On 12/01/2014 02:33 PM, Jan Cholasta wrote:
Hi,

On 1.12.2014 at 14:17 Petr Vobornik wrote:
`--hosts` option added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve the keytab of their services or related
hosts, as described on the design page
http://www.freeipa.org/page/V4/Keytab_Retrieval

https://fedorahosted.org/freeipa/ticket/4777

Since groups of users are supported with "group" members, we should
probably also support groups of hosts with "hostgroup" members, for
consistency.

--hostgroup options added.

I'm pondering how to handle Web UI. I'm not fond of adding a third pair
of tables to host and service details pages because the amount of space
on the page required for the keytab management is much bigger than its
importance compared to other fields.

Honza

--
Petr Vobornik
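A defender's follow-up to the change discussed above, added here and not part of the patch or of FreeIPA itself: once hosts and host groups can be granted keytab retrieval, the effective set of principals is the transitive membership of everything listed on the entry, so an audit has to expand nested groups and host groups (and survive membership cycles). The example assumes the allow lists live in the subtyped attributes `ipaAllowedToPerform;read_keys` / `;write_keys` holding member DNs, and uses a constructed in-memory directory in place of LDAP.

```python
"""Audit the effective keytab permissions on a FreeIPA host or service entry.

Constructed example: an in-memory dict stands in for the LDAP tree. Assumed
attribute names: ipaAllowedToPerform;read_keys / ;write_keys (member DNs).
"""

BASE = "dc=example,dc=test"  # constructed suffix, not a real deployment

# DN builders for the containers FreeIPA uses for each member type.
def user(uid): return f"uid={uid},cn=users,cn=accounts,{BASE}"
def group(cn): return f"cn={cn},cn=groups,cn=accounts,{BASE}"
def host(fqdn): return f"fqdn={fqdn},cn=computers,cn=accounts,{BASE}"
def hostgroup(cn): return f"cn={cn},cn=hostgroups,cn=accounts,{BASE}"


SERVICE_DN = ("krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,"
              f"cn=services,cn=accounts,{BASE}")

# Constructed directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    SERVICE_DN: {
        "ipaallowedtoperform;read_keys": [user("alice"), group("webadmins"),
                                          host("web2.example.test"),
                                          hostgroup("webservers")],
        "ipaallowedtoperform;write_keys": [user("alice")],
    },
    group("webadmins"): {"member": [user("bob"), group("ops")]},  # nested
    group("ops"): {"member": [user("carol")]},
    hostgroup("webservers"): {"member": [host("web3.example.test"),
                                         hostgroup("webservers-dmz")]},
    hostgroup("webservers-dmz"): {"member": [host("web4.example.test"),
                                             hostgroup("webservers")]},  # cycle
}

CONTAINERS = {  # container RDN -> member type, mirroring the plugin's types
    ",cn=users,": "user",
    ",cn=groups,": "group",
    ",cn=computers,": "host",
    ",cn=hostgroups,": "hostgroup",
}


def member_kind(dn):
    """Classify a member DN as user/group/host/hostgroup by its container."""
    low = dn.lower()
    for marker, kind in CONTAINERS.items():
        if marker in low:
            return kind
    return "unknown"


def short(dn):
    """Value of the first RDN, e.g. 'alice' or 'web2.example.test'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand(dn, directory, seen=None):
    """Resolve a member DN to leaf users/hosts, following nested (host)group
    membership; 'seen' guards against cycles, which LDAP does not prevent."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    kind = member_kind(dn)
    if kind in ("user", "host"):
        return {dn}
    leaves = set()
    if kind in ("group", "hostgroup"):
        for member in directory.get(dn, {}).get("member", []):
            leaves |= expand(member, directory, seen)
    return leaves


def effective_principals(entry_dn, directory, operation="read_keys"):
    """Return {'user': set, 'host': set, 'unknown': set} of DNs allowed to
    perform the operation ('read_keys' = retrieve, 'write_keys' = create)."""
    attr = f"ipaallowedtoperform;{operation}"
    result = {"user": set(), "host": set(), "unknown": set()}
    for member in directory.get(entry_dn, {}).get(attr, []):
        if member_kind(member) == "unknown":
            result["unknown"].add(member)  # surface anything unexpected
            continue
        for leaf in expand(member, directory):
            result[member_kind(leaf)].add(leaf)
    return result


def report(entry_dn, directory):
    """One line per operation listing the resolved users and hosts."""
    lines = []
    for operation, verb in (("read_keys", "retrieve"), ("write_keys", "create")):
        who = effective_principals(entry_dn, directory, operation)
        lines.append(f"{verb}: users={sorted(map(short, who['user']))} "
                     f"hosts={sorted(map(short, who['host']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SERVICE_DN, DIRECTORY))
```

Run against a real deployment the same logic applies to the entries returned by an LDAP search; the point is that a single `hostgroup` grant on the entry resolves to every host reachable through nested membership.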
From aed7cb6a62ee55a982dcf8aca7da9ac1cd747833 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Mon, 1 Dec 2014 10:15:21 +0100
Subject: [PATCH] add --hosts and --hostgroup options to allow/retrieve keytab
 methods

`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve the keytab of their services or related hosts, as described on the design page http://www.freeipa.org/page/V4/Keytab_Retrieval

https://fedorahosted.org/freeipa/ticket/4777
---
 API.txt                                     |  32 ++++++--
 VERSION                                     |   4 +-
 ipalib/plugins/host.py                      |  28 +++++--
 ipalib/plugins/service.py                   |  28 +++++--
 ipatests/test_xmlrpc/test_host_plugin.py    | 109 ++++++++++++++++++++++++++--
 ipatests/test_xmlrpc/test_service_plugin.py |  92 ++++++++++++++++++++---
 6 files changed, 257 insertions(+), 36 deletions(-)

diff --git a/API.txt b/API.txt
index 2a63f1e2349f0df69433fa7cb742e269cd42d79f..e9768bf1e87d6679c439b98ed696b720937099d2 100644
--- a/API.txt
+++ b/API.txt
@@ -1826,10 +1826,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1838,10 +1840,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1866,10 +1870,12 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: host_disallow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1878,10 +1884,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3529,10 +3537,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3541,10 +3551,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3568,10 +3580,12 @@ output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: service_disallow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3580,10 +3594,12 @@ output: Output('completed', <type 'int'>, None)
 output: Output('failed', <type 'dict'>, None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
diff --git a/VERSION b/VERSION
index 461c701ad335bb8a4ee168d27e92e1957faa967b..55aff95ebbca21c4cfaecee8c128ec54788017cb 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=109
-# Last change: npmccallum - display qrcode by default
+IPA_API_VERSION_MINOR=110
+# Last change: pvoborni - allow to retrieve keytab by hosts
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index c4d4bdf6473e0f34c8c68754d6c98e93d173d8fa..60304535cbb9e3b564368bbc4c24fa6b269cf3ce 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -211,12 +211,24 @@ host_output_params = (
     Str('ipaallowedtoperform_read_keys_group',
         label=_('Groups allowed to retrieve keytab'),
     ),
+    Str('ipaallowedtoperform_read_keys_host',
+        label=_('Hosts allowed to retrieve keytab'),
+    ),
+    Str('ipaallowedtoperform_read_keys_hostgroup',
+        label=_('Host Groups allowed to retrieve keytab'),
+    ),
     Str('ipaallowedtoperform_write_keys_user',
         label=_('Users allowed to create keytab'),
     ),
     Str('ipaallowedtoperform_write_keys_group',
         label=_('Groups allowed to create keytab'),
     ),
+    Str('ipaallowedtoperform_write_keys_host',
+        label=_('Hosts allowed to create keytab'),
+    ),
+    Str('ipaallowedtoperform_write_keys_hostgroup',
+        label=_('Hosts Groups allowed to create keytab'),
+    ),
     Str('ipaallowedtoperform_read_keys',
         label=_('Failed allowed to retrieve keytab'),
     ),
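Review bot: the label for `ipaallowedtoperform_write_keys_hostgroup` reads 'Hosts Groups allowed to create keytab', while the read_keys label in this hunk and both hostgroup labels in the service.py hunk use 'Host Groups'. Suggest `label=_('Host Groups allowed to create keytab')` so the translatable string is identical in both plugins.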
@@ -284,8 +296,8 @@ class host(LDAPObject):
         'managing': ['host'],
         'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule',
         'sudorule'],
-        'ipaallowedtoperform_read_keys': ['user', 'group'],
-        'ipaallowedtoperform_write_keys': ['user', 'group'],
+        'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+        'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
     }
     bindable = True
     relationships = {
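Review bot: both rewritten `attribute_members` lines run past 79 columns (80 and 81 characters); wrapping the lists as `'ipaallowedtoperform_read_keys': ['user', 'group', 'host',` / `'hostgroup'],` keeps them in line with the surrounding entries, and the same two lines appear in the service.py hunk. Note also that with 'hostgroup' accepted here a grant follows the host group's membership, so the host entry alone no longer shows which hosts may read its keys; the command docstrings or the design page should say so.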
@@ -1201,7 +1213,8 @@ class host_remove_managedby(LDAPRemoveMember):
 
 @register()
 class host_allow_retrieve_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to retrieve a keytab of this host.')
+    __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+                ' of this host.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPAddMember.has_output_params + host_output_params
 
@@ -1219,7 +1232,8 @@ class host_allow_retrieve_keytab(LDAPAddMember):
 
 @register()
 class host_disallow_retrieve_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to retrieve a keytab of this host.')
+    __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+                'keytab of this host.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPRemoveMember.has_output_params + host_output_params
 
@@ -1236,7 +1250,8 @@ class host_disallow_retrieve_keytab(LDAPRemoveMember):
 
 @register()
 class host_allow_create_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to create a keytab of this host.')
+    __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+                'of this host.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPAddMember.has_output_params + host_output_params
 
@@ -1254,7 +1269,8 @@ class host_allow_create_keytab(LDAPAddMember):
 
 @register()
 class host_disallow_create_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to create a keytab of this host.')
+    __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+                'keytab of this host.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPRemoveMember.has_output_params + host_output_params
 
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 2f703544452c6d7ee2de8eceeb5f2a26afed44f2..b37dc7b4bf56b69df204fd29e9487f1390197bbe 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -137,12 +137,24 @@ output_params = (
     Str('ipaallowedtoperform_read_keys_group',
         label=_('Groups allowed to retrieve keytab'),
     ),
+    Str('ipaallowedtoperform_read_keys_host',
+        label=_('Hosts allowed to retrieve keytab'),
+    ),
+    Str('ipaallowedtoperform_read_keys_hostgroup',
+        label=_('Host Groups allowed to retrieve keytab'),
+    ),
     Str('ipaallowedtoperform_write_keys_user',
         label=_('Users allowed to create keytab'),
     ),
     Str('ipaallowedtoperform_write_keys_group',
         label=_('Groups allowed to create keytab'),
     ),
+    Str('ipaallowedtoperform_write_keys_host',
+        label=_('Hosts allowed to create keytab'),
+    ),
+    Str('ipaallowedtoperform_write_keys_hostgroup',
+        label=_('Host Groups allowed to create keytab'),
+    ),
     Str('ipaallowedtoperform_read_keys',
         label=_('Failed allowed to retrieve keytab'),
     ),
@@ -350,8 +362,8 @@ class service(LDAPObject):
     attribute_members = {
         'managedby': ['host'],
         'memberof': ['role'],
-        'ipaallowedtoperform_read_keys': ['user', 'group'],
-        'ipaallowedtoperform_write_keys': ['user', 'group'],
+        'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+        'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
     }
     bindable = True
     relationships = {
@@ -711,7 +723,8 @@ class service_remove_host(LDAPRemoveMember):
 
 @register()
 class service_allow_retrieve_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to retrieve a keytab of this service.')
+    __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+                ' of this service.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPAddMember.has_output_params + output_params
 
@@ -729,7 +742,8 @@ class service_allow_retrieve_keytab(LDAPAddMember):
 
 @register()
 class service_disallow_retrieve_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to retrieve a keytab of this service.')
+    __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+                'keytab of this service.')
     member_attributes = ['ipaallowedtoperform_read_keys']
     has_output_params = LDAPRemoveMember.has_output_params + output_params
 
@@ -746,7 +760,8 @@ class service_disallow_retrieve_keytab(LDAPRemoveMember):
 
 @register()
 class service_allow_create_keytab(LDAPAddMember):
-    __doc__ = _('Allow users or groups to create a keytab of this service.')
+    __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+                'of this service.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPAddMember.has_output_params + output_params
 
@@ -764,7 +779,8 @@ class service_allow_create_keytab(LDAPAddMember):
 
 @register()
 class service_disallow_create_keytab(LDAPRemoveMember):
-    __doc__ = _('Disallow users or groups to create a keytab of this service.')
+    __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+                'keytab of this service.')
     member_attributes = ['ipaallowedtoperform_write_keys']
     has_output_params = LDAPRemoveMember.has_output_params + output_params
 
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 67acb765fc1716e10ac7846d8780bf031c9f079e..1c46ce9131554b799d25a15922d26ccb92763e93 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -147,6 +147,9 @@ group1 = u'group1'
 group1_dn = get_group_dn(group1)
 group2 = u'group2'
 group2_dn = get_group_dn(group2)
+hostgroup1 = u'testhostgroup1'
+hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
+                    api.env.basedn)
 
 class test_host(Declarative):
 
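Review bot: `hostgroup1_dn` is assembled by hand here and again in the test_service_plugin.py hunk; a `get_hostgroup_dn` helper next to `get_group_dn` would remove the duplication, and the DN tuples want a space after each comma (`('cn', hostgroup1), ('cn', 'hostgroups'), ...`) to match the surrounding test code. The value `u'testhostgroup1'` also breaks the `group1`/`group2` naming pattern used for the other fixtures.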
@@ -1420,6 +1423,8 @@ class test_host_allowed_to(Declarative):
         ('group_del', [group1], {}),
         ('group_del', [group2], {}),
         ('host_del', [fqdn1], {}),
+        ('host_del', [fqdn3], {}),
+        ('hostgroup_del', [hostgroup1], {}),
     ]
 
     tests = [
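Review bot: `fqdn3` (and `dn3`, used by the new 'Create' test below) is not introduced anywhere in this patch; if it is not already a module-level constant in test_host_plugin.py, the cleanup list and the test will fail with a NameError. Please confirm, or add the definition next to `hostgroup1`.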
@@ -1503,6 +1508,49 @@ class test_host_allowed_to(Declarative):
                 ),
             ),
         ),
+        dict(
+            desc='Create %r' % fqdn3,
+            command=(
+                'host_add', [fqdn3],
+                dict(
+                    force=True,
+                ),
+            ),
+            expected=dict(
+                value=fqdn3,
+                summary=u'Added host "%s"' % fqdn3,
+                result=dict(
+                    dn=dn3,
+                    fqdn=[fqdn3],
+                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
+                    objectclass=objectclasses.host,
+                    ipauniqueid=[fuzzy_uuid],
+                    managedby_host=[fqdn3],
+                    has_keytab=False,
+                    has_password=False,
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Create %r' % hostgroup1,
+            command=('hostgroup_add', [hostgroup1],
+                dict(description=u'Test hostgroup 1')
+            ),
+            expected=dict(
+                value=hostgroup1,
+                summary=u'Added hostgroup "testhostgroup1"',
+                result=dict(
+                    dn=hostgroup1_dn,
+                    cn=[hostgroup1],
+                    objectclass=objectclasses.hostgroup,
+                    description=[u'Test hostgroup 1'],
+                    ipauniqueid=[fuzzy_uuid],
+                    mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'),
+                                        api.env.basedn)],
+                ),
+            ),
+        ),
 
         # verify
         dict(
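Review bot: `summary=u'Added hostgroup "testhostgroup1"'` hard-codes the name while `desc` and `value` use the `hostgroup1` constant; use `u'Added hostgroup "%s"' % hostgroup1`, as the `fqdn3` test just above does for the host, so renaming the constant cannot silently desynchronise the expectation. The same literal appears in the test_service_plugin.py hunk.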
@@ -1513,6 +1561,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -1535,6 +1585,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -1553,20 +1605,25 @@ class test_host_allowed_to(Declarative):
             desc='Allow %r, %r to a retrieve keytab of %r' % (
                 group1, group2, fqdn1),
             command=('host_allow_retrieve_keytab', [fqdn1],
-                     dict(group=[group1, group2])),
+                     dict(group=[group1, group2], host=[fqdn3],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
-                completed=2,
+                completed=4,
                 result=dict(
                     dn=dn1,
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
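Review bot: `desc` still says 'Allow %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn1) although the command now also grants `fqdn3` and `hostgroup1`; the service counterpart updates its desc to 'Allow %r, %r, %r ...', do the same here (and drop the stray 'a'). Beyond that, these expectations only confirm that the host and host-group DNs land in `ipaallowedtoperform_read_keys`; nothing exercises the behaviour the ticket is about, namely that a host in `hostgroup1` can retrieve fqdn1's keytab and that `host_disallow_retrieve_keytab` revokes it. A retrieval test, even a negative one for a host outside the group, would cover the authorisation path rather than only the membership bookkeeping.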
@@ -1581,6 +1638,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1590,6 +1649,8 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1604,6 +1665,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -1613,6 +1676,8 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1623,22 +1688,29 @@ class test_host_allowed_to(Declarative):
             desc='Allow %r, %r to a create keytab of %r' % (
                 group1, user1, fqdn1),
             command=('host_allow_create_keytab', [fqdn1],
-                     dict(group=[group1, group2], user=[user1])),
+                     dict(group=[group1, group2], user=[user1], host=[fqdn3],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
-                completed=3,
+                completed=5,
                 result=dict(
                     dn=dn1,
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
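Review bot: same desc drift as in the retrieve test: 'Allow %r, %r to a create keytab of %r' % (group1, user1, fqdn1) names neither `group2` nor the newly added `fqdn3` and `hostgroup1`, so a failure report will not describe what was actually granted.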
@@ -1648,12 +1720,15 @@ class test_host_allowed_to(Declarative):
         dict(
             desc='Duplicate add: %r, %r' % (user1, group1),
             command=('host_allow_create_keytab', [fqdn1],
-                     dict(group=[group1], user=[user1])),
+                     dict(group=[group1], user=[user1], host=[fqdn3],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[[group1, u'This entry is already a member']],
+                        host=[[fqdn3, u'This entry is already a member']],
                         user=[[user1, u'This entry is already a member']],
+                        hostgroup=[[hostgroup1, u'This entry is already a member']],
                     ),
                 ),
                 completed=0,
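Review bot: the `failed` dict lists `host` between `group` and `user` but puts `hostgroup` last, unlike every other hunk, which orders group, host, hostgroup, user; the order does not affect the assertion but the inconsistency reads like an oversight. The desc 'Duplicate add: %r, %r' % (user1, group1) also no longer describes the four members being re-added.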
@@ -1662,8 +1737,12 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1678,6 +1757,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1687,8 +1768,12 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1703,6 +1788,8 @@ class test_host_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -1712,8 +1799,12 @@ class test_host_allowed_to(Declarative):
                     fqdn=[fqdn1],
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1733,8 +1824,12 @@ class test_host_allowed_to(Declarative):
                     has_password=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
@@ -1756,8 +1851,12 @@ class test_host_allowed_to(Declarative):
                     has_password=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn3],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn3],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
                     managedby_host=[fqdn1],
                 ),
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 927ce73f86a0025b8384cf0126ef00be3598975a..946dc572b0d0e5b3f26cd7bfd6ad8128f113493f 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -54,6 +54,9 @@ group1 = u'group1'
 group1_dn = get_group_dn(group1)
 group2 = u'group2'
 group2_dn = get_group_dn(group2)
+hostgroup1 = u'testhostgroup1'
+hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
+                    api.env.basedn)
 
 class test_service(Declarative):
 
@@ -770,6 +773,7 @@ class test_service_allowed_to(Declarative):
         ('group_del', [group2], {}),
         ('host_del', [fqdn1], {}),
         ('service_del', [service1], {}),
+        ('hostgroup_del', [hostgroup1], {}),
     ]
 
     tests = [
@@ -858,6 +862,25 @@ class test_service_allowed_to(Declarative):
             ),
         ),
         dict(
+            desc='Create %r' % hostgroup1,
+            command=('hostgroup_add', [hostgroup1],
+                dict(description=u'Test hostgroup 1')
+            ),
+            expected=dict(
+                value=hostgroup1,
+                summary=u'Added hostgroup "testhostgroup1"',
+                result=dict(
+                    dn=hostgroup1_dn,
+                    cn=[hostgroup1],
+                    objectclass=objectclasses.hostgroup,
+                    description=[u'Test hostgroup 1'],
+                    ipauniqueid=[fuzzy_uuid],
+                    mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'),
+                                        api.env.basedn)],
+                ),
+            ),
+        ),
+        dict(
             desc='Create %r' % service1,
             command=('service_add', [service1_no_realm], dict(force=True)),
             expected=dict(
@@ -882,6 +905,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -903,6 +928,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user1, u'This entry is already a member']],
                     ),
                 ),
@@ -917,22 +944,27 @@ class test_service_allowed_to(Declarative):
         ),
 
         dict(
-            desc='Allow %r, %r to a retrieve keytab of %r' % (
-                group1, group2, service1),
+            desc='Allow %r, %r, %r to a retrieve keytab of %r' % (
+                group1, group2, fqdn1, service1),
             command=('service_allow_retrieve_keytab', [service1],
-                     dict(group=[group1, group2])),
+                     dict(group=[group1, group2], host=[fqdn1],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
-                completed=2,
+                completed=4,
                 result=dict(
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
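Review bot: the step description is now out of sync with the command. `desc='Allow %r, %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn1, service1)` names three principals, but the command also passes `hostgroup=[hostgroup1]` and the expectation is `completed=4`; add `hostgroup1` to the description so a failure report names every member being added. The pre-existing wording "to a retrieve keytab" should also read "to retrieve keytab" while this line is being touched.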
@@ -947,6 +979,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -955,6 +989,8 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1, group2],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -969,6 +1005,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_read_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -977,6 +1015,8 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -984,24 +1024,31 @@ class test_service_allowed_to(Declarative):
         ),
 
         dict(
-            desc='Allow %r, %r to a create keytab of %r' % (
-                group1, user1, service1),
+            desc='Allow %r, %r, %r to a create keytab of %r' % (
+                group1, user1, fqdn1, service1),
             command=('service_allow_create_keytab', [service1],
-                     dict(group=[group1, group2], user=[user1])),
+                     dict(group=[group1, group2], user=[user1], host=[fqdn1],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
-                completed=3,
+                completed=5,
                 result=dict(
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
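Review bot: same mismatch as in the retrieve-keytab step: `desc='Allow %r, %r, %r to a create keytab of %r' % (group1, user1, fqdn1, service1)` omits `hostgroup1` (and the pre-existing `group2`), yet the command adds all five and the expectation is `completed=5`. Listing every member in the description keeps the test output readable when one of the five additions fails.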
@@ -1011,12 +1058,15 @@ class test_service_allowed_to(Declarative):
         dict(
             desc='Duplicate add: %r, %r' % (user1, group1),
             command=('service_allow_create_keytab', [service1],
-                     dict(group=[group1], user=[user1])),
+                     dict(group=[group1], user=[user1], host=[fqdn1],
+                          hostgroup=[hostgroup1])),
             expected=dict(
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[[group1, u'This entry is already a member']],
+                        host=[[fqdn1, u'This entry is already a member']],
                         user=[[user1, u'This entry is already a member']],
+                        hostgroup=[[hostgroup1, u'This entry is already a member']],
                     ),
                 ),
                 completed=0,
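Review bot: the new `failed` entries in the duplicate-add step are inserted in the order `group`, `host`, `user`, `hostgroup`, whereas every other hunk in this patch uses `group`, `host`, `hostgroup`, `user`; the comparison is on a dict so the test still passes, but keeping the alphabetical order avoids a needless diff against the other expectations. The description `'Duplicate add: %r, %r' % (user1, group1)` should likewise mention `fqdn1` and `hostgroup1`, since the step now asserts the "already a member" error for them as well.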
@@ -1024,8 +1074,12 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1040,6 +1094,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[[user2, u'This entry is not a member']],
                     ),
                 ),
@@ -1048,8 +1104,12 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1, group2],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1064,6 +1124,8 @@ class test_service_allowed_to(Declarative):
                 failed=dict(
                     ipaallowedtoperform_write_keys=dict(
                         group=[],
+                        host=[],
+                        hostgroup=[],
                         user=[],
                     ),
                 ),
@@ -1072,8 +1134,12 @@ class test_service_allowed_to(Declarative):
                     dn=service1dn,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1091,8 +1157,12 @@ class test_service_allowed_to(Declarative):
                     has_keytab=False,
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     krbprincipalname=[service1],
                     managedby_host=[fqdn1],
                 ),
@@ -1110,8 +1180,12 @@ class test_service_allowed_to(Declarative):
                 result=dict(
                     ipaallowedtoperform_read_keys_user=[user1],
                     ipaallowedtoperform_read_keys_group=[group1],
+                    ipaallowedtoperform_read_keys_host=[fqdn1],
+                    ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
                     ipaallowedtoperform_write_keys_user=[user1],
                     ipaallowedtoperform_write_keys_group=[group1],
+                    ipaallowedtoperform_write_keys_host=[fqdn1],
+                    ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
                     ipakrbokasdelegate=True,
                     krbprincipalname=[service1],
                     krbticketflags=[u'1048704'],
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
