[Freeipa-devel] [PATCHES] 0594-0606 Convert default permissions to managed

Petr Viktorin pviktori at redhat.com
Tue Jun 24 10:27:25 UTC 2014


On 06/23/2014 05:51 PM, Martin Kosek wrote:
> On 06/23/2014 02:59 PM, Petr Viktorin wrote:
>> On 06/23/2014 10:07 AM, Martin Kosek wrote:
>>> On 06/20/2014 11:17 PM, Martin Kosek wrote:
>>>> On 06/20/2014 05:06 PM, Petr Viktorin wrote:
>>>>> All these should be independent, except for conflicts in ACI.txt that are
>>>>> easily solved by running makeaci.
>>>>
>>>> Umh, now the fun begins as I see :) There will probably need to be some rebase,
>>>> it clashed with some other ACI patches in my tree (namely Hosts which I acked).
>>
>> Rebased on top of my patch 0607, please apply that first.
>>
>> Added a new patch, 0608, which adds missing write permissions.
>>
>>
>>>> 594: we miss permissions for Automount Locations. Permissions for keys&maps
>>>> look ok.
>>
>> Added in 0608.
>>
>>>>
>>>> 595: "System: Modify Group Membership" is probably waiting for the group
>>>> objectclass fix - the filter is different. Otherwise it looks ok.
>>
>> Right; rebased.
>>
>>>> 596-598: HBAC is ok
>>>>
>>>> 599: hostgroup is OK
>>>>
>>>> 600: there must have been some DS problem on my side as my regular user could
>>>> not see any netgroup
>>
>> The problem is a bit closer to home this time.
>> Fixed in patch 0607.
>>
>>>> 601: privileges - we miss CRUD ACIs
>>
>> Added in 0608.
>>
>> We also miss CRUD permissions on permissions, but since currently these need
>> pretty much unlimited access to ACIs, it's better to keep them admin-only.
>>
>>>> 602: roles were ok
>>>>
>>>> 603: ok
>>>>
>>>> I got this far today, the rest will need to wait for the next week.
>>>
>>> 604: ok, I was able to create a service, get a keytab
>>>
>>> 605: Should we case the permissions as "Sudo Command" instead of "Sudo command"?
>>
>> Yes, fixed
>>
>>> 606: we also miss Modify Sudo Command permission so that people can modify
>>> description. Otherwise ok.
>>
>> Added in 0608.
>>
>>
>
> 1) # ipa-server-install:
> ...
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure missing
> required attribute "objectclass"
> ...
>
> There is a problem in this pending update:
>
> dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
> add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'
>
> You apparently also need to make this permission a member of the "Modify Group
> membership" privilege.

Fixed, thank you.

> 2) We may not need "System: Modify Automount Locations" as there is just the CN
> and we do not support renames in automountlocation API. I am not insisting.

Removed.

> When these 2 issues are resolved, we can push.

I've also added a patch that fixes a permission-find test which assumed 
there are many old permissions.


-- 
Petr³
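A small pre-flight check for the failure Martin reports under 1), added here as an example and not code from the patches or from ipaserver.install.ldapupdate: it parses update lines in the `dn:` / `op:attr: value` form shown in the thread (the sample text is constructed, not the real update file), substitutes `$SUFFIX`, and reports entries that would be created without an objectclass or `member` references to a privilege that neither already exists nor is defined in the same update set. The `existing_dns` set stands in for a directory lookup and is an assumption of this example.

```python
import re

# Constructed sample in the style of a FreeIPA update file (not taken from the
# patches): the permission references a privilege that is defined nowhere.
SAMPLE_UPDATE = """\
# permission -> privilege link, as in the thread
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'

dn: cn=Modify Automount maps,cn=privileges,cn=pbac,$SUFFIX
default:objectclass: groupofnames
default:objectclass: nestedgroup
default:objectclass: top
default:cn: Modify Automount maps
"""

def parse_updates(text, suffix):
    """Group update lines by dn: {dn: [(op, attr, value), ...]}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.replace("$SUFFIX", suffix).strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = line[3:].strip()
            entries.setdefault(current, [])
            continue
        # op:attr: value, with the value optionally single-quoted
        m = re.match(r"(\w+):(\w+):\s*'?(.*?)'?$", line)
        if m and current is not None:
            entries[current].append(m.groups())
    return entries

def find_dangling(entries, existing_dns):
    """Return (dns that would be added without an objectclass,
    (dn, member) pairs whose member target is neither existing nor defined)."""
    defined = {dn for dn, ops in entries.items()
               if any(attr.lower() == "objectclass" for _, attr, _ in ops)}
    known = defined | set(existing_dns)
    no_objectclass = [dn for dn in entries if dn not in known]
    dangling = [(dn, val) for dn, ops in entries.items()
                for _, attr, val in ops
                if attr.lower() == "member" and val not in known]
    return no_objectclass, dangling
```

Run against the sample with the permission DN marked as existing, the only finding is the dangling privilege link, which is exactly the entry ldapupdate could not add.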

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0594.3-Convert-Automount-default-permissions-to-managed.patch
Type: text/x-patch
Size: 16366 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0595.3-Convert-Group-default-permissions-to-managed.patch
Type: text/x-patch
Size: 12821 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0596.3-Convert-HBAC-Rule-default-permissions-to-managed.patch
Type: text/x-patch
Size: 9552 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0597.3-Convert-HBAC-Service-default-permissions-to-managed.patch
Type: text/x-patch
Size: 6264 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0598.3-Convert-HBAC-Service-Group-default-permissions-to-ma.patch
Type: text/x-patch
Size: 6703 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0599.3-Convert-Hostgroup-default-permissions-to-managed.patch
Type: text/x-patch
Size: 8847 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0600.3-Convert-Netgroup-default-permissions-to-managed.patch
Type: text/x-patch
Size: 9239 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0601.3-Convert-the-Modify-privilege-membership-permission-t.patch
Type: text/x-patch
Size: 4658 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0602.3-Convert-Role-default-permissions-to-managed.patch
Type: text/x-patch
Size: 8689 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0603.3-Convert-SELinux-User-Map-default-permissions-to-mana.patch
Type: text/x-patch
Size: 7888 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0604.3-Convert-Service-default-permissions-to-managed.patch
Type: text/x-patch
Size: 8890 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0605.3-Convert-Sudo-Command-default-permissions-to-managed.patch
Type: text/x-patch
Size: 8615 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0606.3-Convert-Sudo-Command-Group-default-permissions-to-ma.patch
Type: text/x-patch
Size: 6719 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0608.3-Add-several-CRUD-default-permissions.patch
Type: text/x-patch
Size: 9937 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0609.3-test_permission_plugin-Fix-permission_find-test-for-.patch
Type: text/x-patch
Size: 1227 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140624/325a056f/attachment-0014.bin>
