On 06/11/2014 06:39 PM, Petr Viktorin wrote:
> Patch 0578 does the conversion
>
> Patch 0579 fixes https://fedorahosted.org/freeipa/ticket/4252 and provides
> permissions needed for automatic enrollment (from
> http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser)
1) Inconsistent casing in permission names:

    System: Add Hosts
    System: Add krbPrincipalName to a host
    System: Enroll a host
    System: Manage Host SSH Public Keys
    System: Manage host keytab
    System: Modify Hosts
    System: Remove Hosts

2) This ACI does not look right, missing enrolledby:

+ 'System: Enroll a host': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'objectclass'},

When I fixed 2) via permission-mod, client enrollment with a user with the "Host Administrators" privilege worked fine.

3) I hit one issue: when I open the Web UI host tab, I get an "Insufficient access: No such virtual command" error triggered by the "cert-show" command. We will need to add the permission "System: Read Virtual Operations" that Honza is creating also to "Host Administrators" to fix that part.

4) I ran the unit tests and found a few missing attributes:

- the update hosts ACI should get the "macaddress" attribute

5) I hit one nasty issue when running the unit tests (my master stopped working, as its host account was deleted): the host_is_master function in baseldap no longer works, as we hid cn=masters from regular users:

    # imports needed to run this outside of baseldap.py
    from ipalib import api, errors, _
    from ipapython.dn import DN

    def host_is_master(ldap, fqdn):
        """
        Check to see if this host is a master.

        Raises an exception if a master, otherwise returns nothing.
        """
        master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
                       ('cn', 'etc'), api.env.basedn)
        try:
            # any read failure below, including one caused by an ACI that
            # hides cn=masters from the bound user, surfaces as NotFound
            ldap.get_entry(master_dn, ['objectclass'])
            raise errors.ValidationError(name='hostname',
                error=_('An IPA master host cannot be deleted or disabled'))
        except errors.NotFound:
            # Good, not a master
            return

This means that host-del on a master machine or service-del on a master service happily passes. We need to make sure this functionality is still working after the permission refactoring. Should we reconsider the cn=masters tree and allow authenticated users to see the list of IPA servers (without digging into any other detail like services) then?
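Review bot: 'ipapermdefaultattr' for 'System: Enroll a host' lists only 'objectclass', so a principal holding this permission cannot write 'enrolledby' during enrollment; add it to the set, e.g. `'ipapermdefaultattr': {'objectclass', 'enrolledby'},` (the reply above confirms enrollment worked once the attribute was added with permission-mod).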
Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
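Item 5 above describes a check that fails open: host_is_master treats NotFound as "not a master", but an ACI that hides cn=masters from the bound user yields exactly the same NotFound. The following is an added example, not FreeIPA's own code; the in-memory directory, the "visible subtree" rule standing in for a 389-ds ACI, and the DNs are all constructed. It reproduces the silent pass and shows a fail-closed variant that first confirms the cn=masters container itself is readable.

```python
class NotFound(Exception):
    """Stand-in for errors.NotFound; raised for absent AND for ACI-hidden entries."""

class ValidationError(Exception):
    """Stand-in for errors.ValidationError."""

class FakeLDAP:
    """Constructed in-memory directory. The bound user may only read entries
    under 'visible'; anything else raises NotFound, which is how a 389-ds ACI
    that hides a subtree appears to the client."""
    def __init__(self, entries, visible):
        self.entries, self.visible = entries, visible

    def get_entry(self, dn, attrs=None):
        if dn in self.entries and dn.endswith(self.visible):
            return dict(self.entries[dn])
        raise NotFound(dn)

BASEDN = "dc=example,dc=test"                      # constructed suffix
MASTERS = "cn=masters,cn=ipa,cn=etc," + BASEDN

def host_is_master_fail_open(ldap, fqdn):
    """Mirrors the logic quoted in item 5: NotFound means 'not a master'."""
    try:
        ldap.get_entry("cn=%s,%s" % (fqdn, MASTERS), ["objectclass"])
    except NotFound:
        return False   # also reached when an ACI merely hides the entry
    raise ValidationError("An IPA master host cannot be deleted or disabled")

def host_is_master_fail_closed(ldap, fqdn):
    """Hardened variant: if the caller cannot read the cn=masters container
    at all, the answer is unknown, so refuse rather than allow."""
    try:
        ldap.get_entry(MASTERS, ["objectclass"])
    except NotFound:
        raise PermissionError("cannot read %s, refusing to decide" % MASTERS)
    return host_is_master_fail_open(ldap, fqdn)

# Constructed directory: the container, one master entry, one ordinary host.
DIRECTORY = {
    MASTERS: {"objectclass": ["nsContainer"]},
    "cn=ipa1.example.test," + MASTERS: {"objectclass": ["nsContainer"]},
    "fqdn=web1.example.test,cn=computers,cn=accounts," + BASEDN:
        {"objectclass": ["ipaHost"]},
}
ADMIN = FakeLDAP(DIRECTORY, BASEDN)                        # reads everything
HOST_ADMIN = FakeLDAP(DIRECTORY, "cn=accounts," + BASEDN)  # cn=masters hidden
```

With the HOST_ADMIN bind the page's logic returns False for the real master, so a host-del would proceed; the fail-closed variant raises instead.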