[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Petr Vobornik pvoborni at redhat.com
Fri Oct 3 14:08:53 UTC 2014 

New revision according to Honza's recommendations. Comments inline.

On 1.10.2014 18:15, Petr Vobornik wrote:
> Hello list,
>
> Patch for: https://fedorahosted.org/freeipa/ticket/4419
>
> Before I start any work on Web UI and tests I would like to gather
> feedback on:
> - the new API
> - member attributes with subtypes management approach
> - ACI
>
> I did not do any ACI work in the patch yet. I assume that we would like
> to add the attr into  'System: Read Host|Service' permission. But I
> think that write right should have it's own permission.

I have added 2 new permissions. Simo, are they OK?

for services:
'System: Manage Service Keytab Permissions': {
     'ipapermright': {'read', 'search', 'compare', 'write'},
     'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
     'default_privileges': {'Service Administrators', 'Host 
Administrators'},
},

for hosts:
'System: Manage Host Keytab Permissions': {
     'ipapermright': {'read', 'search', 'compare', 'write'},
     'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
     'default_privileges': {'Host Administrators'},
},

I'm not sure about the write right for 'objectclass' but it's required 
in order to add 'ipaallowedoperations' oc.

>
> Patch info:
> Adds new API:
>    ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
>    ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
>    ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
>    ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
>
>    ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>    ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
>    ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
>    ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR

*-write-keytab commands were changed to *-create-keytab to be consistent 
with descriptions

>
> these methods add or remove user or group DNs in `ipaallowedtoperform`
> attr with `read_keys` and `write_keys` subtypes.
>
> service|host-mod|show outputs these attrs only with --all option as:

--all is no longer required

>
>    Users allowed to retrieve keytab: user1
>    Groups allowed to retrieve keytab: group1
>    Users allowed to write keytab: user1
>    Groups allowed to write keytab: group1
>
> 1) This patch implements subtypes support for attributes members. It's
> done to be relatively reusable but it's confined within the RFE
> boundaries. I.e. it does not contain support for standard attributes or
> is not integrated into LDAPAddMember or LDAPRemoveMember commands. It's
> rather as separate opt-ins. One of the reasons was also not to disturb
> existing code at the end of 4-1
> milestone.

Was replaced by more specific methods more local to a service and a host 
plugins.

>
> 3) Adding of object class is implemented as a reusable method since this
> code is used on many places and most likely will be also used in new
> features. Older code may be refactored later.
>
> Thanks

RPC tests added in patch #763.
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0761-1-keytab-manipulation-permission-management.patch
Type: text/x-patch
Size: 34666 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141003/623f27d1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0763-tests-management-of-keytab-permissions.patch
Type: text/x-patch
Size: 30459 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141003/623f27d1/attachment-0001.bin>

More information about the Freeipa-devel mailing list