[Freeipa-devel] [PATCHES] 94-99 Read and use per-service PAC type

Fri Mar 1 07:33:51 UTC 2013

On 02/28/2013 03:28 PM, Simo Sorce wrote:
> On Thu, 2013-02-28 at 13:02 +0100, Martin Kosek wrote:
>> On 02/28/2013 12:42 PM, Sumit Bose wrote:
>>> On Thu, Feb 28, 2013 at 08:44:35AM +0100, Martin Kosek wrote:
>>>> On 02/27/2013 06:48 PM, Sumit Bose wrote:
> 
>>>> Hi Sumit,
>>>>
>>>> This looks like a good idea and would prevent the magic default PAC type, yes.
>>>> Though I would not add this service-specific setting to global IPA config object.
>>>>
>>>> I would rather like to see that in the service tree, for example as a
>>>> configuration option of the service root which could be controlled with
>>>> serviceconfig-* commands (we already have dnsconfig, trustconfig), e.g:
>>>>
>>>> # ipa serviceconfig-add-pacmap --service=nfs --pac-type=NONE
>>>> # ipa serviceconfig-add-pacmap --service=cifs --pac-type=PAD
>>>> # ipa serviceconfig-show
>>>>   Default PAC Map: nfs:NONE, cifs:PAD
>>>
>>> Are you thinking of having this in addition to the for-all-services
>>> default values in cn=ipaConfig,cn=etc or shall those be dropped? I don't
>>> like the first case because then three different objects needs to be
>>> consulted to find out which is the right type. This wouldn't be an issue
>>> for the plugin, but I think it is hard for the user/admin to follow.
>>
>> Hm, you are right.
>>
>>>
>>> If the current defaults shall be dropped I think this is a major change
>>> because it will require changes in the current CLI and WebUI which will
>>> be visible to the users. I'm not against this change, I'm just wondering
>>> if it is worth the effort for the next release?
>>>
>>> Maybe an argument to keep this is in global default is that the settings
>>> are used for the host/*.* services as well which are in a different
>>> sub-tree of the cn=accounts container. Additionally in future we might
>>> want apply those setting to the user TGTs as well?
>>
>> Yeah, that was actually my point. That we are mixing service-specific PAC
>> "rules" to the global setting. Which may be shared with host/*.* principals and
>> user principals. This automatic PAC rules may require some designing so that is
>> is generally usable.
> 
> I think putting everything in the general config is more understandable
> and discoverable. These per-service defaults are basically exceptions to
> the general rule so it make sense to keep everything together.
> 
> Simo.
> 

Ok, if these are really just an exceptions to the general rule (and there will
not be too many of them), I think we can leave it in config entry. But if we
expect to have exceptions for other types of entries (hosts, users), I think we
should rather use something like "service:nfs:NONE" do distinguish this exception.

Question is, do we want to implement the interface and processing for that in
current Sumit's patches or do we use that is they are?

Martin