[Freeipa-devel] [PATCH] 472 Let Host Administrators use host-disable command

Simo Sorce ssorce at redhat.com
Mon Jun 30 12:37:40 UTC 2014


On Mon, 2014-06-30 at 12:19 +0200, Petr Viktorin wrote:
> On 06/30/2014 10:58 AM, Martin Kosek wrote:
> > On 06/30/2014 10:55 AM, Petr Viktorin wrote:
> >> On 06/27/2014 05:18 PM, Martin Kosek wrote:
> >>> On 06/27/2014 05:16 PM, Simo Sorce wrote:
> >>>> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
> >>>>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
> >>>>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
> >>>>>>> Host Administrators could not write to the service keytab attribute and
> >>>>>>> thus could not run the host-disable command.
> >>>>>>>
> >>>>>>> https://fedorahosted.org/freeipa/ticket/4284
> >>>>>>>
> >>>>>>
> >>>>>> Any reason why Host Administrators are not members of the service
> >>>>>> Administrators group/permission by default ?
> >>>>>>
> >>>>>> Simo.
> >>>>>>
> >>>>>
> >>>>> I assume that the original intent was to allow admins to separate these
> >>>>> privileges, i.e. allow service administrators to manage services on hosts but
> >>>>> not allow them to delete or disable the hosts.
> >>>>
> >>>> Sure, but I asked the opposite question. I understand you may want to
> >>>> have Service Administrators that cannot manage the host object.
> >>>> But is there ever a case where Host Administrator is not also Service
> >>>> Administrator ?
> >>>>
> >>>>> This patch fixes the reported request for Foreman integration; if you have a
> >>>>> better one that fixes it as well, we can go a different way.
> >>>>
> >>>> I was wondering if a group membership change wouldn't solve a class of
> >>>> problems, instead of fixing this on a per-permission basis, that's all.
> >>>>
> >>>> Simo.
> >>>>
> >>>
> >>> Sure, good thinking. I do not think that the current framework can make one
> >>> privilege a member of another one, so this would need to be hacked in. CCing
> >>> Petr3 to get his view on this.
> >>
> >> Right, it would need to be hacked in.
> >> At the directory level there's normal membership, so any
> >> permission/privilege/role/group can be nested in any other, but IPA will
> >> probably give incomplete/confusing output for such memberships, and it won't
> >> let you edit them.
> >
> > Ok. In that case, it seems to me that the lesser evil would be to just add this
> > missing permission (or defer the ticket if nacked).
> >
> > Martin
> 
> I agree. ACK if Simo is OK with it as well.

Sure, no issues here.

Simo.
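The two fixes discussed in this thread (adding the missing permission to the Host Administrators privilege, or nesting the Service Administrators privilege inside it) both rely on FreeIPA's access control being plain group membership in the directory: a user is a member of a role, the role is a member of privileges, and each privilege is a member of the permissions whose ACIs it should receive. The resolver below is an added example, not FreeIPA code and not code from any participant; it walks that membership chain transitively and checks whether a Host Administrator ends up with every write that host-disable needs. Only "Host Administrators" and "Service Administrators" are real entry names. The "perm:" and "role:" entries, the user names, the attribute "krbprincipalkey" standing in for "the service keytab attribute", and the set of writes host-disable is modelled as needing are all assumptions made for the example.

```python
"""Effective-permission resolver over nested FreeIPA-style membership.

Added example for this thread; not FreeIPA code.  All entry names other than
"Host Administrators" and "Service Administrators", the attribute names, and
the writes attributed to host-disable are assumptions for illustration.
"""
from collections import deque
from typing import Dict, FrozenSet, Mapping, Set, Tuple

Right = Tuple[str, str]  # (target object type, attribute written)

# Constructed: what each permission grants write access to.  Names illustrative.
PERMISSION_RIGHTS: Dict[str, FrozenSet[Right]] = {
    "perm: Manage host keytab": frozenset({("host", "krbprincipalkey")}),
    "perm: Modify hosts": frozenset({("host", "description"), ("host", "nshostlocation")}),
    "perm: Manage service keytab": frozenset({("service", "krbprincipalkey")}),
    "perm: Modify services": frozenset({("service", "ipakrbauthzdata")}),
}

# Assumption: host-disable is modelled as rewriting the keytab attribute on the
# host entry and on each service entry of that host (the thread only states that
# the service keytab write is what Host Administrators lacked).
HOST_DISABLE_WRITES: FrozenSet[Right] = frozenset(
    {("host", "krbprincipalkey"), ("service", "krbprincipalkey")}
)


def unpatched_directory() -> Dict[str, Set[str]]:
    """Constructed memberOf map (entry -> entries it is a direct member of)
    before the fix: Host Administrators has no service keytab permission."""
    return {
        "alice": {"role: Host Operator"},
        "bob": set(),  # holds no role at all
        "role: Host Operator": {"Host Administrators"},
        "role: Service Operator": {"Service Administrators"},
        "Host Administrators": {"perm: Manage host keytab", "perm: Modify hosts"},
        "Service Administrators": {"perm: Manage service keytab", "perm: Modify services"},
    }


def with_permission_added() -> Dict[str, Set[str]]:
    """Martin's approach: add the missing permission to the privilege itself."""
    d = unpatched_directory()
    d["Host Administrators"].add("perm: Manage service keytab")
    return d


def with_nested_privilege() -> Dict[str, Set[str]]:
    """Simo's approach: make Host Administrators a member of Service
    Administrators, so it inherits every permission that privilege has."""
    d = unpatched_directory()
    d["Host Administrators"].add("Service Administrators")
    return d


def effective_permissions(entry: str, member_of: Mapping[str, Set[str]]) -> Set[str]:
    """Transitive memberOf walk (BFS with a visited set, so cycles terminate),
    keeping only the permission entries that were reached."""
    seen: Set[str] = set()
    queue = deque([entry])
    while queue:
        current = queue.popleft()
        for parent in member_of.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return {e for e in seen if e in PERMISSION_RIGHTS}


def effective_rights(entry: str, member_of: Mapping[str, Set[str]]) -> Set[Right]:
    """Union of the write rights of every permission the entry reaches."""
    rights: Set[Right] = set()
    for perm in effective_permissions(entry, member_of):
        rights |= PERMISSION_RIGHTS[perm]
    return rights


def missing_for_host_disable(user: str, member_of: Mapping[str, Set[str]]) -> Set[Right]:
    """Writes host-disable needs that the user's effective rights do not cover."""
    return set(HOST_DISABLE_WRITES) - effective_rights(user, member_of)


def can_host_disable(user: str, member_of: Mapping[str, Set[str]]) -> bool:
    return not missing_for_host_disable(user, member_of)


if __name__ == "__main__":
    for label, directory in (("unpatched", unpatched_directory()),
                             ("permission added", with_permission_added()),
                             ("privilege nested", with_nested_privilege())):
        missing = sorted(missing_for_host_disable("alice", directory))
        state = "ok" if not missing else "denied"
        print(f"{label:17s} alice host-disable: {state} {missing}")
```

In the unpatched directory alice is denied because only ("service", "krbprincipalkey") is missing; both fixes make host-disable succeed, and the nested variant additionally gives her "perm: Modify services", which is the broader grant Simo was asking about. The model only shows the directory-level semantics; Petr's caveat that the IPA framework will not display or edit privilege-in-privilege membership is outside what it checks.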
