[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Martin Kosek mkosek at redhat.com
Fri Oct 3 14:24:10 UTC 2014 

NACK. I will not comment on mechanics, if you get an ACK from Honza, it is good 
enough. I just do not like the API. It is hard to guess what 
"host-add-retrieve-keytab" means. That word does not even make much sense.

Can we use something more readable? For example:

ipa host-add-allowed-operation HOSTNAME --operation read_keys --users=STR 
--groups STR
ipa host-add-allowed-operation HOSTNAME --operation write_keys --users=STR 
--groups STR

and

ipa host-remove-allowed-operation HOSTNAME --operation read_keys --users=STR 
--groups STR
ipa host-remove-allowed-operation HOSTNAME --operation write_keys --users=STR 
--groups STR

Same with services. At least to me, it looks more readable.

Thanks,
Martin

On 10/03/2014 04:08 PM, Petr Vobornik wrote:
> New revision according to Honza's recommendations. Comments inline.
>
> On 1.10.2014 18:15, Petr Vobornik wrote:
>> Hello list,
>>
>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>
>> Before I start any work on Web UI and tests I would like to gather
>> feedback on:
>> - the new API
>> - member attributes with subtypes management approach
>> - ACI
>>
>> I did not do any ACI work in the patch yet. I assume that we would like
>> to add the attr into  'System: Read Host|Service' permission. But I
>> think that write right should have it's own permission.
>
> I have added 2 new permissions. Simo, are they OK?
>
> for services:
> 'System: Manage Service Keytab Permissions': {
>      'ipapermright': {'read', 'search', 'compare', 'write'},
>      'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>      'default_privileges': {'Service Administrators', 'Host Administrators'},
> },
>
> for hosts:
> 'System: Manage Host Keytab Permissions': {
>      'ipapermright': {'read', 'search', 'compare', 'write'},
>      'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
>      'default_privileges': {'Host Administrators'},
> },
>
> I'm not sure about the write right for 'objectclass' but it's required in order
> to add 'ipaallowedoperations' oc.
>
>>
>> Patch info:
>> Adds new API:
>>    ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
>>    ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
>>    ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
>>    ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
>>
>>    ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>>    ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
>>    ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>>    ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR
>
> *-write-keytab commands were changed to *-create-keytab to be consistent with
> descriptions
>
>>
>> these methods add or remove user or group DNs in `ipaallowedtoperform`
>> attr with `read_keys` and `write_keys` subtypes.
>>
>> service|host-mod|show outputs these attrs only with --all option as:
>
> --all is no longer required
>
>>
>>    Users allowed to retrieve keytab: user1
>>    Groups allowed to retrieve keytab: group1
>>    Users allowed to write keytab: user1
>>    Groups allowed to write keytab: group1
>>
>> 1) This patch implements subtypes support for attributes members. It's
>> done to be relatively reusable but it's confined within the RFE
>> boundaries. I.e. it does not contain support for standard attributes or
>> is not integrated into LDAPAddMember or LDAPRemoveMember commands. It's
>> rather as separate opt-ins. One of the reasons was also not to disturb
>> existing code at the end of 4-1
>> milestone.
>
> Was replaced by more specific methods more local to a service and a host plugins.
>
>>
>> 3) Adding of object class is implemented as a reusable method since this
>> code is used on many places and most likely will be also used in new
>> features. Older code may be refactored later.
>>
>> Thanks
>
> RPC tests added in patch #763.
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

More information about the Freeipa-devel mailing list