[Freeipa-devel] [PATCH] 0635 Support delegating RBAC roles to service principals

Martin Kosek mkosek at redhat.com
Thu Aug 21 12:33:05 UTC 2014


On 08/20/2014 06:09 PM, Petr Viktorin wrote:
> On 08/20/2014 10:59 AM, Martin Kosek wrote:
>> On 08/19/2014 07:49 PM, Petr Viktorin wrote:
>>> On 08/19/2014 01:41 PM, Martin Kosek wrote:
>>>> On 08/19/2014 01:28 PM, Petr Viktorin wrote:
>>>>> Services can now be added to roles.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3164
>>>>>
>>>>>
>>>>> I added a new integration test for checking that a service can actually
>>>>> use the
>>>>> right granted by a role. I don't think there's a good way to do this kind of
>>>>> thing in our Declarative test suite.
>>>>
>>>> 1) I think you also need to update service object's attribute_members so that
>>>> it can properly show role membership.
>>>
>>> Right, added (with tests).
>>
>> Thanks! (especially for the tests)
>>
>> I am thinking about one usability improvement. All over the code, we allow
>> specifying services without the REALM, as the realm is pretty clear and we do not
>> need it from the user:
>>
>> # ipa service-add test/`hostname`
>> ------------------------------------------------------------------
>> Added service "test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST"
>> ------------------------------------------------------------------
>>    Principal: test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
>>    Managed by: ipa.mkosek-fedora20.test
>>
>> However, the new --services option does not allow that:
>>
>> ]# ipa role-add-member foo --services test/`hostname`
>>    Role name: foo
>>    Description: foo
>>    Failed members:
>>      member user:
>>      member group:
>>      member host:
>>      member host group:
>>      member service: test/ipa.mkosek-fedora20.test: no such entry
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> Could we just add the realm if it does not exist in the service-add-member
>> precallback?
> 
> Looks like we want to add it any time we look up a service, right?
> This additional patch should do that.

Right. This approach works for me, ACK on both.

Pushed to:
master: a8ba6b3b8cdaf39152bce394ad419d28037f687e
ipa-4-1: e49768864f5fd735f9f30241b22c595908b762af

Martin
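The behaviour discussed above (a short `service/host` name should be qualified with the local realm before the service is looked up, so that `role-add-member --services` accepts the same spelling as `service-add`) is illustrated by the following added example. It is not FreeIPA's code or the patch under review; the realm, the `KNOWN_SERVICES` table standing in for the directory, and the function names are constructed for the example. One deliberate design choice is shown that the thread does not spell out: a principal that already carries a realm is left untouched, so a name from a foreign realm is never silently rewritten into the local one and the lookup fails visibly instead.

```python
"""Qualify a Kerberos service principal with the local realm before lookup.

Added illustration only; not FreeIPA's implementation. The realm below is
taken from the example output in the thread, and the directory contents
are constructed for this example.
"""
from typing import Iterable, Optional

# Assumed local realm (from the `ipa service-add` output quoted in the thread).
LOCAL_REALM = "MKOSEK-FEDORA20.TEST"

# Constructed stand-in for the directory: principals that `service-add` created.
KNOWN_SERVICES = frozenset({
    "test/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",
    "HTTP/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",
})


def normalize_service_principal(principal: str, realm: str = LOCAL_REALM) -> str:
    """Return ``service/host@REALM``.

    If the caller omitted the realm, the local realm is appended. If a realm is
    already present it is kept as given: rewriting ``svc/host@OTHER.REALM`` into
    the local realm would turn a typo or a cross-realm name into a match on the
    wrong entry, which is exactly the kind of confusion an authorization
    lookup must not introduce.
    """
    principal = principal.strip()
    if not principal:
        raise ValueError("empty principal")
    service, sep, rest = principal.partition("/")
    if not sep or not service or not rest:
        raise ValueError(f"not a service principal (expected service/host): {principal!r}")
    # rpartition: a principal has at most one unescaped '@', and it is the last one.
    _, at, given_realm = rest.rpartition("@")
    if at:
        if not given_realm:
            raise ValueError(f"empty realm in {principal!r}")
        return principal  # already fully qualified; do not touch it
    return f"{principal}@{realm}"


def resolve_service(principal: str,
                    known: Iterable[str] = KNOWN_SERVICES,
                    realm: str = LOCAL_REALM) -> Optional[str]:
    """Resolve a user-supplied service name the way a normalized member
    lookup would: returns the canonical principal if it exists, else None."""
    canonical = normalize_service_principal(principal, realm)
    return canonical if canonical in set(known) else None


def add_service_members(role_members: set, requested: Iterable[str]) -> dict:
    """Mimic a `role-add-member --services` style call on a constructed role:
    returns which requested names were added and which failed, so the caller
    can report 'no such entry' per name instead of rejecting the whole call."""
    result = {"added": [], "failed": []}
    for name in requested:
        try:
            canonical = resolve_service(name)
        except ValueError as exc:
            result["failed"].append((name, str(exc)))
            continue
        if canonical is None:
            result["failed"].append((name, "no such entry"))
        else:
            role_members.add(canonical)
            result["added"].append(canonical)
    return result


if __name__ == "__main__":
    members: set = set()
    print(add_service_members(members, [
        "test/ipa.mkosek-fedora20.test",              # short form, gets the realm appended
        "HTTP/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST",  # already qualified
        "test/ipa.mkosek-fedora20.test@OTHER.TEST",   # foreign realm: must not be rewritten
        "ldap/ipa.mkosek-fedora20.test",              # not in the constructed directory
    ]))
    print(sorted(members))
```

The `resolve_service` helper is where a real implementation would call the directory; the point of doing the normalization in one place (as the thread settles on, "any time we look up a service") is that every command that names a service, not only `service-add-member`, gets the same canonical form and the same refusal to cross realms.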
