On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:
> On 06/30/2014 10:58 AM, Martin Kosek wrote:
> > On 06/30/2014 10:55 AM, Petr Viktorin wrote:
> >> On 06/27/2014 05:18 PM, Martin Kosek wrote:
> >>> On 06/27/2014 05:16 PM, Simo Sorce wrote:
> >>>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
> >>>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
> >>>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
> >>>>>>> Host Administrators could not write to the service keytab attribute
> >>>>>>> and thus they could not run the host-disable command.
> >>>>>>>
> >>>>>>> https://fedorahosted.org/freeipa/ticket/4284
> >>>>>>
> >>>>>> Any reason why Host Administrators are not members of the Service
> >>>>>> Administrators group/permission by default?
> >>>>>>
> >>>>>> Simo.
> >>>>>
> >>>>> I assume that the original intent was to allow admins to separate
> >>>>> these privileges, i.e. allow service administrators to manage
> >>>>> services on hosts but not allow them to delete or disable the hosts.
> >>>>
> >>>> Sure, but I asked the opposite question. I understand you may want to
> >>>> have Service Administrators that cannot manage the host object.
> >>>> But is there ever a case where a Host Administrator is not also a
> >>>> Service Administrator?
> >>>>
> >>>>> This patch fixes the reported request for Foreman integration; if you
> >>>>> have a better one fixing it as well, we can go a different way.
> >>>>
> >>>> I was wondering if a group membership change wouldn't solve a class of
> >>>> problems, instead of fixing this on a per-permission basis, that's all.
> >>>>
> >>>> Simo.
> >>>
> >>> Sure, good thinking. I do not think that the current framework can make
> >>> one privilege a member of another one, so this would need to be hacked
> >>> in. CCing Petr3 to get his view on this.
> >>
> >> Right, it would need to be hacked in.
> >> At the directory level there's normal membership, so any
> >> permission/privilege/role/group can be nested in any other, but IPA will
> >> probably give incomplete/confusing output for such memberships, and it
> >> won't let you edit them.
> >
> > Ok. In that case, it seems to me that the lesser evil would be to just
> > add this missing permission (or defer the ticket if nacked).
> >
> > Martin
>
> I agree. ACK if Simo is OK with it as well.

Sure, no issues here.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
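The thread weighs two ways of letting Host Administrators write the service keytab attribute: add the one missing permission to the privilege (the patch), or nest the whole Service Administrators privilege inside it through ordinary directory membership (Simo's suggestion, which Petr notes the IPA framework would not display or edit). The following is an added example, not FreeIPA code or the patch under review: a small Python model of the role -> privilege -> permission -> attribute chain with constructed permission and privilege names, in which the object types, the rights each permission carries and the attribute name krbPrincipalKey are assumptions made for illustration. It resolves nested privilege membership transitively (with a cycle guard, since nothing at the LDAP level prevents two privileges from containing each other) and compares what each variant newly grants.

```python
"""Toy model of FreeIPA-style access control: privilege -> permission ->
attribute rights. Added example, not FreeIPA code; the privilege and
permission names, object types, rights and attribute names below are
assumptions for illustration. In the real directory every membership is a
plain LDAP member/memberOf relation, which is what would let one privilege
be nested in another even though the IPA framework does not expose that."""
from collections import deque
from copy import deepcopy

# Constructed permissions: name -> (target object type, right, attributes).
# Attribute names are stored lower-cased, as LDAP compares them.
PERMISSIONS = {
    "Manage Host Keytab": ("host", "write", {"krbprincipalkey"}),
    "Remove Hosts": ("host", "delete", set()),
    "Manage Service Keytab": ("service", "write", {"krbprincipalkey"}),
    "Add Services": ("service", "add", set()),
    "Remove Services": ("service", "delete", set()),
}

# Constructed privileges before any fix: "permissions" are direct members,
# "privileges" are nested privileges (empty here, as in stock IPA).
BASE_PRIVILEGES = {
    "Host Administrators": {
        "permissions": ["Manage Host Keytab", "Remove Hosts"],
        "privileges": [],
    },
    "Service Administrators": {
        "permissions": ["Manage Service Keytab", "Add Services", "Remove Services"],
        "privileges": [],
    },
}


def effective_permissions(privilege, privileges):
    """All permissions reachable from `privilege`, following nested privilege
    membership transitively. `seen` guards against membership cycles."""
    seen, perms = set(), set()
    queue = deque([privilege])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        entry = privileges[name]
        perms.update(entry["permissions"])
        queue.extend(entry["privileges"])
    return perms


def can_access(privilege, privileges, target, right, attribute=None):
    """True if some reachable permission grants `right` on `target` objects
    (and, when `attribute` is given, on that attribute)."""
    for perm in effective_permissions(privilege, privileges):
        p_target, p_right, attrs = PERMISSIONS[perm]
        if p_target != target or p_right != right:
            continue
        if attribute is None or attribute.lower() in attrs:
            return True
    return False


def with_direct_permission(base):
    """Variant 1: add only the missing permission to the privilege."""
    fixed = deepcopy(base)
    fixed["Host Administrators"]["permissions"].append("Manage Service Keytab")
    return fixed


def with_nested_privilege(base):
    """Variant 2: nest the whole Service Administrators privilege."""
    fixed = deepcopy(base)
    fixed["Host Administrators"]["privileges"].append("Service Administrators")
    return fixed


def added_grants(privilege, before, after):
    """Permissions `after` grants to `privilege` that `before` did not."""
    return effective_permissions(privilege, after) - effective_permissions(privilege, before)


if __name__ == "__main__":
    for label, fn in (("direct permission", with_direct_permission),
                      ("nested privilege", with_nested_privilege)):
        fixed = fn(BASE_PRIVILEGES)
        ok = can_access("Host Administrators", fixed, "service", "write", "krbPrincipalKey")
        extra = sorted(added_grants("Host Administrators", BASE_PRIVILEGES, fixed))
        print(f"{label}: service keytab writable={ok}, newly granted={extra}")
```

Running the block shows both variants make the service keytab attribute writable, but the nested-privilege variant also hands Host Administrators every other permission of Service Administrators, which is the separation Martin describes wanting to keep; the direct-permission variant grants exactly one new permission. The same `added_grants` comparison is the check worth running, against the real privilege contents, before choosing either approach in a deployment.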