Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
On 11/18/2010 10:06 PM, Rob Crittenden wrote:
Adam Young wrote:
On 11/18/2010 05:05 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
+ + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
Switched to host-add-managedby and host-remove-managedby. Re-based against tip.
rob
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Just tried to apply to master. am failed, and patch -p provided the following rej:
--- ipalib/plugins/host.py +++ ipalib/plugins/host.py @@ -101,6 +104,9 @@ Flag('has_keytab', label=_('Keytab'), ), + Str('managedby_host', + label='Managed by', + ), Str('subject', label=_('Subject'), ), @@ -453,6 +463,7 @@ Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params + member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs:
As well as
--- tests/test_xmlrpc/test_host_plugin.py +++ tests/test_xmlrpc/test_host_plugin.py
@@ -221,6 +228,7 @@ fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', @@ -247,6 +255,7 @@ l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], has_keytab=False, + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', tests/test_xmlrpc/test_host_plugin.py.rej (END)
Can you try with patch 604 applied?
rob
ACK and pushed to master
Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
Adam Young wrote:
On 11/18/2010 05:05 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
+ + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
Switched to host-add-managedby and host-remove-managedby. Re-based against tip.
rob
Just tried to apply to master. am failed, and patch -p provided the following rej:
--- ipalib/plugins/host.py +++ ipalib/plugins/host.py @@ -101,6 +104,9 @@ Flag('has_keytab', label=_('Keytab'), ), + Str('managedby_host', + label='Managed by', + ), Str('subject', label=_('Subject'), ), @@ -453,6 +463,7 @@ Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params + member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs:
As well as
--- tests/test_xmlrpc/test_host_plugin.py +++ tests/test_xmlrpc/test_host_plugin.py
@@ -221,6 +228,7 @@ fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', @@ -247,6 +255,7 @@ l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], has_keytab=False, + managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', tests/test_xmlrpc/test_host_plugin.py.rej (END)
Can you try with patch 604 applied?
rob
Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
On 11/18/2010 05:05 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
+ + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
Switched to host-add-managedby and host-remove-managedby. Re-based against tip.
rob
Just tried to apply to master. am failed, and patch -p provided the following rej:
--- ipalib/plugins/host.py +++ ipalib/plugins/host.py @@ -101,6 +104,9 @@ Flag('has_keytab', label=_('Keytab'), ), +Str('managedby_host', +label='Managed by', +), Str('subject', label=_('Subject'), ), @@ -453,6 +463,7 @@ Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params +member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs:
As well as
--- tests/test_xmlrpc/test_host_plugin.py +++ tests/test_xmlrpc/test_host_plugin.py @@ -221,6 +228,7 @@ fqdn=[fqdn1], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], +managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC',
@@ -247,6 +255,7 @@ l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%...@%s' % (fqdn1, api.env.realm)], has_keytab=False, +managedby_host=[u'%s' % fqdn1], usercertificate=[base64.b64decode(servercert)], valid_not_before=u'Mon Aug 09 15:02:27 2010 UTC', valid_not_after=u'Sun Aug 09 15:02:27 2020 UTC', tests/test_xmlrpc/test_host_plugin.py.rej (END)
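Review bot: In both tests/test_xmlrpc/test_host_plugin.py hunks the expected value is written as `managedby_host=[u'%s' % fqdn1]`, which only formats fqdn1 into itself if fqdn1 is already a unicode string. Write `managedby_host=[fqdn1]` so it reads the same way as `fqdn=[fqdn1]` in the context of the @@ -221 hunk.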
Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
Rob Crittenden wrote:
Simo Sorce wrote:
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
+ + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
Switched to host-add-managedby and host-remove-managedby. Re-based against tip.
rob
>From 6ab1ba45c3b43911677a5371c76494478a40ce38 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 10 Nov 2010 16:47:29 -0500 Subject: [PATCH 2/2] Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280 --- install/share/default-aci.ldif |8 ++ ipalib/plugins/host.py | 36 - tests/test_xmlrpc/test_host_plugin.py | 112 +++- tests/test_xmlrpc/test_hostgroup_plugin.py |1 + tests/test_xmlrpc/test_netgroup_plugin.py |1 + tests/test_xmlrpc/test_service_plugin.py |2 + 6 files changed, 154 insertions(+), 6 deletions(-) diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 2ca3006..e03c65c 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif
@@ -51,3 +51,11 @@ changetype: modify add: aci aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; acl "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";;) +# Define which hosts can edit other hosts +# The managedby attribute stores the DN of hosts that are allowed to manage +# another host. +dn: cn=computers,cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) + diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 23728fa..2e77dd5 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -65,6 +65,9 @@ EXAMPLES: Disable the host kerberos key: ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test """ import platform @@ -98,6 +101,9 @@ host_output_params = ( Flag('has_keytab', label=_('Keytab'), ), +Str('managedby_host', +label='Managed by', +), Str('subject', label=_('Subject'), ), @@ -135,17 +141,18 @@ class host(LDAPObject): # object_class_config = 'ipahostobjectclasses' search_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', -'nshardwareplatform', 'nsosversion', +'nshardwareplatform', 'nsosversion', 'managedby' ] default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', -'krblastpwdchange', +'krblastpwdchange', 'managedby' ] uuid_attribute = 'ipauniqueid' attribute_members = { 'enrolledby': ['user'], 'memberof': ['hostgroup', 'netgroup', 'rolegroup'], +'managedby': ['host'], } label = _('Hosts') 
@@ -233,6 +240,7 @@ class host_add(LDAPCreate): has_output_params = LDAPCreate.has_output_params + host_output_params msg_summary = _('Added host "%(value)s"') +member_attributes = ['managedby'] takes_options = ( Flag('force', doc=_('force host name even if not in DNS'), @@ -286,6 +294,7 @@ class host_del(LDAPDelete): """ msg_summary = _('Deleted host "%(value)s"') +member_attributes = ['managedby'] def pre_callback(self, ldap, dn, *keys, **options): # If we aren't given a fqdn, find it @@ -346,6 +355,7 @@ class host_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + host_output_params msg_summary = _('Modified host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPUpdate.takes_options + ( Str('krbprincipalname?', @@ -404,7 +414,6 @@ class host_mod(LDAPUpdate): entry_attrs['userpassword'] = ipa_generate_password() setattr(context, 'randompassword', entry_attrs['userpassword']) del entry_attrs['random'] -entry_attrs['managedby'] = dn return dn @@ -426,6 +435,7 @@ class host_find(LDAPSearch): msg_summary = ngettext(
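Review bot: In the install/share/default-aci.ldif hunk, the new ACI gives write access to krbPrincipalKey as well as userCertificate to every DN stored in managedby, but the comment above it only says such hosts are "allowed to manage another host". Say in that comment that a managing host can replace the managed host's Kerberos key, and explain why the bind rule lists both levels in `parent[0,1]` when the ACI sits on cn=computers and host entries live one level below it. The blank `+` line the hunk adds at the end of the file can be dropped.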
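Review bot: The host_mod hunk at -404 removes `entry_attrs['managedby'] = dn` from the random-password path, and the commit message does not mention it. Please state where a host's own DN is written to managedby after this change, since the test hunks posted in this thread expect `managedby_host` to contain the host's own fqdn, and note the removal in the commit message.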
Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
Simo Sorce wrote:
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
+ + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
Switched to host-add-managedby and host-remove-managedby.
rob
>From 18dde9f8a0229679e5f9519a71a71acda833d0e2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 10 Nov 2010 16:47:29 -0500 Subject: [PATCH] Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280 --- ipalib/plugins/host.py | 35 - tests/test_xmlrpc/test_host_plugin.py | 112 +++- tests/test_xmlrpc/test_hostgroup_plugin.py |1 + tests/test_xmlrpc/test_netgroup_plugin.py |1 + tests/test_xmlrpc/test_service_plugin.py |2 + 5 files changed, 146 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 2c23580..4602f85 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -59,6 +59,9 @@ EXAMPLES: Disable the host kerberos key: ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test """ import platform @@ -102,6 +105,9 @@ host_output_params = ( Flag('has_keytab', label=_('Keytab'), ), +Str('managedby_host', +label='Managed by', +), Str('subject', label=_('Subject'), ),
@@ -139,17 +145,18 @@ class host(LDAPObject): # object_class_config = 'ipahostobjectclasses' search_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', -'nshardwareplatform', 'nsosversion', +'nshardwareplatform', 'nsosversion', 'managedby' ] default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', -'krblastpwdchange', +'krblastpwdchange', 'managedby' ] uuid_attribute = 'ipauniqueid' attribute_members = { 'enrolledby': ['user'], 'memberof': ['hostgroup', 'netgroup', 'rolegroup'], +'managedby': ['host'], } label = _('Hosts') @@ -237,6 +244,7 @@ class host_add(LDAPCreate): has_output_params = LDAPCreate.has_output_params + host_output_params msg_summary = _('Added host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPCreate.takes_options + ( Flag('force', doc=_('force host name even if not in DNS'), @@ -328,6 +336,7 @@ class host_del(LDAPDelete): """ msg_summary = _('Deleted host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPCreate.takes_options + ( Flag('updatedns?', @@ -441,6 +450,7 @@ class host_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + host_output_params msg_summary = _('Modified host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPUpdate.takes_options + ( Str('krbprincipalname?', @@ -521,6 +531,7 @@ class host_find(LDAPSearch): msg_summary = ngettext( '%(count)d host matched', '%(count)d hosts matched' ) +member_attributes = ['managedby'] def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): if 'locality' in attrs_list: @@ -541,6 +552,7 @@ class host_show(LDAPRetrieve): Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params +member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs: 
@@ -639,3 +651,22 @@ class host_disable(LDAPQuery): ) api.register(host_disable) + +class host_add_managedby(LDAPAddMember): +""" +Add hosts that can manage this host. +""" +member_attributes = ['managedby'] +has_output_params = LDAPAddMember.has_output_params + host_output_params + +api.register(host_add_managedby) + + +class host_remove_managedby(LDAPRemoveMember): +""" +Remove hosts that can manage this host. +""" +member_attributes = ['managedby'] +has_output_params = LDAPRemoveMember.has_output_params + host_output_params + +api.register(host_remove_managedby) dif
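Review bot: In the host_output_params hunk at -102, `label='Managed by'` is a plain string while the entries on either side use `label=_('Keytab')` and `label=_('Subject')`. Wrap it as `label=_('Managed by')` so the new label is translatable like its neighbours.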
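Review bot: In the `class host(LDAPObject)` hunk at -139, appending 'managedby' to search_attributes and default_attributes drops the trailing comma that both lists had on the removed lines. Keep it (`'nsosversion', 'managedby',`) so the next attribute added is a one-line diff, and confirm that matching search text against managedby is wanted in host-find.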
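Review bot: The host_del hunk at -328 sets `member_attributes = ['managedby']` on the delete command, which in the visible context carries only a msg_summary and no host_output_params, unlike host_add and host_mod. If delete never returns the entry, the line has no effect and should be dropped; if it is needed, a short comment saying why would help.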
Re: [Freeipa-devel] [PATCH] 607 add managedby to hosts
On Tue, 09 Nov 2010 14:00:00 -0500 Rob Crittenden wrote:
> + > + Add a host that can manage this host's keytab and certificate: > + ipa host-add-host --hosts=test2 test > """ >
I do not want to nack, but looking at this command in isolation I am quite confused at what it is supposed to do (think about seeing it in a log file and wondering what it means w/o further context).
What does it mean to add a host into a host (host-add-host)? And which one is added to the other one? test in test2 or test2 in test?
I do not know if we can change names/syntax to make this more immediately understandable, but if we can I'd like to do that.
Obscure/confusing syntaxes generally make it easier to make mistakes, which are bad in a tool used to manage security.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 607 add managedby to hosts
This will let one host do things on behalf of another host (request a keytab, certificate, etc). ticket https://fedorahosted.org/freeipa/ticket/280 rob >From 9e9ae1b890c324f05af71540763631a6e91c2a06 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 9 Nov 2010 13:57:02 -0500 Subject: [PATCH] Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280 --- ipalib/plugins/host.py | 35 +++- tests/test_xmlrpc/test_host_plugin.py | 87 +++- tests/test_xmlrpc/test_hostgroup_plugin.py |1 + tests/test_xmlrpc/test_netgroup_plugin.py |1 + tests/test_xmlrpc/test_service_plugin.py |2 + 5 files changed, 121 insertions(+), 5 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 2c23580..d4ba69f 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -59,6 +59,9 @@ EXAMPLES: Disable the host kerberos key: ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-host --hosts=test2 test """ import platform @@ -102,6 +105,9 @@ host_output_params = ( Flag('has_keytab', label=_('Keytab'), ), +Str('managedby_host', +label='Managed by', +), Str('subject', label=_('Subject'), ), @@ -139,17 +145,18 @@ class host(LDAPObject): # object_class_config = 'ipahostobjectclasses' search_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', -'nshardwareplatform', 'nsosversion', +'nshardwareplatform', 'nsosversion', 'managedby' ] default_attributes = [ 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', -'krblastpwdchange', +'krblastpwdchange', 'managedby' ] uuid_attribute = 'ipauniqueid' attribute_members = { 'enrolledby': ['user'], 'memberof': ['hostgroup', 'netgroup', 'rolegroup'], +'managedby': ['host'], } label = _('Hosts') 
@@ -237,6 +244,7 @@ class host_add(LDAPCreate): has_output_params = LDAPCreate.has_output_params + host_output_params msg_summary = _('Added host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPCreate.takes_options + ( Flag('force', doc=_('force host name even if not in DNS'), @@ -328,6 +336,7 @@ class host_del(LDAPDelete): """ msg_summary = _('Deleted host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPCreate.takes_options + ( Flag('updatedns?', @@ -441,6 +450,7 @@ class host_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + host_output_params msg_summary = _('Modified host "%(value)s"') +member_attributes = ['managedby'] takes_options = LDAPUpdate.takes_options + ( Str('krbprincipalname?', @@ -521,6 +531,7 @@ class host_find(LDAPSearch): msg_summary = ngettext( '%(count)d host matched', '%(count)d hosts matched' ) +member_attributes = ['managedby'] def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): if 'locality' in attrs_list: @@ -541,6 +552,7 @@ class host_show(LDAPRetrieve): Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params +member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs: @@ -639,3 +651,22 @@ class host_disable(LDAPQuery): ) api.register(host_disable) + +class host_add_host(LDAPAddMember): +""" +Add hosts that can manage this host. +""" +member_attributes = ['managedby'] +has_output_params = LDAPAddMember.has_output_params + host_output_params + +api.register(host_add_host) + + +class host_remove_host(LDAPRemoveMember): +""" +Remove hosts that can manage this host. +""" +member_attributes = ['managedby'] +has_output_params = LDAPRemoveMember.has_output_params + host_output_params + +api.register(host_remove_host) 
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 283674c..83a2c3b 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -35,6 +35,9 @@ service1 = u'dns/%...@%s' % (fqdn1, api.env.realm) service1dn = u'krbprincipalname=%s,cn=services,cn=accounts,%s' % (service1.lower(), api.env.basedn) fqdn2 = u'shouldnotexist.%s' % api.env.domain dn2 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn2, api.env.basedn) +fqdn3 = u'testhost2.%s' % api.env.domain +short3 = u'testhost2' +dn3 = u'fqdn=%s,cn=computers,cn=accounts,%s' % (fqdn3, api.env.basedn) servercert = 'MIICbzCCAdigAwIBAgICA/4wDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3
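Review bot: The EXAMPLES hunk at -59 uses the short names `test2` and `test`, while the example directly above it uses `test.example.com`, and the description line does not say which argument is the managing host. Use FQDNs in the example and spell out the direction in the description, for instance that the host given in --hosts becomes a manager of the host named as the positional argument.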
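Review bot: In the tests/test_xmlrpc/test_host_plugin.py hunk at -35, the literal 'testhost2' is typed twice, once in `fqdn3` and once in `short3`. Define `short3` first and build `fqdn3` from it, e.g. `fqdn3 = u'%s.%s' % (short3, api.env.domain)`, so the two cannot drift apart.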