[Freeipa-devel] [PATCHES] 0464-0466 Multivalued targetfilter

Martin Kosek mkosek at redhat.com
Thu Feb 20 12:06:46 UTC 2014 

On 02/20/2014 12:57 PM, Petr Viktorin wrote:
> On 02/19/2014 05:32 PM, Martin Kosek wrote:
>> On 02/19/2014 10:44 AM, Petr Viktorin wrote:
>>> On 02/18/2014 08:02 PM, Petr Viktorin wrote:
>>>> On 02/18/2014 09:42 AM, Martin Kosek wrote:
>>>>> On 02/13/2014 01:12 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> These patches fix https://fedorahosted.org/freeipa/ticket/4074
>>>>>> Design:
>>>>>> http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
>>>>>>
>>>>>>
>>>>>> Since --type, affects only targetfilter values in the form
>>>>>> "(objectclass=...)"
>>>>>> and leaves others alone, and in the -mod command we don't fetch the
>>>>>> existing
>>>>>> entry until the pre_callback, I had to put the adds/removes in the
>>>>>> context. I
>>>>>> don't think the approach is too terrible given the limitations.
>>>>>
>>>>> 464:
>>>>>
>>>>> 1) Internal Error:
>>>>>
>>>>> # ipa permission-mod can_write2 --filter='foo=bar'
>>>>> ipa: ERROR: an internal error has occurred
>>>>
>>>> Thanks for the catch! Fixed & added to tests.
>>>>
>>>>> 2) ACI target filter
>>>>>
>>>>> I would relabel targetfilter from "ACI target filter" to "Target
>>>>> filter" to
>>>>> make it consistent with other ACI attributes. We are sort of hiding
>>>>> there are
>>>>> any underlying ACIs anyway...
>>>>
>>>> Fixed.
>>>>
>>>>> 3) I am now thinking about the behavior of --memberof and --filter
>>>>> options and
>>>>> how they interact. It looks OK except for the case when I set filter
>>>>> to None:
>>>>
>>>> The same would happen when setting --filter to any other value(s) that
>>>> don't include existing memberOf filters.
>>>>
>>>>> # ipa permission-mod can_write2 --memberof=bar
>>>>> --------------------------------
>>>>> Modified permission "can_write2"
>>>>> --------------------------------
>>>>>     Permission name: can_write2
>>>>>     Permissions: write
>>>>>     Effective attributes: description
>>>>>     Bind rule type: permission
>>>>>     Subtree: dc=example,dc=com
>>>>>     ACI target filter: (foo=bar),
>>>>>
>>>>> (memberOf=cn=bar,cn=groups,cn=accounts,dc=example,dc=com)
>>>>>     Member of group: bar
>>>>> # ipa permission-mod can_write2 --filter=
>>>>> --------------------------------
>>>>> Modified permission "can_write2"
>>>>> --------------------------------
>>>>>     Permission name: can_write2
>>>>>     Permissions: write
>>>>>     Effective attributes: description
>>>>>     Bind rule type: permission
>>>>>     Subtree: dc=example,dc=com
>>>>>
>>>>> Then both memberOf and filter is erased. Are we ok with that?
>>>>> Shouldn't we keep
>>>>> memberOf part until that is set to None? I am not insisting, just
>>>>> trying to
>>>>> discuss the best behavior.
>>>>
>>>> Memberof affects the filter; this is even pointed out in --help output.
>>>> The alternative would be to make --filter= exclude filters affected by
>>>> other options, which I think would be even more confusing.
>>>> Keep in mind --type sets (objectclass=...) filters in exactly the same
>>>> way as --memberof works for (memberof=...).
>>>> The --memberof, --targetgroup, --type options are just shortcuts for
>>>> setting other permission attributes. I'm hoping we can get this message
>>>> across, in --help, and in the docs, well enough to reduce the confusion.
>>>>
>>>>> 465: I know this was already discussed previously, but I am now having
>>>>> second
>>>>> thoughts - should we use posixAccount as THE objectclass for user
>>>>> targetfilter?
>>>>>
>>>>> # ipa permission-add can_write --permissions write --attrs=description
>>>>> --type=user
>>>>> ----------------------------
>>>>> Added permission "can_write"
>>>>> ----------------------------
>>>>>     Permission name: can_write
>>>>>     Permissions: write
>>>>>     Effective attributes: description
>>>>>     Bind rule type: permission
>>>>>     Subtree: cn=users,cn=accounts,dc=example,dc=com
>>>>>     ACI target filter: (objectclass=posixaccount)
>>>>>     Type: user
>>>>>
>>>>> What if we add system users at some point which would miss the
>>>>> posixaccount
>>>>> objectclass? Wouldn't it be better to use the inetOrgPerson structural
>>>>> objectclass instead of posixAccount? Simo or Ludwig, any opinion on this?
>>>>
>>>> I'm not opposed.
>>>> (I don't think it should block this patchset though. We'll have to add
>>>> canonical objectclasses to all the types that don't currently have them.
>>>> Deciding it for `user` can be a part of that effort.)
>>>
>>> Apologies, I've sent a slightly wrong version of the tests. Here's the fixed
>>> patchset.
>>>
>>
>> Thanks. New check works fine, but the attribute name in the error message seems
>> inconsistent:
>>
>> # ipa permission-mod can_write --filter=foo=bar
>> ipa: ERROR: invalid 'filter': must be enclosed in parentheses
>>
>> # ipa permission-mod can_write --filter="(foo=bar))"
>> ipa: ERROR: invalid 'ipapermtargetfilter': Bad search filter
>>
>> If you fix that, it's ACK for all.
>>
>> Martin
>>
> 
> It turns out this is a deeper issue; for the time being I'd rather defer it for
> more discussion & refactoring than hack around it.
> 
> https://fedorahosted.org/freeipa/ticket/4183
> 

Ok, agreed. ACK to the original patches then.

Martin

More information about the Freeipa-devel mailing list