path: root/ipaserver/plugins/group.py
author: Alexander Bokovoy <abokovoy@redhat.com> 2018-04-26 11:32:19 +0300
committer: Rob Crittenden <rcritten@redhat.com> 2018-05-08 16:39:22 -0400
commit: e64286571739d27822b118c780fbb8825038ae1c (patch)
tree: d286c886c8f632709d2d15615c8230a8fdc6ab2a /ipaserver/plugins/group.py
parent: 9e8fb94e87339b9908ec05fe5274ca51df3a82cf (diff)
group: allow services as members of groups
Allow services to be members of the groups, like users and other groups can already be. This is required for use cases where such services aren't associated with a particular host (and thus, the host object cannot be used to retrieve the keytabs) but represent purely client Kerberos principals to use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver/plugins/group.py')
-rw-r--r--  ipaserver/plugins/group.py  19
1 files changed, 13 insertions, 6 deletions
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 1b09cf0bd..9e9c047fb 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -62,10 +62,10 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
__doc__ = _("""
Groups of users
-Manage groups of users. By default, new groups are POSIX groups. You
-can add the --nonposix option to the group-add command to mark a new group
-as non-POSIX. You can use the --posix argument with the group-mod command
-to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
+Manage groups of users, groups, or services. By default, new groups are POSIX
+groups. You can add the --nonposix option to the group-add command to mark a
+new group as non-POSIX. You can use the --posix argument with the group-mod
+command to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
converted to non-POSIX groups.
Every group must have a description.
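Review bot: the topic title line `Groups of users` (the first context line of this hunk) is left unchanged while the sentence directly under it now reads `Manage groups of users, groups, or services.`; the title should be widened to match, e.g. `Groups of users, groups, and services`, otherwise `ipa help group` still advertises the old, narrower scope.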
@@ -75,6 +75,10 @@ supported but can have an impact on your file permissions. It is not necessary
to supply a GID when creating a group. IPA will generate one automatically
if it is not provided.
+Groups members can be users, other groups, and Kerberos services. In POSIX
+environments only users will be visible as group members, but nested groups and
+groups of services can be used for IPA management purposes.
+
EXAMPLES:
Add a new group:
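Review bot: typo in the first added line, `Groups members can be users, other groups, and Kerberos services.` should read `Group members can be users, ...`. The sentence `In POSIX environments only users will be visible as group members` is a useful caveat for administrators (a service added to a POSIX group will not appear in POSIX group resolution), but `can be used for IPA management purposes` is vague; naming what that covers, such as the role, HBAC and sudo rule membership the group can carry, would tell the reader what adding a service to a group actually achieves.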
@@ -101,6 +105,9 @@ EXAMPLES:
Add multiple users to the "localadmins" group:
ipa group-add-member --users=test1 --users=test2 localadmins
+ To add Kerberos services to the "printer admins" group:
+ ipa group-add-member --services=CUPS/some.host printeradmins
+
Remove a user from the "localadmins" group:
ipa group-remove-member --users=test2 localadmins
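Review bot: the new example is inconsistent with its neighbours: the prose names the group "printer admins" while the command uses `printeradmins`, and the surrounding examples are phrased imperatively (`Add multiple users to the "localadmins" group:`) rather than `To add Kerberos services to ...`. Suggest `Add a Kerberos service to the "printeradmins" group:` above `ipa group-add-member --services=CUPS/some.host printeradmins`. Also confirm that `--services` accepts the short `CUPS/some.host` form without a realm; if it requires the full principal, the example should show that form.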
@@ -171,9 +178,9 @@ class group(LDAPObject):
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
- 'member': ['user', 'group'],
+ 'member': ['user', 'group', 'service'],
'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
- 'memberindirect': ['user', 'group'],
+ 'memberindirect': ['user', 'group', 'service'],
'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
'sudorule'],
}
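Review bot: only one side of the membership relation is visible here. Adding `'service'` to `member` and `memberindirect` lets `group-add-member --services` and `group-show` work, but the reverse mapping lives in the service plugin's `attribute_members` (`memberof`/`memberofindirect` must list `'group'`) and there is no test exercising `--services`; since the diffstat above is limited to `ipaserver/plugins/group.py`, please confirm the rest of the commit carries the service-side mapping and a test, otherwise `service-show` will not report the new group membership. A note in the commit message stating that group membership of services is purely an IPA-side relation (not visible through POSIX group lookups) would also help reviewers of downstream ACI changes.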