[Freeipa-devel] [PATCHES] 0583-0584 Convert DNS default permissions to managed

Petr Viktorin pviktori at redhat.com
Wed Jun 18 12:20:29 UTC 2014


On 06/18/2014 02:05 PM, Martin Kosek wrote:
> On 06/16/2014 05:43 PM, Petr Viktorin wrote:
>> On 06/13/2014 05:25 PM, Petr Viktorin wrote:
>>>
>>> With the first patch, old SYSTEM permissions can be replaced. The "Read
>>> DNS Entries" did not have an associated ACI, but was rather rolled into
>>> a single ACI with the managedBy rule used for per-zone access.
>>> (and before that it was part of a deny rule.)
>>> We can't remove this permission in an update file, because we need to
>>> check that it is indeed an old SYSTEM perm and not a new one with the
>>> same name.
>>>
>>>
>>> The second patch converts DNS permissions to managed.
>>>
>>> The ACIs are put directly in $SUFFIX, because the cn=dns subtree does
>>> not exist in all installations.
>>>
>>> I hope to change this for https://fedorahosted.org/freeipa/ticket/4058,
>>> when I've thought more about relationships between plugins, packages,
>>> install options, and the updater.
>>
>> Testing more, I found a benign bug: the updater complained if the cn=dns
>> container was missing. Fixed here.
>>
>> Also, the update_dns_permissions plugin is now obsolete, the third patch
>> removes it.
>>
>
> 583.2: OK
>
> 584.2:
>
> 1) Typo in description:
> Convewrt the existing default permissions.

Thanks for the catch, I'll fix it before pushing.

>
> 2) What would you like to do with per-zone permissions?
>
> # ipa dnszone-add-permission example.com
> ------------------------------------------------------
> Added system permission "Manage DNS zone example.com."
> ------------------------------------------------------
>    Manage DNS zone example.com.
>
> # ipa permission-show 'Manage DNS zone example.com.'
>    Permission name: Manage DNS zone example.com.
>    Granted to Privilege: test2
>    Indirect Member of roles: test2
>
> Should the command be converted to add V2 permissions? We would have to also
> deal with conversion from old DNS zone permissions to permissionsv2 though.
>
> 3) How difficult would it be to also convert "Add/Read/Remove/Update DNS
> entries in a zone" permissions to managed? It would make their maintenance and
> updates much easier, we would also get rid of more updates in update files.
>
> The only problem I see is how to define 'userattr =
> "parent[0,1].managedby#GROUPDN"' in the managed permission, IMO it could be
> rough at the moment.

I'd like to leave these two cases until after the "regular" default 
permissions are done.
The regular permissions must be converted now because when you "touch" 
them with 4.0 permission-mod, they get converted to V2 and the updater 
will no longer count them as old default permissions. So we need to 
convert all of them right now. The SYSTEM ones can't be modified so they 
could theoretically wait till 4.1+.
There'll be a few more SYSTEM permissions to convert like 'Modify DNA 
Range'.

For the second case, yes, adding more bind rule types will need some 
work (and a new permission flag). I'd like to combine that work with the 
selfservice/delegation, which also need special bind rules.

>
> Otherwise the changes worked fine, thanks!
>
> Martin
>


-- 
Petr³
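An added example, not code from the thread or from FreeIPA: it parses the bind rules of 389-DS ACIs and flags those that a managed permission cannot express today (everything except a plain groupdn rule), such as the `userattr = "parent[0,1].managedby#GROUPDN"` rule Martin mentions. The sample ACIs and the DN suffix are constructed for the example.

```python
import re

# Constructed sample ACIs in 389-DS syntax (not copied from FreeIPA's LDIF).
# "read-dns" has the shape a managed permission produces: a single groupdn
# bind rule naming the permission entry.  "update-zone" is the per-zone
# form discussed in the thread, which ties access to the zone's managedBy.
SAMPLE_ACIS = {
    "read-dns": (
        '(targetattr = "*")(version 3.0;acl "permission:Read DNS Entries";'
        'allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,'
        'cn=permissions,cn=pbac,dc=example,dc=com";)'
    ),
    "update-zone": (
        '(targetattr = "*")(version 3.0;acl "Update DNS entries in a zone";'
        'allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
    ),
}

BIND_RULE_RE = re.compile(
    r'\b(groupdn|userdn|roledn|userattr)\s*(!?=)\s*"([^"]*)"', re.I)
USERATTR_RE = re.compile(r'^parent\[([\d,]+)\]\.(\w+)#(\w+)$')


def bind_rules(aci):
    """Return (keyword, operator, value) for every bind rule in an ACI."""
    return [(kw.lower(), op, val) for kw, op, val in BIND_RULE_RE.findall(aci)]


def parse_userattr(value):
    """Split 'parent[0,1].managedby#GROUPDN' into (levels, attribute, bind type).

    Returns None for userattr values that do not use the parent[] form."""
    m = USERATTR_RE.match(value)
    if not m:
        return None
    levels = [int(x) for x in m.group(1).split(",")]
    return levels, m.group(2), m.group(3)


def classify(aci):
    """'managed-ok' when the ACI uses only 'groupdn =' bind rules, the form
    managed permissions emit; otherwise 'needs-new-bind-rule-type'."""
    rules = bind_rules(aci)
    if not rules:
        return "no-bind-rule"
    if all(kw == "groupdn" and op == "=" for kw, op, _ in rules):
        return "managed-ok"
    return "needs-new-bind-rule-type"
```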