[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Martin Kosek mkosek at redhat.com
Thu Oct 16 18:28:27 UTC 2014


On 10/16/2014 07:03 PM, Petr Vobornik wrote:
> On 16.10.2014 11:53, Jan Cholasta wrote:
>> Dne 16.10.2014 v 11:24 Petr Vobornik napsal(a):
>>> On 16.10.2014 09:54, Jan Cholasta wrote:
>>>> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>>>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>>>> Hello list,
>>>>>>>
>>>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>>>
>>>>>>
>>>>>> New revisions of 761 and 763 with updated API and ACIs:
>
> Given:
>
>> Given the implementation, I see you can't remove it from
> snip
>> OK, you are obviously not responsible for this mess, so let's go with it.
> snip
>> ugly hacks though.)>
> snip
>>>> I'm not particularly happy about the '_subtype' option business, but at
>>>> least it's not invasive, so I guess it's OK.
>>>>
>>>> Note that I still think this API sucks and we should instead go with the
>>>> generic member-like attribute approach, or take our time to design it
>>>> properly so that it fits in the framework (no time in 4.1) instead of
>>>> making it a hacky Franken-API like it is now.
>>>>
>
> and a discussion with Honza
>
> I've attached alternative versions of this patch - based on 761-1 with API as
> follows:
>
>    ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>    ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>    ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>    ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>
>    ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>    ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>    ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
>    ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
>
> and updated ACIs
>
> Both approaches have their own drawbacks.

Given the discussion we had, I think I can live with this version too,
especially if it makes the API or the code less hacky than with the API
version I proposed.

So if Honza ACKs the code, I am fine with this API version.

Martin
