#7915 RFE: A master should be able to read the roles of masters
Opened 4 years ago by rcritten. Modified 4 years ago

Request for enhancement

As an IPA master, I want to be able to see the server roles I have so that I can use that in ipa-healthcheck.

The host principal of an IPA master is not allowed to read server roles.

KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa server-show hostname will succeed but will not include enabled_role_servrole.

This is a nice-to-have that would eliminate a direct LDAP search. It is better to not rely on IPA internals in general.

I think a new permission will be required to grant read access. The ipaservers hostgroup could be a default direct member of this, or we can do a role.

