[Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.

Martin Kosek mkosek at redhat.com
Tue Feb 1 20:58:36 UTC 2011


On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> 2) In delegation.ldif: ipapermission object class is missing for
> >>>> removeentitlements and modifyentitlements (it has been added for
> >>>> addentitlements though)
> >>>
> >>> This was on purpose, I should have been clearer. Patch 664 makes major
> >>> changes to these and I'm trying to make the merge easier. I'll fix them
> >>> up when 664 gets pushed.
> >>
> >> I thought so. I was confused by the addentitlements permission, whose
> >> objectclass was updated. We just have to make sure that the
> >> entitlements patch includes this new objectClass.
> >>
> >>>
> >>>>
> >>>>
> >>>> QUESTION:
> >>>> In this patch you add a READONLY flag to Replica permissions. However it
> >>>> is not actually used and stays as just an informative flag. It won't
> >>>> prevent a user from modifying/removing READONLY permissions.
> >>>>
> >>>> I guess enhancing permission-mod and permission-del with a READONLY check
> >>>> will be the subject of another ticket?
> >>>
> >>> Ok, interesting point. I considered the aci itself to be read-only. The
> >>> only thing a user could do is rename the permission, right? I think that
> >>> would maintain consistency so it shouldn't be a problem. It would
> >>> probably be easy to really make these read-only but that would have a UI
> >>> impact as well, perhaps a problematic one. I suppose if they could
> >>> handle any read-only exceptions we'd raise that would be adequate.
> >>>
> >>> rob
> >>
> >> Yes, a user could rename or delete a permission. In both cases it won't have
> >> any effect on the ACI, as the ACI plugin does not see it. But I think it
> >> would be nice to prevent modifications to these permissions when we have
> >> this new and shiny READONLY flag. A read-only exception may be a way to
> >> achieve this...
> >>
> >> Martin
> >>
> >
> > I think I got everything. Simo suggested using SYSTEM instead of
> > READONLY so I switched to that. I also renamed the attribute to
> > ipapermissiontype and added enforcement over mod/del.
> >
> > rob
> 
> Martin found a few more problems, here is another patch.
> 
> rob

ACK, all permission tests are OK.

Good job.
Martin
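The thread turns on one point: a flag such as READONLY/SYSTEM on a permission entry is purely informational until permission-mod and permission-del actually check it. The block below is an added illustration of that enforcement, not FreeIPA's code and not the patch under review. The attribute name ipapermissiontype and the value SYSTEM are taken from the thread; the in-memory store, the entry names and the function names are hypothetical, and the refusal to change the type attribute itself is my own design choice (it stops a user from promoting an ordinary entry to SYSTEM and locking it).

```python
# Added example (not FreeIPA code): enforce a SYSTEM permission type on
# permission-mod / permission-del instead of leaving it as an informative flag.

TYPE_ATTR = "ipapermissiontype"   # attribute name from the thread
SYSTEM = "SYSTEM"                 # value from the thread (replaced READONLY)


class ProtectedEntryError(Exception):
    """Raised when a SYSTEM permission would be modified or deleted."""


def sample_store():
    """Constructed sample entries keyed by cn (hypothetical, not real data)."""
    return {
        "replica-sample": {          # stands in for a system-owned replica permission
            "cn": "replica-sample",
            TYPE_ATTR: [SYSTEM],
            "description": "managed by the installer",
        },
        "addentitlements": {         # an ordinary, user-managed permission
            "cn": "addentitlements",
            TYPE_ATTR: [],
            "description": "add entitlements",
        },
    }


def is_system(entry):
    """True if the entry carries the SYSTEM type (case-insensitive, like LDAP values)."""
    return SYSTEM in [v.upper() for v in entry.get(TYPE_ATTR, [])]


def permission_mod(store, cn, changes):
    """Apply attribute changes, refusing SYSTEM entries and type changes."""
    entry = store[cn]
    if is_system(entry):
        raise ProtectedEntryError("%s is a SYSTEM permission and cannot be modified" % cn)
    if TYPE_ATTR in changes:
        # Design choice: the type is set at install time, never via mod.
        raise ProtectedEntryError("%s may not be changed through permission-mod" % TYPE_ATTR)
    if "cn" in changes and changes["cn"] != cn:
        # A rename is just a mod of cn; it is subject to the same check above.
        store[changes["cn"]] = store.pop(cn)
        entry = store[changes["cn"]]
    entry.update(changes)
    return entry


def permission_del(store, cn):
    """Delete the entry unless it is a SYSTEM permission."""
    if is_system(store[cn]):
        raise ProtectedEntryError("%s is a SYSTEM permission and cannot be deleted" % cn)
    return store.pop(cn)


def attempt(fn, *args):
    """Run an operation and report (allowed, message) so outcomes can be compared."""
    try:
        fn(*args)
        return True, "ok"
    except ProtectedEntryError as exc:
        return False, str(exc)


if __name__ == "__main__":
    s = sample_store()
    for op, args in [
        (permission_mod, ("addentitlements", {"description": "updated"})),
        (permission_mod, ("replica-sample", {"cn": "renamed"})),
        (permission_del, ("replica-sample",)),
        (permission_del, ("addentitlements",)),
    ]:
        print(op.__name__, args[0], attempt(op, s, *args))
```

Renames are handled as a modification of cn, so the rename Rob mentions is refused for SYSTEM entries along with every other change; an ordinary permission can still be edited, renamed and deleted.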
