[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command
Simo Sorce
ssorce at redhat.com
Fri Jun 27 15:16:52 UTC 2014
On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
> On 06/27/2014 05:10 PM, Simo Sorce wrote:
> > On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
> >> Host Administrators could not write to service keytab attribute and
> >> thus they could not run the host-disable command.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4284
> >>
> >
> > Any reason why Host Administrators are not members of the service
> > Administrators group/permission by default?
> >
> > Simo.
> >
>
> I assume that the original intent was to allow admins to separate these
> privileges. I.e. allow service administrators to manage services on hosts but do
> not allow them to delete or disable the hosts.

Sure, but I asked the opposite question. I understand you may want to
have Service Administrators that cannot manage the host object.
But is there ever a case where Host Administrator is not also Service
Administrator?

> This patch fixes the reported request for Foreman integration, if you have a
> better one fixing it as well, we can go a different way.

I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on a per-permission basis, that's all.

Simo.