[Freeipa-devel] Multitenancy in FreeIPA
Adam Young
ayoung at redhat.com
Fri Dec 16 09:32:49 UTC 2011
On 12/15/2011 07:09 PM, Dmitri Pal wrote:
> On 12/15/2011 12:24 PM, Adam Young wrote:
>> When updating IPA, schema changes need to be applied to each of the
>> tenant trees.
>> API
>> Each of the RPCs needs to allow an optional parameter tenant. Members
>> of the original domain with an appropriate Permission will be able to
>> perform operations inside the tenant specified.
> Why do you need this? The principal of the authenticated user will give you
> the tenant domain info.
>
"Members of the original domain with an appropriate Permission will be
able to perform operations inside the tenant specified."
This is the override. This allows a super user account that can clean
things up for the end users. Say the hosting domain is
fedorahosted.org, but someone in a tenant of FREEIPA has managed to
delete the admin account. dpal at FEDORAHOSTED.ORG can make a call with
"tenant": "freeipa.org" and add a new admin account.
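The override rule described in this message, as an added example that is not code from the thread or from FreeIPA: the tenant defaults to the realm of the authenticated principal, and an explicit `tenant` argument naming a different tenant is honoured only for a member of the hosting domain who holds the override permission. The permission name `Manage Tenants`, the function names and the returned `overridden` flag (for audit logging) are assumptions made for illustration.

```python
HOSTING_REALM = "FEDORAHOSTED.ORG"      # hosting domain used in the thread
OVERRIDE_PERMISSION = "Manage Tenants"  # hypothetical permission name


class TenantAccessDenied(Exception):
    """Raised when a caller names a tenant they may not operate in."""


def realm_of(principal):
    """Return the upper-cased realm part of a user@REALM principal."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("principal must look like user@REALM")
    return realm.upper()


def resolve_tenant(principal, permissions, tenant=None):
    """Decide which tenant an RPC runs in.

    Returns (tenant_realm, overridden). overridden is True only when a
    hosting-domain member crossed into another tenant, so the caller can
    write an audit record for every such operation.
    """
    home = realm_of(principal)
    if tenant is None:
        # No parameter: the authenticated principal determines the tenant.
        return home, False
    target = tenant.strip().upper()
    if not target:
        raise ValueError("tenant must not be empty")
    if target == home:
        return home, False
    # Crossing a tenant boundary: both conditions from the thread must hold.
    if home != HOSTING_REALM:
        raise TenantAccessDenied(f"{principal} is not in the hosting domain")
    if OVERRIDE_PERMISSION not in permissions:
        raise TenantAccessDenied(f"{principal} lacks '{OVERRIDE_PERMISSION}'")
    return target, True


if __name__ == "__main__":
    # Constructed call mirroring the scenario in the message.
    print(resolve_tenant("dpal@FEDORAHOSTED.ORG", {"Manage Tenants"}, "freeipa.org"))
```

The check runs on the server against the authenticated principal, so a tenant user who supplies another tenant's name is rejected regardless of the permissions they hold inside their own tenant.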