AFS-like group management with FreeIPA

From Linux NFS

Revision as of 23:10, 3 March 2021

AFS allows any ordinary user amy to create groups named "amy:groupname": https://docs.openafs.org/Reference/1/pts_creategroup.html. AFS has per-user quotas limiting the number of such groups created.

It would be possible to emulate this in FreeIPA by creating a permission, privilege, and role for each individual user, though it's a little cumbersome. FreeIPA group names cannot contain a colon, so "amy-" is used as the prefix in place of AFS's "amy:". For example:

 ipa permission-add "create amy groups" --type=group --right=add --filter="(cn=amy-*)"
 ipa privilege-add "create amy groups"
 ipa privilege-add-permission --permissions="create amy groups" "create amy groups"
 ipa role-add role-manage-amy-groups
 ipa role-add-member --users=amy role-manage-amy-groups
 ipa role-add-privilege --privileges="create amy groups" role-manage-amy-groups

Note that the "add" right only lets amy create groups whose cn starts with "amy-"; it does not let her change the membership of, or delete, those groups afterwards. That needs a further permission (for example "write" on the member attribute with the same filter) or the member manager mechanism described below.
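Doing the above by hand for every user is the cumbersome part. The script below is an added example, not from this wiki page or from the FreeIPA project: it wraps the same permission/privilege/role sequence in a function that takes the username as a parameter, and additionally grants "write" on the member attribute of the same groups so the user can manage membership of the groups she creates. It assumes the "ipa" CLI is on PATH and an admin Kerberos ticket is held when run for real; with IPA_DRY_RUN set it only prints the commands it would run, which is how it can be checked without a server. The username is validated before it is interpolated into the LDAP filter so that characters such as "*" or ")" cannot widen the filter.

```shell
#!/bin/sh
# Added example: delegate creation of "<user>-*" groups in FreeIPA to <user>.
# Assumptions: "ipa" is on PATH and a Kerberos admin ticket exists unless
# IPA_DRY_RUN is set, in which case commands are printed, not executed.

# Accept only characters FreeIPA allows in usernames; anything else could
# alter the meaning of the LDAP filter "(cn=<user>-*)" built below.
valid_user() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Run a command, or in dry-run mode print it with each argument quoted.
run() {
    if [ -n "${IPA_DRY_RUN:-}" ]; then
        for a in "$@"; do printf "'%s' " "$a"; done
        printf '\n'
    else
        "$@"
    fi
}

# Create permission, privilege and role for one user (eight ipa calls).
delegate_user_groups() {
    u=$1
    valid_user "$u" || { echo "invalid username: $u" >&2; return 1; }
    perm_add="create $u groups"
    perm_mem="manage $u group members"
    priv="manage $u groups"
    role="role-manage-$u-groups"
    run ipa permission-add "$perm_add" --type=group --right=add \
        --filter="(cn=$u-*)" &&
    run ipa permission-add "$perm_mem" --type=group --right=write \
        --attrs=member --filter="(cn=$u-*)" &&
    run ipa privilege-add "$priv" &&
    run ipa privilege-add-permission --permissions="$perm_add" "$priv" &&
    run ipa privilege-add-permission --permissions="$perm_mem" "$priv" &&
    run ipa role-add "$role" &&
    run ipa role-add-privilege --privileges="$priv" "$role" &&
    run ipa role-add-member --users="$u" "$role"
}

# Usage: IPA_DRY_RUN=1 sh delegate-afs-groups.sh amy bob
for user in "$@"; do
    delegate_user_groups "$user" || exit 1
done
```

Because the permissions are filter-based rather than attached to a specific group entry, amy can create as many "amy-*" groups as she likes; the script does nothing about quotas, which FreeIPA cannot express.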

FreeIPA permits an administrator to give a given user the right to modify the membership of a given group (see the member and membermanager attributes; "ipa group-add-member-manager --users=amy amy-somegroup" makes amy a member manager of that one group), or to delegate the right to create groups to certain users.

You can view and modify group membership with "ipa group-show" and "ipa group-add-member".

There's no way to enforce quotas: FreeIPA has no equivalent of AFS's per-user limit on the number of groups created. This would require someone writing a new server-side plugin. We're not aware of anyone working on it.
