[Freeipa-devel] [PATCH] 761 keytab manipulation permission management
Martin Kosek
mkosek at redhat.com
Fri Oct 3 14:24:10 UTC 2014
NACK. I will not comment on mechanics, if you get an ACK from Honza, it is good
enough. I just do not like the API. It is hard to guess what
"host-add-retrieve-keytab" means. That word does not even make much sense.
Can we use something more readable? For example:
ipa host-add-allowed-operation HOSTNAME --operation read_keys --users=STR
--groups STR
ipa host-add-allowed-operation HOSTNAME --operation write_keys --users=STR
--groups STR
and
ipa host-remove-allowed-operation HOSTNAME --operation read_keys --users=STR
--groups STR
ipa host-remove-allowed-operation HOSTNAME --operation write_keys --users=STR
--groups STR
Same with services. At least to me, it looks more readable.
Thanks,
Martin
On 10/03/2014 04:08 PM, Petr Vobornik wrote:
> New revision according to Honza's recommendations. Comments inline.
>
> On 1.10.2014 18:15, Petr Vobornik wrote:
>> Hello list,
>>
>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>
>> Before I start any work on Web UI and tests I would like to gather
>> feedback on:
>> - the new API
>> - member attributes with subtypes management approach
>> - ACI
>>
>> I did not do any ACI work in the patch yet. I assume that we would like
>> to add the attr into 'System: Read Host|Service' permission. But I
>> think that write right should have its own permission.
>
> I have added 2 new permissions. Simo, are they OK?
>
> for services:
> 'System: Manage Service Keytab Permissions': {
> 'ipapermright': {'read', 'search', 'compare', 'write'},
> 'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
> 'default_privileges': {'Service Administrators', 'Host Administrators'},
> },
>
> for hosts:
> 'System: Manage Host Keytab Permissions': {
> 'ipapermright': {'read', 'search', 'compare', 'write'},
> 'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
> 'default_privileges': {'Host Administrators'},
> },
>
> I'm not sure about the write right for 'objectclass' but it's required in order
> to add 'ipaallowedoperations' oc.
>
>>
>> Patch info:
>> Adds new API:
>> ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
>> ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
>> ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
>> ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
>>
>> ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>> ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
>> ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>> ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR
>
> *-write-keytab commands were changed to *-create-keytab to be consistent with
> descriptions
>
>>
>> these methods add or remove user or group DNs in `ipaallowedtoperform`
>> attr with `read_keys` and `write_keys` subtypes.
>>
>> service|host-mod|show outputs these attrs only with --all option as:
>
> --all is no longer required
>
>>
>> Users allowed to retrieve keytab: user1
>> Groups allowed to retrieve keytab: group1
>> Users allowed to write keytab: user1
>> Groups allowed to write keytab: group1
>>
>> 1) This patch implements subtype support for attribute members. It's
>> done to be relatively reusable but it's confined within the RFE
>> boundaries, i.e. it does not contain support for standard attributes and
>> is not integrated into LDAPAddMember or LDAPRemoveMember commands. It's
>> rather a separate opt-in. One of the reasons was also not to disturb
>> existing code at the end of the 4-1 milestone.
>
> Was replaced by more specific methods, more local to the service and host plugins.
>
>>
>> 3) Adding of object class is implemented as a reusable method since this
>> code is used in many places and most likely will also be used in new
>> features. Older code may be refactored later.
>>
>> Thanks
>
> RPC tests added in patch #763.
>
>
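The storage model Petr describes above (user and group DNs kept in `ipaallowedtoperform;read_keys` / `ipaallowedtoperform;write_keys`, with the `ipaallowedoperations` objectclass added on first use, and rendered as the "allowed to ... keytab" lines of host-show), as an added Python illustration that is not FreeIPA's own code; the DN containers and the retrieve/create wording are assumptions.

```python
# Added example (not FreeIPA's own code): models the patch's storage of keytab
# permissions as member DNs in ipaallowedtoperform;<subtype> and the host-show
# output lines. DN containers are assumed for illustration.
ATTR = "ipaallowedtoperform"
OBJECTCLASS = "ipaallowedoperations"
SUBTYPES = {"read_keys": "retrieve", "write_keys": "create"}  # subtype -> verb
USER_CONTAINER = "cn=users,cn=accounts,dc=example,dc=com"    # assumed
GROUP_CONTAINER = "cn=groups,cn=accounts,dc=example,dc=com"  # assumed

def _dns(users, groups):
    return ([f"uid={u},{USER_CONTAINER}" for u in users]
            + [f"cn={g},{GROUP_CONTAINER}" for g in groups])

def add_allowed(entry, subtype, users=(), groups=()):
    """Add user/group DNs to ipaallowedtoperform;<subtype>, adding the
    ipaallowedoperations objectclass the first time (as the patch must)."""
    if subtype not in SUBTYPES:
        raise ValueError(f"unknown subtype {subtype!r}")
    values = entry.setdefault(f"{ATTR};{subtype}", [])
    for dn in _dns(users, groups):
        if dn.lower() not in (v.lower() for v in values):  # DNs compare case-insensitively
            values.append(dn)
    ocs = entry.setdefault("objectclass", [])
    if OBJECTCLASS not in (oc.lower() for oc in ocs):
        ocs.append(OBJECTCLASS)
    return entry

def remove_allowed(entry, subtype, users=(), groups=()):
    """Remove DNs from the subtype; drop the attribute when it becomes empty."""
    key = f"{ATTR};{subtype}"
    drop = {dn.lower() for dn in _dns(users, groups)}
    entry[key] = [v for v in entry.get(key, []) if v.lower() not in drop]
    if not entry[key]:
        del entry[key]
    return entry

def show_allowed(entry):
    """Render the 'allowed to retrieve/create keytab' lines of host-show."""
    lines = []
    for subtype, verb in SUBTYPES.items():
        values = entry.get(f"{ATTR};{subtype}", [])
        users = [v.split(",", 1)[0][4:] for v in values if v.startswith("uid=")]
        groups = [v.split(",", 1)[0][3:] for v in values if v.startswith("cn=")]
        if users:
            lines.append(f"Users allowed to {verb} keytab: {', '.join(users)}")
        if groups:
            lines.append(f"Groups allowed to {verb} keytab: {', '.join(groups)}")
    return lines
```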