[Freeipa-devel] [PATCH] 0635 Support delegating RBAC roles to service principals

Petr Viktorin pviktori at redhat.com
Wed Aug 20 16:09:05 UTC 2014


On 08/20/2014 10:59 AM, Martin Kosek wrote:
> On 08/19/2014 07:49 PM, Petr Viktorin wrote:
>> On 08/19/2014 01:41 PM, Martin Kosek wrote:
>>> On 08/19/2014 01:28 PM, Petr Viktorin wrote:
>>>> Services can now be added to roles.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3164
>>>>
>>>>
>>>> I added a new integration test for checking that a service can actually use the
>>>> right granted by a role. I don't think there's a good way to do this kind of
>>>> thing in our Declarative test suite.
>>>
>>> 1) I think you also need to update service object's attribute_members so that
>>> it can properly show role membership.
>>
>> Right, added (with tests).
>
> Thanks! (especially for the tests)
>
> I am thinking about one usability improvement. All over the code, we allow
> specifying services without the REALM, as the realm is pretty clear and we do
> not need it from the user:
>
> # ipa service-add test/`hostname`
> ------------------------------------------------------------------
> Added service "test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST"
> ------------------------------------------------------------------
>    Principal: test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST
>    Managed by: ipa.mkosek-fedora20.test
>
> However, the new --services option does not allow that:
>
> # ipa role-add-member foo --services test/`hostname`
>    Role name: foo
>    Description: foo
>    Failed members:
>      member user:
>      member group:
>      member host:
>      member host group:
>      member service: test/ipa.mkosek-fedora20.test: no such entry
> -------------------------
> Number of members added 0
> -------------------------
>
> Could we just add the realm if it does not exist in the service-add-member
> precallback?

Looks like we want to add it any time we look up a service, right?
This additional patch should do that.


-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0636.2-service-Normalize-service-principal-in-get_dn.patch
Type: text/x-patch
Size: 3041 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140820/777e466b/attachment.bin>
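The normalization discussed above, as an added example (this is not FreeIPA's code and not the attached patch, which is not reproduced on this page): append the IPA realm to a service principal only when the user gave none, keep an explicit realm verbatim, and then look the normalized name up. The function names (normalize_service_principal, service_dn, role_add_member) and the cn=services,cn=accounts container are assumptions; REALM is taken from the sample output in the mail, BASE_DN is an assumed suffix derived from it, and the DIRECTORY set is a constructed stand-in for the LDAP entries. The role_add_member helper reproduces the "no such entry" failure from the mail when normalization is switched off, and also shows why a foreign realm is deliberately not rewritten.

```python
# Added example, not FreeIPA's code: realm normalization for service
# principals before lookup.  Names and container RDNs are assumptions.

REALM = "MKOSEK-FEDORA20.TEST"               # from the sample output in the mail
BASE_DN = "dc=mkosek-fedora20,dc=test"       # assumed suffix derived from REALM
SERVICE_CONTAINER = "cn=services,cn=accounts"  # assumed container RDNs


def _last_unescaped_at(name):
    """Return the index of the last '@' not escaped by a backslash, or -1.

    Kerberos allows '\\@' inside a principal component, so a plain
    name.rfind('@') would mis-detect a realm in such names.
    """
    for i in range(len(name) - 1, -1, -1):
        if name[i] != "@":
            continue
        backslashes = 0
        j = i - 1
        while j >= 0 and name[j] == "\\":
            backslashes += 1
            j -= 1
        if backslashes % 2 == 0:
            return i
    return -1


def normalize_service_principal(principal, realm=REALM):
    """Append '@realm' if the principal has no realm; keep an explicit one.

    An explicit foreign realm is deliberately not rewritten: the lookup will
    simply fail, which is better than silently mapping it onto our realm.
    """
    if not principal or principal != principal.strip():
        raise ValueError("empty or whitespace-padded principal: %r" % principal)
    at = _last_unescaped_at(principal)
    if at == -1:
        return "%s@%s" % (principal, realm)
    if at == len(principal) - 1:
        raise ValueError("principal has '@' but no realm: %r" % principal)
    return principal


def _escape_dn_value(value):
    """Minimal RFC 4514 escaping for an attribute value used in a DN."""
    out = []
    for ch in value:
        out.append("\\" + ch if ch in '\\,+"<>;=' else ch)
    text = "".join(out)
    if text.startswith("#") or text.startswith(" "):
        text = "\\" + text
    if text.endswith(" ") and not text.endswith("\\ "):
        text = text[:-1] + "\\ "
    return text


def service_dn(principal, base_dn=BASE_DN):
    """DN of a service entry for an already-normalized principal."""
    return "krbprincipalname=%s,%s,%s" % (
        _escape_dn_value(principal), SERVICE_CONTAINER, base_dn)


# Constructed stand-in for the directory: the DNs of two existing services.
DIRECTORY = {
    service_dn("test/ipa.mkosek-fedora20.test@" + REALM),
    service_dn("HTTP/ipa.mkosek-fedora20.test@" + REALM),
}


def role_add_member(role_members, role, services, normalize=True,
                    directory=DIRECTORY):
    """Add services to a role; returns (added principals, {input: reason}).

    With normalize=False the lookup uses the name exactly as typed, which is
    the 'no such entry' failure from the mail for a realm-less principal.
    """
    added, failed = [], {}
    members = role_members.setdefault(role, set())
    for svc in services:
        try:
            name = normalize_service_principal(svc) if normalize else svc
        except ValueError as e:
            failed[svc] = str(e)
            continue
        dn = service_dn(name)
        if dn not in directory:
            failed[svc] = "no such entry"
        elif dn in members:
            failed[svc] = "This entry is already a member"
        else:
            members.add(dn)
            added.append(name)
    return added, failed
```

The realm is appended only when no unescaped '@' is present, so a typo in an explicit realm still surfaces as a lookup failure rather than being papered over; the same helper can serve every place a service is looked up, which is the point Petr makes above.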