[Freeipa-devel] [PATCHES] 0289-0302 Managed Read permissions

Petr Viktorin pviktori at redhat.com
Tue Oct 1 08:56:57 UTC 2013


Hello,

These patches implement the framework for 
https://fedorahosted.org/freeipa/ticket/3566

Design is at http://www.freeipa.org/page/V3/Managed_Read_permissions.
As you can see from the TODOs it's not yet complete; I'll need a few 
more discussions about some details and future work.

The patches only add read permissions for User objects, and the global 
anonymous read ACI is not removed. I'll add the other objects after the 
overall structure is ACKed.
To test, remove the ACI (cheatsheet: http://fpaste.org/43296/13806142/) 
and verify that anonymous read is disabled and normal users can't read 
anything but user info.


These depend on some of my earlier patches:
- 0258-0265, 0275 - LDIF-based schema updater
- 0276-0277 - Split large doc strings for translation
- 0288 - user template in tests


I needed to test both server and client plugins. Since we only have one 
API object (#3090) and can't unload plugins, I needed to fix some issues 
when they are loaded at the same time.

Terminology note: currently IPA calls the 
"read"/"search"/"write"/"delete" part of an ACI a "permission", which is 
confusing since our ACI wrapper objects are also "permissions".
Wherever I can, I use the term "rights" for these.
"Rights" is also used in ACI docs: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#id3349243


/Enter patches.

Act I.

0289: Might as well update to new API since I'll be making extensive 
changes here

0290: My linting tools were complaining heavily about the tabs, so I 
fixed the indentation here.

0291: Fix a crash when ldap2 and a client RPC backend are connected at 
the same time. (This happens in tests that I'll add later)


Act II.

0292: See the "Permission flags" section of the design.

0293: Add schema. (The OIDs aren't registered yet.)

0294: This makes the test in the next patch possible.

0295: See the "MANAGED Permissions" section of the design.

0296: See the "Read rights" section of the design.


Act III.

0297: See "Marking Attributes in Plugins" and "Adding permissions for 
default read permissions" in the design.

0298: Make the help plugin not fail when server plugins are loaded. This 
will happen in later tests.

0299: Tests for 0297

0300: Fix a TODO from 0295

0301: See "Adding privileges and role for default read permissions" in 
the design

0302: Tests for 0301


-- 
Petr³
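As an added example (not part of these patches or of the FreeIPA code base), a small Python check that parses the rights clause of 389 Directory Server style ACIs and lists which of them allow read rights to anonymous binds ("ldap:///anyone") or to every authenticated user ("ldap:///all"), the kind of audit the testing step above calls for once the global anonymous read ACI is removed. The ACI strings are constructed samples, not FreeIPA's actual ACIs.

```python
import re

# Constructed sample ACIs in 389 Directory Server syntax; these are NOT FreeIPA's
# real ACIs, only stand-ins shaped like the global anonymous read ACI and the
# per-object read permissions the patch set introduces.
SAMPLE_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Enable Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || uid || mail")'
    '(version 3.0; acl "System: Read Users"; '
    'allow (read, search, compare) groupdn = "ldap:///cn=readers,cn=groups,dc=example,dc=test";)',
    '(targetattr = "cn || uid")'
    '(version 3.0; acl "Read user names"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
    '(targetattr = "givenName || sn")'
    '(version 3.0; acl "Modify Users"; '
    'allow (write) groupdn = "ldap:///cn=editors,cn=groups,dc=example,dc=test";)',
]

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
# One permission rule: allow/deny, the rights list in parentheses, then the bind rule.
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)
READ_RIGHTS = {"read", "search", "compare"}


def parse_aci(aci):
    """Return (acl name, [(verb, set of rights, bind rule), ...]) for one ACI value."""
    m = ACL_NAME_RE.search(aci)
    name = m.group(1) if m else None
    rules = []
    for verb, rights, bind_rule in RULE_RE.findall(aci):
        rights_set = {r.strip().lower() for r in rights.split(",") if r.strip()}
        rules.append((verb, rights_set, bind_rule.strip()))
    return name, rules


def read_grants(acis, subject):
    """Names of ACIs that allow any read right (read, search or compare) to the
    userdn subject given: "anyone" covers anonymous binds, "all" any authenticated user."""
    bind_re = re.compile(r'userdn\s*=\s*"ldap:///%s"' % re.escape(subject), re.I)
    names = []
    for aci in acis:
        name, rules = parse_aci(aci)
        if any(verb == "allow" and rights & READ_RIGHTS and bind_re.search(bind_rule)
               for verb, rights, bind_rule in rules):
            names.append(name)
    return names
```

Feed the values of the `aci` attribute read from the directory into `read_grants`; an empty result for "anyone" is what the test step above expects after the global ACI is gone.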
Attachments (text/x-patch):
- freeipa-pviktori-0289-Update-Permission-plugin-to-decorator-registration-A.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment.bin
- freeipa-pviktori-0290-Fix-indentation-in-permission-plugin-tests.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0001.bin
- freeipa-pviktori-0291-Fix-invalid-assumption-NSS-initialization-check-in-S.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0002.bin
- freeipa-pviktori-0292-Treat-permissions-with-unknown-flags-as-immutable.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0003.bin
- freeipa-pviktori-0293-Add-schema-for-managed-permissions.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0004.bin
- freeipa-pviktori-0294-Make-it-possible-to-call-custom-functions-in-Declara.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0005.bin
- freeipa-pviktori-0295-Add-support-for-managed-permissions.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0006.bin
- freeipa-pviktori-0296-Add-read-search-and-compare-to-the-list-of-permissio.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0007.bin
- freeipa-pviktori-0297-Add-Object-metadata-and-update-plugin-for-managed-pe.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0008.bin
- freeipa-pviktori-0298-Help-plugin-don-t-fail-if-a-topic-s-module-is-not-fo.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0009.bin
- freeipa-pviktori-0299-Add-tests-for-managed-permission-updater.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0010.bin
- freeipa-pviktori-0300-Make-managed-permission-tests-use-the-server-update-.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0011.bin
- freeipa-pviktori-0301-Add-Reader-role-and-user-read-privilege.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0012.bin
- freeipa-pviktori-0302-Add-tests-for-the-new-Reader-role.patch
  http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0013.bin

