[Freeipa-devel] [PATCH] 916 vault: add vault container commands

Jan Cholasta jcholast at redhat.com
Tue Sep 1 14:26:05 UTC 2015


On 26.8.2015 13:22, Petr Vobornik wrote:
> On 08/25/2015 08:04 PM, Petr Vobornik wrote:
>> adds commands:
>> * vaultcontainer-show [--service <service>|--user <user> ]
>> * vaultcontainer-add-owner
>>       [--service <service>|--user <user> ]
>>       [--users <users>]  [--groups <groups>] [--services <services>]
>> * vaultcontainer-remove-owner
>>       [--service <service>|--user <user> ]
>>       [--users <users>]  [--groups <groups>] [--services <services>]
>>
>> https://fedorahosted.org/freeipa/ticket/5250
>>
>> Use cases:
>> 1. When user/service is deleted, associated vault container loses
>> owner. There was no API command to set the owner.
>> 2. Change owner of container by admin to manage access.
>>
>> Show command was added to show current owners.
>>
>> Find command was not added, should it be?
>>
>>
>
> There is also a design for vault container ownership handling created by
> Endi - it's for future Vault 2.0.
>
> http://www.freeipa.org/page/V4/Password_Vault_2.0#Adding_container_owner
>
> This patch has a different API than the proposed - different way of
> specifying the container. The design page uses path e.g. /users/foobar.
> This patch uses the same way as vaults e.g. --user=foobar. This means
> that the implementation in this patch cannot manage ownership of parent
> vault containers e.g. cn=users,cn=vaults,cn=kra,$SUFFIX.
>
> Do we want to go with this approach in 4.2?
>
> Attaching also new patch which removes setting of owner which doesn't
> exist so that integrity is OK and that it is consistent with removing of
> user.
>
> Updated patch attached - output fix.

We had a long discussion about this with Petr and we think the best 
approach is as follows:

   * Add new "Vault administrators" privilege. Vault administrators will 
have unrestricted access to vaults and vault containers, including the 
power to add/remove owners of vaults and vault containers.

   * Remove the ability of vault owners to add/remove other vault 
owners. If a vault owner needs to be changed, a vault administrator has to 
do it. Note that vault owners will still have the ability to add/remove 
vault members.

   * When adding a new vault container, set the owner to the current user. If 
the vault container owner needs to be changed, a vault administrator has to do it.

   * Allow adding vaults and vault containers only if the owner is set 
to the current user.

   * Introduce commands to modify vault container owner and to delete 
vault container, so the administrator has a choice between assigning 
ownership or deleting an unowned container.

Honza

-- 
Jan Cholasta
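
The rules proposed in the reply above, modelled as an added example that is not FreeIPA's code: a toy policy object in which holders of a "Vault administrators" privilege bypass every check, vault owners manage members but not owners, a new container or vault gets the creating user as owner unless an administrator names someone else, and container owner changes and container deletion are administrator-only. The principal names, the container name "users/alice", the `VaultPolicy` class and the `orphan_scenario()` walk-through are all constructed here to exercise the orphaned-container use case from the thread; the model assumes that deleting a principal removes it from every owner set, which is what leaves a container without an owner.

```python
# Added example, not FreeIPA code: toy model of the proposed vault ACL rules.
from dataclasses import dataclass, field


class Denied(PermissionError):
    """Raised when an actor lacks the right the proposed rules require."""


@dataclass
class Vault:
    name: str
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)


@dataclass
class Container:
    name: str
    owners: set = field(default_factory=set)
    vaults: dict = field(default_factory=dict)


class VaultPolicy:
    """Holders of the 'Vault administrators' privilege (assumed name) bypass checks."""

    def __init__(self, vault_admins):
        self.admins = set(vault_admins)
        self.containers = {}

    def is_admin(self, actor):
        return actor in self.admins

    # Owner defaults to the creator; only an admin may name someone else.
    def container_add(self, actor, name, owner=None):
        owner = owner or actor
        if owner != actor and not self.is_admin(actor):
            raise Denied("container owner must be the current user")
        self.containers[name] = Container(name, {owner})
        return self.containers[name]

    # Changing or deleting a container is reserved to vault administrators.
    def container_set_owner(self, actor, name, new_owner):
        if not self.is_admin(actor):
            raise Denied("only vault administrators change container owners")
        self.containers[name].owners = {new_owner}

    def container_del(self, actor, name):
        if not self.is_admin(actor):
            raise Denied("only vault administrators delete containers")
        del self.containers[name]

    # Vaults follow the same creation rule as containers.
    def vault_add(self, actor, cname, vname, owner=None):
        owner = owner or actor
        if owner != actor and not self.is_admin(actor):
            raise Denied("vault owner must be the current user")
        vault = Vault(vname, {owner})
        self.containers[cname].vaults[vname] = vault
        return vault

    # Owners keep member management; owner changes are admin-only.
    def vault_add_member(self, actor, cname, vname, member):
        vault = self.containers[cname].vaults[vname]
        if not (self.is_admin(actor) or actor in vault.owners):
            raise Denied("only owners or vault administrators manage members")
        vault.members.add(member)

    def vault_add_owner(self, actor, cname, vname, owner):
        if not self.is_admin(actor):
            raise Denied("only vault administrators change vault owners")
        self.containers[cname].vaults[vname].owners.add(owner)

    # Deleting a principal strips it from every owner/member set; this is how
    # a container ends up unowned (use case 1 in the thread).
    def user_del(self, user):
        for c in self.containers.values():
            c.owners.discard(user)
            for v in c.vaults.values():
                v.owners.discard(user)
                v.members.discard(user)


def orphan_scenario():
    """Walk the orphaned-container case through the rules; return outcomes."""
    policy = VaultPolicy(vault_admins={"admin"})
    policy.container_add("alice", "users/alice")
    policy.vault_add("alice", "users/alice", "secrets")
    policy.vault_add_member("alice", "users/alice", "secrets", "bob")
    results = {}
    try:  # an owner may not promote another owner
        policy.vault_add_owner("alice", "users/alice", "secrets", "bob")
        results["owner_add_by_owner"] = "allowed"
    except Denied:
        results["owner_add_by_owner"] = "denied"
    policy.user_del("alice")
    results["orphaned"] = policy.containers["users/alice"].owners == set()
    try:  # a plain user cannot adopt the orphaned container
        policy.container_set_owner("bob", "users/alice", "bob")
        results["adopt_by_user"] = "allowed"
    except Denied:
        results["adopt_by_user"] = "denied"
    policy.container_set_owner("admin", "users/alice", "bob")
    results["owner_after_admin"] = policy.containers["users/alice"].owners
    return results
```

The point of the walk-through is the failure mode the thread raises: once alice is deleted nobody short of a vault administrator can act on her container, so the administrator must either reassign it (`container_set_owner`) or remove it (`container_del`); an ordinary user never gets to claim someone else's orphaned data.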
