[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Martin Kosek mkosek at redhat.com
Wed Mar 27 13:51:05 UTC 2013


On 03/26/2013 03:05 PM, Jan Cholasta wrote:
> On 25.3.2013 16:21, Martin Kosek wrote:
>> On 03/25/2013 02:41 PM, Martin Kosek wrote:
>>> I checked what you have already and this is what I found:
>>>
>>> 1) Internal error if I try to remove krbticketflags via *attr functions:
>>>
>>> # ipa service-add foo/`hostname` --setattr=krbticketflags=None
>>> ipa: ERROR: an internal error has occurred
>>> # ipa service-add foo/`hostname`
>>> ------------------------------------------------------------------------
>>> Added service "foo/vm-037.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM"
>>> ------------------------------------------------------------------------
>>> # ipa service-mod foo/`hostname` --setattr=krbticketflags=None
>>> ipa: ERROR: an internal error has occurred
> 
> Fixed.
> 
>>>
>>>
>>> 2) The RFE page needs updating; it does not reflect current reality. AFAIU, the
>>> only thing that's left to be decided is the granularity of the ACIs used to
>>> control this flag.
> 
> RFE page updated.
> 
>>
>> I read this part of the design proposal discussion wrong; this is already decided -
>> we do not want to have fine-grained granularity, these are too powerful flags
>> to be delegated per-flag to lower admins.
>>
>> So I think that your current approach is sufficient; I do not think we need to
>> add this attribute to some host/service-related permission to avoid allowing
>> this sensitive attribute for lower-level admins automatically. If someone wants
>> it, he can add and assign an appropriate permission.
> 
> Correct, this has been already decided.
> 
> Updated patch attached.
> 
> Honza
> 

This looks OK. Please just also add unit tests exercising this new feature.

Thanks,
Martin
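The internal error reproduced above (`--setattr=krbticketflags=None`) is the classic failure mode of a bitmask attribute that is fed straight into `int()`: a non-numeric value escapes as an uncaught exception instead of a validation error. The following is an added illustration, written for this page and not code from the FreeIPA patch or project, of how a plugin can normalise a raw `krbticketflags` value (accepting removal, integers, decimal and hex strings, rejecting garbage cleanly) and toggle individual bits. The convention that `None`, `""` and the literal string `"None"` mean "remove the attribute" is an assumption made here, not FreeIPA's documented behaviour; the two flag bit values are the MIT krb5 KDB constants `KRB5_KDB_REQUIRES_PRE_AUTH` and `KRB5_KDB_OK_AS_DELEGATE`, with all other bits omitted.

```python
"""Illustrative krbticketflags handling (added example; not FreeIPA code)."""
from typing import List, Optional, Union

# MIT krb5 KDB principal flag bits (kdb.h); only two are shown here.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000

RawFlags = Union[None, int, str, List[Union[None, int, str]]]


def normalize_ticket_flags(raw: RawFlags) -> Optional[int]:
    """Convert a raw setattr/addattr value into an int bitmask, or None to delete.

    Assumed convention (not FreeIPA's): None, "" and the literal "None" mean
    "remove the attribute". Anything else must be a non-negative 32-bit
    integer, given as an int or as a decimal/hex string. Invalid input raises
    ValueError so the caller can turn it into a validation error rather than
    letting a stray exception surface as an internal error.
    """
    if isinstance(raw, list):
        # LDAP-style multi-valued input; the attribute itself is single-valued.
        if len(raw) != 1:
            raise ValueError("krbticketflags is single-valued")
        raw = raw[0]
    if raw is None:
        return None
    if isinstance(raw, bool):
        # bool is an int subclass in Python; refuse it explicitly.
        raise ValueError("krbticketflags: boolean is not a bitmask")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str):
        text = raw.strip()
        if text in ("", "None"):
            return None
        try:
            value = int(text, 0)  # base 0 accepts "128" as well as "0x80"
        except ValueError:
            raise ValueError(f"krbticketflags: not an integer: {raw!r}") from None
    else:
        raise ValueError(f"krbticketflags: unsupported type {type(raw).__name__}")
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError(f"krbticketflags: out of 32-bit range: {value}")
    return value


def is_valid_ticket_flags(raw: RawFlags) -> bool:
    """True if normalize_ticket_flags() accepts the value, False otherwise."""
    try:
        normalize_ticket_flags(raw)
    except ValueError:
        return False
    return True


def apply_flag(current: Optional[int], bit: int, enable: bool) -> int:
    """Set (enable=True) or clear (enable=False) one bit of the mask.

    A missing attribute (None) is treated as an all-zero mask.
    """
    if bit <= 0 or bit & (bit - 1):
        raise ValueError("bit must be a single power of two")
    flags = current or 0
    return flags | bit if enable else flags & ~bit


def has_flag(current: Optional[int], bit: int) -> bool:
    """Report whether a bit is set in a possibly-absent mask."""
    return bool((current or 0) & bit)


if __name__ == "__main__":
    # Constructed inputs mirroring the CLI session in the thread above.
    print(normalize_ticket_flags("None"))      # removal request, not a crash
    print(hex(apply_flag(None, KRB5_KDB_OK_AS_DELEGATE, True)))
    print(is_valid_ticket_flags("abc"))        # rejected as a validation error
```

The key point for a plugin author is that every input path converges on `normalize_ticket_flags()`, so the `--setattr`/`--addattr` code path and the friendlier boolean options share one validator, and the only exception that can leave it is `ValueError`, which the command layer can map to a user-facing error. These functions are also the natural targets for the unit tests requested in the reply above.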