On 06/30/2014 10:55 AM, Petr Viktorin wrote:
> On 06/27/2014 05:18 PM, Martin Kosek wrote:
>> On 06/27/2014 05:16 PM, Simo Sorce wrote:
>>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>>>> Host Administrators could not write to the service keytab attribute and
>>>>>> thus they could not run the host-disable command.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>>>
>>>>>
>>>>> Any reason why Host Administrators are not members of the service
>>>>> Administrators group/permission by default ?
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> I assume that the original intent was to allow admins to separate these
>>>> privileges. I.e. allow service administrators to manage services on hosts
>>>> but do not allow them to delete or disable the hosts.
>>>
>>> Sure, but I asked the opposite question. I understand you may want to
>>> have Service Administrators that cannot manage the host object.
>>> But is there ever a case where Host Administrator is not also Service
>>> Administrator ?
>>>
>>>> This patch fixes the reported request for Foreman integration; if you have
>>>> a better one fixing it as well, we can go a different way.
>>>
>>> I was wondering if a group membership change wouldn't solve a class of
>>> problems, instead of fixing this on per permission basis, that's all.
>>>
>>> Simo.
>>>
>>
>> Sure, good thinking. I do not think that the current framework can make one
>> privilege a member of another one, so this would need to be hacked in. CCing
>> Petr3 to get his view on this.
> 
> Right, it would need to be hacked in.
> At the directory level there's normal membership, so any
> permission/privilege/role/group can be nested in any other, but IPA will
> probably give incomplete/confusing output for such memberships, and it won't
> let you edit them.

Ok. In that case, it seems to me that the lesser evil would be to just add this
missing permission (or defer the ticket if nacked).

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel