[Freeipa-devel] [PATCH] 761 keytab manipulation permission management

Martin Kosek mkosek at redhat.com
Mon Oct 6 10:53:57 UTC 2014


On 10/06/2014 10:33 AM, Jan Cholasta wrote:
> On 3.10.2014 at 17:02, Martin Kosek wrote:
>> On 10/03/2014 04:59 PM, Jan Cholasta wrote:
>>> On 3.10.2014 at 16:47, Petr Vobornik wrote:
>>>> On 3.10.2014 16:24, Martin Kosek wrote:
>>>>> NACK. I will not comment on mechanics, if you get an ACK from Honza, it
>>>>> is good enough. I just do not like the API. It is hard to guess what
>>>>> "host-add-retrieve-keytab" means. That word does not even make much
>>>>> sense.
>>>>>
>>>>> Can we use something more readable? For example:
>>>>>
>>>>> ipa host-add-allowed-operation HOSTNAME --operation read_keys
>>>>> --users=STR --groups STR
>>>>> ipa host-add-allowed-operation HOSTNAME --operation write_keys
>>>>> --users=STR --groups STR
>>>>>
>>>>> and
>>>>>
>>>>> ipa host-remove-allowed-operation HOSTNAME --operation read_keys
>>>>> --users=STR --groups STR
>>>>> ipa host-remove-allowed-operation HOSTNAME --operation write_keys
>>>>> --users=STR --groups STR
>>>>>
>>>>> Same with services. At least to me, it looks more readable.
>>>>>
>>>>> Thanks,
>>>>> Martin
>>>>>
>>>>
>>>> Seems to me like adding an allowed operation, not allowing an operation.
>>>
>>> +1
>>>
>>>>
>>>> What about:
>>>>
>>>> ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>>>
>>> I like these the best. Maybe with a -to or -by suffix.
>>>
>>>>
>>>> or if we expect more operations in a future:
>>>>
>>>> ipa host-allow-operation HOSTNAME --operation read-keys --users=STR
>>>> --groups STR
>>>> ipa host-disallow-operation HOSTNAME --operation read-keys --users=STR
>>>> --groups STR
>>>> ipa host-allow-operation HOSTNAME --operation write-keys --users=STR
>>>> --groups STR
>>>> ipa host-disallow-operation HOSTNAME --operation write-keys --users=STR
>>>> --groups STR
>>>>
>>>> or if we want to keep 'add' and 'remove' in command names:
>>>>
>>>> ipa host-add-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-add-create-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-remove-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-remove-create-keytab-right HOSTNAME --users=STR --groups=STR
>>>>
>>>>
>>>> Personally I'm not a fan of the --operation switch, but could be
>>>> persuaded by a 'future' usage.
>>>
>>> Not a fan either, because it is not consistent with the rest of the
>>> framework.
>>> Also, non-optional options are not really options.
>>
>> Right. Though mandatory options are a concept that already exists in the
>> FreeIPA framework in many places.
> 
> That does not make it right.

Right :-)

>> What I see as a deal breaker is that with
>> --operation switch, we are ready for dozens of potential future
>> operations. With operation hardcoded in command name, we are not.
> 
> I don't see dozens of operations coming in the near future; there's no need for
> a premature optimization like this.

My point was that it will be difficult to switch from having per-operation
commands to one general command for all operations later, however far the
future is.

Given there is no clear agreement on the API (ipa host-allow-operation vs.
host-allow-read-keytab+host-allow-write-keytab) yet, I would like to ask Rob or
Simo for their opinion/vote here too so that we can select an approach and go
with it.

Martin