[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Jan Cholasta jcholast at redhat.com
Thu Oct 16 09:53:48 UTC 2014 

Dne 16.10.2014 v 11:24 Petr Vobornik napsal(a):
> On 16.10.2014 09:54, Jan Cholasta wrote:
>> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>> Hello list,
>>>>>
>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>
>>>>
>>>> New revisions of 761 and 763 with updated API and ACIs:
>>>>
>>>> ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups
>>>> STR
>>>>    ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR
>>>> --groups STR
>>>>    ipa host-allow-operation HOSTNAME create-keytab --users=STR
>>>> --groups STR
>>>>    ipa host-disallow-operation HOSTNAME create-keytab --users=STR
>>>> --groups STR
>>>>
>>>>    ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR
>>>> --groups STR
>>>>    ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR
>>>> --groups STR
>>>>    ipa service-allow-operation PRINCIPAL create-keytab --users=STR
>>>> --groups STR
>>>>    ipa service-disallow-operation PRINCIPAL create-keytab --users=STR
>>>> --groups STR
>>>>
>>>> ACIs are targeted to specific operations by including subtypes.
>>>>
>>>
>>> patch #761 rebased because of VERSION bump
>>
>> Since we are apparently not going to treat ipaAllowedToPerform as a
>> member attribute, you should remove reference to it from
>> attribute_members and relationships attributes of service and host.
>
> I still think of it a as member attribute, at least internally.

Given the implementation, I see you can't remove it from 
attribute_members, but it should be removed from relationships nonetheless.

>
>>
>> What's up with ipaallowedtoperform_subtypes_map? Why rename the
>> operations?
>
> It's not renaming. It's a change of internal raw LDAP value into
> self-describing name consistent with terminology of ipa-getkeytab

OK, you are obviously not responsible for this mess, so let's go with it.

>
>>
>> You probably don't want to hardcode 'ipaallowedtoperform_read_keys' in
>> rename_ipaallowedtoperform_to_ldap().
>
> Fixed, but it doesn't make much difference given that the method has
> only one purpose.

Sorry, I missed the comment at the beginning of service_allow_operation, 
it indeed does not make any difference. (I can't say I'm a fan of such 
ugly hacks though.)

>
>>
>> Why do you override get_args() in service_{,dis}allow_operation instead
>> of overriding takes_args?
>
> Fixed
>
>>
>> I'm not particularly happy about the '_subtype' option bussiness, but at
>> least it's not invasive, so I guess it's OK.
>>
>> Note that I still think this API sucks and we should instead go with the
>> generic member-like attribute approach, or take our time to design it
>> properly so that it fits in the framework (no time in 4.1) instead of
>> making it a hacky Franken-API like it is now.
>>


-- 
Jan Cholasta

More information about the Freeipa-devel mailing list