[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Jan Cholasta jcholast at redhat.com
Fri Oct 17 11:52:30 UTC 2014


Dne 17.10.2014 v 13:48 Petr Vobornik napsal(a):
> On 17.10.2014 11:06, Jan Cholasta wrote:
>> Dne 16.10.2014 v 20:28 Martin Kosek napsal(a):
>>> On 10/16/2014 07:03 PM, Petr Vobornik wrote:
>>>> On 16.10.2014 11:53, Jan Cholasta wrote:
>>>>> Dne 16.10.2014 v 11:24 Petr Vobornik napsal(a):
>>>>>> On 16.10.2014 09:54, Jan Cholasta wrote:
>>>>>>> Dne 13.10.2014 v 12:42 Petr Vobornik napsal(a):
>>>>>>>> On 8.10.2014 18:51, Petr Vobornik wrote:
>>>>>>>>> On 1.10.2014 18:15, Petr Vobornik wrote:
>>>>>>>>>> Hello list,
>>>>>>>>>>
>>>>>>>>>> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> New revisions of 761 and 763 with updated API and ACIs:
>>>>
>>>> Given:
>>>>
>>>>> Given the implementation, I see you can't remove it from
>>>> snip
>>>>> OK, you are obviously not responsible for this mess, so let's go with
>>>>> it.
>>>> snip
>>>>> ugly hacks though.)>
>>>> snip
>>>>>>> I'm not particularly happy about the '_subtype' option business,
>>>>>>> but at
>>>>>>> least it's not invasive, so I guess it's OK.
>>>>>>>
>>>>>>> Note that I still think this API sucks and we should instead go
>>>>>>> with the
>>>>>>> generic member-like attribute approach, or take our time to
>>>>>>> design it
>>>>>>> properly so that it fits in the framework (no time in 4.1)
>>>>>>> instead of
>>>>>>> making it a hacky Franken-API like it is now.
>>>>>>>
>>>>
>>>> and a discussion with Honza
>>>>
>>>> I've attached alternative versions of this patch - based on 761-1 with
>>>> API as
>>>> follows:
>>>>
>>>>    ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>>    ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>>    ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>>>>    ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>>>>
>>>>    ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
>>>>    ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups
>>>> STR
>>>>    ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
>>>>    ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups
>>>> STR
>>>>
>>>> and updated ACIs
>>>>
>>>> Both approaches have their own drawbacks.
>>>
>>> Given the discussion we had, I think I can live with this version too,
>>> especially if it makes the API or the code less hacky than with the
>>> API version I proposed.
>>>
>>> So if Honza ACKs the code, I am fine with this API version.
>>
>> Patch 761:
>>
>> ACK on the approach.
>>
>> The commands do not show failed members in CLI, to fix this, add:
>>
>>      Str('ipaallowedtoperform_read_keys',
>>          label=_('Failed allowed to retrieve keytab'),
>>      ),
>>      Str('ipaallowedtoperform_write_keys',
>>          label=_('Failed allowed to create keytab'),
>>      ),
>>
>> to the global output param lists in service and host plugins. (Feel free
>> to fix the label to your liking.)
>
> Added

Thanks, ACK.

-- 
Jan Cholasta
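
The thread settles on per-host and per-service allow/disallow commands for keytab retrieval and creation, and on reporting failed members in the CLI output. The following is an added illustration written for this page, not FreeIPA code: it models a host entry as a dict carrying the two permission attributes named by the output params above (ipaallowedtoperform_read_keys for retrieve, ipaallowedtoperform_write_keys for create), applies member-like add/remove semantics where an already-allowed or never-allowed member is reported as failed, and shows how a check would resolve a user directly or through group membership. The DN layout, the "already allowed"/"not allowed" failure reasons and the toy suffix are assumptions, not the project's behaviour.

```python
SUFFIX = "dc=example,dc=test"   # constructed suffix for the toy directory

# One attribute per operation; names follow the output params from the thread.
ATTR_FOR_OP = {
    "retrieve": "ipaallowedtoperform_read_keys",   # read keys  -> retrieve keytab
    "create": "ipaallowedtoperform_write_keys",    # write keys -> create keytab
}


def principal_dn(kind, name):
    """Build a toy DN for a user or group (container layout is an assumption)."""
    if kind == "users":
        return f"uid={name},cn=users,cn=accounts,{SUFFIX}"
    if kind == "groups":
        return f"cn={name},cn=groups,cn=accounts,{SUFFIX}"
    raise ValueError(f"unknown principal kind: {kind}")


def new_host(fqdn):
    """A host entry with empty retrieve/create permission lists."""
    return {"fqdn": fqdn, ATTR_FOR_OP["retrieve"]: [], ATTR_FOR_OP["create"]: []}


def _edit(host, op, users, groups, add):
    """Shared add/remove logic; returns completed count plus failed members."""
    attr = ATTR_FOR_OP[op]
    completed = 0
    failed = {"users": [], "groups": []}
    for kind, names in (("users", users), ("groups", groups)):
        for name in names:
            dn = principal_dn(kind, name)
            present = dn in host[attr]
            if add and not present:
                host[attr].append(dn)
                completed += 1
            elif not add and present:
                host[attr].remove(dn)
                completed += 1
            else:
                # Member-like semantics: the no-op cases surface as failed members,
                # which is what the "Failed allowed to ..." output params display.
                reason = "already allowed" if add else "not allowed"
                failed[kind].append((name, reason))
    return {"completed": completed, "failed": failed}


def allow_keytab(host, op, users=(), groups=()):
    """Model of `ipa host-allow-{retrieve,create}-keytab HOST --users --groups`."""
    return _edit(host, op, users, groups, add=True)


def disallow_keytab(host, op, users=(), groups=()):
    """Model of `ipa host-disallow-{retrieve,create}-keytab HOST --users --groups`."""
    return _edit(host, op, users, groups, add=False)


def is_permitted(host, op, user, member_of=()):
    """Would `user`, a member of the given groups, be permitted `op` on this host?"""
    allowed = set(host[ATTR_FOR_OP[op]])
    if principal_dn("users", user) in allowed:
        return True
    return any(principal_dn("groups", g) in allowed for g in member_of)


def demo():
    """Walk through an allow, a duplicate allow and a disallow of a non-member."""
    host = new_host("web1.example.test")                              # constructed
    r1 = allow_keytab(host, "retrieve", users=["alice"], groups=["keytab-readers"])
    r2 = allow_keytab(host, "retrieve", users=["alice"])   # duplicate: failed member
    r3 = disallow_keytab(host, "create", users=["bob"])    # never allowed: failed member
    return host, r1, r2, r3


if __name__ == "__main__":
    host, r1, r2, r3 = demo()
    print("allow:", r1)
    print("duplicate allow:", r2)
    print("disallow non-member:", r3)
    print("alice may retrieve:", is_permitted(host, "retrieve", "alice"))
    print("carol via group may retrieve:",
          is_permitted(host, "retrieve", "carol", member_of=["keytab-readers"]))
```

The point of separating `completed` from `failed` is the one raised in the review: without the failed-members output a caller cannot distinguish "permission granted" from "nothing changed because it was already there", and an operator auditing who can pull a host's keys would not notice that a disallow silently did nothing.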
