[Freeipa-devel] [PATCH] 637 group to group delegation

Rob Crittenden rcritten at redhat.com
Fri Dec 10 18:36:23 UTC 2010


Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Round out our trio of access control plugins. This adds group to group
>> delegation where you can grant group A the ability to write a set of
>> attributes of group B (v1-style delegation).
>>
>> rob
>
> I'm withdrawing this patch, needs more work.
>
> rob

Here is the replacement patch along with some testing instructions:

$ kinit admin
$ ipa delegation-add --attrs=street --membergroup=admins --group=editors 'editors edit admins street'
$ ipa user-add --first=tim --last=user tuser1 --password
$ ipa group-add --users=tuser1 editors
$ ipa user-add --first=jim --last=admin jadmin
$ ipa group-add-member --users=jadmin admins
$ kinit tuser1
$ ipa user-mod --street='123 main' jadmin (should succeed)
$ ipa user-mod --first=Jimmy jadmin (should fail)

So basically we create a couple of users. One we add to editors and the 
other to admins.

We create an ACI that allows users in editors to manage the street 
address of users in admins, then we try it out.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-637-2-delegation.patch
Type: text/x-patch
Size: 17699 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101210/5d13c498/attachment.bin>
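
Added example, not part of the original message or the attached patch: a small Python model of the access decision the test steps above exercise. The ACI string uses 389 Directory Server ACI syntax, but its exact form, the DNs under dc=example,dc=com, and the mapping of --first to the givenname attribute are assumptions made for illustration.

```python
import re

# Constructed DNs (assumed suffix dc=example,dc=com).
EDITORS = "cn=editors,cn=groups,cn=accounts,dc=example,dc=com"
ADMINS = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed ACI; the form the delegation plugin really writes is an assumption.
SAMPLE_ACI = (
    '(targetattr = "street")'
    f'(targetfilter = "(memberOf={ADMINS})")'
    '(version 3.0;acl "editors edit admins street";allow (write) '
    f'groupdn = "ldap:///{EDITORS}";)'
)

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(targetfilter\s*=\s*"\(memberOf=(?P<member>[^)]*)\)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'groupdn\s*=\s*"ldap:///(?P<group>[^"]*)";\)'
)

def parse_aci(aci):
    """Split a delegation-style ACI into the fields that decide access."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("not a delegation-style ACI")
    return {
        "name": m["name"],
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "rights": {r.strip().lower() for r in m["rights"].split(",")},
        "membergroup": m["member"].lower(),  # group the target must be in
        "group": m["group"].lower(),         # group the writer must be in
    }

def may_write(aci, writer_groups, target_groups, attr):
    """True only if the right, attribute, writer group and target group all match."""
    rule = parse_aci(aci)
    return (
        "write" in rule["rights"]
        and attr.lower() in rule["attrs"]
        and rule["group"] in {g.lower() for g in writer_groups}
        and rule["membergroup"] in {g.lower() for g in target_groups}
    )

if __name__ == "__main__":
    # tuser1 (editors) modifying jadmin (admins), as in the test steps.
    print("street   :", may_write(SAMPLE_ACI, [EDITORS], [ADMINS], "street"))
    print("givenname:", may_write(SAMPLE_ACI, [EDITORS], [ADMINS], "givenname"))
```

The model also makes the two negative cases the instructions do not list easy to check: a writer outside editors, and a target outside admins.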

