[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Wed Oct 1 16:15:22 UTC 2014


Hello list,

Patch for: https://fedorahosted.org/freeipa/ticket/4419

Before I start any work on Web UI and tests I would like to gather 
feedback on:
- the new API
- member attributes with subtypes management approach
- ACI

I did not do any ACI work in the patch yet. I assume that we would like 
to add the attr into 'System: Read Host|Service' permission. But I 
think that write right should have its own permission.

Patch info:
Adds new API:
   ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
   ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
   ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
   ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR

   ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
   ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
   ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
   ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR

These methods add or remove user or group DNs in `ipaallowedtoperform` 
attr with `read_keys` and `write_keys` subtypes.

service|host-mod|show outputs these attrs only with the --all option as:

   Users allowed to retrieve keytab: user1
   Groups allowed to retrieve keytab: group1
   Users allowed to write keytab: user1
   Groups allowed to write keytab: group1

1) This patch implements subtypes support for member attributes. It's 
done to be relatively reusable but it's confined within the RFE 
boundaries. I.e. it does not contain support for standard attributes, 
nor is it integrated into LDAPAddMember or LDAPRemoveMember commands. 
It's rather done as separate opt-ins. One of the reasons was also not to 
disturb existing code at the end of the 4-1 milestone.

2) I tried to keep the command names or attr label short, but they are 
still long like a novel. Any shorter recommendations are welcome.

3) Adding of object class is implemented as a reusable method since this 
code is used in many places and most likely will also be used in new 
features. Older code may be refactored later.

Thanks
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 26467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141001/831e6fbc/attachment.bin>
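An added illustration (not code from Petr's patch or from FreeIPA itself) of the member-attribute-with-subtypes approach the mail describes: user and group DNs kept under `ipaallowedtoperform;read_keys` and `ipaallowedtoperform;write_keys`, with the add/remove operations the new commands perform, the four `--all` output lines, and a check of who is actually allowed to retrieve or write a keytab. The base suffix, DN layout and the in-memory entry representation are assumptions for the example.

```python
# Added example, not FreeIPA code: models the `attr;subtype` member
# attributes behind host-add-retrieve-keytab / host-add-write-keytab.
# Assumed suffix and the usual FreeIPA user/group containers.
SUFFIX = "dc=example,dc=com"
ATTR = "ipaallowedtoperform"
SUBTYPES = {"retrieve": "read_keys", "write": "write_keys"}

def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"

def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{SUFFIX}"

def _attr(op):
    # LDAP attribute option syntax: "ipaallowedtoperform;read_keys"
    return f"{ATTR};{SUBTYPES[op]}"

def add_keytab_perm(entry, op, users=(), groups=()):
    """Like host-add-{retrieve,write}-keytab: add DNs, skipping duplicates."""
    values = entry.setdefault(_attr(op), [])
    for dn in [user_dn(u) for u in users] + [group_dn(g) for g in groups]:
        if dn not in values:
            values.append(dn)
    return entry

def remove_keytab_perm(entry, op, users=(), groups=()):
    """Like host-remove-{retrieve,write}-keytab: drop the given DNs."""
    key = _attr(op)
    drop = {user_dn(u) for u in users} | {group_dn(g) for g in groups}
    entry[key] = [dn for dn in entry.get(key, []) if dn not in drop]
    return entry

def allowed(entry, op, uid, member_of=()):
    """Is `uid` permitted to do `op`, directly or via one of its groups?"""
    acl = set(entry.get(_attr(op), []))
    return user_dn(uid) in acl or any(group_dn(g) in acl for g in member_of)

def show_all(entry):
    """Render the four lines that host-show --all prints for these attrs."""
    lines = []
    for op in ("retrieve", "write"):
        values = entry.get(_attr(op), [])
        users = [dn.split(",")[0][4:] for dn in values if dn.startswith("uid=")]
        groups = [dn.split(",")[0][3:] for dn in values if dn.startswith("cn=")]
        lines.append(f"Users allowed to {op} keytab: {', '.join(users)}")
        lines.append(f"Groups allowed to {op} keytab: {', '.join(groups)}")
    return lines
```

Note that the two subtypes are independent: granting `read_keys` does not grant `write_keys`, which is why the check and the display are keyed on the subtype rather than on the bare attribute.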