On 10/03/2014 04:47 PM, Petr Vobornik wrote:
On 3.10.2014 16:24, Martin Kosek wrote:
NACK. I will not comment on mechanics, if you get an ACK from Honza, it
is good enough. I just do not like the API. It is hard to guess what
"host-add-retrieve-keytab" means. That word does not even make much sense.
Can we use something more readable? For example:
ipa host-add-allowed-operation HOSTNAME --operation read_keys --users=STR --groups STR
ipa host-add-allowed-operation HOSTNAME --operation write_keys --users=STR --groups STR
and
ipa host-remove-allowed-operation HOSTNAME --operation read_keys --users=STR --groups STR
ipa host-remove-allowed-operation HOSTNAME --operation write_keys --users=STR --groups STR
Same with services. At least to me, it looks more readable.
Thanks,
Martin
Seems to me as adding of allowed operation. Not allowing an operation.
What about:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
or if we expect more operations in the future:
ipa host-allow-operation HOSTNAME --operation read-keys --users=STR --groups STR
ipa host-disallow-operation HOSTNAME --operation read-keys --users=STR --groups STR
ipa host-allow-operation HOSTNAME --operation write-keys --users=STR --groups STR
ipa host-disallow-operation HOSTNAME --operation write-keys --users=STR --groups STR
or if we want to keep 'add' and 'remove' in command names:
ipa host-add-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-add-create-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-remove-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-remove-create-keytab-right HOSTNAME --users=STR --groups=STR
Personally I'm not a fan of the --operation switch, but could be persuaded by a
'future' usage.
ipa host-allow-operation HOSTNAME --operation read-keys --users=STR --groups STR
and friends looks the best to me. Given the way the ipaAllowedOperation
attribute is designed (countless possible sub types), new future operations can
be expected. Simo or Rob, any opinion on this API?
Martin