Hi Fraser, Martin and Alexander,
Thanks for looking into this! For what it's worth, I think for this
particular use case, I'm leaning more towards Alexander when he said:
I don't think you need to group services this way. For managing
services, and this means being able to issue certificates/keytabs for
them, we have hosts. By default a host that a service belongs to is
capable to modify userCertificate attribute of the service already, so
I
would expect it to be able to issue certificates with subject principal
corresponding to the service.
If CAACL would follow the same logic by allowing hosts that manage
services to issue certificates with subject principals corresponding to
these services, that should be enough because, after all, these host
objects already have write permissions and can upload whatever
certificates they like to the service objects.
--
/ Alexander Bokovoy
Personally, I was very surprised when I discovered that, even though a
host principal may manage a service principal, it is currently unable to
request a certificate for that service principal if the service
principal doesn't have specific access to the certificate profile, even
though the host principal may have access to the same certificate
profile. In my mind the CA ACL should be evaluated against the identity
of the requestor, not the issuee. As long as the requestor is allowed to
request on behalf of the issuee (achieved via the managedby attribute),
then it should work. Now, if I used the credentials of the service
principal directly (say, with a service keytab) to make the request
(supposing the service principal wasn't listed in the CA ACL), then
denying the request would be the expected behaviour (imo of course).
Okay, so even though Alexander's suggestion might be more intuitive,
implementing service groups might be more feasible from a technical
standpoint, and I'm fairly sure this use case would also be solved by
implementing service groups. But, it would be painful without automember
regexp rules, so please don't forget this :D
Cheers!
On 2016-03-22 20:50, Fraser Tweedale wrote:
On Tue, Mar 22, 2016 at 09:59:58AM +0100, Martin Kosek wrote:
On 03/22/2016 05:55 AM, Fraser Tweedale wrote:
> On Fri, Mar 18, 2016 at 08:12:44PM +1100, earsdown wrote:
...
> To my fellow FreeIPA developers: are service groups a sensible RFE?
> Is there a reason why they have not been implemented?
It *is* sensible RFE and it was actually already filed!
https://fedorahosted.org/freeipa/ticket/5277
Please feel free to add yourself to CC to receive updates or even help
us with
implementation.
Thanks,
Martin
Good to know... I've added myself to Cc and also filed an RFE for
enhancing CA ACLs with service groups once #5277 is implemented:
https://fedorahosted.org/freeipa/ticket/5753
Cheers,
Fraser
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
