`--hosts` option added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve the keytab of their services or of related hosts, as described on the http://www.freeipa.org/page/V4/Keytab_Retrieval design page

https://fedorahosted.org/freeipa/ticket/4777


I'm pondering how to handle the Web UI. I'm not fond of adding a third pair of tables to the host and service details pages, because the amount of page space the keytab management would require is much bigger than its importance compared to the other fields.
--
Petr Vobornik
From 5a7b77d47abd5b0ca5b97b667d1478c5e8f8dc3d Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Mon, 1 Dec 2014 10:15:21 +0100
Subject: [PATCH] add --hosts option to allow/retrieve keytab methods

`--hosts` option added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve the keytab of their services or of related hosts, as described on the http://www.freeipa.org/page/V4/Keytab_Retrieval design page

https://fedorahosted.org/freeipa/ticket/4777
---
 API.txt                                     | 24 ++++++++----
 VERSION                                     |  4 +-
 ipalib/plugins/host.py                      | 18 ++++++---
 ipalib/plugins/service.py                   | 18 ++++++---
 ipatests/test_xmlrpc/test_host_plugin.py    | 58 ++++++++++++++++++++++++++---
 ipatests/test_xmlrpc/test_service_plugin.py | 42 ++++++++++++++++-----
 6 files changed, 128 insertions(+), 36 deletions(-)

diff --git a/API.txt b/API.txt
index 2a63f1e2349f0df69433fa7cb742e269cd42d79f..8c0b530cb0b7855594beeb12f891c29e31893ed5 100644
--- a/API.txt
+++ b/API.txt
@@ -1826,10 +1826,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_create_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1838,10 +1839,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_retrieve_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1866,10 +1868,11 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: host_disallow_create_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1878,10 +1881,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3529,10 +3533,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_create_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3541,10 +3546,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_retrieve_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3568,10 +3574,11 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: service_disallow_create_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3580,10 +3587,11 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,7,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
diff --git a/VERSION b/VERSION
index 461c701ad335bb8a4ee168d27e92e1957faa967b..55aff95ebbca21c4cfaecee8c128ec54788017cb 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=109
-# Last change: npmccallum - display qrcode by default
+IPA_API_VERSION_MINOR=110
+# Last change: pvoborni - allow to retrieve keytab by hosts
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index c4d4bdf6473e0f34c8c68754d6c98e93d173d8fa..038163dbb529a041b96f1bea8ccdb6bc101c101f 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -211,12 +211,18 @@ host_output_params = (
     Str('ipaallowedtoperform_read_keys_group',
         label=_('Groups allowed to retrieve keytab'),
     ),
+    Str('ipaallowedtoperform_read_keys_host',
+        label=_('Hosts allowed to retrieve keytab'),
+    ),
     Str('ipaallowedtoperform_write_keys_user',
         label=_('Users allowed to create keytab'),
     ),
     Str('ipaallowedtoperform_write_keys_group',
         label=_('Groups allowed to create keytab'),
     ),
+    Str('ipaallowedtoperform_write_keys_host',
+        label=_('Hosts allowed to create keytab'),
+    ),
     Str('ipaallowedtoperform_read_keys',
         label=_('Failed allowed to retrieve keytab'),
     ),
@@ -284,8 +290,8 @@ class host(LDAPObject):
         'managing': ['host'],
         'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule',
         'sudorule'],
-        'ipaallowedtoperform_read_keys': ['user', 'group'],
-        'ipaallowedtoperform_write_keys': ['user', 'group'],
+        'ipaallowedtoperform_read_keys': ['user', 'group', 'host'],
+        'ipaallowedtoperform_write_keys': ['user', 'group', 'host'],
     }
     bindable = True
     relationships = {
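Review bot: Nothing in this hunk or elsewhere in the diff shows the enforcement path that checks `ipaallowedtoperform_read_keys`/`ipaallowedtoperform_write_keys` against a host principal when a keytab is fetched, so the 'host' entry added to `attribute_members` here is, as far as the diff shows, only recorded, not honoured; presumably that check lives in the KDB or keytab-setting code outside this commit — confirm it resolves host principals, and the same for the service.py `attribute_members` hunk. Since anything holding a host's keytab acts as that host, an allowance granted to a host is effectively granted to every process running with that host's credentials, which is worth one sentence in the `host_allow_retrieve_keytab`/`host_allow_create_keytab` docstrings edited below. The reworded `__doc__` lines of the four disallow commands (host.py and service.py) also run past 79 columns and could be wrapped with implicit string concatenation inside `_()`. The enclosing `class host(LDAPObject)` starts outside the hunk.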
@@ -1201,7 +1207,7 @@ class host_remove_managedby(LDAPRemoveMember):
 
 @register()
 class host_allow_retrieve_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to retrieve a keytab of this host.')
+    __doc__ = _('Allow users, groups or hosts to retrieve a keytab of this host.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPAddMember.has_output_params + host_output_params
 
@@ -1219,7 +1225,7 @@ class host_allow_retrieve_keytab(LDAPAddMember):
 
 @register()
 class host_disallow_retrieve_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to retrieve a keytab of this host.')
+    __doc__ = _('Disallow users, groups or hosts to retrieve a keytab of this host.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPRemoveMember.has_output_params + host_output_params
 
@@ -1236,7 +1242,7 @@ class host_disallow_retrieve_keytab(LDAPRemoveMember):
 
 @register()
 class host_allow_create_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to create a keytab of this host.')
+    __doc__ = _('Allow users, groups or hosts to create a keytab of this host.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPAddMember.has_output_params + host_output_params
 
@@ -1254,7 +1260,7 @@ class host_allow_create_keytab(LDAPAddMember):
 
 @register()
 class host_disallow_create_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to create a keytab of this host.')
+    __doc__ = _('Disallow users, groups or hosts to create a keytab of this host.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPRemoveMember.has_output_params + host_output_params
 
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 2f703544452c6d7ee2de8eceeb5f2a26afed44f2..68c7759aa3ef57bb6e37cb29b4368f8ea805dbc4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -137,12 +137,18 @@ output_params = (
     Str('ipaallowedtoperform_read_keys_group',
         label=_('Groups allowed to retrieve keytab'),
     ),
+    Str('ipaallowedtoperform_read_keys_host',
+        label=_('Hosts allowed to retrieve keytab'),
+    ),
     Str('ipaallowedtoperform_write_keys_user',
         label=_('Users allowed to create keytab'),
     ),
     Str('ipaallowedtoperform_write_keys_group',
         label=_('Groups allowed to create keytab'),
     ),
+    Str('ipaallowedtoperform_write_keys_host',
+        label=_('Hosts allowed to create keytab'),
+    ),
     Str('ipaallowedtoperform_read_keys',
         label=_('Failed allowed to retrieve keytab'),
     ),
@@ -350,8 +356,8 @@ class service(LDAPObject):
     attribute_members = {
         'managedby': ['host'],
         'memberof': ['role'],
-        'ipaallowedtoperform_read_keys': ['user', 'group'],
-        'ipaallowedtoperform_write_keys': ['user', 'group'],
+        'ipaallowedtoperform_read_keys': ['user', 'group', 'host'],
+        'ipaallowedtoperform_write_keys': ['user', 'group', 'host'],
     }
     bindable = True
     relationships = {
@@ -711,7 +717,7 @@ class service_remove_host(LDAPRemoveMember):
 
 @register()
 class service_allow_retrieve_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to retrieve a keytab of this service.')
+    __doc__ = _('Allow users, groups or hosts to retrieve a keytab of this service.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPAddMember.has_output_params + output_params
 
@@ -729,7 +735,7 @@ class service_allow_retrieve_keytab(LDAPAddMember):
 
 @register()
 class service_disallow_retrieve_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to retrieve a keytab of this service.')
+    __doc__ = _('Disallow users, groups or hosts to retrieve a keytab of this service.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPRemoveMember.has_output_params + output_params
 
@@ -746,7 +752,7 @@ class service_disallow_retrieve_keytab(LDAPRemoveMember):
 
 @register()
 class service_allow_create_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to create a keytab of this service.')
+    __doc__ = _('Allow users, groups or hosts to create a keytab of this service.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPAddMember.has_output_params + output_params
 
@@ -764,7 +770,7 @@ class service_allow_create_keytab(LDAPAddMember):
 
 @register()
 class service_disallow_create_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to create a keytab of this service.')
+    __doc__ = _('Disallow users, groups or hosts to create a keytab of this service.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPRemoveMember.has_output_params + output_params
 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 67acb765fc1716e10ac7846d8780bf031c9f079e..4a156edc29972ba85eff8315d2c3033c69578a20 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -1420,6 +1420,7 @@ class test_host_allowed_to(Declarative):
         ('group_del', [group1], {}),
         ('group_del', [group2], {}),
         ('host_del', [fqdn1], {}),
+        ('host_del', [fqdn2], {}),
     ]
 
     tests = [
@@ -1503,6 +1504,29 @@ class test_host_allowed_to(Declarative):
                 ),
             ),
         ),
+        dict(
+            desc='Create %r' % fqdn2,
+            command=(
+                'host_add', [fqdn2],
+                dict(
+                    force=True,
+                ),
+            ),
+            expected=dict(
+                value=fqdn2,
+                summary=u'Added host "%s"' % fqdn2,
+                result=dict(
+                    dn=dn2,
+                    fqdn=[fqdn2],
+                    krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
+                    objectclass=objectclasses.host,
+                    ipauniqueid=[fuzzy_uuid],
+                    managedby_host=[fqdn2],
+                    has_keytab=False,
+                    has_password=False,
+                ),
+            ),
+        ),
 
         # verify
         dict(
@@ -1513,6 +1537,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -1535,6 +1560,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -1553,20 +1579,22 @@ class test_host_allowed_to(Declarative):
             desc='Allow %r, %r to a retrieve keytab of %r' % (
                 group1, group2, fqdn1),
             command=('host_allow_retrieve_keytab', [fqdn1],
-                     dict(group=[group1, group2])),
+                     dict(group=[group1, group2], host=[fqdn2])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
-                completed=2,
+                completed=3,
                 result=dict(
                     dn=dn1,
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
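Review bot: The `desc` at the top of this hunk still reads `'Allow %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn1)` although the command now also passes `host=[fqdn2]`; the service test updates its description for the same change, this one does not. Suggest `desc='Allow %r, %r, %r to retrieve a keytab of %r' % (group1, group2, fqdn2, fqdn1),`. The same applies to the create-keytab step in the next hunk, whose `desc='Allow %r, %r to a create keytab of %r' % (group1, user1, fqdn1)` likewise omits the newly added `host=[fqdn2]`. The `tests` list continues outside the hunk.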
@@ -1581,6 +1609,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1590,6 +1619,7 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1604,6 +1634,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -1613,6 +1644,7 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1623,22 +1655,25 @@ class test_host_allowed_to(Declarative):
             desc='Allow %r, %r to a create keytab of %r' % (
                 group1, user1, fqdn1),
             command=('host_allow_create_keytab', [fqdn1],
-                     dict(group=[group1, group2], user=[user1])),
+                     dict(group=[group1, group2], user=[user1], host=[fqdn2])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
-                completed=3,
+                completed=4,
                 result=dict(
                     dn=dn1,
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1648,11 +1683,12 @@ class test_host_allowed_to(Declarative):
         dict(
             desc='Duplicate add: %r, %r' % (user1, group1),
             command=('host_allow_create_keytab', [fqdn1],
-                     dict(group=[group1], user=[user1])),
+                     dict(group=[group1], user=[user1], host=[fqdn2])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[[group1, u'This entry is already a member']],
+                        host=[[fqdn2, u'This entry is already a member']],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -1662,8 +1698,10 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1678,6 +1716,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1687,8 +1726,10 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1703,6 +1744,7 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -1712,8 +1754,10 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
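Review bot: No step ever removes the host entitlement: `ipaallowedtoperform_read_keys_host=[fqdn2]` and `ipaallowedtoperform_write_keys_host=[fqdn2]` persist through every result up to the final verification hunks, so `host_disallow_retrieve_keytab --hosts` and `host_disallow_create_keytab --hosts` are never exercised even though this commit adds the option to them; test_service_plugin.py has the same gap with fqdn1. A disallow step for the host, modelled on the user2/group steps in this file and placed before the final verification steps (whose expectations would then drop the `_host` keys), would close it, with a matching step for `host_disallow_create_keytab`. The expected result below assumes a removed member simply disappears from the `_host` output key, as it does for groups in the earlier hunks — confirm. The `tests` list continues outside the hunk.
```python
        dict(
            desc='Disallow %r to retrieve keytab of %r' % (fqdn2, fqdn1),
            command=('host_disallow_retrieve_keytab', [fqdn1],
                     dict(host=[fqdn2])),
            expected=dict(
                failed=dict(
                    ipaallowedtoperform_read_keys=dict(
                        group=[],
                        host=[],
                        user=[],
                    ),
                ),
                completed=1,
                result=dict(
                    dn=dn1,
                    fqdn=[fqdn1],
                    ipaallowedtoperform_read_keys_user=[user1],
                    ipaallowedtoperform_read_keys_group=[group1],
                    ipaallowedtoperform_write_keys_user=[user1],
                    ipaallowedtoperform_write_keys_group=[group1],
                    ipaallowedtoperform_write_keys_host=[fqdn2],
                    krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                    managedby_host=[fqdn1],
                ),
            ),
        ),
        # … a matching step for host_disallow_create_keytab with host=[fqdn2] …
```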
@@ -1733,8 +1777,10 @@ class test_host_allowed_to(Declarative):
                     has_password=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1756,8 +1802,10 @@ class test_host_allowed_to(Declarative):
                     has_password=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn2],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn2],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 927ce73f86a0025b8384cf0126ef00be3598975a..5d09cf120c40adf5828f08298498332876659ab4 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -882,6 +882,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -903,6 +904,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -917,22 +919,24 @@ class test_service_allowed_to(Declarative):
         ),
 
         dict(
-            desc='Allow %r, %r to a retrieve keytab of %r' % (
-                group1, group2, service1),
+            desc='Allow %r, %r, %r to a retrieve keytab of %r' % (
+                group1, group2, fqdn1, service1),
             command=('service_allow_retrieve_keytab', [service1],
-                     dict(group=[group1, group2])),
+                     dict(group=[group1, group2], host=[fqdn1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
-                completed=2,
+                completed=3,
                 result=dict(
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -947,6 +951,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -955,6 +960,7 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -969,6 +975,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -977,6 +984,7 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -984,24 +992,27 @@ class test_service_allowed_to(Declarative):
         ),
 
         dict(
-            desc='Allow %r, %r to a create keytab of %r' % (
-                group1, user1, service1),
+            desc='Allow %r, %r, %r to a create keytab of %r' % (
+                group1, user1, fqdn1, service1),
             command=('service_allow_create_keytab', [service1],
-                     dict(group=[group1, group2], user=[user1])),
+                     dict(group=[group1, group2], user=[user1], host=[fqdn1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
-                completed=3,
+                completed=4,
                 result=dict(
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1011,11 +1022,12 @@ class test_service_allowed_to(Declarative):
         dict(
             desc='Duplicate add: %r, %r' % (user1, group1),
             command=('service_allow_create_keytab', [service1],
-                     dict(group=[group1], user=[user1])),
+                     dict(group=[group1], user=[user1], host=[fqdn1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[[group1, u'This entry is already a member']],
+                        host=[[fqdn1, u'This entry is already a member']],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -1024,8 +1036,10 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1040,6 +1054,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1048,8 +1063,10 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1064,6 +1081,7 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
                         user=[],
                     ),
                 ),
@@ -1072,8 +1090,10 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1091,8 +1111,10 @@ class test_service_allowed_to(Declarative):
                     has_keytab=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1110,8 +1132,10 @@ class test_service_allowed_to(Declarative):
                 result=dict(
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
                     ipakrbokasdelegate=True,
                     krbprincipalname=[service1],
                     krbticketflags=[u'1048704'],
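Review bot: The added host expectations in this and the preceding hunks (`ipaallowedtoperform_read_keys_host=[fqdn1]`, `ipaallowedtoperform_write_keys_host=[fqdn1]`) only pin the allow, disallow and show results; nothing visible in the diff exercises the deny path, i.e. that a host absent from `ipaallowedtoperform_read_keys_host` is refused when it attempts keytab retrieval for the service. Since the option widens who may obtain service keys, a negative case in the same style as the existing `'This entry is not a member'` check would document the intended boundary; this may already exist elsewhere in the file, which is not visible here. The `tests` list of `test_service_allowed_to` continues outside this hunk.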
-- 
1.9.3
