[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Thu Oct 16 17:03:04 UTC 2014


On 16.10.2014 11:53, Jan Cholasta wrote:
> On 16.10.2014 11:24, Petr Vobornik wrote:
>> On 16.10.2014 09:54, Jan Cholasta wrote:
>>> On 13.10.2014 12:42, Petr Vobornik wrote:
>>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>>> Hello list,
>>>>>>
>>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>>
>>>>>
>>>>> New revisions of 761 and 763 with updated API and ACIs:

Given:

> Given the implementation, I see you can't remove it from
snip
> OK, you are obviously not responsible for this mess, so let's go with it.
snip
> ugly hacks though.)>
snip
>>> I'm not particularly happy about the '_subtype' option business, but at
>>> least it's not invasive, so I guess it's OK.
>>>
>>> Note that I still think this API sucks and we should instead go with the
>>> generic member-like attribute approach, or take our time to design it
>>> properly so that it fits in the framework (no time in 4.1) instead of
>>> making it a hacky Franken-API like it is now.
>>>

and a discussion with Honza

I've attached alternative versions of this patch - based on 761-1 with 
API as follows:

   ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
   ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
   ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
   ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR

   ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
   ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
   ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
   ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR

and updated ACIs

Both approaches have their own drawbacks.
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-6-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 32862 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141016/25aff3ec/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0763-2-tests-management-of-keytab-permissions.patch
Type: text/x-patch
Size: 30495 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141016/25aff3ec/attachment-0001.bin>

