Diffstat (limited to 'ipaserver/plugins/service.py')
-rw-r--r--ipaserver/plugins/service.py53
1 files changed, 41 insertions, 12 deletions
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b0832b23..417be0011 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -422,6 +422,13 @@ class service(LDAPObject):
],
'default_privileges': {'Service Administrators'},
},
+ 'System: Manage Service Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'Service Administrators',
+ },
+ },
'System: Remove Services': {
'ipapermright': {'delete'},
'replaces': [
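Review bot: The new 'System: Manage Service Principals' permission grants write on `krbcanonicalname` as well as `krbprincipalname`, although the commands added later in this commit only declare `attribute = 'krbprincipalname'`. The extra attribute is presumably there because `util.ensure_krbcanonicalname_set` may need to fill in the canonical name on entries that lack it, but that helper is not visible here, so this should be confirmed. If it is not required, dropping `krbcanonicalname` keeps the grant to what alias management needs. Either way a comment above `ipapermdefaultattr` would help, e.g. `# krbcanonicalname is writable only so adding an alias can set it on entries that lack it`. The permissions dict starts and ends outside this hunk.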
@@ -439,12 +446,22 @@ class service(LDAPObject):
'krbcanonicalname',
validate_realm,
cli_name='canonical_principal',
- label=_('Principal'),
+ label=_('Principal name'),
doc=_('Service principal'),
primary_key=True,
normalizer=normalize_principal,
require_service=True
),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ cli_name='principal',
+ label=_('Principal alias'),
+ doc=_('Service principal alias'),
+ normalizer=normalize_principal,
+ require_service=True,
+ flags={'no_create'}
+ ),
Bytes('usercertificate*', validate_certificate,
cli_name='certificate',
label=_('Certificate'),
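Review bot: Dropping `no_update` from the flags of the relocated `krbprincipalname*` parameter presumably exposes the attribute on the update command as well. Nothing in the visible hunks adds to that path the checks that `service_add_principal` and `service_remove_principal` run in their `pre_callback` methods. Unless the update command already validates this attribute outside these hunks, aliases written that way would skip the trust-namespace check and the last-principal guard. Consider keeping `flags={'no_create', 'no_update'}` so the dedicated commands are the only API route for alias changes, or running the same `util` checks in the update callback. The parameter tuple begins before and continues past this hunk.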
@@ -503,16 +520,6 @@ class service(LDAPObject):
" Use 'radius' to allow RADIUS-based 2FA authentications."
" Other values may be used for custom configurations."),
),
- Principal(
- 'krbprincipalname',
- validate_realm,
- cli_name='principal',
- label=_('Principal Alias'),
- doc=_('Service principal alias'),
- normalizer=normalize_principal,
- require_service=True,
- flags={'no_create', 'no_update'}
- ),
) + ticket_flags_params
def validate_ipakrbauthzdata(self, entry):
@@ -819,7 +826,6 @@ class service_show(LDAPRetrieve):
return dn
-
@register()
class service_add_host(LDAPAddMember):
__doc__ = _('Add hosts that can manage this service.')
@@ -978,3 +984,26 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
revoke_certs(options['usercertificate'], self.log)
return dn
+
+
+@register()
+class service_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to a service')
+ msg_summary = _('Added new aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class service_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a service')
+ msg_summary = _('Removed aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
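Review bot: Neither new `pre_callback` says which invariant it enforces, and these calls are the only guards on alias changes visible in the two commands. Add a one-line docstring to each, e.g. `"""Reject aliases that collide with a trusted realm namespace; make sure krbcanonicalname is set."""` for the add command and `"""Refuse removals that would leave the entry without its required principal name."""` for the remove command. That wording is inferred from the helper names, so check it against the `util` implementations before committing. Separately, the `msg_summary` of `service_remove_principal` reads 'Removed aliases to the service principal', where 'from' is probably intended.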