Issue #3659: [RFE] Add policies to define which principals can make specific TGS requests - freeipa

freeipa

#3659 [RFE] Add policies to define which principals can make specific TGS requests

Opened 10 years ago by dpal. Modified 5 years ago

In cases when the principal is coming from an untrusted environment we want to make sure the principal can't acquire tickets for critical internal services. There should be a way to define that principal X is allowed to get tickets only for a group of services Y.
We need to:
1. Define schema
2. Implement KDB hooks
3. Provide CLI plugin
4. Implement UI.
5. Provide Doc.
6. Provide training.
7. Provide tests.

dpal commented 9 years ago

Related to #4498 and #433

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

rcritten commented 5 years ago

This is more possible now due to KDC policy plugin availability https://github.com/freeipa/freeipa/pull/2147

Metadata Update from @rcritten:
- Issue close_status updated to: None

5 years ago

ftweedal commented 5 years ago

How much demand is there for this?

IMO AuthInd and HBAC cover the outlined use case (i.e., limit access to critical hosts/services when user is coming from untrusted network).

Ping @dpal for comment.

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

Ticket Backlog

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

todo

tester

None

changelog

None

design

None

freeipa

Source Code

#3659 [RFE] Add policies to define which principals can make specific TGS requests Opened 10 years ago by dpal. Modified 5 years ago

Close issue as:

Metadata

#3659 [RFE] Add policies to define which principals can make specific TGS requests

Opened 10 years ago by dpal. Modified 5 years ago