Bug 1004126

Summary: [RFE] Allow restricted Service Accounts that can only act on behalf of others
Product: [Retired] Beaker
Reporter: Nick Coghlan <ncoghlan>
Component: general
Assignee: beaker-dev-list
Status: CLOSED DEFERRED
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Priority: medium
Version: 0.14
CC: qwan, sgraf, tklohna, tools-bugs
Keywords: FutureFeature, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2019-04-02 11:08:00 UTC
Type: Bug
Bug Depends On: 994984

Description Nick Coghlan 2013-09-04 02:43:04 UTC
The initial access policy design includes an implied "Everyone" row that grants permissions to all registered Beaker users.

This includes service accounts, which can cause issues if a system owner needs to get in touch with an actual human to see if they can reclaim the machine (for example).

Rather than creating a distinct category for Service Accounts in access policies, it seems better to create a restricted kind of *User* that can only act on behalf of other users (e.g. through the submission delegates mechanism), and will *always* fail permission checks in their own right.

This way, all running jobs and system reservations will be able to be tracked back to a particular real user.
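
The rule proposed above, sketched as a small authorization model. This is an added example, not Beaker code: the `restricted` flag, the `authorize` function, the class names and the `reserve` permission are hypothetical, and the sample users are constructed.

```python
from dataclasses import dataclass, field

EVERYONE = "*"  # stands in for the implied "Everyone" row


@dataclass(frozen=True)
class User:
    name: str
    restricted: bool = False            # hypothetical: restricted service account
    delegates: frozenset = frozenset()  # accounts allowed to act for this user


@dataclass
class AccessPolicy:
    # Rows of (principal, permission); principal is a user name or EVERYONE.
    rows: set = field(default_factory=set)

    def grants(self, user: User, permission: str) -> bool:
        # A restricted account never matches a row, not even "Everyone".
        if user.restricted:
            return False
        return ((user.name, permission) in self.rows
                or (EVERYONE, permission) in self.rows)


def authorize(policy, actor, permission, on_behalf_of=None):
    """Return the user the action is attributed to, or None if denied."""
    if on_behalf_of is None:
        return actor if policy.grants(actor, permission) else None
    # Delegated action: the actor must be a registered delegate of a real
    # user, and the permission check runs against that user, not the actor.
    if on_behalf_of.restricted or actor.name not in on_behalf_of.delegates:
        return None
    return on_behalf_of if policy.grants(on_behalf_of, permission) else None


# Constructed sample data: "Everyone" may reserve the system.
policy = AccessPolicy({(EVERYONE, "reserve")})
alice = User("alice", delegates=frozenset({"ci-bot"}))
bob = User("bob")
ci_bot = User("ci-bot", restricted=True)
```

Every successful call returns a non-restricted user, so each job or reservation is attributable to a real person.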

Comment 2 Tomas Klohna 2019-04-02 11:08:00 UTC
Not a requested feature by any of our users. If you would like to see this implemented, please reopen the ticket.