ITTN-010: User Identification and Authorization

  • Adrien Thebo

Latest Revision: 2020-03-18

ITTN Category: Informational

1   IPA Server Topology

FreeIPA servers are multi-master, meaning that changes to the directory can be made at any server and are replicated to all other masters. Because every IPA server is a master holding a full replica, LDAP queries and changes can still be made at Cerro Pachon when the link to La Serena has been severed.

Two IPA servers (ipa1.<site>.<domain> and ipa2.<site>.<domain>) are deployed at each site, providing quick LDAP lookups and redundancy.

2   Group membership and access grants

Host access and sudo permissions are applied to groups of hosts (hostgroups) and groups of users (user groups, which are also the unix groups). Access is always granted by assigning users to user groups and hosts to hostgroups.

2.1   Group membership

Access control can be delegated to users by granting them permissions to manage memberships for groups.

2.1.1   Example: adding a user to a group

2.2   Hostgroup membership

Hosts must always be added to a hostgroup via an automember rule. A hostgroup that has an automember rule will evict any member host that does not match the rule’s regex, so automember rules are all or nothing.

2.2.1   Example: creating a new automember rule and adding hosts

2.2.2   Example: adding a host to an existing automember rule

$ ipa automember-add-condition auxtel \
   --type=hostgroup --key=fqdn \
   --inclusive-regex='^ts-csc-generic-01\.cp\.lsst\.org$'
------------------------------
Added condition(s) to "auxtel"
------------------------------
  Automember Rule: auxtel
  Inclusive Regex: fqdn=^at-.*, fqdn=^atarchiver.*, fqdn=^ats-.*, fqdn=^atsccs.*, fqdn=^atsdaq.*,
                   fqdn=^atshcu.*, fqdn=^auxtel-control-01.*, fqdn=^ts-csc-generic-01\.cp\.lsst\.org$
----------------------------
Number of conditions added 1
----------------------------
$ ipa automember-rebuild --type=hostgroup
---------------------------------------------------------
Automember rebuild task finished. Processed (87) entries.
---------------------------------------------------------
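Because a rebuild evicts every member that no longer matches, it is worth knowing which hosts a rule change would drop before running `ipa automember-rebuild`. The following Python script is an added example, not part of this technote: it parses an `Inclusive Regex:` line in the format printed above and reports the hosts that match none of the conditions. The member list and the hostnames other than ts-csc-generic-01 are constructed, and regex search semantics are assumed (every condition above is anchored with `^`, so that assumption does not change the result).

```python
import re

# Constructed sample: the "Inclusive Regex:" line printed in the session above,
# re-joined onto one line (the CLI wraps it).
INCLUSIVE_REGEX_LINE = (
    "Inclusive Regex: fqdn=^at-.*, fqdn=^atarchiver.*, fqdn=^ats-.*, "
    "fqdn=^atsccs.*, fqdn=^atsdaq.*, fqdn=^atshcu.*, "
    r"fqdn=^auxtel-control-01.*, fqdn=^ts-csc-generic-01\.cp\.lsst\.org$"
)

# Constructed sample of the hostgroup's current members
# (in practice taken from `ipa hostgroup-show auxtel`).
CURRENT_MEMBERS = [
    "at-camera-01.cp.lsst.org",
    "ts-csc-generic-01.cp.lsst.org",
    "auxtel-hcu-01.cp.lsst.org",   # matches no condition: would be evicted
]


def parse_conditions(line):
    """Split an 'Inclusive Regex:' line into (attribute, regex) pairs."""
    _, _, body = line.partition(":")
    conditions = []
    for item in body.split(", "):   # assumes no regex itself contains ", "
        attr, _, regex = item.strip().partition("=")
        if regex:
            conditions.append((attr, regex))
    return conditions


def would_be_evicted(members, conditions, attr="fqdn"):
    """Return the members that match none of the rule's regexes for `attr`.

    Search (unanchored) semantics are assumed; the rules above all start
    with '^', so for them this is the same as an anchored match.
    """
    patterns = [re.compile(rx) for a, rx in conditions if a == attr]
    return [m for m in members if not any(p.search(m) for p in patterns)]


if __name__ == "__main__":
    evicted = would_be_evicted(CURRENT_MEMBERS, parse_conditions(INCLUSIVE_REGEX_LINE))
    for host in evicted:
        print(f"would be evicted by automember-rebuild: {host}")
    raise SystemExit(1 if evicted else 0)   # non-zero exit blocks a scripted rebuild
```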

2.3   HBAC and sudo

Two levels of access are provided: basic login access to the host (which is generally done through SSH) and full sudo permissions.

  • Unix user group for host access (HBAC): <cluster>
  • Unix user group for sudo access: <cluster>-sudo
  • IPA host group: <cluster>

Two access rules are used: an HBAC rule that grants access to the host, and a sudo rule that grants full sudo access.

  • HBAC rule: <cluster>-users
  • Sudo rule: <cluster>-sudo

Note

Our current convention is that user groups and hostgroups are always singular. Sudo rules are always <cluster>-sudo and HBAC rules are always <cluster>-users.

This convention is not necessarily ideal and is subject to revision, but it is the pattern we are following right now. A consistent pattern avoids transcription and consistency errors. We can (and probably should) revise it in the future.

2.4   Example: amor cluster

A cluster named amor would be configured as follows:

  • Unix user group for host access (HBAC): amor
  • Unix user group for sudo access: amor-sudo
  • IPA host group: amor

The access rules are as follows:

  • HBAC rule: amor-users
  • Sudo rule: amor-sudo

Users with access to amor hosts would be added to the amor unix group.

Users with sudo permissions on amor hosts would be added to the amor-sudo unix group.

$ ipa hostgroup-show amor
  Host-group: amor
  Description: amor nodes
  Member hosts: amor02.cp.lsst.org, amor01.cp.lsst.org
  Member of Sudo rule: amor-sudo    # see: `ipa sudorule-show amor-sudo`
  Member of HBAC rule: amor-users   # see: `ipa hbacrule-show amor-users`
$ ipa hbacrule-show amor-users
  Rule name: amor-users
  Service category: all
  Enabled: TRUE
  User Groups: amor   # see: `ipa group-show amor`
  Host Groups: amor   # see: `ipa hostgroup-show amor`
$ ipa sudorule-show amor-sudo
  Rule name: amor-sudo
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: amor-sudo  # see: `ipa group-show amor-sudo`
  Host Groups: amor       # see: `ipa hostgroup-show amor`
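To verify that a cluster really follows the convention from section 2.3 (useful as well after creating a cluster as in 2.5), here is an added Python audit that is not part of the technote: it parses the `ipa hostgroup-show`, `hbacrule-show` and `sudorule-show` output in the format shown above and lists every deviation, including a rule that applies to a user or host category of all instead of the named groups. The sample outputs are constructed from the amor example; the field names are those printed by the ipa CLI.

```python
# Constructed samples in the `ipa *-show` output format; the "# see: ..."
# remarks are the technote's own annotations and are ignored by the parser.
HOSTGROUP_SHOW = """\
  Host-group: amor
  Member hosts: amor02.cp.lsst.org, amor01.cp.lsst.org
  Member of Sudo rule: amor-sudo    # see: `ipa sudorule-show amor-sudo`
  Member of HBAC rule: amor-users   # see: `ipa hbacrule-show amor-users`
"""
HBACRULE_SHOW = """\
  Rule name: amor-users
  Service category: all
  Enabled: TRUE
  User Groups: amor
  Host Groups: amor
"""
SUDORULE_SHOW = """\
  Rule name: amor-sudo
  Enabled: TRUE
  Command category: all
  User Groups: amor-sudo
  Host Groups: amor
"""


def parse_show(text):
    """Turn `ipa *-show` output into {field: [values]}; list fields are comma separated."""
    fields = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing "# see: ..." remarks
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return fields


def audit_cluster(cluster, hostgroup_out, hbacrule_out, sudorule_out):
    """Return the convention violations for <cluster>; an empty list means it conforms."""
    hg, hb, su = (parse_show(t) for t in (hostgroup_out, hbacrule_out, sudorule_out))
    checks = {
        "hostgroup not named after cluster": hg.get("Host-group") == [cluster],
        "hostgroup missing from HBAC rule": f"{cluster}-users" in hg.get("Member of HBAC rule", []),
        "hostgroup missing from sudo rule": f"{cluster}-sudo" in hg.get("Member of Sudo rule", []),
        "HBAC rule disabled": hb.get("Enabled") == ["TRUE"],
        "HBAC rule not limited to group": hb.get("User Groups") == [cluster] and "User category" not in hb,
        "HBAC rule not limited to hostgroup": hb.get("Host Groups") == [cluster] and "Host category" not in hb,
        "sudo rule disabled": su.get("Enabled") == ["TRUE"],
        "sudo rule not limited to sudo group": su.get("User Groups") == [f"{cluster}-sudo"] and "User category" not in su,
        "sudo rule not limited to hostgroup": su.get("Host Groups") == [cluster] and "Host category" not in su,
    }
    return [problem for problem, ok in checks.items() if not ok]
```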

2.5   Example: Creating an hvac hostgroup and user group

In this example we create the following resources:

  1. hvac unix user group for host access (HBAC)
  2. hvac-sudo unix user group for sudo access
  3. hvac IPA host group
  4. hvac-users HBAC rule
  5. hvac-sudo Sudo rule

2.5.1   User group creation

$ ipa group-add hvac --desc "Summit HVAC users"
------------------
Added group "hvac"
------------------
  Group name: hvac
  Description: Summit HVAC users
  GID: 73027
$ ipa group-add hvac-sudo --desc "Summit HVAC sudo users"
------------------
Added group "hvac-sudo"
------------------
  Group name: hvac-sudo
  Description: Summit HVAC sudo users
  GID: 73034
$ ipa hostgroup-add hvac --desc "Summit HVAC servers"
----------------------
Added hostgroup "hvac"
----------------------
  Host-group: hvac
  Description: Summit HVAC servers
$ ipa hbacrule-add hvac-users --servicecat=all
----------------------------
Added HBAC rule "hvac-users"
----------------------------
  Rule name: hvac-users
  Service category: all
  Enabled: TRUE
$ ipa hbacrule-add-host hvac-users --hostgroups=hvac
  Rule name: hvac-users
  Service category: all
  Enabled: TRUE
  Host Groups: hvac
-------------------------
Number of members added 1
-------------------------
$ ipa hbacrule-add-user hvac-users --groups=hvac
  Rule name: hvac-users
  Service category: all
  Enabled: TRUE
  User Groups: hvac
  Host Groups: hvac
-------------------------
Number of members added 1
-------------------------
$ ipa sudorule-add hvac-sudo --cmdcat=all --runasusercat=all --runasgroupcat=all
---------------------------
Added Sudo Rule "hvac-sudo"
---------------------------
  Rule name: hvac-sudo
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
$ ipa sudorule-add-user hvac-sudo --groups=hvac-sudo
  Rule name: hvac-sudo
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: hvac-sudo
-------------------------
Number of members added 1
-------------------------
$ ipa sudorule-add-host hvac-sudo --hostgroups=hvac
  Rule name: hvac-sudo
  Enabled: TRUE
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: hvac-sudo
  Host Groups: hvac
-------------------------
Number of members added 1
-------------------------

3   IPA Directory RBAC

IPA Directory RBAC differs from host access control because while host access control provides access to hosts and sudo, IPA RBAC grants permissions to modify the directory itself.

Roles bundle together groups of users and groups of privileges; each privilege in turn bundles permissions, which grant specific rights on specific parts of the directory.

A fully expanded RBAC role looks roughly like the following:

  • Desktop Support (RBAC Role)
    • User groups: desktop-support (see: ipa group-show desktop-support)
    • Privileges:
      • Stage User Provisioning (see ipa privilege-show "Stage User Provisioning")
        • System: Add Stage User (see ipa permission-show "System: Add Stage User")
          • Granted rights: add
          • Subtree: cn=staged users,cn=accounts,cn=provisioning,dc=lsst,dc=cloud
        • System: Modify Stage User (see ipa permission-show "System: Modify Stage User")
          • Granted rights: modify
          • Subtree: cn=staged users,cn=accounts,cn=provisioning,dc=lsst,dc=cloud
        • System: Delete Stage User (see ipa permission-show "System: Delete Stage User")
          • Granted rights: delete
          • Subtree: cn=staged users,cn=accounts,cn=provisioning,dc=lsst,dc=cloud
      • VPN Group Administrators (see ipa privilege-show "VPN Group Administrators")
        • Manage Chile VPN group (see ipa permission-show "Manage Chile VPN group")
          • Granted rights: write
          • Target DN: cn=vpn-cl,cn=groups,cn=accounts,dc=lsst,dc=cloud
          • Target group: vpn-cl

4   Service accounts and bind DNs

Some services need to bind to the LDAP directory and cannot use a normal IPA user. Examples are applications like Foreman and Dex (an OIDC provider).

See also: