On 10/03/2014 04:47 PM, Petr Vobornik wrote:
On 3.10.2014 16:24, Martin Kosek wrote:
NACK. I will not comment on mechanics, if you get an ACK from Honza, it
is good enough. I just do not like the API. It is hard to guess what
"host-add-retrieve-keytab" means. That word does not even make much sense.

Can we use something more readable? For example:

ipa host-add-allowed-operation HOSTNAME --operation read_keys
--users=STR --groups STR
ipa host-add-allowed-operation HOSTNAME --operation write_keys
--users=STR --groups STR


ipa host-remove-allowed-operation HOSTNAME --operation read_keys
--users=STR --groups STR
ipa host-remove-allowed-operation HOSTNAME --operation write_keys
--users=STR --groups STR

Same with services. At least to me, it looks more readable.


Seems to me as adding of allowed operation. Not allowing an operation.

What about:

ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR

or if we expect more operations in a future:

ipa host-allow-operation HOSTNAME --operation read-keys --users=STR --groups STR
ipa host-disallow-operation HOSTNAME --operation read-keys --users=STR --groups
ipa host-allow-operation HOSTNAME --operation write-keys --users=STR --groups 
ipa host-disallow-operation HOSTNAME --operation write-keys --users=STR
--groups STR

or if we want to keep 'add' and 'remove' in command names:

ipa host-add-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-add-create-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-remove-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
ipa host-remove-create-keytab-right HOSTNAME --users=STR --groups=STR

personally I'm not a fan o the --operation switch, but could be persuaded by a
'future' usage.

ipa host-allow-operation HOSTNAME --operation read-keys --users=STR --groups STR

and friends looks the best to me. Given the way the ipaAllowedOperation attribute is designed (countless possible sub types), new future operations can be expected. Simo or Rob, any opinion on this API?


Freeipa-devel mailing list

Reply via email to