Bug 1004126 - [RFE] Allow restricted Service Accounts that can only act on behalf of others
Status: NEW
Product: Beaker
Classification: Community
Component: general
Priority: medium
Severity: unspecified
Assigned To: beaker-dev-list
Keywords: FutureFeature, Triaged
Depends On: 994984
Reported: 2013-09-03 22:43 EDT by Nick Coghlan
Modified: 2018-02-05 19:41 EST
Doc Type: Enhancement
Type: Bug
Description Nick Coghlan 2013-09-03 22:43:04 EDT
The initial access policy design includes an implied "Everyone" row that grants permissions to all registered Beaker users.

This includes service accounts, which can cause issues if a system owner needs to get in touch with an actual human to see if they can reclaim the machine (for example).

Rather than creating a distinct category for Service Accounts in access policies, it seems better to create a restricted kind of *User* that can only act on behalf of other users (e.g. through the submission delegates mechanism), and will *always* fail permission checks in their own right.

This way, all running jobs and system reservations will be able to be tracked back to a particular real user.
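
A small model of the proposal above, added here as an illustration and not taken from Beaker's code base: a restricted account fails every permission check in its own right, including the implied "Everyone" row, and can only act through a delegate relationship with a real user. The names `User.restricted`, `AccessPolicy`, `reserve`, the `"reserve"` permission and the sample accounts are all assumptions made for this sketch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    restricted: bool = False  # assumed flag marking a restricted service account

@dataclass
class AccessPolicy:
    everyone: set = field(default_factory=set)   # implied "Everyone" row
    grants: dict = field(default_factory=dict)   # permission -> explicitly granted names

    def allows(self, user, permission):
        if user.restricted:
            return False  # never passes in its own right, even with an explicit grant
        return permission in self.everyone or user.name in self.grants.get(permission, set())

@dataclass(frozen=True)
class Reservation:
    system: str
    owner: str         # real user the reservation is tracked back to
    submitted_by: str  # account that made the request

def reserve(policy, system, actor, delegates, on_behalf_of=None):
    """delegates maps a real user's name to the account names allowed to submit for them."""
    owner = on_behalf_of if on_behalf_of is not None else actor
    if on_behalf_of is not None:
        if on_behalf_of.restricted:
            raise PermissionError("cannot act on behalf of a restricted account")
        if actor.name not in delegates.get(owner.name, set()):
            raise PermissionError(f"{actor.name} is not a delegate of {owner.name}")
    # The check always runs against the owner, never against the submitting account.
    if not policy.allows(owner, "reserve"):
        raise PermissionError(f"{owner.name} may not reserve {system}")
    return Reservation(system, owner.name, actor.name)

def demo():
    # Constructed sample accounts and policy.
    alice, bot = User("alice"), User("ci-bot", restricted=True)
    policy = AccessPolicy(everyone={"reserve"}, grants={"reserve": {"ci-bot"}})
    delegated = reserve(policy, "host1", bot, {"alice": {"ci-bot"}}, on_behalf_of=alice)
    try:
        reserve(policy, "host1", bot, {"alice": {"ci-bot"}})
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    return delegated, direct

if __name__ == "__main__":
    print(demo())
```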
