[Freeipa-devel] [PATCHES] 0489-0495 Add the extratargetfilter virtual attribute to permissions

Martin Kosek mkosek at redhat.com
Fri Mar 14 09:18:08 UTC 2014


On 03/13/2014 06:26 PM, Petr Viktorin wrote:
> On 03/10/2014 05:40 PM, Petr Viktorin wrote:
>> On 03/07/2014 07:57 PM, Petr Viktorin wrote:
>>> Hello,
>>> This implements https://fedorahosted.org/freeipa/ticket/4216
>>>
>>> It feels like permissions have gone full circle, from being managed by
>>> virtual attributes, to storing all data in LDAP and exposing that, to
>>> exposing mainly virtual attributes after all. The good part is that the
>>> virtual attributes are now just a layer on top of well-structured LDAP
>>> entries.
>>>
>>>
>>> To the point: extratargetfilter lists all target filters that are not
>>> implied by --memberof or --user. The list is writable; changing it will
>>> preserve the implied filters. By default the full underlying list is not
>>> shown, you can use --all or --raw for that.
>>> In CLI, extratargetfilter is now named simply --filter, and the
>>> underlying ipapermtargetfilter is named --rawfilter.
>>>
>>> There are still some cases where the illusion is not complete:
>>>
>>> - When searching, extratargetfilter and ipapermtargetfilter behave the
>>> same, they search the full list.
>>>
>>> - When adding a filter that matches the requirements for --memberof or
>>> --type, the filter will be "used" for that option instead:
>>>
>>> $ ipa permission-add testperm --type user --perm write
>>> --filter='(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)'
>>> ---------------------------
>>> Added permission "testperm"
>>> ---------------------------
>>>    Permission name: testperm
>>>    Permissions: write
>>>    Bind rule type: permission
>>>    Subtree: cn=users,cn=accounts,$SUFFIX
>>>    Member of group: admins
>>>    Type: user
>>>
>>>
>>>
>>> Patches:
>>>
>>> 0489 - Outputting extratargetfilter
>>> 0490 - Writing extratargetfilter
>>> 0491 - CLI names for the options
>>> 0492 - Tests for the above
>>> 0493 - Searching by extratargetfilter
>>> 0494 - Fix an existing bug in --memberof
>>> 0495 - This uses the information made available in the previous patches
>>> to polish a rough edge of the --memberof/--user options.
>>>
>>
>> Attaching rebased patches.
> 
> Petr¹ found that extratargetfilter allowed the filter to be changed on managed
> permissions. Attached patches fix this.
> 

Thanks for the fix. I tested and checked the whole patch set and it looks and
works good.

Pushed to master: 64cc4d81cce2143f13b9ddad946473d58bc42b36

Martin
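
A minimal Python model of the behaviour described in the quoted patch description, added here as an illustration; it is not FreeIPA code. It covers only the --memberof case, and the suffix value, the `managed` flag, and all function and exception names are assumptions.

```python
import re

# Shape of the filter implied by --memberof, as shown in the thread's example.
MEMBEROF_RE = re.compile(
    r"^\(memberOf=cn=([^,()]+),cn=groups,cn=accounts,(.+)\)$", re.IGNORECASE)

SUFFIX = "dc=example,dc=com"  # constructed sample suffix


class ManagedPermissionError(Exception):
    """Raised when a write targets a managed permission (hypothetical name)."""


def split_filters(raw_filters, suffix=SUFFIX):
    """Split the raw filter list into (memberof groups, extra filters)."""
    groups, extra = [], []
    for flt in raw_filters:
        m = MEMBEROF_RE.match(flt)
        if m and m.group(2).lower() == suffix.lower():
            groups.append(m.group(1))   # consumed by the memberof view
        else:
            extra.append(flt)           # shown as extratargetfilter
    return groups, extra


def set_extra_filters(perm, new_extra, suffix=SUFFIX):
    """Replace only the non-implied filters; implied ones are preserved."""
    if perm.get("managed"):  # hypothetical flag marking a managed permission
        raise ManagedPermissionError("filter of a managed permission is read-only")
    old_extra = split_filters(perm["rawfilter"], suffix)[1]
    implied = [f for f in perm["rawfilter"] if f not in old_extra]
    merged = implied + [f for f in new_extra if f not in implied]
    return dict(perm, rawfilter=merged)


if __name__ == "__main__":
    admins = "(memberOf=cn=admins,cn=groups,cn=accounts,%s)" % SUFFIX
    perm = {"rawfilter": [admins, "(title=manager)"], "managed": False}
    print(split_filters(perm["rawfilter"]))
    print(set_extra_filters(perm, ["(l=Brno)"])["rawfilter"])
```

A filter written through `set_extra_filters` that has the memberOf shape is reported as a group on the next read, which mirrors the "used for that option instead" case in the description.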



