Bug 58517 - add further improvements to UDM ABAC authorization
Summary: add further improvements to UDM ABAC authorization
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.2
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.2-2-errata
Assignee: Florian Best
QA Contact: Felix Botner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-08-11 18:15 CEST by Florian Best
Modified: 2025-08-20 15:28 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Florian Best univentionstaff 2025-08-11 18:15:41 CEST
Further enhancements for the authorization feature in UDM should be published.

A summary of the changes will be given when they are merged to the main branch.
Comment 1 Florian Best univentionstaff 2025-08-13 16:00:07 CEST
Basically the following changes:
* Actor roles aren't cached anymore, as a restart was required when changing the roles of actors. This irritated the customer.
* Stricter config parsing can be done with --strict: for UDM modules or properties which don't exist, it will add an error. In unstrict mode it will show a warning. We can't yet change to unstrict by default because extended attributes are not loaded.
* Rules for the linux-client-manager role to read/partially write DNS, DHCP and network settings have been added.
* Cleanup of policy configuration: some non-existing property names in groups/group were removed.
* The internal UCR variable name 'directory/manager/type-checking/strict' had a typo: mananger → manager.


univention-python.yaml
2f67fec54133 | fix(udm): fix typo in UCR variable name

univention-python (15.2.2)
79435c14544b | feat(python): add more functionality for univention.dn
2f67fec54133 | fix(udm): fix typo in UCR variable name

univention-directory-reports.yaml
c674c964d73c | feat(udm-reports): add authorization checks for UDM reports

univention-directory-reports (14.2.0)
c674c964d73c | feat(udm-reports): add authorization checks for UDM reports

univention-directory-manager-modules.yaml
2f67fec54133 | fix(udm): fix typo in UCR variable name

univention-directory-manager-modules (17.2.12)
0c61f3b35214 | style(udm-authorization): normalize default config and add descriptions
287ddf55a670 | feat(udm-authorization): de-duplicate permissions for multiple modules which can be part of a single bundle
c7319c2a7870 | fix(udm-authorization): do not cache actor roles
b3502d03fe9e | fix(udm-authorization): remove properties which do not exists
1354b2e468db | feat(udm-authorization): add option for strict config parsing
b626db04b857 | feat(udm): extend linux-client-manager role by network permissions
2f67fec54133 | fix(udm): fix typo in UCR variable name
c674c964d73c | feat(udm-reports): add authorization checks for UDM reports
ee6e35011a34 | style(udm): format code in unified way
0c86b4c673ff | style: add format-skip markers

univention-directory-manager-modules (10.0.29-27)
r58517 | Bug #37740: display error information in specific circumstances

ucs-test (12.2.41)
9afe64e397e4 | test(ucs-test): add directory reports tests

ucs-test (12.2.40)
4165a3b3887d | test(udm-reports): add directory reports tests
Comment 2 Felix Botner univentionstaff 2025-08-13 17:03:29 CEST
OK - changes
OK - tests
OK - yaml
OK - update/installation