[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

Martin Kosek mkosek at redhat.com
Fri Jun 27 15:18:53 UTC 2014


On 06/27/2014 05:16 PM, Simo Sorce wrote:
> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>> Host Administrators could not write to service keytab attribute and
>>>> thus they could not run the host-disable command.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>
>>>
>>> Any reason why Host Administrators are not members of the service
>>> Administrators group/permission by default ?
>>>
>>> Simo.
>>>
>>
>> I assume that the original intent was to allow admins to separate these
>> privileges. I.e. allow service administrators to manage services on hosts but do
>> not allow them to delete or disable the hosts.
> 
> Sure, but I asked the opposite question. I understand you may want to
> have Service Administrators that cannot manage the host object.
> But is there ever a case where Host Administrator is not also Service
> Administrator ?
> 
>> This patch fixes the reported request for Foreman integration, if you have a
>> better one fixing it as well, we can go a different way.
> 
> I was wondering if a group membership change wouldn't solve a class of
> problems, instead of fixing this on a per-permission basis, that's all.
> 
> Simo.
> 

Sure, good thinking. I do not think that the current framework can make one
privilege a member of another one, so this would need to be hacked in. CCing
Petr3 to get his view on this.

Martin
