[Freeipa-devel] [PATCH] 695 rename permissions and privileges

Martin Kosek mkosek at redhat.com
Mon Jan 31 11:44:31 UTC 2011


On Fri, 2011-01-28 at 18:48 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rename permissions and privileges to more human-readable names. I'm also
> > dropping description from permissions since it seems redundant.
> >
> > Note that the entitlement acis are left untouched here, they are changed
> > in a pending patch (664).
> >
> > ticket 792
> >
> > rob
> 
> I guess I should remove description from the pre-defined permission 
> entries too.
> 
> rob

NACK

I have found some minor inconsistencies in LDIF (except the entitlements
permission/privilege naming you mentioned in log):

1) A description is still present for several permissions:
Retrieve Certificates from the CA
Request Certificate
Request Certificates from a different host
Get Certificates status from the CA
Revoke Certificate
Certificate Remove Hold

2) Privilege cn=admins,cn=privileges,cn=pbac,$SUFFIX does not exist. I
know this was not changed by your patch, but I noticed it during the
review and now may be a good opportunity to fix it:

dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=pbac,$SUFFIX  <==



permission.py:

1) This uncommon number order may raise questions :-)

1. The name of the permission.
3. The target of the permission.
4. The permissions granted by the permission.

2) I would change default permission-add examples to follow our new
permission-naming format (more verbose one), i.e. instead of

 Add a permission that grants the creation of users:
   ipa permission-add --type=user --permissions=add adduser

I would like something like this:

 Add a permission that grants the creation of users:
   ipa permission-add --type=user --permissions=add "Add Users"



Other changes seem OK.

Martin
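
The dangling member reference in item 2 of the review above can be caught mechanically before an LDIF is merged. This is an added example, not part of the original message or of FreeIPA's code; the function names and the first sample entry are assumptions, and the check only sees entries defined in the text it is given, not ones already in the directory.

```python
import re

# Constructed sample: the second entry is the one quoted in the review; the first
# (a defined "Service Administrators" privilege) is assumed for illustration.
SAMPLE_LDIF = """\
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
cn: Service Administrators

dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
"""

def norm_dn(dn):
    """Comparison key: lowercase, no whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per record; base64 values are not decoded."""
    text = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    for block in re.split(r"\n\s*\n", text):
        attrs = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.append((name.strip().lower(), value.strip()))
        dn = next((v for n, v in attrs if n == "dn"), None)
        if dn:
            yield dn, attrs

def dangling_members(text, container="cn=privileges,cn=pbac,"):
    """Return (entry_dn, member_dn) pairs whose member points into the
    privileges container but is not defined as an entry in the same LDIF."""
    records = list(parse_ldif(text))
    defined = {norm_dn(dn) for dn, _ in records}
    return [(dn, value)
            for dn, attrs in records
            for name, value in attrs
            if name == "member" and container in norm_dn(value)
            and norm_dn(value) not in defined]

if __name__ == "__main__":
    for entry, member in dangling_members(SAMPLE_LDIF):
        print(f"{entry}: member {member} is not defined")
```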



