[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Jan Cholasta jcholast at redhat.com
Tue Mar 26 14:05:25 UTC 2013


On 25.3.2013 16:21, Martin Kosek wrote:
> On 03/25/2013 02:41 PM, Martin Kosek wrote:
>> I checked what you have already and this is what I found:
>>
>> 1) Internal error if I try to remove krbticketflags via *attr functions:
>>
>> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
>> ipa: ERROR: an internal error has occurred
>> # ipa service-add foo/`hostname`
>> ------------------------------------------------------------------------
>> Added service "foo/vm-037.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM"
>> ------------------------------------------------------------------------
>> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
>> ipa: ERROR: an internal error has occurred

Fixed.

>>
>>
>> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
>> only thing that's left to be decided is the granularity of the ACIs used to
>> control this flag.

RFE page updated.

>
> I read this part of design proposal discussion wrong, this is already decided -
> we do not want to have a fine-grained granularity, these are too powerful flags
> to be delegated per-flag to lower admins.
>
> So I think that your current approach is sufficient, I do not think we need to
> add this attribute to some host/service related permission to avoid allowing
> this sensitive attribute for lower level admins automatically. If someone wants
> it, he can add and assign an appropriate permission.

Correct, this has been already decided.

Updated patch attached.

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-120.1-Add-Kerberos-ticket-flags-management-to-service-and-.patch
Type: text/x-patch
Size: 22610 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130326/8de594f3/attachment.bin>
