[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Martin Kosek mkosek at redhat.com
Mon Mar 25 15:21:26 UTC 2013


On 03/25/2013 02:41 PM, Martin Kosek wrote:
> On 03/18/2013 12:38 PM, Jan Cholasta wrote:
>> Hi,
>>
>> this patch implements <https://fedorahosted.org/freeipa/ticket/3329>.
>>
>> Because the design is not finished yet, this is a minimal implementation - it
>> uses the krbTicketFlags attribute directly (which means no delegation of rights
>> to modify specific flags to specific admins) and there is no support for
>> per-service type default values.
>>
>> Honza
>>
>>
> 
> I checked what you have already and this is what I found:
> 
> 1) Internal error if I try to remove krbticketflags via *attr functions:
> 
> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> # ipa service-add foo/`hostname`
> ------------------------------------------------------------------------
> Added service "foo/vm-037.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM"
> ------------------------------------------------------------------------
> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> 
> 
> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
> only thing that's left to be decided is the granularity of the ACIs used to
> control this flag.

I read this part of design proposal discussion wrong, this is already decided -
we do not want to have fine-grained granularity, these are too powerful flags
to be delegated per-flag to lower admins.

So I think that your current approach is sufficient, I do not think we need to
add this attribute to some host/service related permission to avoid allowing
this sensitive attribute for lower-level admins automatically. If someone wants
it, he can add and assign an appropriate permission.

Martin
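The reproducer quoted above passes the literal string "None" to krbticketflags through --setattr and gets an internal error instead of a clean validation failure. As an added example (not code from the patch or from this thread), here is a hypothetical validator that treats "None" or an empty value as removal of the attribute, parses anything else as an integer, and rejects bits outside a flag table, so bad input is refused before it reaches LDAP. The flag bit values are the principal attribute flags from MIT Kerberos kdb.h (the same bitmask krbTicketFlags stores); the table, the unknown-bit policy and the function names are assumptions of this example.

```python
# Hypothetical input validation for krbticketflags passed via --setattr/--addattr.
# Added example, not FreeIPA code. Bit values are MIT Kerberos KDB principal
# attribute flags (kdb.h); the table covers the commonly used subset.
KDB_FLAGS = {
    "DISALLOW_POSTDATED":     0x00000001,
    "DISALLOW_FORWARDABLE":   0x00000002,
    "DISALLOW_TGT_BASED":     0x00000004,
    "DISALLOW_RENEWABLE":     0x00000008,
    "DISALLOW_PROXIABLE":     0x00000010,
    "DISALLOW_DUP_SKEY":      0x00000020,
    "DISALLOW_ALL_TIX":       0x00000040,
    "REQUIRES_PRE_AUTH":      0x00000080,
    "REQUIRES_HW_AUTH":       0x00000100,
    "REQUIRES_PWCHANGE":      0x00000200,
    "DISALLOW_SVR":           0x00001000,
    "PWCHANGE_SERVICE":       0x00002000,
    "SUPPORT_DESMD5":         0x00004000,
    "NEW_PRINC":              0x00008000,
    "OK_AS_DELEGATE":         0x00100000,
    "OK_TO_AUTH_AS_DELEGATE": 0x00200000,
    "NO_AUTH_DATA_REQUIRED":  0x00400000,
}
# Every bit the validator is willing to store; anything else is refused so a
# typo cannot silently set a flag the admin did not intend (policy assumed here).
KNOWN_MASK = sum(KDB_FLAGS.values())


class ValidationError(ValueError):
    """Raised for bad user input; the caller reports it instead of a 500-style error."""


def normalize_ticket_flags(raw):
    """Return an int bitmask to store, or None when the attribute should be deleted."""
    if raw is None:
        return None
    text = str(raw).strip()
    # "None" and "" are how the CLI expresses removal of a single-valued attribute.
    if text == "" or text.lower() == "none":
        return None
    try:
        value = int(text, 0)          # accept decimal or 0x-prefixed hex
    except ValueError:
        raise ValidationError("krbticketflags must be an integer, got %r" % raw)
    if value < 0 or value > 0xFFFFFFFF:
        raise ValidationError("krbticketflags out of 32-bit range: %d" % value)
    unknown = value & ~KNOWN_MASK
    if unknown:
        raise ValidationError("krbticketflags has unknown bits: 0x%x" % unknown)
    return value


def decode_ticket_flags(value):
    """Names of the flags set in a stored krbTicketFlags value, for display or audit."""
    return sorted(name for name, bit in KDB_FLAGS.items() if value & bit)
```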
