBAC rule matched",
 "truncated": false
 }
 }
diff --git a/install/ui/test/data/hbacrule_show.json b/install/ui/test/data/hbacrule_show.json
index 2c0b64b39..293ed0031 100644
--- a/install/ui/test/data/hbacrule_show.json
+++ b/install/ui/test/data/hbacrule_show.json
@@ -4,7 +4,7 @@
 "result": {
 "result": {
 "accessruletype": [
- "deny"
+ "allow"
 ],
 "accesstime": [
 "periodic daily 0800-1400",
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 78b18ee11..dfd1fa68a 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -2,7 +2,7 @@
 "error": null,
 "id": null,
 "result": {
- "count": 5,
+ "count": 4,
 "results": [
 {
 "error": null,
@@ -204,11 +204,9 @@
 },
 "hbacrule": {
 "active": "Active",
- "allow": "Allow",
 "any_host": "Any Host",
 "any_service": "Any Service",
 "anyone": "Anyone",
- "deny": "Deny",
 "host": "Accessing",
 "inactive": "Inactive",
 "ipaenabledflag": "Rule status",
@@ -533,13 +531,6 @@
 "result": true,
 "summary": null,
 "value": ""
- },
- {
- "count": 0,
- "error": null,
- "result": [],
- "summary": "0 HBAC rules matched",
- "truncated": false
 }
 ]
 }
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 189cddda1..daa22b22a 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -167,12 +167,6 @@ $(function() {
 IPA.nav.update();
 $('#login_header').html(IPA.messages.login.header);
-
- if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){
- if (IPA.nav.name === 'admin'){
- IPA.hbac_deny_warning_dialog();
- }
- }
 }