AFS-like group management with FreeIPA
From Linux NFS
Latest revision as of 18:59, 4 August 2021
AFS allows any ordinary user amy to create groups named "amy:groupname": https://docs.openafs.org/Reference/1/pts_creategroup.html. AFS has per-user quotas limiting the number of such groups created.
It would be possible to emulate this in FreeIPA by creating a permission, privilege, and role for each individual user, though it's a little cumbersome. For example:
# Permission: allow adding group entries whose cn starts with "amy-"
ipa permission-add "create amy groups" --type=group --right=add --filter="(cn=amy-*)"
# Privilege that carries the permission
ipa privilege-add "create amy groups"
ipa privilege-add-permission --permission="create amy groups" "create amy groups"
# Role that carries the privilege, assigned to amy
ipa role-add role-manage-amy-groups
ipa role-add-member --users=amy role-manage-amy-groups
ipa role-add-privilege --privileges="create amy groups" role-manage-amy-groups
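The same six steps generalised to any username, as an added example script that is not part of this page or of FreeIPA. It assumes the ipa CLI is installed and an admin Kerberos ticket is held when DRY_RUN is unset; the username check is there because the name is embedded in the LDAP filter "(cn=<user>-*)".

```shell
#!/bin/sh
# Added example: delegate "create groups named <user>-*" to one FreeIPA user.
# Generalises the manual amy-specific permission/privilege/role commands.
# Assumes the ipa CLI and an admin ticket are available when DRY_RUN is unset;
# with DRY_RUN=1 the commands are only printed.

# Run or print a command depending on DRY_RUN (helper constructed for this example).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Only accept usernames that are safe to embed in an LDAP filter such as (cn=<user>-*).
# Characters like '*', '(', ')' or '\' would change the meaning of the filter.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the permission, privilege and role for one user and assign the role to them.
delegate_group_prefix() {
    user="$1"
    if ! valid_username "$user"; then
        echo "refusing unsafe username: $user" >&2
        return 1
    fi
    perm="create $user groups"
    role="role-manage-$user-groups"
    run ipa permission-add "$perm" --type=group --right=add --filter="(cn=$user-*)"
    run ipa privilege-add "$perm"
    run ipa privilege-add-permission --permission="$perm" "$perm"
    run ipa role-add "$role"
    run ipa role-add-member --users="$user" "$role"
    run ipa role-add-privilege --privileges="$perm" "$role"
}

# Usage: DRY_RUN=1 sh delegate.sh amy   (drop DRY_RUN to apply the changes)
if [ $# -gt 0 ]; then
    delegate_group_prefix "$1"
fi
```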
FreeIPA permits an administrator to grant a user the right to modify membership of a given group (see the member and membermanager attributes), or delegate the right to create groups to certain users.
You can view and modify group membership with "ipa group-show" and "ipa group-add-member".
There's no way to enforce quotas. This would require someone writing a new plugin. We're not aware of anyone working on it.