[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Jan Cholasta jcholast at redhat.com
Fri Oct 17 09:06:48 UTC 2014


Dne 16.10.2014 v 20:28 Martin Kosek napsal(a):
> On 10/16/2014 07:03 PM, Petr Vobornik wrote:
>> On 16.10.2014 11:53, Jan Cholasta wrote:
>>> Dne 16.10.2014 v 11:24 Petr Vobornik napsal(a):
>>>> On 16.10.2014 09:54, Jan Cholasta wrote:
>>>>> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>>>>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>>>>> Hello list,
>>>>>>>>
>>>>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>>>>
>>>>>>>
>>>>>>> New revisions of 761 and 763 with updated API and ACIs:
>>
>> Given:
>>
>>> Given the implementation, I see you can't remove it from
>> snip
>>> OK, you are obviously not responsible for this mess, so let's go with
>>> it.
>> snip
>>> ugly hacks though.)
>> snip
>>>>> I'm not particularly happy about the '_subtype' option business,
>>>>> but at
>>>>> least it's not invasive, so I guess it's OK.
>>>>>
>>>>> Note that I still think this API sucks and we should instead go
>>>>> with the
>>>>> generic member-like attribute approach, or take our time to design it
>>>>> properly so that it fits in the framework (no time in 4.1) instead of
>>>>> making it a hacky Franken-API like it is now.
>>>>>
>>
>> and a discussion with Honza
>>
>> I've attached alternative versions of this patch - based on 761-1 with
>> API as
>> follows:
>>
>>    ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>    ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>    ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>>    ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>>
>>    ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>>    ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>>    ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
>>    ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
>>
>> and updated ACIs
>>
>> Both approaches have their own drawbacks.
>
> Given the discussion we had, I think I can live with this version too,
> especially if it makes the API or the code less hacky than with the
> API version I proposed.
>
> So if Honza ACKs the code, I am fine with this API version.

Patch 761:

ACK on the approach.

The commands do not show failed members in CLI, to fix this, add:

     Str('ipaallowedtoperform_read_keys',
         label=_('Failed allowed to retrieve keytab'),
     ),
     Str('ipaallowedtoperform_write_keys',
         label=_('Failed allowed to create keytab'),
     ),

to the global output param lists in service and host plugins. (Feel free 
to fix the label to your liking.)


Patch 763:

ACK.

-- 
Jan Cholasta
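As an added illustration (not code from the 761/763 patches or from FreeIPA itself), the Python below models the allow/disallow-retrieve/create-keytab semantics listed in the thread, including the per-member failure reporting that the proposed `ipaallowedtoperform_read_keys` / `ipaallowedtoperform_write_keys` output params would surface. The attribute keys reuse those param names; the DN layout and the set of known users and groups are constructed for the example.

```python
# Added example modelling the keytab permission API from the thread.
# Attribute keys follow the output param names in the mail; the DN
# suffixes and the "existing" principals below are constructed.
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"    # constructed
GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=com"  # constructed
KNOWN_USERS = {"admin", "kadm"}                           # constructed
KNOWN_GROUPS = {"keytab-admins"}                          # constructed

# "retrieve" and "create" are independent rights, stored separately.
ATTR = {"retrieve": "ipaallowedtoperform_read_keys",
        "create": "ipaallowedtoperform_write_keys"}


def member_dn(kind, name):
    """DN of a user or group member (layout assumed for the example)."""
    if kind == "user":
        return f"uid={name},{USERS_BASE}"
    return f"cn={name},{GROUPS_BASE}"


def _exists(kind, name):
    return name in (KNOWN_USERS if kind == "user" else KNOWN_GROUPS)


def _apply(entry, right, add, users, groups):
    """Add or remove members; return the failed ones with a reason."""
    current = entry.setdefault(ATTR[right], [])
    failed = {"user": [], "group": []}
    for kind, names in (("user", users), ("group", groups)):
        for name in names:
            dn = member_dn(kind, name)
            if add and not _exists(kind, name):
                failed[kind].append((name, "no such entry"))
            elif add and dn in current:
                failed[kind].append((name, "already a member"))
            elif not add and dn not in current:
                failed[kind].append((name, "not a member"))
            elif add:
                current.append(dn)
            else:
                current.remove(dn)
    return failed


def allow(entry, right, users=(), groups=()):
    """host-allow-<right>-keytab / service-allow-<right>-keytab."""
    return _apply(entry, right, True, users, groups)


def disallow(entry, right, users=(), groups=()):
    """host-disallow-<right>-keytab / service-disallow-<right>-keytab."""
    return _apply(entry, right, False, users, groups)


def can(entry, right, kind, name):
    """Does this user or group hold the given right on the entry?"""
    return member_dn(kind, name) in entry.get(ATTR[right], [])
```

Granting the retrieve right never implies the create right, which is what an audit of who may fetch existing keys versus who may rotate them should check separately.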
