Red Hat Bugzilla – Bug 1004126
[RFE] Allow restricted Service Accounts that can only act on behalf of others
Last modified: 2018-02-05 19:41:31 EST
The initial access policy design includes an implied "Everyone" row that grants permissions to all registered Beaker users.
This includes service accounts, which can cause issues if a system owner needs to get in touch with an actual human to see if they can reclaim the machine (for example).
Rather than creating a distinct category for Service Accounts in access policies, it seems better to create a restricted kind of *User* that can only act on behalf of other users (e.g. through the submission delegates mechanism), and will *always* fail permission checks in their own right.
This way, all running jobs and system reservations will be able to be tracked back to a particular real user.
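The proposal above, modeled as an added example (not Beaker's code and not part of the original report): the `restricted` flag, the `delegates` set, and the `reserve` and `attributed_owner` functions are hypothetical names chosen for illustration. It shows a restricted account failing the implied "Everyone" row in its own right while a delegated action is checked against, and attributed to, a real user.

```python
from dataclasses import dataclass, field

EVERYONE = "*"  # constructed stand-in for the implied "Everyone" policy row


@dataclass(frozen=True)
class User:
    name: str
    restricted: bool = False            # hypothetical flag: restricted service account
    delegates: frozenset = frozenset()  # accounts allowed to submit on this user's behalf


@dataclass
class AccessPolicy:
    rows: list = field(default_factory=list)  # (subject, permission) pairs

    def grants(self, user, permission):
        # A restricted account fails every check in its own right,
        # even when the "Everyone" row would otherwise match it.
        if user.restricted:
            return False
        return any(perm == permission and subj in (EVERYONE, user.name)
                   for subj, perm in self.rows)


def reserve(policy, actor, on_behalf_of=None):
    """Return the name of the real user the reservation is attributed to."""
    owner = actor if on_behalf_of is None else on_behalf_of
    if on_behalf_of is not None and actor.name not in on_behalf_of.delegates:
        raise PermissionError(f"{actor.name} is not a delegate of {owner.name}")
    # The check always runs against the owner, so a delegated action
    # succeeds only with a real user's permissions and is tracked to them.
    if not policy.grants(owner, "reserve"):
        raise PermissionError(f"{owner.name} may not reserve this system")
    return owner.name


def attributed_owner(policy, actor, on_behalf_of=None):
    """Owner name on success, None when the request is denied."""
    try:
        return reserve(policy, actor, on_behalf_of)
    except PermissionError:
        return None


# Constructed sample data: one "Everyone" row, two real users, one service account.
policy = AccessPolicy(rows=[(EVERYONE, "reserve")])
alice = User("alice", delegates=frozenset({"ci-bot"}))
bob = User("bob")
ci_bot = User("ci-bot", restricted=True)
```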