[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

Petr Viktorin pviktori at redhat.com
Mon Jun 30 10:19:41 UTC 2014


On 06/30/2014 10:58 AM, Martin Kosek wrote:
> On 06/30/2014 10:55 AM, Petr Viktorin wrote:
>> On 06/27/2014 05:18 PM, Martin Kosek wrote:
>>> On 06/27/2014 05:16 PM, Simo Sorce wrote:
>>>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>>>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>>>>> Host Administrators could not write to service keytab attribute and
>>>>>>> thus they could not run the host-disable command.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>>>>
>>>>>>
>>>>>> Any reason why Host Administrators are not members of the service
>>>>>> Administrators group/permission by default?
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> I assume that the original intent was to allow admins to separate these
>>>>> privileges. I.e. allow service administrators to manage services on hosts but do
>>>>> not allow them to delete or disable the hosts.
>>>>
>>>> Sure, but I asked the opposite question. I understand you may want to
>>>> have Service Administrators that cannot manage the host object.
>>>> But is there ever a case where Host Administrator is not also Service
>>>> Administrator ?
>>>>
>>>>> This patch fixes the reported request for Foreman integration, if you have a
>>>>> better one fixing it as well, we can go a different way.
>>>>
>>>> I was wondering if a group membership change wouldn't solve a class of
>>>> problems, instead of fixing this on a per-permission basis, that's all.
>>>>
>>>> Simo.
>>>>
>>>
>>> Sure, good thinking. I do not think that the current framework can make one
>>> privilege a member of another one, so this would need to be hacked in. CCing
>>> Petr3 to get his view on this.
>>
>> Right, it would need to be hacked in.
>> At the directory level there's normal membership, so any
>> permission/privilege/role/group can be nested in any other, but IPA will
>> probably give incomplete/confusing output for such memberships, and it won't
>> let you edit them.
>
> Ok. In that case, it seems to me that the lesser evil would be to just add this
> missing permission (or defer the ticket if nacked).
>
> Martin

I agree. ACK if Simo is OK with it as well.

-- 
Petr³
