[Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.
Martin Kosek
mkosek at redhat.com
Tue Feb 1 14:16:18 UTC 2011
On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 2) In delegation.ldif: ipapermission object class is missing for
> > removeentitlements and modifyentitlements (it has been added for
> > addentitlements though)
>
> This was on purpose, I should have been clearer. Patch 664 makes major
> changes to these and I'm trying to make the merge easier. I'll fix them
> up when 664 gets pushed.
I thought so. I was confused by the addentitlements permission, whose
objectClass was updated. We just have to make sure that the
entitlements patch includes this new objectClass.
>
> >
> >
> > QUESTION:
> > In this patch you add a READONLY flag to Replica permissions. However, it
> > is not actually used and stays just an informative flag. It won't
> > prevent a user from modifying/removing READONLY permissions.
> >
> > I guess enhancing permission-mod and permission-del with a READONLY check
> > will be the subject of another ticket?
>
> Ok, interesting point. I considered the aci itself to be read-only. The
> only thing a user could do is rename the permission, right? I think that
> would maintain consistency so it shouldn't be a problem. It would
> probably be easy to really make these read-only but that would have a UI
> impact as well, perhaps a problematic one. I suppose if they could
> handle any read-only exceptions we'd raise that would be adequate.
>
> rob
Yes, a user could rename or delete the permission. In both cases it won't
have any effect on the ACI, as the ACI plugin does not see it. But I think it
would be nice to prevent modifications to these permissions when we have
this new and shiny READONLY flag. A read-only exception may be a way to
achieve this...
Martin
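The guard discussed above, as an added illustration that is not FreeIPA's own code and not part of this thread: permission entries and their ACIs are modelled as in-memory dicts (the 'ipapermissionflags' attribute name, the sample permission names and the ACI strings are constructed assumptions), permission-mod/-rename/-del refuse entries carrying READONLY by raising a read-only exception, and an unguarded delete is kept alongside to show the orphaned ACI that today's behaviour leaves behind.

```python
import copy


class ReadOnlyPermission(Exception):
    """Refusal to modify or delete a permission carrying the READONLY flag."""


# Constructed sample data (not from FreeIPA): permission entries keyed by cn,
# and the ACIs referencing them, kept in a separate table the way the ACI
# plugin holds them independently of the permission entry.
SAMPLE_PERMISSIONS = {
    "Read Replication Agreements": {
        "objectclass": ["groupofnames", "ipapermission"],
        "ipapermissionflags": ["READONLY"],   # assumed attribute name
    },
    "Add Users": {
        "objectclass": ["groupofnames", "ipapermission"],
        "ipapermissionflags": [],
    },
}

SAMPLE_ACIS = {
    "Read Replication Agreements":
        '(targetattr="*")(version 3.0;acl "permission:Read Replication Agreements";'
        'allow (read,search,compare) groupdn="ldap:///cn=Read Replication Agreements,'
        'cn=permissions,cn=pbac,dc=example,dc=com";)',
    "Add Users":
        '(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")'
        '(version 3.0;acl "permission:Add Users";allow (add) groupdn="ldap:///cn=Add Users,'
        'cn=permissions,cn=pbac,dc=example,dc=com";)',
}


def fresh_store():
    """Deep copies so every caller mutates its own state."""
    return copy.deepcopy(SAMPLE_PERMISSIONS), copy.deepcopy(SAMPLE_ACIS)


def is_readonly(entry):
    return "READONLY" in entry.get("ipapermissionflags", [])


def permission_mod(perms, name, changes):
    """Apply attribute changes to a permission; refuses READONLY ones."""
    entry = perms[name]                 # KeyError if the permission is unknown
    if is_readonly(entry):
        raise ReadOnlyPermission(name)
    entry.update(changes)
    return entry


def permission_rename(perms, acis, name, new_name):
    """Rename a permission and keep its ACI in step; refuses READONLY ones."""
    entry = perms[name]
    if is_readonly(entry):
        raise ReadOnlyPermission(name)
    perms[new_name] = perms.pop(name)
    acis[new_name] = acis.pop(name).replace(
        'acl "permission:%s"' % name, 'acl "permission:%s"' % new_name)
    return new_name


def permission_del(perms, acis, name):
    """Delete a permission together with its ACI; refuses READONLY ones."""
    entry = perms[name]
    if is_readonly(entry):
        raise ReadOnlyPermission(name)
    del perms[name]
    acis.pop(name, None)
    return name


def unguarded_del(perms, name):
    """Today's behaviour: the entry goes away, the ACI plugin never notices."""
    del perms[name]
    return name


def dangling_acis(perms, acis):
    """ACIs whose permission entry no longer exists."""
    return sorted(set(acis) - set(perms))


def attempt(fn, *args):
    """Return (ok, result or error text) so outcomes can be checked inline."""
    try:
        return True, fn(*args)
    except ReadOnlyPermission as exc:
        return False, "ReadOnlyPermission:%s" % exc
```

The check sits at the top of each write operation, before any state changes, so a refused call leaves both the entry and its ACI untouched; a real plugin would raise the exception from its pre-callback so the CLI and UI get a consistent error rather than a half-applied change.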