[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.

Rob Crittenden rcritten at redhat.com
Thu Jan 5 18:36:11 UTC 2012


Endi Sukma Dewata wrote:
> On 1/4/2012 3:47 PM, Rob Crittenden wrote:
>> I guess I'm just not convinced this additional complexity would buy us
>> anything.
>>
>> Updated patch attached that fixes the memberof display and updates the
>> tests trivially.
>
> OK, the mod output is fixed. Since the exclusivity rules aren't changed,
> the following combinations are currently possible via CLI:
>
> 1. filter
> 2a. type
> 2b. type + memberof
> 3a. subtree
> 3b. subtree + memberof
> 4a. targetgroup
> 4b. targetgroup + memberof
>
> As discussed previously it doesn't really make sense to use memberof
> with targetgroup, so should we fix the rules to avoid combination #4b?
> If #4b is acceptable then this patch is ACKed as is.
>
> Here's the UI modification that Petr has created in patch #66 (click Add):
>
> http://edewata.fedorapeople.org/freeipa/install/ui/#rolebased=permission&ipaserver=rolebased&navigation=ipaserver
>
>
> To reflect the correct possible combinations, we probably should move
> the 'Member of group' field somewhere below the 'Target' drop-down list
> and show it only when 'Type' or 'Subtree' is selected. If we keep option
> #4b then we should also show it when the 'Target group' is selected.
>

I opened ticket 2222 to disallow memberof and targetgroup.

Pushed to master.

rob



