[Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates

Petr Vobornik pvoborni at redhat.com
Thu Aug 13 09:04:42 UTC 2015


On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
>> The usercertificate attr was moved from "System: Modify Users" to this
>> new permission.
>>
>> https://fedorahosted.org/freeipa/ticket/5177
>>
>> Note: hosts have the permission "System: Manage Host Certificates"; services
>> don't have it, but usercertificate is in "System: Modify Services". I would
>> move it as well if usercertificate were not the only attr in "System: Modify
>> Services".
>>
> New permission works as expected.
>
> What are the implications of removing userCertificate attribute from
> "Modify Users" ACI?  Users could be relying on it given that there
> is (until now) no more fine-grained permission.

I'm not sure what the expected ACI upgrade behavior is, but applying this 
patch on an installed server and running ipa-server-upgrade ends with 
userCertificate still in the "System: Modify Users" permission - it 
eliminates your worry. The rest of the users who still run IPA < 4.2 won't 
even notice.

>
> Perhaps we should
>
> a) use update script to add the new permission to any roles that
>     have the Modify Users permission, or
> b) not remove the userCertificate attribute from the ACI, or
> c) deem this change acceptable and leave the patch as-is, in which
>     case: ACK
>
> Cheers,
> Fraser
>
-- 
Petr Vobornik