[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Thu Oct 16 09:24:39 UTC 2014 

On 16.10.2014 09:54, Jan Cholasta wrote:
> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>> Hello list,
>>>>
>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>
>>>
>>> New revisions of 761 and 763 with updated API and ACIs:
>>>
>>> ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups
>>> STR
>>>    ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR
>>> --groups STR
>>>    ipa host-allow-operation HOSTNAME create-keytab --users=STR
>>> --groups STR
>>>    ipa host-disallow-operation HOSTNAME create-keytab --users=STR
>>> --groups STR
>>>
>>>    ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR
>>> --groups STR
>>>    ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR
>>> --groups STR
>>>    ipa service-allow-operation PRINCIPAL create-keytab --users=STR
>>> --groups STR
>>>    ipa service-disallow-operation PRINCIPAL create-keytab --users=STR
>>> --groups STR
>>>
>>> ACIs are targeted to specific operations by including subtypes.
>>>
>>
>> patch #761 rebased because of VERSION bump
>
> Since we are apparently not going to treat ipaAllowedToPerform as a
> member attribute, you should remove reference to it from
> attribute_members and relationships attributes of service and host.

I still think of it a as member attribute, at least internally.

>
> What's up with ipaallowedtoperform_subtypes_map? Why rename the operations?

It's not renaming. It's a change of internal raw LDAP value into 
self-describing name consistent with terminology of ipa-getkeytab

>
> You probably don't want to hardcode 'ipaallowedtoperform_read_keys' in
> rename_ipaallowedtoperform_to_ldap().

Fixed, but it doesn't make much difference given that the method has 
only one purpose.

>
> Why do you override get_args() in service_{,dis}allow_operation instead
> of overriding takes_args?

Fixed

>
> I'm not particularly happy about the '_subtype' option bussiness, but at
> least it's not invasive, so I guess it's OK.
>
> Note that I still think this API sucks and we should instead go with the
> generic member-like attribute approach, or take our time to design it
> properly so that it fits in the framework (no time in 4.1) instead of
> making it a hacky Franken-API like it is now.
>
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-4-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 27146 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141016/76a38816/attachment.bin>

More information about the Freeipa-devel mailing list