tickets #161900

closed

Permissions to edit VPN group

Added by crameleon 24 days ago. Updated 24 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
FreeIPA/Kanidm
Target version:
-
Start date:
2024-06-06
Due date:
% Done:

0%

Estimated time:

Description

Hi,

as part of onboarding a new user we need to add them to the vpn group. I took the liberty to refactor your existing SSH key management page to add the instructions there: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/Kanidm_Account_Management, but noticed I'm not authorized to modify the vpn group:

crameleon@thor1:/home/crameleon> kanidm group add-members vpn wombelix
2024-06-06T19:29:44.362310Z ERROR kanidm_cli: HTTP Error: 403 Forbidden AccessDenied "b5ea6d43-508f-4604-9c49-e331b2f5beb8"
crameleon@thor1:/home/crameleon> kanidm group add-members vpn@infra.opensuse.org wombelix
2024-06-06T19:29:53.621948Z ERROR kanidm_cli: HTTP Error: 403 Forbidden AccessDenied "fce2057a-8436-4a50-8ea0-bdaba87dc99c"

Ideally, everyone who can add new users should also be able to add them to the vpn group (previously, we did this through the FreeIPA GUI as well).
Could we have this please? :-)

Cheers
Georg

Actions #1

Updated by crameleon 24 days ago

  • Assignee set to firstyear
  • Private changed from Yes to No
Actions #2

Updated by firstyear 24 days ago

Easy to do :) what's the group name for users who onboard and create new users? I'll grant it so that members of the "user create/onboard" group can modify the vpn group.

Actions #3

Updated by crameleon 24 days ago

Hmm, which of the groups I am in allowed me to create the person? :-)

Actions #4

Updated by firstyear 24 days ago

I'll make a user-onboarding group then too 🤣

I think you're part of idm_admins which gives you a lot of power to create accounts, but it's not a group I think we want everyone in.

Actions #5

Updated by crameleon 24 days ago

Ah, sure, that makes sense.
But maybe make it something more generic, like "user-management" or similar? It might be good to have the same group be allowed to create and edit other groups and users.

Actions #6

Updated by firstyear 24 days ago

Yep, that was the plan :)

Actions #7

Updated by firstyear 24 days ago

Done. Users who need to onboard new accounts should be added as members of "user-management". user-management has the ability to create and modify people, create and modify groups, and to extend and assign unix/posix attributes. Additionally, user-management is now listed as the "owner" of the vpn group, and can add members to that group as required.

"user-management" can be extended by members of kanidm-admins, which today is yourself and myself.

Hopefully that solves the problems :)

PS: the vpn group is still controlled by freeipa - currently, to add members to the vpn group you need to do it on freeipa until we disable the freeipa sync. This is because the way Kanidm sync works is that we consider all the groups and users fed to us by freeipa as being owned by that provider, so until that authority is released kanidm can't alter that group.

Actions #8

Updated by crameleon 24 days ago

  • Status changed from New to Resolved

Thank you, sounds great! I might ask to set it as the owner for some other ACL related groups at some point.

Actions #9

Updated by firstyear 24 days ago

Of course, no problem at all :)

You should be able to do that yourself with "kanidm group set-entry-manager ". So in this case I did "kanidm group set-entry-manager vpn user-management". That way you can delegate that user-management is the owner and has access to modify the vpn group.

Actions #10

Updated by crameleon 24 days ago

Even better! :-)
