#5277 [RFE] Add service groups for access control purposes
Opened 8 years ago by adelton. Modified 5 years ago

In complex setups like OpenStack, multiple service identities like glance/, nova/, cinder/, or neutron/ can be used on the server side, having keytabs and authenticating connections on the server side.

The same identities can however also make connections, acting like clients in those cases. It should be possible to control their access / authorization with standard FreeIPA mechanisms like user group memberships or host-based access control.

Options include expanding the user object to be able to mark a user as a service user or link it to the service. Maybe we can use the managed entry plugin to create and keep two entries in sync and actually point to the same keytab. Alternatively we can add some of the user object classes to the services and let them be members of the groups.


Renaming, for better "discoverability".

Metadata Update from @adelton:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @cheimes:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5 backlog)
- Issue tagged with: integration, rfe

6 years ago

Service groups are required to provide fine grained ACLs for Custodia's IPACertRequest.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @rcritten:
- Assignee reset

5 years ago

Services can be members of a role since 4.2.0 which grants RBAC controls.

I don't know a use case for an OpenStack user to need HBAC access (which grants permission to log into a machine using a PAM service) and being a user would mean it has POSIX attributes. I don't think this is something we want.
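To make the "services can be members of a role" point above concrete, here is what that membership looks like at the directory level. This is an added illustration, not text or code from the ticket or from the FreeIPA project; the suffix `dc=example,dc=test`, the realm `EXAMPLE.TEST`, the role name `svc-cert-requesters` and the service principal `glance/ctl.example.test` are assumed values. In practice the same three steps are done with `ipa role-add`, `ipa role-add-privilege --privileges=...` and `ipa role-add-member --services=...`; the LDIF is shown so the RBAC chain (permission -> privilege -> role -> service) is visible and can be checked with `ldapsearch`.

```ldif
# Added example; not from the ticket. Names, suffix and realm are hypothetical.

# 1. The role: a groupOfNames/nestedGroup entry under cn=roles,cn=accounts
#    (what "ipa role-add svc-cert-requesters" creates).
dn: cn=svc-cert-requesters,cn=roles,cn=accounts,dc=example,dc=test
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: svc-cert-requesters
description: Service principals allowed to request certificates

# 2. Grant the role a privilege. Privileges live under cn=privileges,cn=pbac
#    and list the roles that hold them in their member attribute
#    (what "ipa role-add-privilege" writes). "Certificate Administrators"
#    is one of the stock FreeIPA privileges.
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=test
changetype: modify
add: member
member: cn=svc-cert-requesters,cn=roles,cn=accounts,dc=example,dc=test

# 3. Put the service principal in the role. The role's member attribute
#    points at the service entry under cn=services,cn=accounts
#    (what "ipa role-add-member --services=glance/ctl.example.test" writes).
#    The memberOf plugin then adds the matching memberOf to the service,
#    which is what the ACIs behind the privilege's permissions evaluate.
dn: cn=svc-cert-requesters,cn=roles,cn=accounts,dc=example,dc=test
changetype: modify
add: member
member: krbprincipalname=glance/ctl.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
```

After the equivalent `ipa` commands, `ipa role-show svc-cert-requesters` lists the principal under "Member services" and "Privileges", which is the check to run before relying on the service's keytab for a privileged API call. Note that this grants rights in the IPA API only; it does not make the service an HBAC subject, which is the distinction drawn in the comment above.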
