[Freeipa-devel] [PATCH] 697 Add new schema to store information about permissions.

Rob Crittenden rcritten at redhat.com
Tue Feb 1 21:01:06 UTC 2011


Martin Kosek wrote:
> On Tue, 2011-02-01 at 14:57 -0500, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> 2) In delegation.ldif: ipapermission object class is missing for
>>>>>> removeentitlements and modifyentitlements (it has been added for
>>>>>> addentitlements though)
>>>>>
>>>>> This was on purpose, I should have been clearer. Patch 664 makes major
>>>>> changes to these and I'm trying to make the merge easier. I'll fix them
>>>>> up when 664 gets pushed.
>>>>
>>>> I thought so. I was confused by the addentitlements permission, whose
>>>> objectclass was updated. We just have to make sure that the
>>>> entitlements patch includes this new objectClass.
>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> QUESTION:
>>>>>> In this patch you add a READONLY flag to Replica permissions. However, it
>>>>>> is not actually used and stays as just an informative flag. It won't
>>>>>> prevent a user from modifying/removing READONLY permissions.
>>>>>>
>>>>>> I guess enhancing permission-mod and permission-del with a READONLY check
>>>>>> will be the subject of another ticket?
>>>>>
>>>>> Ok, interesting point. I considered the aci itself to be read-only. The
>>>>> only thing a user could do is rename the permission, right? I think that
>>>>> would maintain consistency so it shouldn't be a problem. It would
>>>>> probably be easy to really make these read-only but that would have a UI
>>>>> impact as well, perhaps a problematic one. I suppose if they could
>>>>> handle any read-only exceptions we'd raise that would be adequate.
>>>>>
>>>>> rob
>>>>
>>>> Yes, a user could rename or delete a permission. In both cases it won't have
>>>> any effect on the ACI, as the ACI plugin does not see it. But I think it
>>>> would be nice to prevent modifications to these permissions when we have
>>>> this new and shiny READONLY flag. A read-only exception may be a way to
>>>> achieve this...
>>>>
>>>> Martin
>>>>
>>>
>>> I think I got everything. Simo suggested using SYSTEM instead of
>>> READONLY so I switched to that. I also renamed the attribute to
>>> ipapermissiontype and added enforcement over mod/del.
>>>
>>> rob
>>
>> Martin found a few more problems, here is another patch.
>>
>> rob
>
> ACK, all permission tests are OK.
>
> Good job.
> Martin
>

pushed to master
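The mod/del enforcement discussed in the thread (a SYSTEM value in ipapermissiontype that makes permission-mod and permission-del refuse the entry, so a replica permission cannot be renamed or deleted out from under the ACI that references it), as an added illustration. This is not FreeIPA's code and not the patch itself: the in-memory store, the simplified ACI text, the example permission names and the function names are all assumptions chosen to mirror the discussion.

```python
"""Model of the SYSTEM permission-type guard discussed in the thread.

Added illustration, not FreeIPA code: the in-memory store, the entry layout,
the simplified ACI text and the function names are all assumptions.
"""


class SystemPermissionError(Exception):
    """Raised when a caller tries to modify or delete a SYSTEM permission."""


class NotFound(KeyError):
    """Raised when the named permission does not exist."""


BASE_DN = "dc=example,dc=com"  # assumed directory suffix


def render_aci(entry):
    """Render a simplified ACI that names its permission (assumed layout)."""
    return ('(targetattr = "%s")(version 3.0; acl "permission:%s"; allow (%s) '
            'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
            % (entry["target"], entry["cn"], ",".join(entry["rights"]),
               entry["cn"], BASE_DN))


def new_store():
    """Constructed sample data: one replica (SYSTEM) permission, one ordinary one."""
    store = {}
    for cn, ptype in (("Add Replication Agreements", ["SYSTEM"]),
                      ("Add Users", [])):
        entry = {"cn": cn, "ipapermissiontype": ptype, "target": "*",
                 "rights": ["add"]}
        entry["aci"] = render_aci(entry)
        store[cn] = entry
    return store


def is_system(entry):
    """True if the entry carries the SYSTEM permission type (case-insensitive)."""
    return any(v.upper() == "SYSTEM" for v in entry.get("ipapermissiontype", []))


def _lookup(store, name):
    if name not in store:
        raise NotFound(name)
    return store[name]


def permission_mod(store, name, rename=None, rights=None):
    """Rename a permission and/or replace its rights; refused for SYSTEM entries.

    A rename re-renders the ACI so it keeps pointing at the permission; the
    guard keeps replica permissions from being renamed away from the ACIs
    that reference them.
    """
    entry = _lookup(store, name)
    if is_system(entry):
        raise SystemPermissionError("%s is a SYSTEM permission and cannot be modified" % name)
    if rights is not None:
        entry["rights"] = list(rights)
    if rename is not None and rename != name:
        if rename in store:
            raise ValueError("permission %s already exists" % rename)
        del store[name]
        entry["cn"] = rename
        store[rename] = entry
    entry["aci"] = render_aci(entry)
    return entry


def permission_del(store, name):
    """Delete a permission; refused for SYSTEM entries."""
    entry = _lookup(store, name)
    if is_system(entry):
        raise SystemPermissionError("%s is a SYSTEM permission and cannot be deleted" % name)
    del store[name]
    return entry


def aci_consistent(store):
    """Check that every stored ACI still names the permission it belongs to."""
    return all('acl "permission:%s"' % cn in e["aci"] for cn, e in store.items())


def guard_refuses(func, *args, **kwargs):
    """True if the call was rejected by the SYSTEM guard."""
    try:
        func(*args, **kwargs)
    except SystemPermissionError:
        return True
    return False


if __name__ == "__main__":
    store = new_store()
    assert guard_refuses(permission_mod, store, "Add Replication Agreements", rename="X")
    assert guard_refuses(permission_del, store, "Add Replication Agreements")
    permission_mod(store, "Add Users", rename="Add Accounts", rights=["add", "write"])
    assert "Add Accounts" in store and aci_consistent(store)
    permission_del(store, "Add Accounts")
    print("SYSTEM guard enforced; remaining permissions:", sorted(store))
```

The guard lives in the mod and del paths rather than in the UI, so any client, including one that ignores the flag, gets the exception; the consistency check shows why the guard matters, since a rename that the ACI plugin never sees would otherwise leave the ACI naming a permission that no longer exists.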



