[Freeipa-devel] [PATCH] Changed dns permission types

Rob Crittenden rcritten at redhat.com
Mon Feb 14 16:32:22 UTC 2011


Jan Zelený wrote:
> Rob Crittenden<rcritten at redhat.com>  wrote:
>> Jan Zelený wrote:
>>> Jan Zelený<jzeleny at redhat.com>   wrote:
>>>> Rob Crittenden<rcritten at redhat.com>   wrote:
>>>>> Jan Zelený wrote:
>>>>>> Rob Crittenden<rcritten at redhat.com>    wrote:
>>>>>>> Jan Zelený wrote:
>>>>>>>> Recent change of DNS module to version caused that dns object type
>>>>>>>> was replaced by dnszone and dnsrecord. This patch corrects dns types
>>>>>>>> in permissions class.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/646
>>>>>>>
>>>>>>> Nack. These values need to be added as valid types to the aci plugin
>>>>>>> and the _type_map needs to be updated.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> I'm sending an updated patch.
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Since dnszone and dnsrecord point to the same kind of entry what is the
>>>>> point of having two separate names for them? When we read the entry we
>>>>> aren't going to be able to differentiate between the two.
>>>>
>>>> I didn't take a look how the type thing works, so I'm kinda guessing
>>>> here (please ignore the comment if it is wrong):
>>>> Sure, object with idnszone class is always also in dnsrecord class, but
>>>> that's not the case backwards (idnsrecord object isn't always idnszone)
>>>> - so I think it is possible to set different ACIs for these two types.
>>>>
>>>>> Can the type be made more specific?
>>>>
>>>> If the mapping doesn't distinguish object classes and it can, maybe
>>>> that's the answer. Will investigate further. But if not, I still think
>>>> this is the way to go considering the underlying issue which we tried to
>>>> solve by this change.
>>>>
>>> From what I found I think that making changes necessary to distinguish
>>> dnsrecord and dnszone are not worth it, especially that user can use
>>> "filter" for that purpose. Since having both of them doesn't have any
>>> additional value, I'm sending new version of the patch, which is only
>>> adding dnsrecord type.
>>>
>>> Jan
>>
>> Ack but this patch needs a rebase.
>>
>> rob
>
> Rebased patch in attachment
>
> Jan

pushed to master



