We want users in the admins group to always be able to log into the IPA masters.
We should create a new hostgroup that contains all of the IPA masters in it. This hostgroup would be created on new installs and updated at the same time that cn=masters is updated (so via replication changes and when new masters are added).
A new HBAC rule for the ssh service will be added that allows users in the admins group to machines in the IPA masters hostgroup.
We will not prevent additional hosts to be added to the hostgroup.
A task will be needed to handle upgrades so that any missing IPA masters can be added.
We need to add a read permission for all masters so renewal scripts can work. With this hostgroup it would be straightforward. Moving to Needs triage.
As per jcholast's assessment, this is not strictly needed for 4.0 - moving to 4.1.
Jan, at least ipa masters hostgroup will be needed, right? For Topology plugin and proper remote DNA support (#4026).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1211595
Not required for replica promotion (#2888). As such, it is not required for 4.2, it may be postponed until it is required again.
admins user group and ipaservers host group exist now(4.3). Therefore moving this ticket to 4.3 as fixed.
For the hbac rule part, if anybody wants it, please open a new RFE ticket.
Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3
to comment on this ticket.