tickets #161900
closed
Permissions to edit VPN group
Added by crameleon 24 days ago.
Updated 24 days ago.
Description
Hi,
as part of onboarding a new user we need to add them to the vpn
group. I took the liberty to refactor your existing SSH key management page to add the instructions there: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/Kanidm_Account_Management, but noticed I'm not authorized to modify the vpn group:
crameleon@thor1:/home/crameleon> kanidm group add-members vpn wombelix
2024-06-06T19:29:44.362310Z ERROR kanidm_cli: HTTP Error: 403 Forbidden AccessDenied "b5ea6d43-508f-4604-9c49-e331b2f5beb8"
crameleon@thor1:/home/crameleon> kanidm group add-members vpn@infra.opensuse.org wombelix
2024-06-06T19:29:53.621948Z ERROR kanidm_cli: HTTP Error: 403 Forbidden AccessDenied "fce2057a-8436-4a50-8ea0-bdaba87dc99c"
Ideally, everyone who can add new users should also be able to add them to the vpn group (previously, we did this through the FreeIPA GUI as well).
Could we have this please? :-)
Cheers
Georg
- Assignee set to firstyear
- Private changed from Yes to No
Easy to do :) what's the group name for users who onboard and create new users? I'll grant it so that members of the "user create/onboard" group can modify the vpn group.
Hmm, which of the groups I am in allowed me to create the person? :-)
I'll make a user-onboarding group then too 🤣
I think you're part of idm_admins which gives you a lot of power to create accounts, but it's not a group I think we want everyone in.
Ah, sure, that makes sense.
But maybe make it something more generic, like "user-management" or similar? It might be good to have the same group be allowed to create and edit other groups and users.
Yep, that was the plan :)
Done. Users who need to onboard new accounts should be added as members of "user-management". user-management has the ability to create and modify people, create and modify groups, and to extend and assign unix/posix attributes. Additionally, user-management is now listed as the "owner" of the vpn group, and can add members to that group as required.
"user-management" can be extended by members of kanidm-admins, which today is yourself and myself.
Hopefully that solves the problems :)
PS: the vpn group is still controlled by freeipa - currently, to add members to the vpn group you need to do it on freeipa until we disable the freeipa sync. This is because the way Kanidm sync works is that we consider all the groups and users fed to us by freeipa as being owned by that provider, so until that authority is released kanidm can't alter that group.
- Status changed from New to Resolved
Thank you, sounds great! I might ask to set it as the owner for some other ACL related groups at some point.
Of course, no problem at all :)
You should be able to do that yourself with "kanidm group set-entry-manager ". So in this case I did "kanidm group set-entry-manager vpn user-management". That way you can delegate that user-management is the owner and has access to modify the vpn group.
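The delegation flow described in this ticket (a kanidm-admins member makes "user-management" the entry manager of the vpn group, after which any member of "user-management" can add people to it), written up as an added shell example. This is not code from the ticket or from the Kanidm project; it assumes the kanidm CLI is installed and already logged in, uses the group names from the thread (overridable via VPN_GROUP and MANAGER_GROUP), and assumes that `kanidm group list-members` prints member names one per line, which is used only for the post-add verification.

```shell
#!/bin/sh
# Added example, not from the ticket: delegate the vpn group to user-management,
# then onboard a person into it and confirm the membership took.
set -eu

# Names taken from the ticket; override in the environment if your deployment differs.
VPN_GROUP="${VPN_GROUP:-vpn}"
MANAGER_GROUP="${MANAGER_GROUP:-user-management}"

# Accept only plain Kanidm entry names (letters, digits, ., _, @, -), so a typo or a
# pasted value with spaces or shell metacharacters cannot target a different entry.
valid_name() {
  case "$1" in
    '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Admin step, run once by a kanidm-admins member: make MANAGER_GROUP the entry
# manager ("owner") of VPN_GROUP, exactly the command quoted in the ticket.
delegate_vpn_group() {
  valid_name "$VPN_GROUP" && valid_name "$MANAGER_GROUP" || return 2
  kanidm group set-entry-manager "$VPN_GROUP" "$MANAGER_GROUP"
}

# Onboarding step, run by a user-management member: add the new person and verify.
# A 403 AccessDenied here (as in the ticket) means the caller is not in the entry
# manager group, or the group is still owned by the FreeIPA sync provider and
# must be edited in FreeIPA until that sync is disabled.
add_to_vpn() {
  user="$1"
  valid_name "$user" || { echo "refusing invalid user name: $user" >&2; return 2; }
  kanidm group add-members "$VPN_GROUP" "$user"
  # Assumed output format: one member name per line.
  if kanidm group list-members "$VPN_GROUP" | grep -q -- "$user"; then
    echo "$user is now a member of $VPN_GROUP"
  else
    echo "$user was not found in $VPN_GROUP after add-members; check permissions" >&2
    return 1
  fi
}

# Usage: ./vpn-onboard.sh <username>   (e.g. ./vpn-onboard.sh wombelix)
# With no arguments the script only defines the functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
  add_to_vpn "$1"
fi
```

Run `delegate_vpn_group` once from an account in kanidm-admins; afterwards `add_to_vpn` only needs membership in user-management. The verification step is what distinguishes a silently failed add (wrong group, sync-owned entry) from a successful one.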