Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-29 Thread Martin Kosek
On 03/29/2013 01:48 PM, Jan Cholasta wrote:
> On 29.3.2013 12:46, Martin Kosek wrote:
>> 1) This causes an error in the test suite:
>>
>> ==
>> FAIL: test_service[23]: service_mod: Enable
>> u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' 
>> OK_AS_DELEGATE
>> Kerberos ticket flag
>> --
>> Traceback (most recent call last):
>>File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>>  self.test(*self.arg)
>>File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 267, in
>> 
>>  func = lambda: self.check(nice, **test)
>>File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 285, in
>> check
>>  self.check_output(nice, cmd, args, options, expected, extra_check)
>>File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 323, in
>> check_output
>>  assert_deepequal(expected, got, nice)
>>File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
>>  assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
>>  assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
>>  assert_deepequal(e_sub, g_sub, doc, stack + (i,))
>>File "/root/freeipa-master/tests/util.py", line 343, in assert_deepequal
>>  VALUE % (doc, expected, got, stack)
>> AssertionError: assert_deepequal: expected != got.
>>test_service[23]: service_mod: Enable
>> u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' 
>> OK_AS_DELEGATE
>> Kerberos ticket flag
>>expected = u'1048576'
>>got = u'1048704'
>>path = ('result', 'krbticketflags', 0)
>>
> 
> Fixed.
> 
>> --
>>
>> 2) Since we add REQUIRES_PRE_AUTH flag by default, shouldn't we then also add
>> --requires-pre-auth flag as I wrote above so that admin can get rid of this
>> flag if he chooses to?
> 
> Added.
> 
> Updated patch attached.
> 
> Honza
> 

I also discussed this approach with Simo and the current state should be OK since
we manipulate krbticketflags only for hosts and services. When we add these
options also for users, we need to add a big fat warning that the pre_auth flag is
required for users in order to work correctly.

ACK. Pushed to master.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-29 Thread Jan Cholasta

On 29.3.2013 12:46, Martin Kosek wrote:

1) This causes an error in the test suite:

==
FAIL: test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' OK_AS_DELEGATE
Kerberos ticket flag
--
Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
 self.test(*self.arg)
   File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 267, in

 func = lambda: self.check(nice, **test)
   File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 285, in 
check
 self.check_output(nice, cmd, args, options, expected, extra_check)
   File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 323, in
check_output
 assert_deepequal(expected, got, nice)
   File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
 assert_deepequal(e_sub, g_sub, doc, stack + (key,))
   File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
 assert_deepequal(e_sub, g_sub, doc, stack + (key,))
   File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
 assert_deepequal(e_sub, g_sub, doc, stack + (i,))
   File "/root/freeipa-master/tests/util.py", line 343, in assert_deepequal
 VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
   test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' OK_AS_DELEGATE
Kerberos ticket flag
   expected = u'1048576'
   got = u'1048704'
   path = ('result', 'krbticketflags', 0)



Fixed.


--

2) Since we add REQUIRES_PRE_AUTH flag by default, shouldn't we then also add
--requires-pre-auth flag as I wrote above so that admin can get rid of this
flag if he chooses to?


Added.

Updated patch attached.

Honza

--
Jan Cholasta
From d376fe4b2d3f7226a56f7872d4c98cc080b907b3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 18 Mar 2013 12:31:23 +0100
Subject: [PATCH] Add Kerberos ticket flags management to service and host
 plugins.

https://fedorahosted.org/freeipa/ticket/3329
---
 API.txt  | 16 --
 VERSION  |  2 +-
 install/share/default-aci.ldif   |  2 +-
 install/updates/60-trusts.update |  4 +-
 ipalib/plugins/host.py   | 25 +++--
 ipalib/plugins/service.py| 89 ++--
 tests/test_xmlrpc/test_service_plugin.py | 84 +-
 7 files changed, 207 insertions(+), 15 deletions(-)

diff --git a/API.txt b/API.txt
index 734f99e..81a1f61 100644
--- a/API.txt
+++ b/API.txt
@@ -1716,13 +1716,15 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 output: Output('warning', (, , ), None)
 command: host_add
-args: 1,18,3
+args: 1,20,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
+option: Bool('ipakrbokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
+option: Bool('ipakrbrequirespreauth', attribute=False, cli_name='requires_pre_auth', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('l', attribute=True, cli_name='locality', multivalue=False, required=False)
 option: Str('macaddress', attribute=True, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False)
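Review bot: neither new Bool option on host_add carries a default, unlike Flag('force', autofill=True, default=False) two lines above, so a host created without --requires-pre-auth gets whatever the KDC applies implicitly (the thread settles on 0x0080, REQUIRES_PRE_AUTH); consider documenting that implicit default on ipakrbrequirespreauth so a reader of API.txt can see it. The args bump from 1,18,3 to 1,20,3 matches the two added options.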
@@ -1803,12 +1805,14 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: host_mod
-args: 1,19,3
+args: 1,21,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
+option: Bool('ipakrbokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False)
+option: Bool('ipakrbrequirespreauth', attribute=False, autofill=False, cli_name='requires_pre_auth', multivalue=False, required=False)
 option: Str('ipasshpubk

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-29 Thread Martin Kosek
On 03/29/2013 11:28 AM, Jan Cholasta wrote:
> On 29.3.2013 10:55, Martin Kosek wrote:
>> This looks much better, thanks for catching more errors and the unit test. I
>> have a few more:
>>
>> 1) API minor number in VERSION file needs a bump
> 
> Whoops, fixed.
> 
>>
>> 2) I did some functional testing and found strange behavior with services.
>> Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
>> like REQUIRES_PRE_AUTH.
>>
>> Example:
>>
>> # ipa host-add foo.example.com --force
>> 
>> Added host "foo.example.com"
>> 
>>Host name: foo.example.com
>>Principal name: host/foo.example@idm.lab.bos.redhat.com
>>Password: False
>>Keytab: False
>>Managed by: foo.example.com
>>
>> # ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
>> Keytab successfully retrieved and stored in: foo.keytab
>>
>> # kinit -kt foo.keytab host/foo.example.com
>>
>> # kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
>> ...
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: [none]
>>
>>
>> krb5kdc.log correctly shows that preauth is needed:
>>
>> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
>> etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
>> host/foo.example@idm.lab.bos.redhat.com for
>> krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com, Additional
>> pre-authentication required
>> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
>> etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
>> tkt=18 ses=18}, host/foo.example@idm.lab.bos.redhat.com for
>> krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>>
>> However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
>> # ipa host-mod foo.example.com --ok-as-delegate=1
>> ---
>> Modified host "foo.example.com"
>> ---
>>Host name: foo.example.com
>>Principal name: host/foo.example@idm.lab.bos.redhat.com
>>Trusted for delegation: True
>>Password: False
>>Keytab: True
>>Managed by: foo.example.com
>>
>> # ipa service-mod HTTP/foo.example@idm.lab.bos.redhat.com 
>> --ok-as-delegate=1
>> --
>> Modified service "HTTP/foo.example@idm.lab.bos.redhat.com"
>> --
>>Principal: HTTP/foo.example@idm.lab.bos.redhat.com
>>Trusted for delegation: True
>>Managed by: foo.example.com
>>
>> # kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
>> ...
>> Attributes: OK_AS_DELEGATE
>> Policy: [none]
>>
>>
>> Is this intentional?
>>
>> Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
>> "krbticketflags" with this flag (0x0080) on instead of adding it silently
>> in ipa-kdb? (adding Simo to CC to help us with that).
>>
>> If no, shouldn't we at least add means to set this flag in host-mod or
>> service-mod so that admins can set it? I.e. option like --requires-pre-auth=1
> 
> I assumed the default value is 0. I changed it to 0x0080.
> 
> Updated patch attached.
> 
> Honza
> 

1) This causes an error in the test suite:

==
FAIL: test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' OK_AS_DELEGATE
Kerberos ticket flag
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 267, in

func = lambda: self.check(nice, **test)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 285, in 
check
self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 323, in
check_output
assert_deepequal(expected, got, nice)
  File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (i,))
  File "/root/freeipa-master/tests/util.py", line 343, in assert_deepequal
VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat@idm.lab.bos.redhat.com' OK_AS_DELEGATE
Kerberos ticket flag
  expected = u'1048576'
  got = u'1048704'
  path = ('result', 'krbticketflags', 0)

--

2) Since we add REQUIRES_PR

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-29 Thread Jan Cholasta

On 29.3.2013 10:55, Martin Kosek wrote:

This looks much better, thanks for catching more errors and the unit test. I
have a few more:

1) API minor number in VERSION file needs a bump


Whoops, fixed.



2) I did some functional testing and found strange behavior with services.
Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
like REQUIRES_PRE_AUTH.

Example:

# ipa host-add foo.example.com --force

Added host "foo.example.com"

   Host name: foo.example.com
   Principal name: host/foo.example@idm.lab.bos.redhat.com
   Password: False
   Keytab: False
   Managed by: foo.example.com

# ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
Keytab successfully retrieved and stored in: foo.keytab

# kinit -kt foo.keytab host/foo.example.com

# kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
...
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


krb5kdc.log correctly shows that preauth is needed:

Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
host/foo.example@idm.lab.bos.redhat.com for
krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com, Additional
pre-authentication required
Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
tkt=18 ses=18}, host/foo.example@idm.lab.bos.redhat.com for
krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com


However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
# ipa host-mod foo.example.com --ok-as-delegate=1
---
Modified host "foo.example.com"
---
   Host name: foo.example.com
   Principal name: host/foo.example@idm.lab.bos.redhat.com
   Trusted for delegation: True
   Password: False
   Keytab: True
   Managed by: foo.example.com

# ipa service-mod HTTP/foo.example@idm.lab.bos.redhat.com --ok-as-delegate=1
--
Modified service "HTTP/foo.example@idm.lab.bos.redhat.com"
--
   Principal: HTTP/foo.example@idm.lab.bos.redhat.com
   Trusted for delegation: True
   Managed by: foo.example.com

# kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
...
Attributes: OK_AS_DELEGATE
Policy: [none]


Is this intentional?

Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
"krbticketflags" with this flag (0x0080) on instead of adding it silently
in ipa-kdb? (adding Simo to CC to help us with that).

If no, shouldn't we at least add means to set this flag in host-mod or
service-mod so that admins can set it? I.e. option like --requires-pre-auth=1


I assumed the default value is 0. I changed it to 0x0080.

Updated patch attached.

Honza

--
Jan Cholasta
From 9879dcf9487387111daf8b832d67e213a4c87ff0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 18 Mar 2013 12:31:23 +0100
Subject: [PATCH] Add Kerberos ticket flags management to service and host
 plugins.

https://fedorahosted.org/freeipa/ticket/3329
---
 API.txt  | 12 +++--
 VERSION  |  2 +-
 install/share/default-aci.ldif   |  2 +-
 install/updates/60-trusts.update |  4 +-
 ipalib/plugins/host.py   | 25 --
 ipalib/plugins/service.py| 80 +--
 tests/test_xmlrpc/test_service_plugin.py | 82 +++-
 7 files changed, 192 insertions(+), 15 deletions(-)

diff --git a/API.txt b/API.txt
index 734f99e..a370e88 100644
--- a/API.txt
+++ b/API.txt
@@ -1716,13 +1716,14 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 output: Output('warning', (, , ), None)
 command: host_add
-args: 1,18,3
+args: 1,19,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
+option: Bool('ipakrbokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('l', attribute=True, cli_name='locality', multivalue=False, required=False)
 option: Str('macaddress', attribute=True, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False)
@@ -1803,12 +1804,13 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), N

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-29 Thread Martin Kosek
On 03/28/2013 04:56 PM, Jan Cholasta wrote:
> On 27.3.2013 14:51, Martin Kosek wrote:
>> This looks OK. Please just also add unit tests exercising this new feature.
>>
>> Thanks,
>> Martin
>>
> 
> Tests added.
> 
> I have also made some additional changes:
> 
>   * renamed the virtual attribute from ipakrbflagokasdelegate to
> ipakrbokasdelegate
>   * fixed internal error when krbticketflags has more than one value
>   * fixed updates overwriting krbticketflags instead of updating it
>   * allow krbticketflags to be overwritten when it has non-integer value
>   * do not hide krbticketflags in command output
> 
> Honza
> 

This looks much better, thanks for catching more errors and the unit test. I
have a few more:

1) API minor number in VERSION file needs a bump

2) I did some functional testing and found strange behavior with services.
Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
like REQUIRES_PRE_AUTH.

Example:

# ipa host-add foo.example.com --force

Added host "foo.example.com"

  Host name: foo.example.com
  Principal name: host/foo.example@idm.lab.bos.redhat.com
  Password: False
  Keytab: False
  Managed by: foo.example.com

# ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
Keytab successfully retrieved and stored in: foo.keytab

# kinit -kt foo.keytab host/foo.example.com

# kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
...
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


krb5kdc.log correctly shows that preauth is needed:

Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
host/foo.example@idm.lab.bos.redhat.com for
krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com, Additional
pre-authentication required
Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
tkt=18 ses=18}, host/foo.example@idm.lab.bos.redhat.com for
krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com


However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
# ipa host-mod foo.example.com --ok-as-delegate=1
---
Modified host "foo.example.com"
---
  Host name: foo.example.com
  Principal name: host/foo.example@idm.lab.bos.redhat.com
  Trusted for delegation: True
  Password: False
  Keytab: True
  Managed by: foo.example.com

# ipa service-mod HTTP/foo.example@idm.lab.bos.redhat.com --ok-as-delegate=1
--
Modified service "HTTP/foo.example@idm.lab.bos.redhat.com"
--
  Principal: HTTP/foo.example@idm.lab.bos.redhat.com
  Trusted for delegation: True
  Managed by: foo.example.com

# kadmin.local -q "getprinc host/foo.example@idm.lab.bos.redhat.com"
...
Attributes: OK_AS_DELEGATE
Policy: [none]


Is this intentional?

Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
"krbticketflags" with this flag (0x0080) on instead of adding it silently
in ipa-kdb? (adding Simo to CC to help us with that).

If no, shouldn't we at least add means to set this flag in host-mod or
service-mod so that admins can set it? I.e. option like --requires-pre-auth=1

Martin
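The behaviour described in this message (enabling OK_AS_DELEGATE makes the KDC's implicit REQUIRES_PRE_AUTH vanish) and the later test-suite failure (expected 1048576, got 1048704 once the implicit default became 0x0080) both come down to how the krbTicketFlags word is updated: replaced wholesale, or merged bitwise with what is already stored. The following Python is an added example written for this archive, not code from the FreeIPA patch or the project; it assumes the MIT krb5 bit values for the two flags (REQUIRES_PRE_AUTH = 0x80, OK_AS_DELEGATE = 0x100000) and treats a multi-valued or non-integer attribute as replaceable, which is this example's own policy choice.

```python
"""Bitwise maintenance of a principal's krbTicketFlags word (added example)."""

# Flag bits as defined by MIT krb5 (kdb.h).  Only the two flags the thread
# discusses are listed; further KRB5_KDB_* bits can be added the same way.
REQUIRES_PRE_AUTH = 0x00000080
OK_AS_DELEGATE = 0x00100000
FLAG_NAMES = {
    REQUIRES_PRE_AUTH: "REQUIRES_PRE_AUTH",
    OK_AS_DELEGATE: "OK_AS_DELEGATE",
}

# What the KDC applies when the attribute is absent.  The thread settles on
# 0x0080 (REQUIRES_PRE_AUTH) as that implicit default for hosts and services.
DEFAULT_TICKET_FLAGS = REQUIRES_PRE_AUTH


def parse_ticket_flags(values):
    """Decode the attribute's LDAP value list (strings) into an int.

    Returns None when the stored value is unusable as a flag word: attribute
    absent, more than one value, or not an integer.  Treating those cases as
    replaceable is this example's own policy choice, not FreeIPA's.
    """
    if not values or len(values) != 1:
        return None
    try:
        return int(values[0])
    except (TypeError, ValueError):
        return None


def update_ticket_flags(values, set_flags=0, clear_flags=0):
    """Return the new flag word after setting and clearing the given bits.

    Starting from the stored word (or the KDC default when there is none)
    is what keeps REQUIRES_PRE_AUTH in place when OK_AS_DELEGATE is enabled.
    """
    current = parse_ticket_flags(values)
    if current is None:
        current = DEFAULT_TICKET_FLAGS
    return (current | set_flags) & ~clear_flags


def overwrite_ticket_flags(set_flags):
    """The pre-fix behaviour: the word is replaced, dropping every other bit."""
    return set_flags


def flag_names(flags):
    """Known flag names set in ``flags``, like kadmin's 'Attributes:' line."""
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def to_ldap_value(flags):
    """LDAP stores the word as a decimal string; that is what the test compares."""
    return str(flags)


if __name__ == "__main__":
    # Constructed entry standing in for what the plugin reads back from LDAP.
    fresh_entry = None  # no krbTicketFlags stored yet
    # --ok-as-delegate=1 with the overwrite behaviour: REQUIRES_PRE_AUTH vanishes
    print(flag_names(overwrite_ticket_flags(OK_AS_DELEGATE)))
    # The same operation done bitwise keeps the implicit default: 1048704
    merged = update_ticket_flags(fresh_entry, set_flags=OK_AS_DELEGATE)
    print(to_ldap_value(merged), flag_names(merged))
    # --requires-pre-auth=0 afterwards clears only that bit: 1048576
    print(to_ldap_value(update_ticket_flags([to_ldap_value(merged)],
                                            clear_flags=REQUIRES_PRE_AUTH)))
```

With the merge, a fresh host that gets --ok-as-delegate=1 ends up at 0x80 | 0x100000 = 1048704, which is exactly the value the failing test "got" after the default was changed to 0x0080; the test's expected 1048576 was the value of the overwrite behaviour and had to be updated along with the fix. Clearing REQUIRES_PRE_AUTH explicitly, as the --requires-pre-auth option allows, is then a deliberate administrative act rather than a side effect of setting an unrelated flag.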



Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-28 Thread Jan Cholasta

On 27.3.2013 14:51, Martin Kosek wrote:

This looks OK. Please just also add unit tests exercising this new feature.

Thanks,
Martin



Tests added.

I have also made some additional changes:

  * renamed the virtual attribute from ipakrbflagokasdelegate to 
ipakrbokasdelegate

  * fixed internal error when krbticketflags has more than one value
  * fixed updates overwriting krbticketflags instead of updating it
  * allow krbticketflags to be overwritten when it has non-integer value
  * do not hide krbticketflags in command output

Honza

--
Jan Cholasta
From 3cd4bcf1022bb74e1588eba10ec1165c3c9e5742 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 18 Mar 2013 12:31:23 +0100
Subject: [PATCH] Add Kerberos ticket flags management to service and host
 plugins.

https://fedorahosted.org/freeipa/ticket/3329
---
 API.txt  | 12 +++--
 install/share/default-aci.ldif   |  2 +-
 install/updates/60-trusts.update |  4 +-
 ipalib/plugins/host.py   | 25 --
 ipalib/plugins/service.py| 79 --
 tests/test_xmlrpc/test_service_plugin.py | 82 +++-
 6 files changed, 190 insertions(+), 14 deletions(-)

diff --git a/API.txt b/API.txt
index 734f99e..a370e88 100644
--- a/API.txt
+++ b/API.txt
@@ -1716,13 +1716,14 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 output: Output('warning', (, , ), None)
 command: host_add
-args: 1,18,3
+args: 1,19,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
+option: Bool('ipakrbokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('l', attribute=True, cli_name='locality', multivalue=False, required=False)
 option: Str('macaddress', attribute=True, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False)
@@ -1803,12 +1804,13 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: host_mod
-args: 1,19,3
+args: 1,20,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
+option: Bool('ipakrbokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('krbprincipalname?', attribute=True, cli_name='principalname')
 option: Str('l', attribute=True, autofill=False, cli_name='locality', multivalue=False, required=False)
@@ -2840,12 +2842,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: service_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'NONE'))
+option: Bool('ipakrbokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
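Review bot: ipakrbokasdelegate is declared attribute=False while the neighbouring ipakrbauthzdata is attribute=True; that is right for a virtual option folded into krbticketflags, but it means service.py has to consume the option before the entry is written, so the service_add test (tests/test_xmlrpc/test_service_plugin.py in this patch's diffstat) should assert that the resulting entry carries krbticketflags and no ipakrbokasdelegate attribute. The args bump from 1,8,3 to 1,9,3 matches the single added option.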
@@ -2896,12 +2899,13 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: service_mod
-args: 1,9,3
+args: 1,10,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all',

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-27 Thread Martin Kosek
On 03/26/2013 03:05 PM, Jan Cholasta wrote:
> On 25.3.2013 16:21, Martin Kosek wrote:
>> On 03/25/2013 02:41 PM, Martin Kosek wrote:
>>> I checked what you have already and this is what I found:
>>>
>>> 1) Internal error if I try to remove krbticketflags via *attr functions:
>>>
>>> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
>>> ipa: ERROR: an internal error has occurred
>>> # ipa service-add foo/`hostname`
>>> 
>>> Added service "foo/vm-037.idm.lab.bos.redhat@idm.lab.bos.redhat.com"
>>> 
>>> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
>>> ipa: ERROR: an internal error has occurred
> 
> Fixed.
> 
>>>
>>>
>>> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, 
>>> the
>>> only thing that's left to be decided is the granularity of the ACIs used to
>>> control this flag.
> 
> RFE page updated.
> 
>>
>> I read this part of design proposal discussion wrong, this is already 
>> decided -
>> we do not want to have a fine grain granularity, these are too powerful flags
>> to be delegated per-flag to lower admins.
>>
>> So I think that your current approach is sufficient, I do not think we need to
>> add this attribute to some host/service related permission to avoid allowing
>> this sensitive attribute for lower level admins automatically. If someone 
>> wants
>> it, he can add and assign an appropriate permission.
> 
> Correct, this has already been decided.
> 
> Updated patch attached.
> 
> Honza
> 

This looks OK. Please just also add unit tests exercising this new feature.

Thanks,
Martin



Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-26 Thread Jan Cholasta

On 25.3.2013 16:21, Martin Kosek wrote:

On 03/25/2013 02:41 PM, Martin Kosek wrote:

I checked what you have already and this is what I found:

1) Internal error if I try to remove krbticketflags via *attr functions:

# ipa service-add foo/`hostname` --setattr=krbticketflags=None
ipa: ERROR: an internal error has occurred
# ipa service-add foo/`hostname`

Added service "foo/vm-037.idm.lab.bos.redhat@idm.lab.bos.redhat.com"

# ipa service-mod foo/`hostname` --setattr=krbticketflags=None
ipa: ERROR: an internal error has occurred


Fixed.




2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
only thing that's left to be decided is the granularity of the ACIs used to
control this flag.


RFE page updated.



I read this part of design proposal discussion wrong, this is already decided -
we do not want to have a fine grain granularity, these are too powerful flags
to be delegated per-flag to lower admins.

So I think that your current approach is sufficient, I do not think we need to
add this attribute to some host/service related permission to avoid allowing
this sensitive attribute for lower level admins automatically. If someone wants
it, he can add and assign an appropriate permission.


Correct, this has already been decided.

Updated patch attached.

Honza

--
Jan Cholasta

From afbad97995bfe71d60b541d00eeb132a6436 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 18 Mar 2013 12:31:23 +0100
Subject: [PATCH] Add Kerberos ticket flags management to service and host
 plugins.

https://fedorahosted.org/freeipa/ticket/3329
---
 API.txt  | 12 ---
 install/share/default-aci.ldif   |  2 +-
 install/updates/60-trusts.update |  4 ++-
 ipalib/plugins/host.py   | 25 ++---
 ipalib/plugins/service.py| 76 ++--
 5 files changed, 106 insertions(+), 13 deletions(-)

diff --git a/API.txt b/API.txt
index 734f99e..c1719ee 100644
--- a/API.txt
+++ b/API.txt
@@ -1716,13 +1716,14 @@ output: Output('summary', (, ), None)
 output: Output('value', , None)
 output: Output('warning', (, , ), None)
 command: host_add
-args: 1,18,3
+args: 1,19,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
+option: Bool('ipakrbflagokasdelegate', attribute=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('l', attribute=True, cli_name='locality', multivalue=False, required=False)
 option: Str('macaddress', attribute=True, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False)
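Review bot: the name ipakrbflagokasdelegate does not follow the ipakrb* naming used by the existing options in this file (ipakrbauthzdata appears later in the same patch), where the attribute name is ipakrb followed by the bare concept; ipakrbokasdelegate would match. Because the option is attribute=False it is never stored in LDAP, so renaming it before merge costs nothing, whereas renaming after it ships would be an API change. The args bump from 1,18,3 to 1,19,3 matches the one added option.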
@@ -1803,12 +1804,13 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: host_mod
-args: 1,19,3
+args: 1,20,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
+option: Bool('ipakrbflagokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False)
 option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('krbprincipalname?', attribute=True, cli_name='principalname')
 option: Str('l', attribute=True, autofill=False, cli_name='locality', multivalue=False, required=False)
@@ -2840,12 +2842,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: Output('value', , None)
 command: service_add
-args: 1,8,3
+args: 1,9,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'NONE')

Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-25 Thread Martin Kosek
On 03/25/2013 02:41 PM, Martin Kosek wrote:
> On 03/18/2013 12:38 PM, Jan Cholasta wrote:
>> Hi,
>>
>> this patch implements .
>>
>> Because the design is not finished yet, this is a minimal implementation - it
>> uses the krbTicketFlags attribute directly (which means no delegation of 
>> rights
>> to modify specific flags to specific admins) and there is no support for
>> per-service type default values.
>>
>> Honza
>>
>>
> 
> I checked what you have already and this is what I found:
> 
> 1) Internal error if I try to remove krbticketflags via *attr functions:
> 
> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> # ipa service-add foo/`hostname`
> 
> Added service "foo/vm-037.idm.lab.bos.redhat@idm.lab.bos.redhat.com"
> 
> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
> ipa: ERROR: an internal error has occurred
> 
> 
> 2) The RFE page needs updating, it does not reflect current reality. AFAIU, 
> the
> only thing that's left to be decided is the granularity of the ACIs used to
> control this flag.

I read this part of design proposal discussion wrong, this is already decided -
we do not want to have a fine grain granularity, these are too powerful flags
to be delegated per-flag to lower admins.

So I think that your current approach is sufficient, I do not think we need to
add this attribute to some host/service related permission to avoid allowing
this sensitive attribute for lower level admins automatically. If someone wants
it, he can add and assign an appropriate permission.

Martin



Re: [Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

2013-03-25 Thread Martin Kosek
On 03/18/2013 12:38 PM, Jan Cholasta wrote:
> Hi,
> 
> this patch implements .
> 
> Because the design is not finished yet, this is a minimal implementation - it
> uses the krbTicketFlags attribute directly (which means no delegation of 
> rights
> to modify specific flags to specific admins) and there is no support for
> per-service type default values.
> 
> Honza
> 
> 

I checked what you have already and this is what I found:

1) Internal error if I try to remove krbticketflags via *attr functions:

# ipa service-add foo/`hostname` --setattr=krbticketflags=None
ipa: ERROR: an internal error has occurred
# ipa service-add foo/`hostname`

Added service "foo/vm-037.idm.lab.bos.redhat@idm.lab.bos.redhat.com"

# ipa service-mod foo/`hostname` --setattr=krbticketflags=None
ipa: ERROR: an internal error has occurred


2) The RFE page needs updating, it does not reflect current reality. AFAIU, the
only thing that's left to be decided is the granularity of the ACIs used to
control this flag.

Otherwise, the patch works fine.

Martin
