NACK. I will not comment on mechanics, if you get an ACK from Honza, it is good
enough. I just do not like the API. It is hard to guess what
"host-add-retrieve-keytab" means. That word does not even make much sense.
Can we use something more readable? For example:
ipa host-add-allowed-operation HOSTNAME --operation read_keys --users=STR
--groups STR
ipa host-add-allowed-operation HOSTNAME --operation write_keys --users=STR
--groups STR
and
ipa host-remove-allowed-operation HOSTNAME --operation read_keys --users=STR
--groups STR
ipa host-remove-allowed-operation HOSTNAME --operation write_keys --users=STR
--groups STR
Same with services. At least to me, it looks more readable.
Thanks,
Martin
On 10/03/2014 04:08 PM, Petr Vobornik wrote:
New revision according to Honza's recommendations. Comments inline.
On 1.10.2014 18:15, Petr Vobornik wrote:
Hello list,
Patch for: https://fedorahosted.org/freeipa/ticket/4419
Before I start any work on Web UI and tests I would like to gather
feedback on:
- the new API
- member attributes with subtypes management approach
- ACI
I did not do any ACI work in the patch yet. I assume that we would like
to add the attr into 'System: Read Host|Service' permission. But I
think that write right should have it's own permission.
I have added 2 new permissions. Simo, are they OK?
for services:
'System: Manage Service Keytab Permissions': {
'ipapermright': {'read', 'search', 'compare', 'write'},
'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
'default_privileges': {'Service Administrators', 'Host Administrators'},
},
for hosts:
'System: Manage Host Keytab Permissions': {
'ipapermright': {'read', 'search', 'compare', 'write'},
'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
'default_privileges': {'Host Administrators'},
},
I'm not sure about the write right for 'objectclass' but it's required in order
to add 'ipaallowedoperations' oc.
Patch info:
Adds new API:
ipa host-add-retrieve-keytab HOSTNAME --users=STR --groups=STR
ipa host-add-write-keytab HOSTNAME --users=STR --groups=STR
ipa host-remove-retrieve-keytab HOSTNAME --users=STR --groups=STR
ipa host-remove-write-keytab HOSTNAME --users=STR --groups=STR
ipa service-add-retrieve-keytab PRINCIPAL --users=STR --groups=STR
ipa service-add-write-keytab PRINCIPAL --users=STR --groups=STR
ipa service-remove-retrieve-keytab PRINCIPAL --users=STR --groups=STR
ipa service-remove-write-keytab PRINCIPAL --users=STR --groups=STR
*-write-keytab commands were changed to *-create-keytab to be consistent with
descriptions
these methods add or remove user or group DNs in `ipaallowedtoperform`
attr with `read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
--all is no longer required
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to write keytab: user1
Groups allowed to write keytab: group1
1) This patch implements subtypes support for attributes members. It's
done to be relatively reusable but it's confined within the RFE
boundaries. I.e. it does not contain support for standard attributes or
is not integrated into LDAPAddMember or LDAPRemoveMember commands. It's
rather as separate opt-ins. One of the reasons was also not to disturb
existing code at the end of 4-1
milestone.
Was replaced by more specific methods more local to a service and a host
plugins.
3) Adding of object class is implemented as a reusable method since this
code is used on many places and most likely will be also used in new
features. Older code may be refactored later.
Thanks
RPC tests added in patch #763.
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
