On 16.10.2014 at 20:28, Martin Kosek wrote:
On 10/16/2014 07:03 PM, Petr Vobornik wrote:
On 16.10.2014 11:53, Jan Cholasta wrote:
On 16.10.2014 at 11:24, Petr Vobornik wrote:
On 16.10.2014 09:54, Jan Cholasta wrote:
On 13.10.2014 at 12:42, Petr Vobornik wrote:
On 8.10.2014 18:51, Petr Vobornik wrote:
On 1.10.2014 18:15, Petr Vobornik wrote:
Hello list,

Patch for: https://fedorahosted.org/freeipa/ticket/4419


New revisions of 761 and 763 with updated API and ACIs:

Given:

Given the implementation, I see you can't remove it from
snip
OK, you are obviously not responsible for this mess, so let's go with
it.
snip
ugly hacks though.)>
snip
I'm not particularly happy about the '_subtype' option business, but at
least it's not invasive, so I guess it's OK.

Note that I still think this API sucks and we should instead go with the
generic member-like attribute approach, or take our time to design it
properly so that it fits in the framework (no time in 4.1) instead of
making it a hacky Franken-API like it is now.


and a discussion with Honza

I've attached alternative versions of this patch - based on 761-1 with
API as follows:

   ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
   ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
   ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
   ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR

   ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
   ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
   ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
   ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR

and updated ACIs

Both approaches have their own drawbacks.

Given the discussion we had, I think I can live with this version too,
especially if it makes the API or the code less hacky than with the
API version I proposed.

So if Honza ACKs the code, I am fine with this API version.

Patch 761:

ACK on the approach.

The commands do not show failed members in the CLI. To fix this, add:

    Str('ipaallowedtoperform_read_keys',
        label=_('Failed allowed to retrieve keytab'),
    ),
    Str('ipaallowedtoperform_write_keys',
        label=_('Failed allowed to create keytab'),
    ),

to the global output param lists in service and host plugins. (Feel free to fix the label to your liking.)


Patch 763:

ACK.

--
Jan Cholasta
