On 06/30/2014 02:37 PM, Simo Sorce wrote:
On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:
On 06/30/2014 10:58 AM, Martin Kosek wrote:
On 06/30/2014 10:55 AM, Petr Viktorin wrote:
On 06/27/2014 05:18 PM, Martin Kosek wrote:
On 06/27/2014 05:16 PM, Simo Sorce wrote:
On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
On 06/27/2014 05:10 PM, Simo Sorce wrote:
On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284


Any reason why Host Administrators are not members of the service
Administrators group/permission by default?

Simo.


I assume that the original intent was to allow admins to separate these
privileges. I.e. allow service administrators to manage services on hosts but do
not allow them to delete or disable the hosts.

Sure, but I asked the opposite question. I understand you may want to
have Service Administrators that cannot manage the host object.
But is there ever a case where Host Administrator is not also Service
Administrator?

This patch fixes the reported request for Foreman integration. If you have a
better one fixing it as well, we can go a different way.

I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on per permission basis, that's all.

Simo.


Sure, good thinking. I do not think that the current framework can make one
privilege a member of another one, so this would need to be hacked in. CCing
Petr3 to get his view on this.

Right, it would need to be hacked in.
At the directory level there's normal membership, so any
permission/privilege/role/group can be nested in any other, but IPA will
probably give incomplete/confusing output for such memberships, and it won't
let you edit them.

Ok. In that case, it seems to me that the lesser evil would be to just add this
missing permission (or defer the ticket if nacked).

Martin

I agree. ACK if Simo is OK with it as well.

Sure, no issues here.

Simo.



Pushed to master: 50c30c8401c21d43414404bd5caa157196449e4c


--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
