Nethserver-delegation needs testers

The install command should be corrected: yum install nethserver-delegated-panel-0.0.2-1.el6.noarch.rpm

1 Like

I have almost done the Panel for the contribs, thanks to @Ctek for giving me the way :smile:

@davidep I can be wrong but I’m not sure that permissions for the Dashboard are located in /usr/share/nethesis/NethServer/Authorization/base.json; I cannot instantiate the permissions for a user.

All Panels can be delegated except the Dashboard !!!

Dashboard is quite different from other modules. It instantiates its contents depending on the “admin” condition.

Thanks @davidep, can you explain why the authorisation doesn’t depend on the base.json file? Other modules can also be quite sensitive from a security point of view and they don’t have this kind of authorisation.

This way we cannot delegate the dashboard :frowning:

It’s not easy to explain… Well, first of all, for “historical reasons”. Dashboard is the default module. A Location header is sent if the module name is missing in the request URL.

Before the “dependency injection” refactor it was not possible to calculate the redirect on the User object in index.php, because User was not instantiated.

Perhaps we can now arrange the things differently and obtain two distinct default dashboard modules: the Admin’s one and the User’s one.

Another approach could be invoking the Authorization procedures to make the Dashboard plugins behave like the root level modules and allow granting/delegating them.

@davidep
Just an idea, maybe I’m off track here…
Wouldn’t it be easier to create a meta module that is a substitute for the dashboard? This way there is no need to refactor all the code for the dashboard.

BR
Bogdan

Install the version nethserver-delegated-panel-0.0.3-1.ns6.sdl.noarch.rpm: a plugin is now available in the User and Group panel -> see the first post for installing it.

You can either allow all modules for a group or a user, or specify which modules you want to be allowed.

As always, let me know your thoughts.

3 Likes

New bounty created! :smile_cat:

It’s time to move in with this!

2 Likes

I need to try nethserver-delegated-panel on NS7; a templated file /usr/share/nethesis/NethServer/Authorization/base.json is still needed.

1 Like

I see two possible ways of doing it:

  1. The quicker: define a template for base.json in your package, and bind the nethserver-httpd-update event to re-expand it when the RPM restores its original state.

  2. The smartest: add another .json file (being template or not) under the same dir with additional rules that refine or override the rules from base.json.

In both cases be aware of the bug/limitation of PolicyRule I mentioned above:

Well I need to rewrite it quite entirely for NS7

For NS6 ONLY

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.4-1.ns6.sdl.noarch.rpm

After that you can choose which panels are available for which groups or users.

1 Like

Bump: kamikazes needed

Strange thing. After setting user delegations (Dashboard panel, shutdown, Users manager, User profile) and logging out from root, I’m trapped in an Anonymous session with full permission:

/var/log/messages reports the root user logout:

Jul  9 12:35:32 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user root logged out

but server-admin keeps logged in as Anonymous, and any logout attempt reports:

Jul  9 13:06:26 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out
Jul  9 13:06:30 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out

/var/log/secure shows:

Jul  9 13:06:27 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration
Jul  9 13:06:30 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration

I can access all panels but the dashboard.
Clearing browsing data or closing and reopening the browser has no effect.
When browsing to the server-manager from a different browser no login prompt is requested; instead I’m directly logged in as Anonymous, with full access (as before).
Rebooting the server makes no difference.

The delegated user has a ' character within the LastName:

#/var/log/secure
COMMAND=/sbin/e-smith/db accounts setprop user1 FirstName User Street  Department  Uid 5000 MailStatus enabled PhoneNumber  MailForwardStatus disabled AdminAllPanels disabled City  PassExpires yes LastName O'ne Company  Samba enabled MailSpamRetentionStatus disabled __state active AdminPanels Dashboard,Shutdown,User,UserProfile

/var/log/audit/audit.log:

type=USER_START msg=audit(1499601307.224:2434): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1499601307.246:2435): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1499601307.246:2436): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1499601307.255:2437): user pid=10944 uid=498 auid=4294967295 ses=4294967295 msg='cwd="/usr/share/nethesis/nethserver-manager" cmd=2F7362696E2F652D736D6974682F6C6F67766965776572202D6F2031323732373637202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=? res=success'
type=CRED_ACQ msg=audit(1499601307.257:2438): user pid=10944 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

A warning logged:

Use of uninitialized value in numeric gt (>) at /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm line 130.

for a dependency from centos-base repo:

# rpm -qf /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm
perl-Authen-SASL-2.13-3.el6.noarch

Edit: Restored a good snapshot + updates, created a user, set delegation for disk usage: same behavior.

1 Like
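The report above spots the problem by noticing logout lines with an empty username in /var/log/messages. As an added example (not code from the thread or from nethserver-delegated-panel), the following script parses syslog-style httpd-admin lines and flags logouts whose user field is blank, which is a cheap way to detect a session that reached the Logout module without ever being tied to an authenticated user. The line format is assumed from the quoted log lines, and the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog-style line written by the server-manager (httpd-admin) on logout.
# The layout is an assumption modelled on the lines quoted in the report.
LOGOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) httpd-admin: "
    r"\[(?P<level>\w+)\] Nethgui\\Module\\Logout: user (?P<user>.*?) logged out$"
)


@dataclass
class LogoutEvent:
    timestamp: str
    host: str
    user: str  # empty string when the session carried no authenticated user


def parse_logout(line: str) -> Optional[LogoutEvent]:
    """Return a LogoutEvent for a Nethgui logout line, or None for any other line."""
    m = LOGOUT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LogoutEvent(m.group("ts"), m.group("host"), m.group("user").strip())


def find_anonymous_logouts(lines) -> List[LogoutEvent]:
    """Keep only logout events whose username is empty: the 'user  logged out'
    lines that the report above associates with the Anonymous session."""
    return [ev for ev in map(parse_logout, lines) if ev is not None and ev.user == ""]


# Constructed sample, modelled on the lines quoted in the report (not real log data).
SAMPLE_LOG = """\
Jul  9 12:35:32 server httpd-admin: [NOTICE] Nethgui\\Module\\Logout: user root logged out
Jul  9 12:40:01 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration
Jul  9 13:06:26 server httpd-admin: [NOTICE] Nethgui\\Module\\Logout: user  logged out
Jul  9 13:06:30 server httpd-admin: [NOTICE] Nethgui\\Module\\Logout: user  logged out
""".splitlines()

if __name__ == "__main__":
    for ev in find_anonymous_logouts(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: logout with empty username")
```

Run it against a real file with `find_anonymous_logouts(open("/var/log/messages"))`; any hit means a server-manager session existed without a username, which is worth correlating with the sudo entries in /var/log/secure for the same seconds.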

I cannot reproduce :cry:

Is it the same with another VM?

It is not a bug, it is a feature :slight_smile:

Edit: same behaviour when I created a user and its password but with no previous login.

The template I put in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json is the bug, let’s investigate.

I recall having tried with a user with no previous login or with login just to the server-manager (but no SSH or anything else).

Could you please test something:
in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json remove lines 2, 3 and 4

[
-{
-}
-,
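The culprit is a stray empty object at the head of the rule array in DelegatedPanel.json. As an added example (not code from the thread or from nethserver-delegated-panel), the following script lints such a file before it is dropped into the Authorization directory: it rejects entries that are not objects, flags empty `{}` rules, and reports rules missing the fields a policy rule needs. The field names in REQUIRED_KEYS are an assumption for illustration, since the thread does not show the rule schema; the two policy documents are constructed.

```python
import json
from typing import List, Tuple

# Assumed rule fields. The thread only shows that an empty "{}" entry broke
# authorization; these key names are an assumption, not the real schema.
REQUIRED_KEYS = ("Effect", "Subject", "Action", "Resource")


def lint_policy(text: str) -> List[Tuple[int, str]]:
    """Parse a JSON array of policy rules and return (index, problem) pairs.
    A single (-1, ...) entry is returned when the document itself is unusable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [(-1, f"invalid JSON: {e.msg} at line {e.lineno}")]
    if not isinstance(doc, list):
        return [(-1, "top-level value must be an array of rules")]
    problems: List[Tuple[int, str]] = []
    for i, rule in enumerate(doc):
        if not isinstance(rule, dict):
            problems.append((i, "rule is not an object"))
            continue
        if not rule:
            # This is the shape reported in the thread: "{}" followed by ","
            problems.append((i, "empty rule object"))
            continue
        missing = [k for k in REQUIRED_KEYS if k not in rule]
        if missing:
            problems.append((i, "missing keys: " + ", ".join(missing)))
    return problems


def strip_empty_rules(text: str) -> str:
    """Return the policy with empty rule objects removed, re-serialised."""
    doc = json.loads(text)
    return json.dumps([r for r in doc if r], indent=4)


# Constructed documents mirroring the layout quoted in the thread (not the real file).
BROKEN_POLICY = """[
{
}
,
{"Effect": "ALLOW", "Subject": "*", "Action": "QUERY", "Resource": "Dashboard", "Description": "placeholder"}
]"""

FIXED_POLICY = """[
{"Effect": "ALLOW", "Subject": "*", "Action": "QUERY", "Resource": "Dashboard", "Description": "placeholder"}
]"""

if __name__ == "__main__":
    for idx, msg in lint_policy(BROKEN_POLICY):
        print(f"rule {idx}: {msg}")
    print(strip_empty_rules(BROKEN_POLICY))
```

Running it over BROKEN_POLICY reports rule 0 as an empty object, which is exactly the three lines the request above asks to delete; FIXED_POLICY passes clean.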

Yep! it works.

In fact I’m the bug: I needed to do a quick trick (I noted fixme in the code, because I knew that it was bad).