[Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
Fraser Tweedale
ftweedal at redhat.com
Thu Aug 13 09:22:14 UTC 2015
On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
> On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> >>usercertificate attr was moved from "System Modify Users" to this
> >>new permission.
> >>
> >>https://fedorahosted.org/freeipa/ticket/5177
> >>
> >>Note: hosts have permission "System: Manage Host Certificates", services
> >>don't have it but usercertificate is in "System: Modify Services". I would
> >>move it as well if usercertificate was not the only attr in "System: Modify
> >>Services".
> >>
> >New permission works as expected.
> >
> >What are the implications of removing userCertificate attribute from
> >"Modify Users" ACI? Users could be relying on it given that there
> >is (until now) no more fine-grained permission.
>
> I'm not sure what is the expected ACI upgrade behavior but applying this
> patch on installed server and running ipa-server-upgrade ends with
> userCertificate still in "System: Modify Users" permission - it eliminates
> your worry. The rest of users who still run IPA < 4.2 won't even notice.
>
Ah, I see.
This raises a different problem: different ACIs on different
deployments, depending on when IPA was installed. Unless I am
misunderstanding something, isn't that an undesirable situation?
Thanks,
Fraser
> >
> >Perhaps we should
> >
> >a) use update script to add the new permission to any roles that
> > have the Modify Users permission, or
> >b) not remove the userCertificate attribute from the ACI, or
> >c) deem this change acceptable and leave the patch as-is, in which
> > case: ACK
> >
> >Cheers,
> >Fraser
> >
> --
> Petr Vobornik
More information about the Freeipa-devel
mailing list