[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Fri Oct 17 11:48:16 UTC 2014


On 17.10.2014 11:06, Jan Cholasta wrote:
> Dne 16.10.2014 v 20:28 Martin Kosek napsal(a):
>> On 10/16/2014 07:03 PM, Petr Vobornik wrote:
>>> On 16.10.2014 11:53, Jan Cholasta wrote:
>>>> Dne 16.10.2014 v 11:24 Petr Vobornik napsal(a):
>>>>> On 16.10.2014 09:54, Jan Cholasta wrote:
>>>>>> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>>>>>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>>>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>>>>>> Hello list,
>>>>>>>>>
>>>>>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>>>>>
>>>>>>>>
>>>>>>>> New revisions of 761 and 763 with updated API and ACIs:
>>>
>>> Given:
>>>
>>>> Given the implementation, I see you can't remove it from
>>> snip
>>>> OK, you are obviously not responsible for this mess, so let's go with
>>>> it.
>>> snip
>>>> ugly hacks though.)
>>> snip
>>>>>> I'm not particularly happy about the '_subtype' option business,
>>>>>> but at
>>>>>> least it's not invasive, so I guess it's OK.
>>>>>>
>>>>>> Note that I still think this API sucks and we should instead go
>>>>>> with the
>>>>>> generic member-like attribute approach, or take our time to design it
>>>>>> properly so that it fits in the framework (no time in 4.1) instead of
>>>>>> making it a hacky Franken-API like it is now.
>>>>>>
>>>
>>> and a discussion with Honza
>>>
>>> I've attached alternative versions of this patch - based on 761-1 with
>>> API as
>>> follows:
>>>
>>>    ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>    ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>    ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>>>    ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>>>
>>>    ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>>>    ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>>>    ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
>>>    ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
>>>
>>> and updated ACIs
>>>
>>> Both approaches have their own drawbacks.
>>
>> Given the discussion we had, I think I can live with this version too,
>> especially if it makes the API or the code less hacky than with the
>> API version I proposed.
>>
>> So if Honza ACKs the code, I am fine with this API version.
>
> Patch 761:
>
> ACK on the approach.
>
> The commands do not show failed members in CLI, to fix this, add:
>
>      Str('ipaallowedtoperform_read_keys',
>          label=_('Failed allowed to retrieve keytab'),
>      ),
>      Str('ipaallowedtoperform_write_keys',
>          label=_('Failed allowed to create keytab'),
>      ),
>
> to the global output param lists in service and host plugins. (Feel free
> to fix the label to your liking.)

Added

>
>
> Patch 763:
>
> ACK.
>

-- 
Petr Vobornik
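An added model of what the commands and the failed-member output params discussed above describe; this is not FreeIPA's own code, and the suffix, container layout and error strings are constructed assumptions. It treats each host or service entry as carrying allow lists in the subtyped attribute `ipaallowedtoperform;read_keys` / `ipaallowedtoperform;write_keys`, with allow/disallow behaving as member add/remove that report what could not be applied.

```python
# Constructed model, not FreeIPA's code: a host/service entry keeps its keytab
# permissions in the subtyped attribute ipaallowedtoperform;read_keys (retrieve)
# and ipaallowedtoperform;write_keys (create), holding DNs of users and groups.
# allow/disallow act like member add/remove and report the members they could
# not apply, which the "Failed allowed to ..." output params surface in the CLI.

BASE_DN = "dc=example,dc=com"          # constructed suffix
SUBTYPES = {"retrieve": "read_keys", "create": "write_keys"}
CONTAINERS = {"user": ("uid", "cn=users,cn=accounts"),
              "group": ("cn", "cn=groups,cn=accounts")}

def member_dn(kind, name):
    """Map a --users/--groups value to the DN stored in the attribute."""
    rdn_attr, container = CONTAINERS[kind]
    return f"{rdn_attr}={name},{container},{BASE_DN}"

def _values(entry, action):
    return entry.setdefault(f"ipaallowedtoperform;{SUBTYPES[action]}", [])

def _apply(entry, action, directory, user, group, add):
    """Shared add/remove loop; returns (completed, failed-by-kind)."""
    values = _values(entry, action)
    completed, failed = 0, {"user": [], "group": []}
    for kind, names in (("user", user), ("group", group)):
        for name in names:
            dn = member_dn(kind, name)
            if dn not in directory:
                failed[kind].append((name, "no such entry"))
            elif add and dn in values:
                failed[kind].append((name, "This entry is already a member"))
            elif not add and dn not in values:
                failed[kind].append((name, "This entry is not a member"))
            else:
                (values.append if add else values.remove)(dn)
                completed += 1
    return completed, failed

def allow_keytab(entry, action, directory, user=(), group=()):
    """host/service-allow-{retrieve,create}-keytab --users ... --groups ..."""
    return _apply(entry, action, directory, user, group, add=True)

def disallow_keytab(entry, action, directory, user=(), group=()):
    """host/service-disallow-{retrieve,create}-keytab counterpart."""
    return _apply(entry, action, directory, user, group, add=False)

def may_perform(entry, action, bind_dn, group_dns=()):
    """Bind-rule check: the bound DN, or a group it belongs to, is listed."""
    values = entry.get(f"ipaallowedtoperform;{SUBTYPES[action]}", [])
    return bind_dn in values or any(g in values for g in group_dns)
```

The `retrieve` list does not imply `create`: a principal allowed to fetch a keytab is still refused a new one unless it is also in the write_keys list.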
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-7-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 33279 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141017/ab65df55/attachment.bin>
