[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

Petr Viktorin pviktori at redhat.com
Mon Jun 30 13:00:02 UTC 2014


On 06/30/2014 02:37 PM, Simo Sorce wrote:
> On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:
>> On 06/30/2014 10:58 AM, Martin Kosek wrote:
>>> On 06/30/2014 10:55 AM, Petr Viktorin wrote:
>>>> On 06/27/2014 05:18 PM, Martin Kosek wrote:
>>>>> On 06/27/2014 05:16 PM, Simo Sorce wrote:
>>>>>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>>>>>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>>>>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>>>>>>> Host Administrators could not write to service keytab attribute and
>>>>>>>>> thus they could not run the host-disable command.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>>>>>>
>>>>>>>>
>>>>>>>> Any reason why Host Administrators are not members of the service
>>>>>>>> Administrators group/permission by default ?
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> I assume that the original intent was to allow admins to separate these
>>>>>>> privileges. I.e. allow service administrators to manage services on hosts but do
>>>>>>> not allow them to delete or disable the hosts.
>>>>>>
>>>>>> Sure, but I asked the opposite question. I understand you may want to
>>>>>> have Service Administrators that cannot manage the host object.
>>>>>> But is there ever a case where Host Administrator is not also Service
>>>>>> Administrator ?
>>>>>>
>>>>>>> This patch fixes the reported request for Foreman integration; if you have a
>>>>>>> better one fixing it as well, we can go a different way.
>>>>>>
>>>>>> I was wondering if a group membership change wouldn't solve a class of
>>>>>> problems, instead of fixing this on a per-permission basis, that's all.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>
>>>>> Sure, good thinking. I do not think that the current framework can make one
>>>>> privilege a member of another one, so this would need to be hacked in. CCing
>>>>> Petr3 to get his view on this.
>>>>
>>>> Right, it would need to be hacked in.
>>>> At the directory level there's normal membership, so any
>>>> permission/privilege/role/group can be nested in any other, but IPA will
>>>> probably give incomplete/confusing output for such memberships, and it won't
>>>> let you edit them.
>>>
>>> Ok. In that case, it seems to me that the lesser evil would be to just add this
>>> missing permission (or defer the ticket if nacked).
>>>
>>> Martin
>>
>> I agree. ACK if Simo is OK with it as well.
>
> Sure, no issues here.
>
> Simo.
Pushed to master: 50c30c8401c21d43414404bd5caa157196449e4c


-- 
Petr³