[Freeipa-devel] [PATCH] 017 ACI plugin supports prefixes

Rob Crittenden rcritten at redhat.com
Wed Jan 26 22:55:53 UTC 2011


Martin Kosek wrote:
> On Wed, 2011-01-26 at 10:56 -0500, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> Martin Kosek wrote:
>>>> On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
>>>>
>>>>> I took a quick look.
>>>>>
>>>>> Rob, I thought that there are different APIs for self and delegation. Is
>>>>> this the case?
>>>>> ipa permission-... functions should never deal with self service or
>>>>> delegation ACIs
>>>>> They are just for the permission ACIs connected to the target groups.
>>>>> I do not think this is the right approach.
>>>>> The prefix is needed but it should be automatically added if you use this
>>>>> interface.
>>>>>
>>>>
>>>> Well, this patch ensures that permission-* functions will not deal with
>>>> selfservice or delegation ACIs. Each of these plugins has its own prefix
>>>> (e.g. "permission:" or "delegation:") which is added to the underlying
>>>> ACI name.
>>>>
>>>> Because of this, the Permission, Selfservice and Delegation plugins work
>>>> only with ACIs with "their" prefix. Prefix is not visible for user, it
>>>> is passed to ACI functions automatically by Permission, Delegation and
>>>> Selfservice plugins.
>>>>
>>>>
>>>
>>>
>>>     Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
>>> -   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
>>> +   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" --prefix=none add_orange
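Review bot: the `+` line puts `--prefix=none` on an `ipa permission-add` help example, which conflicts with the description earlier in this thread that the Permission plugin passes its own prefix to the ACI functions automatically and that the prefix is not visible to the user. Keep this example as it was on the `-` line and limit any `--prefix` additions to the aci-add examples, so the help text does not suggest that a permission can be created under a different prefix or with none.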
>>>
>>> This change exposes the prefix on the command line which means you can
>>> manage ACIs with different prefixes.
>>> Do I misread it?
>>
>> The help changes are unneeded. The prefix is not configurable by the user.
>>
>> rob
>
> Ah, now I see the source of confusion. My bad. I fixed help in ACI
> plugin (even though this plugin is not visible for CLI). There were
> examples for using aci-add command and I wanted to add a new mandatory
> parameter here, so that user is not prompted for it.
>
> Unfortunately, I didn't notice there was one permission-add example -
> --prefix attribute is not valid for this command. A patch #2 with fixed
> permission-add example + rebase to current master is attached.
>
> Martin

ack, pushed to master



