On 03/25/2013 02:41 PM, Martin Kosek wrote:
> On 03/18/2013 12:38 PM, Jan Cholasta wrote:
>> Hi,
>>
>> this patch implements <https://fedorahosted.org/freeipa/ticket/3329>.
>>
>> Because the design is not finished yet, this is a minimal implementation - it
>> uses the krbTicketFlags attribute directly (which means no delegation of rights
>> to modify specific flags to specific admins) and there is no support for
>> per-service type default values.
>>
>> Honza
>>
>>
> 
> I checked what you have already and this is what I found:
> 
> 1) Internal error if I try to remove krbticketflags via *attr functions:
> 
> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> # ipa service-add foo/`hostname`
> ------------------------------------------------------------------------
> Added service "foo/vm-037.idm.lab.bos.redhat....@idm.lab.bos.redhat.com"
> ------------------------------------------------------------------------
> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> 
> 
> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
> only thing that's left to be decided is the granularity of the ACIs used to
> control this flag.

I read this part of the design proposal discussion wrong, this is already decided -
we do not want to have fine-grained granularity, these are too powerful flags
to be delegated per-flag to lower admins.

So I think that your current approach is sufficient, I do not think we need to
add this attribute to some host/service related permission to avoid allowing
this sensitive attribute for lower level admins automatically. If someone wants
it, he can add and assign an appropriate permission.

Martin
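The internal error reported above is triggered by handing the string "None" to krbticketflags through --setattr. The following is an added example, not code from the FreeIPA patch or project: a small validator that turns such input into a clean, user-facing validation error and decodes a valid bitmask into flag names. The bit values are the KRB5_KDB_* principal flags from krb5's kdb.h; the ValidationError class and the parse/decode helpers are hypothetical stand-ins for wherever an attribute value would be checked before it reaches LDAP.

```python
"""Added example (not FreeIPA's own code): parse and decode a krbTicketFlags value.

Bit values are the KRB5_KDB_* principal flags from krb5's kdb.h. The
ValidationError class and the helpers below are hypothetical: they show how
a value such as "None" can be rejected cleanly instead of causing an internal
error, and why these flags are sensitive (e.g. OK_AS_DELEGATE).
"""

# krb5 kdb.h principal flag bits -> names
KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00004000: "SUPPORT_DESMD5",
    0x00008000: "NEW_PRINC",
    0x00100000: "OK_AS_DELEGATE",
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}

# Mask of every bit this validator knows about; anything else is rejected.
KNOWN_MASK = 0
for _bit in KDB_FLAGS:
    KNOWN_MASK |= _bit


class ValidationError(ValueError):
    """Clean, user-facing error for a bad attribute value (hypothetical)."""


def parse_ticket_flags(value):
    """Return the integer bitmask for a krbTicketFlags value.

    Accepts an int, a decimal/hex string, or None / "" / "None" (meaning the
    attribute is being cleared; returned as None). Anything else raises
    ValidationError rather than propagating an unexpected exception.
    """
    if value is None:
        return None
    if isinstance(value, bool):
        raise ValidationError("krbTicketFlags must be an integer, not a boolean")
    if isinstance(value, int):
        flags = value
    elif isinstance(value, str):
        text = value.strip()
        if text == "" or text.lower() == "none":
            return None
        try:
            # base 0 accepts "1048576" as well as "0x100000"
            flags = int(text, 0)
        except ValueError:
            raise ValidationError("krbTicketFlags must be an integer, got %r" % value)
    else:
        raise ValidationError("unsupported value type %s" % type(value).__name__)
    if flags < 0 or flags > 0xFFFFFFFF:
        raise ValidationError("krbTicketFlags out of 32-bit range: %d" % flags)
    unknown = flags & ~KNOWN_MASK
    if unknown:
        raise ValidationError("unknown flag bits set: 0x%x" % unknown)
    return flags


def ticket_flags_error(value):
    """Return None if the value is acceptable, else the validation message."""
    try:
        parse_ticket_flags(value)
    except ValidationError as e:
        return str(e)
    return None


def decode_ticket_flags(flags):
    """Return the names of the flags set in an integer bitmask, lowest bit first."""
    return [name for bit, name in sorted(KDB_FLAGS.items()) if flags & bit]


if __name__ == "__main__":
    for sample in ("None", "0x100000", "1048704", "banana"):
        err = ticket_flags_error(sample)
        if err:
            print("%r -> rejected: %s" % (sample, err))
        else:
            parsed = parse_ticket_flags(sample)
            print("%r -> %r %s" % (sample, parsed, decode_ticket_flags(parsed or 0)))
```

Rejecting unknown bits is a deliberate choice: a value with stray bits is more likely a typo than an intentional setting, and refusing it keeps an operator from silently writing an unexpected policy to the KDC.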

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel