On 03/25/2013 02:41 PM, Martin Kosek wrote:
> On 03/18/2013 12:38 PM, Jan Cholasta wrote:
>> Hi,
>> this patch implements <https://fedorahosted.org/freeipa/ticket/3329>.
>> Because the design is not finished yet, this is a minimal implementation - it
>> uses the krbTicketFlags attribute directly (which means no delegation of rights
>> to modify specific flags to specific admins) and there is no support for
>> per-service type default values.
>> Honza
> I checked what you have already and this is what I found:
> 1) Internal error if I try to remove krbticketflags via *attr functions:
> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> # ipa service-add foo/`hostname`
> ------------------------------------------------------------------------
> Added service "foo/vm-037.idm.lab.bos.redhat....@idm.lab.bos.redhat.com"
> ------------------------------------------------------------------------
> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
> only thing that's left to be decided is the granularity of the ACIs used to
> control this flag.

I read this part of the design proposal discussion wrong, this is already decided -
we do not want to have fine-grained granularity, these are too powerful flags
to be delegated per-flag to lower admins.

So I think that your current approach is sufficient, I do not think we need to
add this attribute to some host/service related permission, to avoid allowing
this sensitive attribute for lower level admins automatically. If someone wants
it, he can add and assign an appropriate permission.
