In cases when the principal is coming from an untrusted environment we want to make sure the principal can't acquire tickets for critical internal services. There should be a way to define that principal X is allowed to get tickets only for a group of services Y. We need to: 1. Define schema 2. Implement KDB hooks 3. Provide CLI plugin 4. Implement UI. 5. Provide Doc. 6. Provide training. 7. Provide tests.
Related to #4498 and #433
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
This is more possible now due to KDC policy plugin availability https://github.com/freeipa/freeipa/pull/2147
Metadata Update from @rcritten: - Issue close_status updated to: None
How much demand is there for this?
IMO AuthInd and HBAC cover the outlined use case (i.e., limit access to critical hosts/services when user is coming from untrusted network).
Ping @dpal for comment.
Login to comment on this ticket.