[Freeipa-devel] [PATCHES] [RFC] New getkeytab operation

Simo Sorce simo at redhat.com
Wed Mar 5 22:18:18 UTC 2014


Hello,
this is a patchset I have been brewing for quite some time.

It addresses primarily ticket #3859; however, the implementation
implicitly also addresses tickets #232 (effective only if we change
permissions and break the old interface, so only potentially but not
immediately) and #233.

The patchset is marked [RFC] because it involves the clever use of ACIs
to introduce a new ipaPermittedOperations attribute that is used to
allow defining a 'virtual' operation as a subtype. This clever use of
ACIs is also what stalled this patchset, because of 389DS bugs #47569 and
#47571, which have since been fixed and which I was finally able to verify.

Also another blocker for this patchset is that we need to wait for 4.0
when we change the Permission model and stop allowing anyone to read all
attributes.

Another reason this is still RFC is that the admin user apparently is
allowed to retrieve any keytab with the current code and default ACIs as
augmented by the 3rd patch. It is not entirely clear to me why that
happens; I think it may be due to the broad permissions granted to the
admins group. This is *not* something we want to allow in the default
case, so help to figure out how to avoid it will go a long way toward
making this patchset acceptable.

However, due to the various changes, I want to post it to the list for
feedback, to see if someone can poke holes in the general architecture
of the patches.

Thanks for reading this far :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-508-1-keytabs-Modularize-setkeytab-operation.patch
Type: text/x-patch
Size: 16797 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-509-1-keytabs-Expose-and-modify-key-encoding-function.patch
Type: text/x-patch
Size: 5300 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-510-1-keytab-Add-new-extended-operation-to-get-a-keytab.patch
Type: text/x-patch
Size: 23046 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-511-1-ipa-getkeytab-Modularize-ldap_set_keytab-function.patch
Type: text/x-patch
Size: 11208 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-512-1-ipa-getkeytab-Add-support-for-get_keytab-extop.patch
Type: text/x-patch
Size: 15882 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-513-1-man-Add-r-option-to-ipa-getkeytab.1.patch
Type: text/x-patch
Size: 2019 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/3aa5fe5b/attachment-0005.bin>
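Added example, not part of the post above and not code from the patches or from FreeIPA: one way to investigate the "admin can retrieve any keytab" observation is to ask 389DS directly which rights a given bind identity holds on a principal entry, using the Get Effective Rights control (OID 1.3.6.1.4.1.42.2.27.9.5.2, requested through ldapsearch's -E option), and to parse the attributeLevelRights it returns. The DNs, hostname, the krbPrincipalKey attribute name and the sample server output below are constructed assumptions for illustration; the ipaPermittedOperations attribute name is taken from the post.

```python
"""Diagnose effective rights on a principal entry with the 389DS GER control.

Added example. Everything that names a host, DN or key attribute here is an
assumption for illustration; only the GER OID, the ldapsearch -E syntax and
the attributeLevelRights output format are real 389DS/OpenLDAP behaviour.
"""
import re
import shlex

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights request control

# Rights letters 389DS reports per attribute: r read, s search, c compare,
# w write (add values), o obliterate (delete values).
READ, WRITE = "r", "w"


def ger_search_argv(bind_dn, subject_dn, target_dn, attrs=("attributeLevelRights",)):
    """argv for an ldapsearch that asks 389DS what subject_dn may do on
    target_dn. bind_dn must be allowed to use the control (assumed here to
    be the Directory Manager); '!' marks the control as critical."""
    return [
        "ldapsearch", "-LLL", "-x", "-D", bind_dn, "-W",
        "-s", "base", "-b", target_dn,
        "-E", f"!{GER_OID}:dn:{subject_dn}",
        "(objectClass=*)", *attrs,
    ]


def _unfold(ldif_text):
    """LDIF folds long values onto continuation lines that start with one
    space; join them back before parsing."""
    return re.sub(r"\n ", "", ldif_text)


_RIGHTS_LINE = re.compile(r"^attributeLevelRights:\s*(.*)$", re.MULTILINE)


def parse_attribute_level_rights(ldif_text):
    """Turn 'attributeLevelRights: a:rsc, b:rscwo' lines into {attr: set}."""
    rights = {}
    for match in _RIGHTS_LINE.finditer(_unfold(ldif_text)):
        for item in match.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            attr, _, letters = item.partition(":")
            rights.setdefault(attr.strip(), set()).update(letters.strip())
    return rights


def report(ldif_text, attr):
    """Summarise whether the subject may read and/or write one attribute."""
    rights = parse_attribute_level_rights(ldif_text).get(attr, set())
    return {"attr": attr, "read": READ in rights, "write": WRITE in rights}


# Constructed sample of what 389DS returns for the query above (assumption):
# the subject holds full rights on the key attribute, read-only on the
# ipaPermittedOperations attribute.
SAMPLE_GER_OUTPUT = """\
dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
entryLevelRights: vadn
attributeLevelRights: krbPrincipalName:rsc, krbPrincipalKey:rscwo,
 ipaPermittedOperations:rsc
"""

if __name__ == "__main__":
    argv = ger_search_argv(
        "cn=Directory Manager",
        "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
        "krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test",
    )
    print(shlex.join(argv))
    print(report(SAMPLE_GER_OUTPUT, "krbPrincipalKey"))
    print(report(SAMPLE_GER_OUTPUT, "ipaPermittedOperations"))
```

Running the printed ldapsearch against a live server (the script itself only parses the embedded sample) shows which ACI-derived rights the admin subject actually holds on the key attribute; a 'w' or 'r' there that the intended permission model does not grant points at an over-broad ACI rather than at the extended operation's own check.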
