[Freeipa-devel] [PATCHES] 0464-0466 Multivalued targetfilter
Martin Kosek
mkosek at redhat.com
Tue Feb 18 08:42:02 UTC 2014
On 02/13/2014 01:12 PM, Petr Viktorin wrote:
> Hello,
> These patches fix https://fedorahosted.org/freeipa/ticket/4074
> Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
>
>
> Since --type, affects only targetfilter values in the form "(objectclass=...)"
> and leaves others alone, and in the -mod command we don't fetch the existing
> entry until the pre_callback, I had to put the adds/removes in the context. I
> don't think the approach is too terrible given the limitations.
464:
1) Internal Error:
# ipa permission-mod can_write2 --filter='foo=bar'
ipa: ERROR: an internal error has occurred
2) ACI target filter
I would relabel targetfilter from "ACI target filter" to "Target filter" to
make it consistent with other ACI attributes. We are sort of hiding there are
any underlying ACIs anyway...
3) I am now thinking about the behavior of --memberof and --filter options and
how they interact. It looks OK except for the case when I set filter to None:
# ipa permission-mod can_write2 --memberof=bar
--------------------------------
Modified permission "can_write2"
--------------------------------
Permission name: can_write2
Permissions: write
Effective attributes: description
Bind rule type: permission
Subtree: dc=example,dc=com
ACI target filter: (foo=bar),
(memberOf=cn=bar,cn=groups,cn=accounts,dc=example,dc=com)
Member of group: bar
# ipa permission-mod can_write2 --filter=
--------------------------------
Modified permission "can_write2"
--------------------------------
Permission name: can_write2
Permissions: write
Effective attributes: description
Bind rule type: permission
Subtree: dc=example,dc=com
Then both memberOf and filter is erased. Are we ok with that? Shouldn't we keep
memberOf part until that is set to None? I am not insisting, just trying to
discuss the best behavior.
465: I know this was already discussed previously, but I am now having second
thoughts - should we use posixAccount as THE objectclass for user targetfilter?
# ipa permission-add can_write --permissions write --attrs=description --type=user
----------------------------
Added permission "can_write"
----------------------------
Permission name: can_write
Permissions: write
Effective attributes: description
Bind rule type: permission
Subtree: cn=users,cn=accounts,dc=example,dc=com
ACI target filter: (objectclass=posixaccount)
Type: user
What if we add system users at some point which would miss the posixaccount
objectclass? Wouldn't it be better to use the inetOrgPerson structural
objectclass instead of posixAccount? Simo or Ludwig, any opinion on this?
Otherwise the patches worked fine for me.
Martin
More information about the Freeipa-devel
mailing list