Low privilege account for tokens fetch


Michał Lewandowski

Feb 3, 2017, 8:56:14 AM2/3/17
to privacyidea
Hello,

I'm struggling with the task of creating an admin account with low privileges that will only fetch authentication items.
I create two accounts with command:
1. pi-manage admin add admin1
2. pi-manage admin add admin2

I want to grant admin1 all privileges so it can administer the UI of privacyIDEA.
The second account should only be able to fetch authentication items and do nothing else.

Could someone explain to me how to accomplish this task?
I've tried setting up some policies for those accounts, but I've only managed a situation where both accounts got only the fetch privilege.

Thanks,
Michal 

Cornelius Kölbel

Feb 4, 2017, 6:44:37 AM2/4/17
to privacyidea
Hi Michal,

If admin1 is supposed to have all rights, you should set a policy in scope "admin" with roughly all actions. Set "admin1" as the username in the policy.
Then you can create the policy with the reduced rights.

You can use the policy templates (yellow button in policy UI)

Kind regards
Cornelius

Michał Lewandowski

Feb 6, 2017, 10:17:43 AM2/6/17
to privacyidea
Hello Cornelius,

Still something is not working for me.
My configuration is:

root@XXX:/etc/privacyidea# cat pi.cfg
import logging
# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['super']

root@XXX:/etc/privacyidea# pi-manage admin list

Name     email
==============================
admin    None
webuser  None

From UI:

First account:

Policy name - superuser
Scope - admin
Action (All) - 
{ "set": true, "revoke": true, "adduser": true, "enrollSMS": true, "policydelete": true, "managesubscription": true, "enrollTIQR": true, "configdelete": true, "machinelist": true, "enrollREMOTE": true, "setpin": true, "resync": true, "unassign": true, "smsgateway_write": true, "tokenrealms": true, "enrollSPASS": true, "eventhandling_write": true, "auditlog": true, "auditlog_download": true, "deleteuser": true, "clienttype": true, "resolverdelete": true, "enrollMOTP": true, "enrollPW": true, "enrollHOTP": true, "enrollQUESTION": true, "enrollCERTIFICATE": true, "copytokenuser": true, "configwrite": true, "enrollTOTP": true, "enrollREGISTRATION": true, "enrollYUBICO": true, "resolverwrite": true, "updateuser": true, "enable": true, "enrollU2F": true, "manage_machine_tokens": true, "enrollPAPER": true, "getrandom": true, "policywrite": true, "userlist": true, "getserial": true, "radiusserver_write": true, "enrollpin": true, "caconnectordelete": true, "caconnectorwrite": true, "disable": true, "mresolverdelete": true, "copytokenpin": true, "enrollRADIUS": true, "smtpserver_write": true, "set_hsm_password": true, "reset": true, "system_documentation": true, "getchallenges": true, "enroll4EYES": true, "enrollYUBIKEY": true, "fetch_authentication_items": true, "enrollEMAIL": true, "enrollDAPLUG": true, "mresolverwrite": true, "losttoken": true, "enrollSSHKEY": true, "importtokens": true, "triggerchallenge": true, "assign": true, "delete": true }

Realm - blank
User - admin
Resolver - blank
Client - blank

Second account:

Policy name - superuser
Scope - admin
Action (only for SSH RSA token and OTP) - 
{ "fetch_authentication_items": true, "getserial": true }

Realm - administrators
User - webuser
Resolver - admins
Client - blank

I still get a situation where I can only fetch my credentials and nothing else.
Did I miss something in the policy configuration?

I've read about a similar problem in the topic "Unable to create new policy in admin scope", but it seems to work for Sergey Kolosovski.

Thanks,
Michal

Michał Lewandowski

Feb 9, 2017, 6:43:26 AM2/9/17
to privacyidea
I've also changed the log level to debug, and when I enable my two policies I get the following error message:

[2017-02-09 12:33:05,697][3234][140629611616000][ERROR][privacyidea.lib.auditmodules.sqlaudit:234] DATA: {'info': 'Admin actions are defined, but the action policywrite is not allowed!', 'administrator': u'admin', 'realm': None, 'success': False, 'privacyidea_server': '10.206.40.107', 'client_user_agent': 'chrome', 'client': '10.95.110.7', 'user': '', 'resolver': '', 'action_detail': '', 'action': 'POST /policy/enable/<name>', 'serial': None}

Could someone help me with this problem?

PS. My policies have different names in "Policy name": the first is almighty_admin and the second is login. There is a mistake with this in my previous post.

Thanks,
Michal

Michał Lewandowski

Feb 9, 2017, 8:52:40 AM2/9/17
to privacyidea
Here is also my basic system configuration:

PI.cfg
------

PI_HSM: **default**

PI_LOGFILE: **/var/log/privacyidea/privacyidea.log**

PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem**

PI_PEPPER: **ZmJrpL6Kx9_fMPhqq9uOLfAi**

PI_ENCFILE: **/etc/privacyidea/enckey**

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: **privacyidea.lib.auditmodules.sqlaudit**

PI_LOGLEVEL: **20**

PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem**

SUPERUSER_REALM: **['super', 'credentials']**

.. note:: The SUPERUSER_REALM is a list of defined realms where the users
   will have administrative rights when logging in to the web UI.

Local Admins
------------
In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:

* **admin** <None>

* **webuser** <None>

System Base Configuration
-------------------------

UiLoginDisplayRealmBox: **0**

AutoResync: **0**

splitAtSign: **0**

UiLoginDisplayHelpButton: **0**

__timestamp__: **1486648120**

ReturnSamlAttributesOnFail: **0**

ReturnSamlAttributes: **1**

PrependPin: **1**

IncFailCountOnFalsePin: **0**

Resolver Configuration
----------------------
The following resolvers are defined. Resolvers are connections to user stores.
To learn more about resolvers read [#resolvers]_.

admins
~~~~~~~~~~~~~~~~~~
* Name of the resolver: admins
* Type of the resolver: passwdresolver

Configuration
.............

fileName: **/home/privacyidea/passwd**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

administrators
~~~~~~~~~~~~~~~
* Name of the realm: administrators

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: admins
  Priority: None
  Type: passwdresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

almighty_admin
~~~~~~~~~~~~~~~~~

time: ****

user: **[u'admin']**

resolver: **[]**

active: **False**

adminrealm: **[u'super']**

condition: **0**

realm: **[]**

client: **[]**

check_all_resolvers: **False**

action: **{u'set': True, u'revoke': True, u'adduser': True, u'enrollSMS': True, u'policydelete': True, u'policywrite': True, u'enrollTIQR': True, u'configdelete': True, u'machinelist': True, u'enrollREMOTE': True, u'setpin': True, u'resync': True, u'unassign': True, u'tokenrealms': True, u'enrollSPASS': True, u'auditlog': True, u'enrollPAPER': True, u'deleteuser': True, u'enrollEMAIL': True, u'resolverdelete': True, u'enrollMOTP': True, u'enrollPW': True, u'enrollHOTP': True, u'enrollQUESTION': True, u'enrollCERTIFICATE': True, u'copytokenuser': True, u'configwrite': True, u'enrollTOTP': True, u'enrollREGISTRATION': True, u'enrollYUBICO': True, u'reset': True, u'enable': True, u'enrollU2F': True, u'manage_machine_tokens': True, u'getrandom': True, u'system_documentation': True, u'caconnectordelete': True, u'caconnectorwrite': True, u'disable': True, u'radiusserver_write': True, u'getserial': True, u'enrollRADIUS': True, u'copytokenpin': True, u'set_hsm_password': True, u'updateuser': True, u'getchallenges': True, u'enroll4EYES': True, u'smtpserver_write': True, u'fetch_authentication_items': True, u'losttoken': True, u'enrollYUBIKEY': True, u'enrollDAPLUG': True, u'mresolverwrite': True, u'assign': True, u'userlist': True, u'enrollSSHKEY': True, u'importtokens': True, u'delete': True, u'resolverwrite': True, u'mresolverdelete': True}**

scope: **admin**

login
~~~~~~~~~~~~~~~~~

time: ****

user: **[u'webuser']**

resolver: **[]**

active: **False**

adminrealm: **[u'super']**

condition: **0**

realm: **[]**

client: **[]**

check_all_resolvers: **False**

action: **{u'fetch_authentication_items': True, u'getserial': True}**

scope: **admin**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

cornelius.koelbel

Feb 9, 2017, 11:45:32 AM2/9/17
to privacyidea
You have no realm "super", so why do you add it to your almighty policy?
Remove it!
There is no user "admin" in a realm "super". This policy will never match.

Try to understand the concept of realms and admin-realms.



Cornelius Kölbel 
+49 151 2960 1417

-------- Original message --------
From: Michał Lewandowski <michal.lewa...@gmail.com>
Date: 09.02.17 14:52 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: [privacyidea] Re: Low privilege account for tokens fetch


Michał Lewandowski

Feb 10, 2017, 8:26:23 AM2/10/17
to privacyidea
Cornelius,

Thanks for your answer. Now everything works great.
I've always thought that admin users are by default grouped in the realm super, since it's configured in pi.cfg:
SUPERUSER_REALM: **['super']**

Now everything is clear for me.

Thanks,
Michal
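Why the almighty_admin policy never matched and why enabling it then locked the local admin out of policywrite, as a simplified model of admin-scope policy matching (added example written for this thread; it is not privacyIDEA's own code, and the AdminPolicy class, field names and the action subsets are constructed assumptions):

```python
from dataclasses import dataclass, field

@dataclass
class AdminPolicy:
    """Simplified admin-scope policy (assumed fields, not privacyIDEA's own class)."""
    name: str
    action: dict                                    # action name -> True
    user: list = field(default_factory=list)        # empty list = any admin
    adminrealm: list = field(default_factory=list)  # empty list = any admin realm
    active: bool = True

def matches(pol, admin, realm):
    """Does this policy apply to administrator `admin` logged in from `realm`?"""
    if not pol.active:
        return False
    if pol.user and admin not in pol.user:
        return False
    # A local admin created with `pi-manage admin add` has no realm (None), so a
    # non-empty adminrealm condition such as ['super'] can never match it.
    if pol.adminrealm and realm not in pol.adminrealm:
        return False
    return True

def check_admin_action(policies, admin, realm, action):
    """Return (allowed, reason); the deny reason mirrors the error in the log above."""
    active = [p for p in policies if p.active]
    granting = [p for p in active if matches(p, admin, realm) and p.action.get(action)]
    if granting:
        return True, "granted by policy %s" % granting[0].name
    if active:
        return False, "Admin actions are defined, but the action %s is not allowed!" % action
    return True, "no admin policies defined, everything allowed"

# Constructed subset of the action sets from the thread's policy export.
ALMIGHTY_ACTIONS = {"policywrite": True, "enrollHOTP": True,
                    "fetch_authentication_items": True, "getserial": True}
LOGIN_ACTIONS = {"fetch_authentication_items": True, "getserial": True}

def thread_scenario(fixed):
    """Both policies as posted; fixed=True drops the adminrealm ['super'] condition."""
    adminrealm = [] if fixed else ["super"]
    pols = [AdminPolicy("almighty_admin", ALMIGHTY_ACTIONS, user=["admin"], adminrealm=adminrealm),
            AdminPolicy("login", LOGIN_ACTIONS, user=["webuser"], adminrealm=adminrealm)]
    def probe(who, act):                      # local admins log in with realm None
        return check_admin_action(pols, who, None, act)[0]
    return {"admin_policywrite": probe("admin", "policywrite"),
            "webuser_policywrite": probe("webuser", "policywrite"),
            "webuser_fetch": probe("webuser", "fetch_authentication_items")}

if __name__ == "__main__":
    print("as posted:", thread_scenario(fixed=False))
    print("fixed:    ", thread_scenario(fixed=True))
```

With the adminrealm condition removed, admin gets policywrite while webuser is still limited to fetch_authentication_items and getserial, which is the split the thread was after.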

