Add a second admin for use with a single realm


simv...@gmail.com

May 9, 2016, 8:59:31 AM5/9/16
to privacyidea
Hello!
I need to create a "sub-admin" with administrative power only for a specific realm.

I've created two admin users with "pi-manage admin".

# pi-manage admin list
_Name    email_
admin    None
admin_b  None

Admin is the standard/full administrator and admin_b is the administrator for realm "b".

These are the two policies I created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite, enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync, unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser, enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP, enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable, enrollU2F, manage_machine_tokens, getrandom, userlist, getserial, radiusserver_write, system_documentation, caconnectordelete, caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial, disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with "admin" (via WEB) I can manage users/settings, but NOT:

- Enroll a new token (the list of TOKEN types is NULL)
- Edit the Policy (REPLY: Admin actions are defined, but the action policywrite is not allowed!)

Logging in with "admin_b" (again via WEB) the options are limited, but:

admin_b can't see users for realm "a", but can create users for that realm ("a")!

Removing the two policies, "admin" and "admin_b" can do everything.

Which is the best setting to create an administrative account for use with one specific realm by API?

Thank you very much!

---
Sim

Cornelius Kölbel

May 9, 2016, 9:56:19 AM5/9/16
to priva...@googlegroups.com
Hi Sim,

this seems to be due to the fact that the realm of the admin is falsely used
as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is
searched for. But your policy correctly contains realm B.

-> Bug with mixing up admin realm and user realm.

If you are willing to pull the git repo, I will be able to provide a fix
shortly.

Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



simv...@gmail.com

May 9, 2016, 10:22:00 AM5/9/16
to privacyidea
Hello Cornelius,
currently I have a production server and a development server but both installed with apt-get.
It is not urgent, but can I ask you if this is the correct way? I need a "sub-administrator" for a specific realm to use ONLY with REST/API.
Otherwise I can create a user in that local realm, add a policy with scope admin for that user (as in my example) and increase security with a webui policy { "login_mode": "disable" }.
In this way I'll block web access, but not the REST/API functions.
With "pi-manage admin add" the user will also be able to connect via the web UI.
Right?

Thanks again

---
Sim

Cornelius Kölbel

May 9, 2016, 10:31:41 AM5/9/16
to simv...@gmail.com, privacyidea
Hi Sim,

In theory this is right. See my latest email.
As far as the empty token type drop down is concerned, this is a UI bug.
So using the REST API should work. 

Yes, login mode disable will not block API.
(Afaik)

Local admins can always log in, independent of the login mode.

Kind regards
Cornelius 



Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


-------- Original Message --------
From: simv...@gmail.com
Date: 09.05.2016 16:22 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] Add a second admin for use with a single realm

simv...@gmail.com

May 10, 2016, 3:36:31 AM5/10/16
to privacyidea, simv...@gmail.com
Hello

I've manually patched this: /privacyidea/lib/policy.py
(https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)

The "Tokens -> Enroll token -> Enroll a new token" now works correctly,

but "Config -> Policies -> EDIT/CREATE" show me: "Admin actions are defined, but the action policywrite is not allowed!"

I'm not sure if this is the same problem or not.

Thank you!

---
Sim

Cornelius Kölbel

May 10, 2016, 4:25:56 AM5/10/16
to priva...@googlegroups.com
Hi Sim,

the enrollment thing was a pure UI problem.

The error "Admin actions are defined, but the action policywrite is not
allowed!" is coming directly from the policy checking of the server.

I assume this is a side effect from the policy you are creating.
I further assume you are creating a policy with a realm set and it is
mistaking this realm for the administrator's realm.

Can you please provide the data of the policy, you are trying to set?

Thanks a lot
Cornelius
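To make the two diagnoses in this thread concrete (the admin's own realm being used where the user realm belongs, and the server-side "Admin actions are defined, but the action ... is not allowed!" denial), here is a small toy model of admin-scope policy matching. It is an added example and not privacyIDEA's policy.py; the names `Policy`, `AdminRequest`, `is_allowed` and the `confuse_realms` switch are assumptions made for illustration, and the two policies are constructed from the ones posted above with shortened action lists. It also includes the checks a practitioner would want before trusting a realm-scoped sub-admin: the sub-admin is denied in the other realm, and a request that carries no target realm fails closed rather than slipping past the realm restriction.

```python
"""Toy model of admin-scope policy matching, illustrating the bug discussed
in this thread (the admin's realm used where the *user* realm belongs).
Constructed example; not privacyIDEA code."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str
    actions: FrozenSet[str]
    realms: FrozenSet[str] = frozenset()     # user realms; empty = any realm
    resolvers: FrozenSet[str] = frozenset()  # user resolvers; empty = any
    admins: FrozenSet[str] = frozenset()     # admin names; empty = any admin


@dataclass(frozen=True)
class AdminRequest:
    admin: str
    action: str
    admin_realm: Optional[str] = None   # None: local admin from "pi-manage admin add"
    user_realm: Optional[str] = None    # realm of the user/token the request touches
    user_resolver: Optional[str] = None


def _restriction_ok(allowed: FrozenSet[str], value: Optional[str]) -> bool:
    """An empty restriction matches everything; a non-empty one requires the
    value to be present and listed, so a request without a realm fails closed."""
    return not allowed or (value is not None and value in allowed)


def is_allowed(policies: Iterable[Policy], req: AdminRequest,
               confuse_realms: bool = False) -> bool:
    """True if req is permitted by the admin-scope policies.

    confuse_realms=True compares the admin's realm (not the user realm) against
    the policy's realm restriction, reproducing the symptom from the thread: a
    local admin (realm None) never matches a policy that lists user realms, so
    even the 'superuser' policy denies policywrite.
    """
    admin_policies = [p for p in policies if p.scope == "admin"]
    if not admin_policies:
        # No admin policy at all: every administrator may do everything
        # ("Removing the two policies, admin and admin_b can do everything").
        return True
    realm_to_check = req.admin_realm if confuse_realms else req.user_realm
    for p in admin_policies:
        if req.action not in p.actions:
            continue
        if not _restriction_ok(p.admins, req.admin):
            continue
        if not _restriction_ok(p.realms, realm_to_check):
            continue
        if not _restriction_ok(p.resolvers, req.user_resolver):
            continue
        return True
    # "Admin actions are defined, but the action ... is not allowed!"
    return False


# Constructed policies mirroring the thread's two policies (actions shortened).
SUPERUSER = Policy("superuser", "admin",
                   frozenset({"policywrite", "policydelete", "enrollTOTP",
                              "adduser", "userlist", "configwrite"}),
                   realms=frozenset({"a", "b"}),
                   resolvers=frozenset({"a-mysql", "b-mysql"}),
                   admins=frozenset({"admin"}))
ADMIN_B = Policy("admin_b", "admin",
                 frozenset({"enrollTOTP", "adduser", "userlist", "delete"}),
                 realms=frozenset({"b"}),
                 resolvers=frozenset({"b-mysql"}),
                 admins=frozenset({"admin_b"}))
POLICIES = (SUPERUSER, ADMIN_B)


def demo() -> dict:
    """Outcomes a practitioner should verify before trusting a realm-scoped sub-admin."""
    full_admin_writes_policy = AdminRequest("admin", "policywrite",
                                            user_realm="a", user_resolver="a-mysql")
    sub_admin_in_own_realm = AdminRequest("admin_b", "adduser",
                                          user_realm="b", user_resolver="b-mysql")
    sub_admin_in_other_realm = AdminRequest("admin_b", "adduser",
                                            user_realm="a", user_resolver="a-mysql")
    sub_admin_no_realm = AdminRequest("admin_b", "adduser")  # target realm omitted
    return {
        "buggy_full_admin": is_allowed(POLICIES, full_admin_writes_policy, confuse_realms=True),
        "fixed_full_admin": is_allowed(POLICIES, full_admin_writes_policy),
        "sub_admin_own_realm": is_allowed(POLICIES, sub_admin_in_own_realm),
        "sub_admin_other_realm": is_allowed(POLICIES, sub_admin_in_other_realm),
        "sub_admin_no_realm": is_allowed(POLICIES, sub_admin_no_realm),
        "no_policies_at_all": is_allowed((), sub_admin_in_other_realm),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'allowed' if ok else 'denied'}")
```

The "no realm" case is the one to watch in any real deployment: a realm restriction on the sub-admin's policy only protects realm "a" if every request that touches a user or token is evaluated against the target realm, which is exactly what the report of admin_b creating users in realm "a" suggests was not happening.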

simv...@gmail.com

May 10, 2016, 5:28:06 AM5/10/16
to privacyidea
Hello Cornelius,
the policies are as in my first post:


Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite, enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync, unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser, enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP, enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable, enrollU2F, manage_machine_tokens, getrandom, userlist, getserial, radiusserver_write, system_documentation, caconnectordelete, caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial, disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b


Administrator "admin" can't edit/add/change anything.
For example I can't add a new "generic" policy or edit the first policy.

Thanks again

---
Sim

Cornelius Kölbel

May 10, 2016, 6:08:05 AM5/10/16
to priva...@googlegroups.com
Hi Sim,

sorry, I was not clear enough.

Yes, you configured these two policies.
But AFTER you configured and saved these policies, you obviously try to
write another policy and you get

"Admin actions are defined, but the action policywrite is not allowed!"

So which administrator tries to write which policy data?
I need the administrator and the data of the third policy.

Kind regards
Cornelius

simv...@gmail.com

May 10, 2016, 8:13:57 AM5/10/16
to privacyidea
Hello!
It's not simple to describe....
The admin used to update/add in this example is always the "first" (full admin).
For example editing superuser policy (the first) I receive that error.
Also creating a new policy (webui) with User-Realm and User-Resolver selected (example "realm = a, b" + "resolver = a-mysql, b-mysql") I receive the error.
Instead creating a new policy (webui) without User-Realm and User-Resolver I can add it.

Certainly there is some problem with policies and multiple admin/realm contexts.

Let me know if you need other details and excuse me if my description was not clear
Thank you!

---
Sim

Cornelius Kölbel

May 10, 2016, 9:33:04 AM5/10/16
to priva...@googlegroups.com
Hi Sim,

thanks. But I absolutely cannot reproduce this.
Can you please turn on debug log
http://privacyidea.readthedocs.io/en/latest/installation/system/logging.html
and reproduce this?

(Unfortunately this code does not have much log outputs there, but we
will try).
Then send me the debug log and I will try to understand, what is
happening.

Kind regards
Cornelius