[Freeipa-devel] Virtual operation ACIs (Was Re: 0578-0579 Convert Host default permissions to managed)

Petr Viktorin pviktori at redhat.com
Thu Jun 19 10:52:52 UTC 2014


I'll address the other issues separately.

On 06/18/2014 05:46 PM, Martin Kosek wrote:
> 3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
> No such virtual command" error triggered by "cert-show" command.
>
> We will need to add the permission "System: Read Virtual Operations" that Honza
> is creating also to "Host Administrators" to fix that part.

I'm not familiar with Honza's effort, but that seems right.
I'm curious, why don't we just allow reading virtual operations by 
anybody? It seems to me they're the same in every IPA installation, 
what's there to hide?

Anyway, I poked around in how it works now: for cert-show you need write 
access to the objectClass of the "retrieve certificate" virt op entry. 
So with that right you can actually remove the "ipaVirtualOperation" objectClass.
And the new "Anonymous read access to containers" ACI has a 
(!(objectclass=ipaVirtualOperation)) filter, so any user privileged for 
a virt op can allow everyone to see that virt op.
Shouldn't we base the check on some other attribute instead?

And curiously, for cert-find there is no virt op based access check.


-- 
Petr³
