[Freeipa-devel] [PATCH] 0635 Support delegating RBAC roles to service principals

Martin Kosek mkosek at redhat.com
Wed Aug 20 08:59:23 UTC 2014


On 08/19/2014 07:49 PM, Petr Viktorin wrote:
> On 08/19/2014 01:41 PM, Martin Kosek wrote:
>> On 08/19/2014 01:28 PM, Petr Viktorin wrote:
>>> Services can now be added to roles.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3164
>>>
>>>
>>> I added a new integration test for checking that a service can actually use the
>>> right granted by a role. I don't think there's a good way to do this kind of
>>> thing in our Declarative test suite.
>>
>> 1) I think you also need to update service object's attribute_members so that
>> it can properly show role membership.
> 
> Right, added (with tests).

Thanks! (especially for the tests)

I am thinking about one usability improvement. All over the code, we allow
specifying services without the REALM, as the realm is pretty clear and we do not
need it from the user:

# ipa service-add test/`hostname`
------------------------------------------------------------------
Added service "test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST"
------------------------------------------------------------------
  Principal: test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
  Managed by: ipa.mkosek-fedora20.test

However, the new --services option does not allow that:

]# ipa role-add-member foo --services test/`hostname`
  Role name: foo
  Description: foo
  Failed members:
    member user:
    member group:
    member host:
    member host group:
    member service: test/ipa.mkosek-fedora20.test: no such entry
-------------------------
Number of members added 0
-------------------------

Could we just add the realm if it does not exist in the service-add-member
precallback?

Martin
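The normalisation Martin proposes (append the realm when the caller omits it, so `test/host` resolves the same way it does in `service-add`) is small enough to show as a self-contained helper. The code below is an added example for this thread, not FreeIPA's own plugin code: `normalize_service_principal` and `resolve_member_services` are hypothetical names, `DEFAULT_REALM` and `EXISTING_SERVICES` are constructed sample data standing in for the server's realm and directory contents, and FreeIPA's real precallback API and principal parsing are not reproduced. The one design choice worth noting from a security angle is that a principal carrying a *different* realm is left untouched rather than rewritten, so a cross-realm name fails visibly as "no such entry" instead of being silently mapped onto a local service.

```python
"""Added example (not FreeIPA's own code): normalise service principal
names before the membership lookup, appending the default realm when the
user omitted it, as the review thread proposes for the precallback."""

# Constructed sample data: the server's realm and the set of service
# principals that exist in the (hypothetical) directory.
DEFAULT_REALM = "MKOSEK-FEDORA20.TEST"
EXISTING_SERVICES = {
    "test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",
    "HTTP/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",
}


def normalize_service_principal(name, realm=DEFAULT_REALM):
    """Return the principal with an explicit realm.

    * 'svc/host'        -> 'svc/host@REALM'  (realm appended)
    * 'svc/host@REALM'  -> unchanged         (user was explicit)
    * 'svc/host@OTHER'  -> unchanged         (a foreign realm is never
                                             silently rewritten; the
                                             lookup then fails visibly)
    Raises ValueError for names that are not of the form 'service/host'.
    """
    name = name.strip()
    if "@" in name:
        # rpartition so a '@' inside the host part cannot confuse the split
        principal, _, given_realm = name.rpartition("@")
    else:
        principal, given_realm = name, ""
    service, sep, host = principal.partition("/")
    if not sep or not service or not host:
        raise ValueError("malformed service principal: %r" % name)
    if not given_realm:
        given_realm = realm
    return "%s/%s@%s" % (service, host, given_realm)


def resolve_member_services(names, existing=EXISTING_SERVICES,
                            realm=DEFAULT_REALM):
    """Hypothetical stand-in for the precallback step: normalise every
    requested service and split the result into found / failed, mirroring
    the 'Failed members' report in the thread.

    Returns (found, failed), where found is a list of full principals and
    failed is a list of (raw_name, reason) tuples."""
    found, failed = [], []
    for raw in names:
        try:
            full = normalize_service_principal(raw, realm)
        except ValueError as exc:
            failed.append((raw, str(exc)))
            continue
        if full in existing:
            found.append(full)
        else:
            failed.append((raw, "no such entry"))
    return found, failed


if __name__ == "__main__":
    found, failed = resolve_member_services([
        "test/ipa.mkosek-fedora20.test",                        # realm added
        "HTTP/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",   # explicit
        "ldap/ipa.mkosek-fedora20.test",                        # not present
        "test/ipa.mkosek-fedora20.test@OTHER.REALM",            # foreign realm
        "notaprincipal",                                        # malformed
    ])
    print("found: ", found)
    print("failed:", failed)
```

Run stand-alone, the first two names resolve, the `ldap/` service and the foreign-realm name are reported as "no such entry", and the malformed name is rejected before any lookup happens.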



