[Freeipa-devel] [PATCH] 916 vault: add vault container commands
Jan Cholasta
jcholast at redhat.com
Tue Sep 1 14:26:05 UTC 2015
On 26.8.2015 13:22, Petr Vobornik wrote:
> On 08/25/2015 08:04 PM, Petr Vobornik wrote:
>> adds commands:
>> * vaultcontainer-show [--service <service>|--user <user> ]
>> * vaultcontainer-add-owner
>> [--service <service>|--user <user> ]
>> [--users <users>] [--groups <groups>] [--services <services>]
>> * vaultcontainer-remove-owner
>> [--service <service>|--user <user> ]
>> [--users <users>] [--groups <groups>] [--services <services>]
>>
>> https://fedorahosted.org/freeipa/ticket/5250
>>
>> Use cases:
>> 1. When user/service is deleted, associated vault container loses
>> owner. There was no API command to set the owner.
>> 2. Change owner of container by admin to manage access.
>>
>> Show command was added to show current owners.
>>
>> Find command was not added, should it be?
>>
>>
>
> There is also a design for vault container ownership handling created by
> Endi - it's for future Vault 2.0.
>
> http://www.freeipa.org/page/V4/Password_Vault_2.0#Adding_container_owner
>
> This patch has a different API than the proposed - different way of
> specifying the container. The design page uses path e.g. /users/foobar.
> This patch uses the same way as vaults e.g. --user=foobar. This means
> that the implementation in this patch cannot manage ownership of parent
> vault containers e.g. cn=users,cn=vaults,cn=kra,$SUFFIX.
>
> Do we want to go with this approach in 4.2?
>
> Attaching also new patch which removes setting of owner which doesn't
> exist so that integrity is OK and that it is consistent with removing of
> user.
>
> Updated patch attached - output fix.
We had a long discussion about this with Petr and we think the best
approach is as follows:
* Add new "Vault administrators" privilege. Vault administrators will
have unrestricted access to vaults and vault containers, including the
power to add/remove owners of vaults and vault containers.
* Remove the ability of vault owners to add/remove other vault
owners. If a vault owner needs to be changed, a vault administrator has to
do it. Note that vault owners will still have the ability to add/remove
vault members.
* When adding a new vault container, set owner to the current user. If
the vault container owner needs to be changed, a vault administrator has to do it.
* Allow adding vaults and vault containers only if the owner is set
to the current user.
* Introduce commands to modify vault container owner and to delete
vault container, so the administrator has a choice between assigning
ownership or deleting an unowned container.
Honza
--
Jan Cholasta
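As an added illustration, not code from the patch or from FreeIPA itself, the following Python models the ownership rules listed above (admin-only owner changes, owner-retained member management, create-only-as-own-owner, and refusing to assign a non-existent owner) with constructed principals; the privilege name's storage form and the `directory` set are assumptions.

```python
from dataclasses import dataclass, field

# Privilege name as proposed in the thread; how it is stored in LDAP is an assumption here.
VAULT_ADMIN_PRIVILEGE = "Vault administrators"

@dataclass
class Principal:
    name: str
    privileges: frozenset = frozenset()

@dataclass
class VaultObject:
    kind: str                                   # "vault" or "container"
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)   # only meaningful for kind == "vault"

def is_vault_admin(actor: Principal) -> bool:
    return VAULT_ADMIN_PRIVILEGE in actor.privileges

def can_add(actor: Principal, obj: VaultObject) -> bool:
    """Creating a vault/container is allowed only with the owner set to the actor."""
    return obj.owners == {actor.name}

def can_change_owners(actor: Principal, obj: VaultObject) -> bool:
    """Only vault administrators add/remove owners; being an owner is not enough."""
    return is_vault_admin(actor)

def can_change_members(actor: Principal, obj: VaultObject) -> bool:
    """Vault owners keep member management; containers have no members."""
    return obj.kind == "vault" and (is_vault_admin(actor) or actor.name in obj.owners)

def can_delete_container(actor: Principal, obj: VaultObject) -> bool:
    return obj.kind == "container" and is_vault_admin(actor)

def set_owner(actor: Principal, obj: VaultObject, new_owner: str, directory: set) -> None:
    """Reassign ownership; refuses unknown principals so a deleted user never becomes an owner."""
    if not can_change_owners(actor, obj):
        raise PermissionError(f"{actor.name} lacks the {VAULT_ADMIN_PRIVILEGE} privilege")
    if new_owner not in directory:
        raise LookupError(f"owner {new_owner!r} does not exist")
    obj.owners = {new_owner}

def delete_principal(directory: set, name: str, objects: list) -> None:
    """Deleting a user/service also strips it from owner/member lists (use case 1)."""
    directory.discard(name)
    for obj in objects:
        obj.owners.discard(name)
        obj.members.discard(name)
```

After `delete_principal` removes the sole owner, the container is unowned and only a vault administrator can either reassign it with `set_owner` or delete it.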