[Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.

Rob Crittenden rcritten at redhat.com
Tue Feb 1 19:57:47 UTC 2011


Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> 2) In delegation.ldif: ipapermission object class is missing for
>>>> removeentitlements and modifyentitlements (it has been added for
>>>> addentitlements though)
>>>
>>> This was on purpose, I should have been clearer. Patch 664 makes major
>>> changes to these and I'm trying to make the merge easier. I'll fix them
>>> up when 664 gets pushed.
>>
>> I thought so. I was confused by the addentitlements permission, whose
>> objectclass was updated. We just have to make sure that the
>> entitlements patch includes this new objectClass.
>>
>>>
>>>>
>>>>
>>>> QUESTION:
>>>> In this patch you add a READONLY flag to Replica permissions. However, it
>>>> is not actually used and stays as just an informative flag. It won't
>>>> prevent a user from modifying/removing READONLY permissions.
>>>>
>>>> I guess enhancing permission-mod and permission-del with a READONLY check
>>>> will be the subject of another ticket?
>>>
>>> Ok, interesting point. I considered the aci itself to be read-only. The
>>> only thing a user could do is rename the permission, right? I think that
>>> would maintain consistency so it shouldn't be a problem. It would
>>> probably be easy to really make these read-only but that would have a UI
>>> impact as well, perhaps a problematic one. I suppose if they could
>>> handle any read-only exceptions we'd raise that would be adequate.
>>>
>>> rob
>>
>> Yes, a user could rename or delete the permission. In both cases it won't have
>> any effect on the ACI, as the ACI plugin does not see it. But I think it
>> would be nice to prevent modifications to these permissions when we have
>> this new and shiny READONLY flag. A read-only exception may be a way to
>> achieve this...
>>
>> Martin
>>
>
> I think I got everything. Simo suggested using SYSTEM instead of
> READONLY so I switched to that. I also renamed the attribute to
> ipapermissiontype and added enforcement over mod/del.
>
> rob

Martin found a few more problems; here is another patch.

rob
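The enforcement discussed in the thread (refusing mod/del on permissions whose ipapermissiontype carries the SYSTEM flag, instead of leaving the flag purely informative) can be sketched in a few lines. The following is an added illustration, not the FreeIPA patch or its plugin API: the in-memory store, the ProtectedEntryError class and the permission_mod/permission_del/safe_call functions are constructed for this example; only the attribute name ipapermissiontype and the SYSTEM value come from the discussion above.

```python
"""Illustrative enforcement of a SYSTEM flag on permission entries.

Constructed example (not FreeIPA code). Entries are modelled as dicts of
attribute -> list of values, LDAP-style. A permission whose
ipapermissiontype contains SYSTEM is installer-managed: renaming, editing
or deleting it must fail with a protected-entry error rather than silently
detaching the permission from the ACI it describes.
"""

SYSTEM_FLAG = "SYSTEM"


class ProtectedEntryError(Exception):
    """Raised when a caller tries to change a system-managed permission (constructed name)."""


def sample_store():
    """Constructed sample directory: one system permission, one user-created one."""
    return {
        "add entitlements": {
            "ipapermissiontype": ["SYSTEM"],
            "description": ["Add entitlements"],
        },
        "manage printers": {
            "ipapermissiontype": [],
            "description": ["Team-created permission"],
        },
    }


def is_system_permission(entry):
    """True if the entry carries the SYSTEM flag (case-insensitive, as LDAP values usually are)."""
    return any(v.upper() == SYSTEM_FLAG for v in entry.get("ipapermissiontype", []))


def permission_mod(store, name, **changes):
    """Apply attribute changes to a permission; refuse for SYSTEM entries.

    Design choice of this example: ipapermissiontype itself is never settable
    through mod, so an ordinary caller can neither strip the flag from a
    system permission nor mark a hand-made permission as system.
    """
    entry = store[name]
    if is_system_permission(entry):
        raise ProtectedEntryError(
            f"permission '{name}' is system-managed and cannot be modified")
    if "ipapermissiontype" in changes:
        raise ProtectedEntryError("ipapermissiontype is set at install time only")
    for attr, value in changes.items():
        entry[attr] = [value]
    return entry


def permission_del(store, name):
    """Delete a permission; refuse for SYSTEM entries."""
    entry = store[name]
    if is_system_permission(entry):
        raise ProtectedEntryError(
            f"permission '{name}' is system-managed and cannot be deleted")
    del store[name]
    return name


def safe_call(fn, *args, **kwargs):
    """Run an operation and report (result, error_message) instead of raising."""
    try:
        return fn(*args, **kwargs), None
    except ProtectedEntryError as exc:
        return None, str(exc)


if __name__ == "__main__":
    store = sample_store()
    for op, args in [
        (permission_mod, ("add entitlements",)),      # refused: SYSTEM
        (permission_del, ("add entitlements",)),      # refused: SYSTEM
        (permission_mod, ("manage printers",)),       # allowed
        (permission_del, ("manage printers",)),       # allowed
    ]:
        result, err = safe_call(op, store, *args, **({"description": "x"} if op is permission_mod else {}))
        print(op.__name__, args[0], "->", err or "ok")
```

Note that the check is on the entry's own attribute, so it is only as strong as the ACI protecting ipapermissiontype from direct LDAP writes; the command-layer refusal shown here complements, but does not replace, that directory-side control.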
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-697-4-permissions.patch
Type: text/x-patch
Size: 20036 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110201/cefadd60/attachment.bin>
