[Freeipa-devel] [PATCH] 612 re-implement permissions

Rob Crittenden rcritten at redhat.com
Wed Dec 1 21:01:46 UTC 2010


Simo Sorce wrote:
> On Thu, 18 Nov 2010 23:11:51 -0500
> Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Re-implement access control using an updated model.
>>
>> The new model is based on permissions, privileges and roles. Most
>> importantly it corrects the reverse membership that caused problems
>> in the previous implementation. You add permission to privileges and
>> privileges to roles, not the other way around (even though it works
>> that way behind the scenes).
>>
>> A permission object is a combination of a simple group and an aci.
>> The linkage between the aci and the permission is the description of
>> the permission. This shows as the name/description of the aci.
>>
>> ldap:///self and groups granting groups (v1-style) are not supported
>> by this model (they will be provided separately).
>>
>> ticket 445
>>
>> WARNING. The patch is humongous and changes a whole slew of stuff. It
>> patches cleanly against the master right now but it is quite delicate
>> so the sooner this is reviewed (without pushing anything else) the
>> better.
>>
>> The self-tests all pass for me as well as some spot checking.
>>
>> Also note that I currently define a single role and it has no
>> privileges. We will need to fill that in soon.
>
>
> Sorry Rob, but before I can ACK a change of this proportion in the
> Security model I want a wiki page with the model explained clearly and
> in detail.
>
> I am vetoing this patch until we have that.
>
> Note, I am *not* saying the patch is wrong, only that reviewing it w/o
> a reference model is basically impossible and it touches sensitive
> security stuff so I can't just let it pass hoping we got everything
> right.
>
> Simo.
>

Adam found a bug when installing the DNS server. Updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-612-3-permission.patch
Type: text/x-patch
Size: 221822 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101201/aa925f74/attachment.bin>
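The model Rob describes above (permissions added to privileges, privileges to roles, with the membership stored the other way round behind the scenes, and a permission being a plain group plus an ACI whose name is the permission's description) is easier to reason about with a small runnable sketch. The following is an added illustration written for this page, not code from the attached patch or from FreeIPA itself; the suffix, container names, user, role, privilege and permission names, and the ACI strings are all constructed for the example.

```python
"""Toy model of the permission / privilege / role scheme from the thread.

Constructed illustration only: DNs, names and ACI strings are made up and
do not come from the patch under review.
"""
import re
from dataclasses import dataclass, field

BASE_DN = "dc=example,dc=com"  # assumed suffix, not taken from the thread


@dataclass
class Group:
    dn: str
    description: str = ""
    members: set = field(default_factory=set)  # LDAP-style 'member' values (DNs)


class PBAC:
    """Roles, privileges and permissions are all simple groups; a permission
    additionally carries an ACI whose acl name is the permission description,
    which is the only link between the two objects."""

    def __init__(self):
        self.groups = {}  # dn -> Group
        self.acis = []    # ACI strings as they would sit on the suffix entry

    def _new_group(self, container, name, description=""):
        dn = f"cn={name},cn={container},cn=pbac,{BASE_DN}"
        self.groups[dn] = Group(dn, description)
        return dn

    def add_role(self, name):
        return self._new_group("roles", name)

    def add_privilege(self, name):
        return self._new_group("privileges", name)

    def add_permission(self, name, description, targetattr, rights):
        dn = self._new_group("permissions", name, description)
        # 389-ds style ACI; its groupdn points at the permission group and
        # its acl name is the permission's description.
        self.acis.append(
            f'(targetattr = "{targetattr}")'
            f'(version 3.0;acl "{description}";allow ({rights}) '
            f'groupdn = "ldap:///{dn}";)'
        )
        return dn

    # User-facing direction (what the CLI user does). Behind the scenes the
    # membership is reversed: the privilege is stored as a 'member' of the
    # permission group, the role as a member of the privilege group, and
    # the user as a member of the role group.
    def add_permission_to_privilege(self, perm_dn, priv_dn):
        self.groups[perm_dn].members.add(priv_dn)

    def add_privilege_to_role(self, priv_dn, role_dn):
        self.groups[priv_dn].members.add(role_dn)

    def add_user_to_role(self, role_dn, user_dn):
        self.groups[role_dn].members.add(user_dn)

    def is_nested_member(self, group_dn, user_dn, seen=None):
        """Follow nested 'member' links from group_dn down to user_dn."""
        if seen is None:
            seen = set()
        if group_dn in seen:  # guard against membership cycles
            return False
        seen.add(group_dn)
        for m in self.groups[group_dn].members:
            if m == user_dn:
                return True
            if m in self.groups and self.is_nested_member(m, user_dn, seen):
                return True
        return False

    def effective_acis(self, user_dn):
        """Names of the ACIs that apply to user_dn, found by matching each
        ACI's groupdn against the nested group membership."""
        names = []
        for aci in self.acis:
            gdn = re.search(r'groupdn = "ldap:///([^"]+)"', aci).group(1)
            if self.is_nested_member(gdn, user_dn):
                names.append(aci_name(aci))
        return sorted(names)


def aci_name(aci):
    """The acl name inside an ACI string, i.e. the permission description."""
    return re.search(r'acl "([^"]+)"', aci).group(1)


def build_example():
    """Constructed data: one user, one role, one privilege and two
    permissions, only one of which is wired up to the role."""
    m = PBAC()
    user = f"uid=alice,cn=users,cn=accounts,{BASE_DN}"
    role = m.add_role("Helpdesk")
    priv = m.add_privilege("Password Administrators")
    p_pw = m.add_permission("modify_user_password", "Modify user password",
                            "userpassword", "write")
    m.add_permission("remove_users", "Remove Users", "*", "delete")
    m.add_permission_to_privilege(p_pw, priv)
    m.add_privilege_to_role(priv, role)
    m.add_user_to_role(role, user)
    return m, user


if __name__ == "__main__":
    model, alice = build_example()
    print(model.effective_acis(alice))  # only the permission reachable via the role
```

The point the sketch makes concrete: the only thing tying an ACI to its permission object is the acl name, so renaming a permission's description without rewriting the ACI silently breaks the link, and the resolver has to walk the stored (reversed) membership chain from the permission group down to the user.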
