[Freeipa-devel] [PATCH] 761 keytab manipulation permission management
Petr Vobornik
pvoborni at redhat.com
Wed Oct 1 16:15:22 UTC 2014
Hello list,
Patch for: https://fedorahosted.org/freeipa/ticket/4419
Before I start any work on Web UI and tests I would like to gather
feedback on:
- the new API
- member attributes with subtypes management approach
- ACI
I did not do any ACI work in the patch yet. I assume that we would like
to add the attr into the 'System: Read Host|Service' permission. But I
think that the write right should have its own permission.
Patch info:
Adds new API:
ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR
These methods add or remove user or group DNs in the `ipaallowedtoperform`
attr with the `read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with the --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to write keytab: user1
Groups allowed to write keytab: group1
1) This patch implements subtype support for member attributes. It's
done to be relatively reusable but it's confined within the RFE
boundaries. I.e. it does not contain support for standard attributes,
nor is it integrated into the LDAPAddMember or LDAPRemoveMember commands. It's
rather done as separate opt-ins. One of the reasons was also not to disturb
existing code at the end of the 4-1 milestone.
2) I tried to keep the command names or attr label short, but they are
still long like a novel. Any shorter recommendations are welcome.
3) Adding of an object class is implemented as a reusable method since this
code is used in many places and will most likely also be used in new
features. Older code may be refactored later.
Thanks
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 26467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141001/831e6fbc/attachment.bin>
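The following is an added illustrative model, not code from the attached patch or from FreeIPA itself: it shows how a member attribute with LDAP subtypes (RFC 4512 attribute options, here `ipaallowedtoperform;read_keys` and `ipaallowedtoperform;write_keys`) can be managed the way the new add/remove commands above describe, how the object class is ensured before the attribute is written, and how an entry's list is split into the "Users allowed to ..." / "Groups allowed to ..." lines shown by `--all`. Everything outside the attribute and subtype names is an assumption made for the example: the entry is a plain dict of attribute name to value list, DNs follow a FreeIPA-like `uid=...,cn=users,cn=accounts,SUFFIX` / `cn=...,cn=groups,cn=accounts,SUFFIX` layout under a constructed suffix, and the carrying object class is called `ipaallowedoperations`. The real access decision for keytab retrieval is enforced by the server, so `is_allowed` only models the membership check a reviewer would expect, not the server-side enforcement.

```python
"""Model of a member attribute with LDAP subtypes (added example, not the
patch's code). Attribute and subtype names come from the message; the entry
layout, DN layout and object class name are assumptions for illustration."""
from typing import Dict, Iterable, List, Tuple

SUFFIX = "dc=example,dc=test"           # constructed sample suffix
MEMBER_ATTR = "ipaallowedtoperform"     # from the message
SUBTYPES = {"retrieve": "read_keys", "write": "write_keys"}  # from the message
OBJECTCLASS = "ipaallowedoperations"    # assumed object class name

Entry = Dict[str, List[str]]


def split_attr(desc: str) -> Tuple[str, List[str]]:
    """Split an RFC 4512 attribute description into its type and options,
    e.g. 'ipaallowedtoperform;read_keys' -> ('ipaallowedtoperform', ['read_keys'])."""
    parts = desc.split(";")
    return parts[0].lower(), [p.lower() for p in parts[1:] if p]


def subtyped(attr: str, subtype: str) -> str:
    """Build the subtyped attribute description used as the dict key."""
    return f"{attr};{subtype}"


def user_dn(uid: str) -> str:           # assumed DN layout
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


def group_dn(cn: str) -> str:           # assumed DN layout
    return f"cn={cn},cn=groups,cn=accounts,{SUFFIX}"


def _norm(dn: str) -> str:
    """Case-insensitive DN comparison key; whitespace around RDNs ignored."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def ensure_objectclass(entry: Entry, oc: str) -> bool:
    """Add the object class if missing. Returns True when the entry changed."""
    present = [c.lower() for c in entry.setdefault("objectclass", [])]
    if oc.lower() in present:
        return False
    entry["objectclass"].append(oc)
    return True


def add_members(entry: Entry, action: str, dns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Model of *-add-{retrieve,write}-keytab: append DNs to the subtyped
    attribute, skipping values already present. Returns (added, duplicates)."""
    attr = subtyped(MEMBER_ATTR, SUBTYPES[action])
    ensure_objectclass(entry, OBJECTCLASS)
    values = entry.setdefault(attr, [])
    existing = {_norm(v) for v in values}
    added, duplicates = [], []
    for dn in dns:
        if _norm(dn) in existing:
            duplicates.append(dn)
        else:
            values.append(dn)
            existing.add(_norm(dn))
            added.append(dn)
    return added, duplicates


def remove_members(entry: Entry, action: str, dns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Model of *-remove-{retrieve,write}-keytab. Returns (removed, not_found);
    the attribute is dropped from the entry when its last value goes."""
    attr = subtyped(MEMBER_ATTR, SUBTYPES[action])
    wanted = {_norm(d) for d in dns}
    kept, removed = [], []
    for v in entry.get(attr, []):
        (removed if _norm(v) in wanted else kept).append(v)
    removed_keys = {_norm(r) for r in removed}
    not_found = [d for d in dns if _norm(d) not in removed_keys]
    if kept:
        entry[attr] = kept
    else:
        entry.pop(attr, None)
    return removed, not_found


def is_allowed(entry: Entry, action: str, principal_dn: str, member_of: Iterable[str]) -> bool:
    """True when the principal's own DN or one of its group DNs is listed
    under the subtype for this action (retrieve -> read_keys, write -> write_keys)."""
    attr = subtyped(MEMBER_ATTR, SUBTYPES[action])
    allowed = {_norm(v) for v in entry.get(attr, [])}
    candidates = {_norm(principal_dn)} | {_norm(g) for g in member_of}
    return bool(allowed & candidates)


def render(entry: Entry, action: str) -> Dict[str, List[str]]:
    """Split the subtyped list into user and group names, as the
    'Users allowed to ...' / 'Groups allowed to ...' output lines show them."""
    users, groups = [], []
    for dn in entry.get(subtyped(MEMBER_ATTR, SUBTYPES[action]), []):
        rdn, _, rest = dn.partition(",")
        name = rdn.split("=", 1)[1]
        if rest.lower().startswith("cn=users,"):
            users.append(name)
        elif rest.lower().startswith("cn=groups,"):
            groups.append(name)
    return {"users": users, "groups": groups}


if __name__ == "__main__":
    host = {"objectclass": ["ipahost"]}          # constructed sample entry
    add_members(host, "retrieve", [user_dn("user1"), group_dn("group1")])
    print(render(host, "retrieve"))              # users: user1, groups: group1
    print(is_allowed(host, "write", user_dn("user1"), []))  # no write right granted
```

Keeping `read_keys` and `write_keys` as separate subtyped attributes is what lets a read permission be granted without a write permission, which is the distinction the message argues should also be reflected in separate ACI permissions.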