[Freeipa-devel] [PATCH] 227 virtual operations
Rob Crittenden
rcritten at redhat.com
Mon Jun 1 18:49:32 UTC 2009
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed
then permission is granted. If not then denied. The write we attempt is
actually invalid so the write itself will fail but the attempt will fail
first if access is not permitted, so we can distinguish between the two
without polluting the entry.

To use this you subclass from the VirtualCommand class, then make a call
to super() to invoke the ACI enforcement. You also need to create the
virtual entry to test against, and perhaps a set of role and task
groups for delegation purposes.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-227-virtual.patch
Type: application/mbox
Size: 13699 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090601/e6790a3f/attachment.mbox>
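The probe described in the message, modelled as an added example (not code from the attached patch or from FreeIPA). VirtualCommand and the super() call come from the message; StubDirectory, the two exception classes, the DN, the group names and RequestCertificate are hypothetical stand-ins so the sketch runs without a directory server.

```python
class InsufficientAccess(Exception):
    """Stands in for the LDAP insufficientAccessRights result."""

class InvalidWrite(Exception):
    """Stands in for the error the server returns for an invalid write."""

class StubDirectory:
    """Hypothetical in-memory directory: ACIs are evaluated before validation."""
    def __init__(self, write_acis):
        self.write_acis = write_acis              # DN -> groups allowed to write
        self.entries = {dn: {} for dn in write_acis}

    def modify(self, dn, groups, attr, value):
        if not self.write_acis.get(dn, set()) & set(groups):
            raise InsufficientAccess(dn)          # denied before validation
        if value == "":
            raise InvalidWrite(attr)              # allowed, but the write is invalid
        self.entries[dn][attr] = value

class VirtualCommand:
    operation = None                              # set by each subclass
    container = "cn=virtual operations,dc=example,dc=com"   # constructed DN
    def __init__(self, directory):
        self.directory = directory

    def check_access(self, groups):
        dn = f"cn={self.operation},{self.container}"
        try:
            self.directory.modify(dn, groups, "description", "")
        except InvalidWrite:
            return True                           # passed the ACI, entry untouched
        except InsufficientAccess:
            return False                          # also covers a missing virtual entry
        raise RuntimeError("probe write succeeded; refusing to grant access")

    def execute(self, groups, *args):
        if not self.check_access(groups):
            raise PermissionError(f"not allowed to perform '{self.operation}'")

class RequestCertificate(VirtualCommand):         # hypothetical subclass
    operation = "request certificate"
    def execute(self, groups, csr):
        super().execute(groups)                   # ACI enforcement happens here
        return f"submitted {csr} to the CA"

if __name__ == "__main__":
    dn = "cn=request certificate,cn=virtual operations,dc=example,dc=com"
    cmd = RequestCertificate(StubDirectory({dn: {"certadmin"}}))
    print(cmd.check_access(["certadmin"]), cmd.check_access(["helpdesk"]))
```

Only the two expected errors are mapped to allow or deny; a probe write that unexpectedly succeeds raises instead of granting access, and any other error propagates to the caller.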