[Freeipa-devel] [PATCHES] 0489-0495 Add the extratargetfilter virtual attribute to permissions

Petr Viktorin pviktori at redhat.com
Fri Mar 7 18:57:03 UTC 2014 

Hello,
This implements https://fedorahosted.org/freeipa/ticket/4216

It feels like permissions have gone full circle, from being managed by 
virtual attributes, to storing all data in LDAP and exposing that, to 
exposing mainly virtual attributes after all. The good part is that the 
virtual attributes are now just a layer on top of well-structured LDAP 
entries.


To the point: extratargetfilter lists all target filters that are not 
implied by --memberof or --user. The list is writable; changing it will 
preserve the implied filters. By default the full underlying list is not 
shown, you can use --all or --raw for that.
In CLI, extratargetfilter is now named simply --filter, and the 
underlying ipapermtargetfilter is named --rawfilter.

There are still some cases where the illusion is not complete:

- When searching, extratargetfilter and ipapermtargetfilter behave the 
same, they search the full list.

- When adding a filter that matches the requirements for --memberof or 
--type, the filter will be "used" for that option instead:

$ ipa permission-add testperm --type user --perm write 
--filter='(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)'
---------------------------
Added permission "testperm"
---------------------------
   Permission name: testperm
   Permissions: write
   Bind rule type: permission
   Subtree: cn=users,cn=accounts,$SUFFIX
   Member of group: admins
   Type: user



Patches:

0489 - Outputting extratargetfilter
0490 - Writing extratargetfilter
0491 - CLI names for the options
0492 - Tests for the above
0493 - Searching by extratargetfilter
0494 - Fix an existing bug in --memberof
0495 - This uses the information made available in the previous patches 
to polish a rough edge of the --memberof/--user options.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0489-permission-plugin-Output-the-extratargetfilter-virtu.patch
Type: text/x-patch
Size: 45422 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0490-permission-plugin-Write-support-for-extratargetfilte.patch
Type: text/x-patch
Size: 9258 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0491-permission-CLI-Rename-filter-to-rawfilter-extratarge.patch
Type: text/x-patch
Size: 8507 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0492-permission-plugin-Add-tests-for-extratargetfilter.patch
Type: text/x-patch
Size: 13571 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0493-permission-plugin-Support-searching-by-extratargetfi.patch
Type: text/x-patch
Size: 3552 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0494-permission-plugin-Do-not-fail-on-non-DN-memberof-fil.patch
Type: text/x-patch
Size: 1424 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0495-permission-plugin-Do-not-change-extra-target-filters.patch
Type: text/x-patch
Size: 9656 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140307/b85a4296/attachment-0006.bin>

More information about the Freeipa-devel mailing list