[Freeipa-devel] [PATCH] 761 keytab manipulation permission management
Petr Vobornik
pvoborni at redhat.com
Fri Oct 3 14:08:53 UTC 2014
New revision according to Honza's recommendations. Comments inline.
On 1.10.2014 18:15, Petr Vobornik wrote:
> Hello list,
>
> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>
> Before I start any work on Web UI and tests I would like to gather
> feedback on:
> - the new API
> - member attributes with subtypes management approach
> - ACI
>
> I did not do any ACI work in the patch yet. I assume that we would like
> to add the attr into 'System: Read Host|Service' permission. But I
> think that write right should have its own permission.
I have added 2 new permissions. Simo, are they OK?
for services:
'System: Manage Service Keytab Permissions': {
    'ipapermright': {'read', 'search', 'compare', 'write'},
    'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
    'default_privileges': {'Service Administrators', 'Host Administrators'},
},
for hosts:
'System: Manage Host Keytab Permissions': {
    'ipapermright': {'read', 'search', 'compare', 'write'},
    'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
    'default_privileges': {'Host Administrators'},
},
I'm not sure about the write right for 'objectclass' but it's required
in order to add 'ipaallowedoperations' oc.
>
> Patch info:
> Adds new API:
> ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
> ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
> ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
> ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
>
> ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
> ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
> ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
> ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR
*-write-keytab commands were changed to *-create-keytab to be consistent
with descriptions
>
> these methods add or remove user or group DNs in `ipaallowedtoperform`
> attr with `read_keys` and `write_keys` subtypes.
>
> service|host-mod|show outputs these attrs only with --all option as:
--all is no longer required
>
> Users allowed to retrieve keytab: user1
> Groups allowed to retrieve keytab: group1
> Users allowed to write keytab: user1
> Groups allowed to write keytab: group1
>
> 1) This patch implements subtypes support for attributes members. It's
> done to be relatively reusable but it's confined within the RFE
> boundaries. I.e. it does not contain support for standard attributes or
> is not integrated into LDAPAddMember or LDAPRemoveMember commands. It's
> rather as separate opt-ins. One of the reasons was also not to disturb
> existing code at the end of 4-1
> milestone.
Was replaced by more specific methods, local to the service and host
plugins.
>
> 3) Adding of object class is implemented as a reusable method since this
> code is used on many places and most likely will be also used in new
> features. Older code may be refactored later.
>
> Thanks
RPC tests added in patch #763.
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-1-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 34666 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141003/623f27d1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0763-tests-management-of-keytab-permissions.patch
Type: text/x-patch
Size: 30459 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141003/623f27d1/attachment-0001.bin>
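The message above describes how the new commands store user and group DNs in the `ipaallowedtoperform` attribute under the `read_keys` and `write_keys` subtypes, and that the `ipaallowedoperations` object class has to be added before the attribute can be written. The following is an added illustration of that data model on an in-memory, LDAP-style entry; it is not code from patch 0761 or from FreeIPA itself. The base DN, the container DNs and the sample user/group names are constructed, and the helper names (`add_allowed`, `remove_allowed`, `allowed_summary`) are assumptions made here, not the plugin's methods.

```python
"""Added example: model of the ``ipaallowedtoperform`` subtype handling
described in the mail (read_keys / write_keys).  Not code from the patch;
the base DN and sample DNs below are constructed."""

BASE_DN = "dc=example,dc=test"            # constructed sample base DN
ALLOWED_OC = "ipaallowedoperations"       # object class named in the mail
SUBTYPES = ("read_keys", "write_keys")    # subtypes named in the mail


def user_dn(uid):
    # Constructed container layout, assumed for the example.
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"


def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{BASE_DN}"


def attr_name(subtype):
    """LDAP attribute-option syntax: ``ipaallowedtoperform;read_keys``."""
    if subtype not in SUBTYPES:
        raise ValueError(f"unknown subtype {subtype!r}")
    return f"ipaallowedtoperform;{subtype}"


def ensure_object_class(entry, oc):
    """Add ``oc`` to the entry's objectclass values unless already present
    (compared case-insensitively, as LDAP does).  Returns True if added."""
    ocs = entry.setdefault("objectclass", [])
    if any(x.lower() == oc.lower() for x in ocs):
        return False
    ocs.append(oc)
    return True


def add_allowed(entry, subtype, users=(), groups=()):
    """Model of *-add-retrieve-keytab / *-add-create-keytab: the object
    class is added first, because the attribute is only allowed by it;
    then the DNs are added.  Returns the DNs actually added (duplicates
    are skipped, matched case-insensitively)."""
    ensure_object_class(entry, ALLOWED_OC)
    members = entry.setdefault(attr_name(subtype), [])
    present = {m.lower() for m in members}
    added = []
    for dn in [user_dn(u) for u in users] + [group_dn(g) for g in groups]:
        if dn.lower() not in present:
            members.append(dn)
            present.add(dn.lower())
            added.append(dn)
    return added


def remove_allowed(entry, subtype, users=(), groups=()):
    """Model of *-remove-retrieve-keytab / *-remove-create-keytab.
    Returns the DNs actually removed; drops the attribute when empty."""
    attr = attr_name(subtype)
    members = entry.get(attr, [])
    wanted = {dn.lower() for dn in
              [user_dn(u) for u in users] + [group_dn(g) for g in groups]}
    removed = [m for m in members if m.lower() in wanted]
    remaining = [m for m in members if m.lower() not in wanted]
    if remaining:
        entry[attr] = remaining
    else:
        entry.pop(attr, None)
    return removed


def allowed_summary(entry):
    """The four lines host|service-show prints, split into users and
    groups by the DN's leading RDN type (uid= vs cn=)."""
    out = {}
    for subtype, label in (("read_keys", "retrieve"), ("write_keys", "write")):
        users, groups = [], []
        for dn in entry.get(attr_name(subtype), []):
            rdn = dn.partition(",")[0]
            kind, _, value = rdn.partition("=")
            (users if kind.lower() == "uid" else groups).append(value)
        out[f"Users allowed to {label} keytab"] = users
        out[f"Groups allowed to {label} keytab"] = groups
    return out


if __name__ == "__main__":
    host = {"objectclass": ["ipaobject", "ipahost"]}   # constructed entry
    add_allowed(host, "read_keys", users=["user1"], groups=["group1"])
    add_allowed(host, "write_keys", users=["user1"])
    for line, names in allowed_summary(host).items():
        print(f"{line}: {', '.join(names)}")
```

The point worth noticing is the ordering inside `add_allowed`: the object class is written before the subtype attribute, which is why the permission definitions in the mail have to grant write on `objectclass` as well as on `ipaallowedtoperform`.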