#5250 ipa vault: set owner of vault container
Closed: Fixed. Opened 8 years ago by pvoborni.

Make it possible to set/unset/change an owner of a vault container, e.g. with a new command.

Reasons:

  • A vault container loses its owner when the user/service is removed. An admin should be able to set it back after the user/service is re-added.
  • Make it possible to remove an owner and thus prevent the user from accessing his vaults, e.g. vault-takeownership --user someuser --targetuser=""

FreeIPA 4.2.1 was released, moving to 4.2.2.

master:

  • 2964b01 baseldap: make subtree deletion optional in LDAPDelete
  • d396913 vault: add vault container commands
  • 5cf46b8 vault: set owner to current user on container creation
  • d350304 vault: update access control
  • 0dfcf1d vault: add permissions and administrator privilege
  • 5137478 install: support KRA update

ipa-4-2:

  • b393205 baseldap: make subtree deletion optional in LDAPDelete
  • ad7325d vault: add vault container commands
  • 78f8906 vault: set owner to current user on container creation
  • b9615c8 vault: update access control
  • 500e0d1 vault: add permissions and administrator privilege
  • b1587bf install: support KRA update

Vault container ownership can be managed by new commands:

 vaultcontainer-show [--service <service>|--user <user>|--shared ]
 vaultcontainer-del [--service <service>|--user <user>|--shared ]
 vaultcontainer-add-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]
 vaultcontainer-remove-owner
         [--service <service>|--user <user>|--shared ]
         [--users <users>]  [--groups <groups>] [--services <services>]

Permissions work as follows:

- Add new "Vault administrators" privilege. Vault administrators will have unrestricted access to vaults and vault containers, including the power to add/remove owners of vaults and vault containers.

- Remove the ability of vault owners to add/remove other vault owners. If a vault owner needs to be changed, a vault administrator has to do it. Note that vault owners will still have the ability to add/remove vault members.

- When adding a new vault container, set the owner to the current user. If the vault container owner needs to be changed, a vault administrator has to do it.

- Allow adding vaults and vault containers only if the owner is set to the current user.
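The two workflows from the ticket (re-attaching the owner of a user's vault container after the user was deleted and re-added, and removing a user as owner to cut off access to his vaults), as an added example that is not part of the ticket or of FreeIPA's own code. It is a small POSIX shell wrapper around the vaultcontainer-show, vaultcontainer-add-owner and vaultcontainer-remove-owner commands listed above, and it assumes the `ipa` CLI is on PATH, that the caller holds a Kerberos ticket for a member of the "Vault administrators" privilege, and that `ipa vaultcontainer-show` prints the owners on a line starting with "Owner users:" (the label used by the FreeIPA vault plugin; treat it as an assumption and check against your own output).

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA itself: drive the
# vaultcontainer-* commands from this ticket to (a) re-attach the owner of a
# user's vault container after the user was deleted and re-added, and (b)
# revoke a user's access by removing them as owner of their container.
# Assumptions (not stated on the page): `ipa` is on PATH, the caller holds a
# ticket for a member of the "Vault administrators" privilege, and
# `ipa vaultcontainer-show` lists owners on a line beginning "Owner users:".

# Print the owner users of USER's vault container, one per word
# (empty when the container has no owner, e.g. after the user was removed).
vault_container_owners() {
    ipa vaultcontainer-show --user "$1" 2>/dev/null \
        | sed -n 's/^[[:space:]]*Owner users:[[:space:]]*//p' \
        | tr ',' ' '
}

# Make USER an owner of their own vault container again.
# Prints "no-container", "already-owner" or "added"; non-zero status on failure.
restore_vault_container_owner() {
    user=$1
    if ! ipa vaultcontainer-show --user "$user" >/dev/null 2>&1; then
        echo "no-container"
        return 1
    fi
    for owner in $(vault_container_owners "$user"); do
        if [ "$owner" = "$user" ]; then
            echo "already-owner"
            return 0
        fi
    done
    # Per the permission model above, only a vault administrator may do this;
    # a plain vault owner can no longer change ownership.
    ipa vaultcontainer-add-owner --user "$user" --users "$user" >/dev/null || return 1
    echo "added"
}

# Remove USER as owner of their own vault container, which blocks their
# access to the vaults inside it (the ticket's second use case).
revoke_vault_container_owner() {
    ipa vaultcontainer-remove-owner --user "$1" --users "$1" >/dev/null
}

# Usage when run directly:  ./vault-owner.sh restore alice
#                           ./vault-owner.sh revoke alice
if [ "$#" -eq 2 ]; then
    case "$1" in
        restore) restore_vault_container_owner "$2" ;;
        revoke)  revoke_vault_container_owner "$2" ;;
        *) echo "usage: $0 restore|revoke USER" >&2; exit 2 ;;
    esac
fi
```

The "no-container" branch matters: a container that does not exist at all is a different situation from one that exists without an owner, and only the second one is the case this ticket is about, so the script refuses rather than silently creating anything.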

Metadata Update from @pvoborni:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.2.2

7 years ago
