Bug 1004126 - [RFE] Allow restricted Service Accounts that can only act on behalf of others
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Beaker
Classification: Retired
Component: general
Version: 0.14
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: beaker-dev-list
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On: 994984
Blocks:
 
Reported: 2013-09-04 02:43 UTC by Nick Coghlan
Modified: 2019-04-02 11:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-04-02 11:08:00 UTC
Embargoed:



Description Nick Coghlan 2013-09-04 02:43:04 UTC
The initial access policy design includes an implied "Everyone" row that grants permissions to all registered Beaker users.

This includes service accounts, which can cause issues if a system owner needs to get in touch with an actual human to see if they can reclaim the machine (for example).

Rather than creating a distinct category for Service Accounts in access policies, it seems better to create a restricted kind of *User* that can only act on behalf of other users (e.g. through the submission delegates mechanism), and will *always* fail permission checks in their own right.

This way, all running jobs and system reservations will be able to be tracked back to a particular real user.
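
The behaviour requested above, sketched as an added example (not part of the bug report and not Beaker's code): a restricted account fails every check in its own right, including the implied "Everyone" row, and can act only as a nominated delegate, with the action attributed to the real user. The `restricted` flag, the `authorize` helper, and the sample users and permission names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EVERYONE = object()  # sentinel for the implied "Everyone" policy row


@dataclass(frozen=True)
class User:
    name: str
    restricted: bool = False            # hypothetical flag for the proposed account kind
    delegates: frozenset = frozenset()  # names allowed to submit on this user's behalf


@dataclass
class AccessPolicy:
    rules: dict = field(default_factory=dict)  # permission -> {user names or EVERYONE}

    def grants(self, user, permission):
        """Check a user in their own right; restricted accounts always fail."""
        if user.restricted:
            return False  # tested before the Everyone row, so that row cannot apply
        allowed = self.rules.get(permission, set())
        return EVERYONE in allowed or user.name in allowed


def authorize(policy, actor, permission, on_behalf_of=None):
    """Return the real user the action is attributed to, or None if denied."""
    if on_behalf_of is None:
        return actor if policy.grants(actor, permission) else None
    # Delegated request: the owner must be a real user who nominated the actor,
    # and the owner's own permissions decide the outcome.
    if on_behalf_of.restricted or actor.name not in on_behalf_of.delegates:
        return None
    return on_behalf_of if policy.grants(on_behalf_of, permission) else None


# Constructed sample data (hypothetical names and permissions).
policy = AccessPolicy({"reserve": {EVERYONE}, "loan": {"alice"}})
alice = User("alice", delegates=frozenset({"ci-bot"}))
bob = User("bob")
ci_bot = User("ci-bot", restricted=True)

if __name__ == "__main__":
    for owner in (None, alice, bob):
        who = authorize(policy, ci_bot, "reserve", on_behalf_of=owner)
        print(owner.name if owner else "(direct)", "->", who.name if who else "denied")
```

Because `authorize` returns the owning user rather than the service account, whatever records the reservation or job can store a human contact for it.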

Comment 2 Tomas Klohna 🔧 2019-04-02 11:08:00 UTC
Not a requested feature by any of our users. If you would like to see this implemented, please reopen the ticket.

