[Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes

Rob Crittenden rcritten at redhat.com
Wed Jan 26 15:56:35 UTC 2011


Dmitri Pal wrote:
> Martin Kosek wrote:
>> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
>>
>>> I took a quick look.
>>>
>>> Rob, I thought that there are different APIs for self and delegation. Is
>>> this the case?
>>> ipa permission-... functions should never deal with self service or
>>> delegation acis
>>> They are just for the permission ACIs connected to the target groups.
>>> I do not think this is the right approach.
>>> The prefix is needed but it should be automatically added if you use this
>>> interface.
>>>
>>
>> Well, this patch ensures that permission-* functions will not deal with
>> selfservice or delegation ACIs. Each of these plugins has its own prefix
>> (e.g. "permission:" or "delegation:") which is added to the underlying
>> ACI name.
>>
>> Because of this, the Permission, Selfservice and Delegation plugins work
>> only with ACIs with "their" prefix. The prefix is not visible to the user, it
>> is passed to ACI functions automatically by Permission, Delegation and
>> Selfservice plugins.
>>
>>
>
>
>    Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
> -   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
> +   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
>
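Review bot: the "+" line adds "--prefix=none" to the documented "ipa permission-add" example, which presents the ACI prefix as a value the caller chooses. If each plugin is meant to supply its own prefix internally, drop the option from this help example and keep the original command line. If the option has to stay on the command, the help text should say what "none" means and which ACIs the command will then match.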
> This change exposes the prefix on the command line which means you can
> manage ACIs with different prefixes.
> Do I misread it?

The help changes are unneeded. The prefix is not configurable by the user.

rob
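
The prefix scheme described in the thread, as an added sketch that is not part of the original messages and is not FreeIPA's code: each front end owns one prefix, prepends it to the stored ACI name itself, and can only see or delete ACIs in its own namespace. The names ACIStore, PrefixedPlugin and demo, and the rule texts, are hypothetical.

```python
# Added illustration: a toy in-memory model, not FreeIPA's aci plugin code.
class ACIStore:
    """Stands in for the ACI values held on a directory entry."""
    def __init__(self):
        self.acis = {}  # stored name ("prefix:name") -> rule text


class PrefixedPlugin:
    """Front end that owns one prefix; the caller never supplies it."""
    def __init__(self, store, prefix):
        self.store = store
        self.prefix = prefix

    def _full(self, name):
        # The prefix is added here, out of the caller's reach.
        return "%s:%s" % (self.prefix, name)

    def add(self, name, rule):
        full = self._full(name)
        if full in self.store.acis:
            raise ValueError("ACI %r already exists" % name)
        self.store.acis[full] = rule

    def find(self):
        # Only ACIs with this plugin's prefix are visible, and the
        # prefix is stripped before the names are returned.
        lead = self.prefix + ":"
        return sorted(n[len(lead):] for n in self.store.acis
                      if n.startswith(lead))

    def delete(self, name):
        full = self._full(name)
        if full not in self.store.acis:
            raise KeyError("ACI %r not found" % name)
        del self.store.acis[full]


def demo():
    store = ACIStore()
    permission = PrefixedPlugin(store, "permission")
    delegation = PrefixedPlugin(store, "delegation")
    permission.add("add_orange", "constructed rule text A")
    delegation.add("add_orange", "constructed rule text B")  # same visible name
    delegation.add("manage_addr", "constructed rule text C")
    try:
        permission.delete("manage_addr")  # owned by the delegation plugin
        crossed = True
    except KeyError:
        crossed = False
    permission.delete("add_orange")  # removes only permission:add_orange
    return permission.find(), delegation.find(), sorted(store.acis), crossed
```
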



