[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

Petr Viktorin pviktori at redhat.com
Mon Jun 30 08:55:53 UTC 2014


On 06/27/2014 05:18 PM, Martin Kosek wrote:
> On 06/27/2014 05:16 PM, Simo Sorce wrote:
>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>>> Host Administrators could not write to service keytab attribute and
>>>>> thus they could not run the host-disable command.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>>
>>>>
>>>> Any reason why Host Administrators are not members of the service
>>>> Administrators group/permission by default ?
>>>>
>>>> Simo.
>>>>
>>>
>>> I assume that the original intent was to allow admins to separate these
>>> privileges. I.e. allow service administrators to manage services on hosts but do
>>> not allow them to delete or disable the hosts.
>>
>> Sure, but I asked the opposite question. I understand you may want to
>> have Service Administrators that cannot manage the host object.
>> But is there ever a case where Host Administrator is not also Service
>> Administrator ?
>>
>>> This patch fixes the reported request for Foreman integration; if you have a
>>> better one fixing it as well, we can go a different way.
>>
>> I was wondering if a group membership change wouldn't solve a class of
>> problems, instead of fixing this on per permission basis, that's all.
>>
>> Simo.
>>
>
> Sure, good thinking. I do not think that the current framework can make one
> privilege a member of another one, so this would need to be hacked in. CCing
> Petr3 to get his view on this.

Right, it would need to be hacked in.
At the directory level there's normal membership, so any 
permission/privilege/role/group can be nested in any other, but IPA will 
probably give incomplete/confusing output for such memberships, and it 
won't let you edit them.

-- 
Petr³
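To make the two options in this thread concrete, the following is an added example (not FreeIPA code, not part of the original mail). It models the directory-level membership chain that IPA's ACIs are evaluated against (a permission entry lists privileges as members, a privilege lists roles, a role lists users, and 389-ds resolves that nesting transitively), then compares the per-permission fix of the patch (grant "Host Administrators" one more permission) with Simo's suggestion (nest the "Host Administrators" privilege inside "Service Administrators", which per Petr's note has to be done with plain LDAP membership rather than through the IPA framework). The suffix, the user, the role name and the permission names are constructed assumptions for illustration; the ordering and names of real default permissions may differ.

```python
"""Nested privilege membership at the directory level, as an added
example (not FreeIPA code). It models the 389-ds membership chain that
FreeIPA's ACIs rely on (permission -member-> privilege -member-> role
-member-> user) and compares the two fixes discussed in the thread.
Entries, the suffix, the role name and the permission names are
constructed assumptions, not a dump of a real server.
"""

SUFFIX = "dc=example,dc=test"  # assumption


def perm(name):
    return f"cn={name},cn=permissions,cn=pbac,{SUFFIX}"


def priv(name):
    return f"cn={name},cn=privileges,cn=pbac,{SUFFIX}"


def role(name):
    return f"cn={name},cn=roles,cn=accounts,{SUFFIX}"


def user(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


ALICE = user("alice")  # constructed user


def sample_directory():
    """Constructed snapshot: group DN -> set of 'member' values."""
    return {
        perm("Add Hosts"): {priv("Host Administrators")},
        perm("Remove Hosts"): {priv("Host Administrators")},
        perm("Add Services"): {priv("Service Administrators")},
        perm("Remove Services"): {priv("Service Administrators")},
        perm("Manage Service Keytab"): {priv("Service Administrators")},  # assumed name
        priv("Host Administrators"): {role("Host Enrollment Operator")},  # assumed role
        priv("Service Administrators"): set(),
        role("Host Enrollment Operator"): {ALICE},
    }


def member_of(directory, dn, max_depth=20):
    """Transitive memberOf closure for dn: the relation the server
    evaluates when an ACI says groupdn="ldap:///<permission DN>".
    Depth-bounded, since hand-made nesting can introduce cycles."""
    parents = {}
    for group, members in directory.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    seen, frontier = set(), {dn}
    for _ in range(max_depth):
        nxt = {p for m in frontier for p in parents.get(m, ()) if p not in seen}
        if not nxt:
            break
        seen |= nxt
        frontier = nxt
    return seen


def effective_permissions(directory, dn):
    """Permission entries dn is (transitively) a member of."""
    return {g for g in member_of(directory, dn) if ",cn=permissions,cn=pbac," in g}


def can_write_service_keytab(directory, dn):
    """The access host-disable needs according to the ticket."""
    return perm("Manage Service Keytab") in member_of(directory, dn)


def grant_permission(directory, privilege, permission):
    """Per-permission fix: the effect of `ipa privilege-add-permission`."""
    directory[perm(permission)].add(priv(privilege))


def nest_privilege(directory, outer, inner):
    """Membership fix: make privilege `inner` a member of privilege `outer`.
    IPA's framework does not manage this, so also return the LDIF one
    would feed to ldapmodify against the directory directly."""
    directory[priv(outer)].add(priv(inner))
    return (f"dn: {priv(outer)}\n"
            "changetype: modify\n"
            "add: member\n"
            f"member: {priv(inner)}\n")


if __name__ == "__main__":
    d = sample_directory()
    print("before:", sorted(effective_permissions(d, ALICE)))
    nest_privilege(d, "Service Administrators", "Host Administrators")
    print("after nesting:", sorted(effective_permissions(d, ALICE)))
```

Running it shows alice going from the two host permissions to all five once "Host Administrators" is nested inside "Service Administrators", whereas the per-permission route adds exactly the one permission the ticket needs. That is the trade-off in the thread: nesting fixes the whole class at once but hands Host Administrators every Service Administrator right, present and future, and IPA's own tooling will not show or edit that membership.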