[Freeipa-devel] [PATCHES] 0489-0495 Add the extratargetfilter virtual attribute to permissions

Petr Viktorin pviktori at redhat.com
Thu Mar 13 17:26:03 UTC 2014


On 03/10/2014 05:40 PM, Petr Viktorin wrote:
> On 03/07/2014 07:57 PM, Petr Viktorin wrote:
>> Hello,
>> This implements https://fedorahosted.org/freeipa/ticket/4216
>>
>> It feels like permissions have gone full circle, from being managed by
>> virtual attributes, to storing all data in LDAP and exposing that, to
>> exposing mainly virtual attributes after all. The good part is that the
>> virtual attributes are now just a layer on top of well-structured LDAP
>> entries.
>>
>>
>> To the point: extratargetfilter lists all target filters that are not
>> implied by --memberof or --user. The list is writable; changing it will
>> preserve the implied filters. By default the full underlying list is not
>> shown; you can use --all or --raw for that.
>> In CLI, extratargetfilter is now named simply --filter, and the
>> underlying ipapermtargetfilter is named --rawfilter.
>>
>> There are still some cases where the illusion is not complete:
>>
>> - When searching, extratargetfilter and ipapermtargetfilter behave the
>> same; they search the full list.
>>
>> - When adding a filter that matches the requirements for --memberof or
>> --type, the filter will be "used" for that option instead:
>>
>> $ ipa permission-add testperm --type user --perm write
>> --filter='(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)'
>> ---------------------------
>> Added permission "testperm"
>> ---------------------------
>>    Permission name: testperm
>>    Permissions: write
>>    Bind rule type: permission
>>    Subtree: cn=users,cn=accounts,$SUFFIX
>>    Member of group: admins
>>    Type: user
>>
>>
>>
>> Patches:
>>
>> 0489 - Outputting extratargetfilter
>> 0490 - Writing extratargetfilter
>> 0491 - CLI names for the options
>> 0492 - Tests for the above
>> 0493 - Searching by extratargetfilter
>> 0494 - Fix an existing bug in --memberof
>> 0495 - This uses the information made available in the previous patches
>> to polish a rough edge of the --memberof/--user options.
>>
>
> Attaching rebased patches.

Petr¹ found that extratargetfilter allowed the filter to be changed on 
managed permissions. Attached patches fix this.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0489.3-permission-plugin-Output-the-extratargetfilter-virtu.patch
Type: text/x-patch
Size: 46428 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0490.3-permission-plugin-Write-support-for-extratargetfilte.patch
Type: text/x-patch
Size: 9898 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0491.3-permission-CLI-Rename-filter-to-rawfilter-extratarge.patch
Type: text/x-patch
Size: 8504 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0492.3-permission-plugin-Add-tests-for-extratargetfilter.patch
Type: text/x-patch
Size: 13890 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0493.3-permission-plugin-Support-searching-by-extratargetfi.patch
Type: text/x-patch
Size: 3552 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0494.3-permission-plugin-Do-not-fail-on-non-DN-memberof-fil.patch
Type: text/x-patch
Size: 1424 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0495.3-permission-plugin-Do-not-change-extra-target-filters.patch
Type: text/x-patch
Size: 9656 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140313/0ba8abab/attachment-0006.bin>
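
A simplified model of the read/write split described in this thread, added here as an illustration; it is not FreeIPA's code. The dict layout, the function names, the sample suffix and the `(objectclass=posixaccount)` filter standing in for what `--type user` implies are assumptions, and filters are compared as lowercased strings rather than parsed.

```python
# Simplified model (assumption, not FreeIPA code) of extratargetfilter.
SUFFIX = "dc=example,dc=test"  # constructed sample suffix
GROUPS = "cn=groups,cn=accounts," + SUFFIX
# Constructed stand-in for the filter that --type user implies.
TYPE_FILTERS = {"user": "(objectclass=posixaccount)"}


class ManagedPermissionError(Exception):
    """Raised when a write would change the filter of a managed permission."""


def memberof_filter(group):
    return "(memberOf=cn=%s,%s)" % (group, GROUPS)


def implied_filters(perm):
    """Filters that follow from the memberof/type options alone."""
    implied = [memberof_filter(g) for g in perm.get("memberof", [])]
    if perm.get("type") in TYPE_FILTERS:
        implied.append(TYPE_FILTERS[perm["type"]])
    return implied


def extratargetfilter(perm):
    """Read side: the raw filter list minus the implied filters."""
    implied = {f.lower() for f in implied_filters(perm)}
    return [f for f in perm["ipapermtargetfilter"] if f.lower() not in implied]


def set_extratargetfilter(perm, new_extra):
    """Write side: replace only the extra filters, keep the implied ones."""
    if perm.get("managed") and sorted(new_extra) != sorted(extratargetfilter(perm)):
        raise ManagedPermissionError("filter of a managed permission is read-only")
    prefix, tail = "(memberof=cn=", "," + GROUPS.lower() + ")"
    for f in new_extra:
        # A filter with the --memberof shape is "used" for that option instead.
        if f.lower().startswith(prefix) and f.lower().endswith(tail):
            group = f[len(prefix):-len(tail)]
            if group not in perm.setdefault("memberof", []):
                perm["memberof"].append(group)
    implied = implied_filters(perm)
    low = {f.lower() for f in implied}
    perm["ipapermtargetfilter"] = implied + [f for f in new_extra if f.lower() not in low]
    return perm
```
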

