[Freeipa-devel] [PATCHES] 0289-0302 Managed Read permissions
Petr Viktorin
pviktori at redhat.com
Tue Oct 1 08:56:57 UTC 2013
Hello,

These patches implement the framework for
https://fedorahosted.org/freeipa/ticket/3566
Design is at http://www.freeipa.org/page/V3/Managed_Read_permissions.

As you can see from the TODOs it's not yet complete; I'll need a few
more discussions about some details and future work.
The patches only add read permissions for User objects, and the global
anonymous read ACI is not removed. I'll add the other objects after the
overall structure is ACKed.

To test, remove the ACI (cheatsheet: http://fpaste.org/43296/13806142/)
and verify that anonymous read is disabled and normal users can't read
anything but user info.

These depend on some of my earlier patches:
- 0258-0265, 0275 - LDIF-based schema updater
- 0276-0277 - Split large doc strings for translation
- 0288 - user template in tests

I needed to test both server and client plugins. Since we only have one
API object (#3090) and can't unload plugins, I needed to fix some issues
when they are loaded at the same time.

Terminology note: currently IPA calls the
"read"/"search"/"write"/"delete" part of an ACI a "permission", which is
confusing since our ACI wrapper objects are also "permissions".
Wherever I can, I use the term "rights" for these.
"Rights" is also used in ACI docs:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#id3349243

/Enter patches.

Act I.

0289: Might as well update to new API since I'll be making extensive
changes here
0290: My linting tools were complaining heavily about the tabs, so I
fixed the indentation here.
0291: Fix a crash when ldap2 and a client RPC backend are connected at
the same time. (This happens in tests that I'll add later)

Act II.

0292: See the "Permission flags" section of the design.
0293: Add schema. (The OIDs aren't registered yet.)
0294: This makes the test in the next patch possible.
0295: See the "MANAGED Permissions" section of the design.
0296: See the "Read rights" section of the design.

Act III.

0297: See "Marking Attributes in Plugins" and "Adding permissions for
default read permissions" in the design.
0298: Make the help plugin not fail when server plugins are loaded. This
will happen in later tests.
0299: Tests for 0297
0300! Fix a TODO from 0295
0301: See "Adding privileges and role for default read permissions" in
the design
0302: Tests for 0301

--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0289-Update-Permission-plugin-to-decorator-registration-A.patch
Type: text/x-patch
Size: 3533 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0290-Fix-indentation-in-permission-plugin-tests.patch
Type: text/x-patch
Size: 8525 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0291-Fix-invalid-assumption-NSS-initialization-check-in-S.patch
Type: text/x-patch
Size: 1240 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0292-Treat-permissions-with-unknown-flags-as-immutable.patch
Type: text/x-patch
Size: 9601 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0293-Add-schema-for-managed-permissions.patch
Type: text/x-patch
Size: 3377 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0294-Make-it-possible-to-call-custom-functions-in-Declara.patch
Type: text/x-patch
Size: 1798 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0295-Add-support-for-managed-permissions.patch
Type: text/x-patch
Size: 27821 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0296-Add-read-search-and-compare-to-the-list-of-permissio.patch
Type: text/x-patch
Size: 5182 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0297-Add-Object-metadata-and-update-plugin-for-managed-pe.patch
Type: text/x-patch
Size: 7504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0298-Help-plugin-don-t-fail-if-a-topic-s-module-is-not-fo.patch
Type: text/x-patch
Size: 1651 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0299-Add-tests-for-managed-permission-updater.patch
Type: text/x-patch
Size: 8096 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0300-Make-managed-permission-tests-use-the-server-update-.patch
Type: text/x-patch
Size: 5638 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0301-Add-Reader-role-and-user-read-privilege.patch
Type: text/x-patch
Size: 2008 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0302-Add-tests-for-the-new-Reader-role.patch
Type: text/x-patch
Size: 7682 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131001/e2418859/attachment-0013.bin>