freeipa/doc/designs/membermanager.md
Christian Heimes 9f2553c64f Add explicit syntax language to code blocks
m2r converts code blocks into ReST code blocks with syntax highlighting.
Auto-detection of the language does not work correctly, though.
Explicitly set the language for console, ini, and Python blocks.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-21 07:42:20 +02:00

3.8 KiB

Member Manager for group membership

Overview

A member manager is a principal that is able to manage members of a group. Member managers are able to add new members to a group or remove existing members from a group. They cannot modify additional attributes of a group as a part of the member manager role.

Member management is implemented for user groups and host groups. Membership can be managed by users or user groups. Member managers are independent from members. A principal can be a member manager of a group without being a member of a group.

Use Cases

An administrator can use member management feature to delegate some control over user groups and host groups to users. For example a project manager is now able to add new team members to a project group.

A NFS admin with member management capability for a host group is able to indirectly influence an HBAC rules and control which hosts can connect to an NFS file share.

Implementation

The user group commands and host group commands are extended to handle member managers. The plugin classes grow two additional sub commands, one for adding and one for removing member managers. The show command prints member manager users and member manager groups. The find command can search by member manager.

Member managers are stored in a new LDAP attribute memberManager with OID 2.16.840.1.113730.3.8.23.1. It is multi-valued and contains DNs of users and groups which can manage members of the group. The attribute can be added to entries with object class ipaUserGroup or ipaHostGroup. The attribute is indexed and its membership controlled by referential integrity postoperation plugin. New userattr ACIs grant principals with user DN or group DN in memberManager write permission to the member attribute of the group.

The memberManager attribute is protected by the generic read and modify permissions for each type of group. It is readable by everybody with System: Read Groups / System: Read Hostgroups permission and writable by everybody with System: Modify Groups / System: Modify Hostgroups permission.

Examples

Add example user and groups:

$ kinit admin
$ ipa user-add john --first John --last Doe --random
$ ipa user-add tom --first Tom --last Doe --random
$ ipa group-add project
$ ipa group-add project_admins

Make user and group member managers:

$ ipa group-add-member-manager project --users=john
$ ipa group-add-member-manager project --groups=project_admins

Show group:

$ ipa group-show project
  Group name: project
  GID: 787600003
  Membership managed by groups: project_admins
  Membership managed by users: john

Find groups by member managers:

$ ipa group-find --membermanager-users=john
---------------
1 group matched
---------------
  Group name: project
  GID: 787600003
----------------------------
Number of entries returned 1
----------------------------
$ ipa group-find --membermanager-groups=project_admins
---------------
1 group matched
---------------
  Group name: project
  GID: 787600003
----------------------------
Number of entries returned 1
----------------------------

Use member management capability:

$ kinit john
$ ipa group-add-member project --users=tom
  Group name: project
  GID: 787600003
  Member users: tom
  Membership managed by groups: project_admins
  Membership managed by users: john
-------------------------
Number of members added 1
-------------------------

Remove member management capability:

$ kinit admin
$ ipa group-remove-member-manager project --groups=project_admins
  Group name: project
  GID: 787600003
  Member users: tom
  Membership managed by users: john
---------------------------
Number of members removed 1
---------------------------