On 26.8.2015 13:22, Petr Vobornik wrote:
On 08/25/2015 08:04 PM, Petr Vobornik wrote:
adds commands:
* vaultcontainer-show [--service <service>|--user <user> ]
* vaultcontainer-add-owner
      [--service <service>|--user <user> ]
      [--users <users>]  [--groups <groups>] [--services <services>]
* vaultcontainer-remove-owner
      [--service <service>|--user <user> ]
      [--users <users>]  [--groups <groups>] [--services <services>]


Use cases:
1. When user/service is deleted, associated vault container looses
owner. There was no API command to set the owner.
2. Change owner of container by admin to manage access.

Show command was added to show current owners.

Find command was not added, should it be?

There is also a design for vault container ownership handling created by
Endi - it's for future Vault 2.0.


This patch has a different API than the proposed - different way of
specifying the container. The design page uses path e.g. /users/foobar.
This patch uses the same way as vaults e.g. --user=foobar. This means
that the implementation in this patch cannot manage ownership of parent
vault containers e.g. cn=users,cn=vaults,cn=kra,$SUFFIX.

Do we want to go with this approach in 4.2?

Attaching also new path which removes setting of owner which doesn't
exist so that integrity is OK and that it is consistent with removing of

Updated patch attached - output fix.

We had a long discussion about this with Petr and we think the best approach is as follows:

* Add new "Vault administrators" privilege. Vault administrators will have unrestricted access to vaults and vault containers, including the power to add/remove owners of vaults and vault containers.

* Remove the ability of vault owners to add/remove other vault owners. If vault owner needs to be changed, vault administrator has to do it. Note that vault owners will still have the ability to add/remove vault members.

* When adding new vault container, set owner to the current user. If vault container owner needs to be changed, vault administrator has to do it.

* Allow adding vaults and vault containers only if the owner is set to the current user.

* Introduce commands to modify vault container owner and to delete vault container, so the administrator has a choice between assigning ownership or deleting an unowned container.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to