[Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates
Alexander Bokovoy
abokovoy at redhat.com
Thu Aug 13 09:30:10 UTC 2015
On Thu, 13 Aug 2015, Fraser Tweedale wrote:
>On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
>> On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
>> >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
>> >>usercertificate attr was moved from "System Modify Users" to this
>> >>new permission.
>> >>
>> >>https://fedorahosted.org/freeipa/ticket/5177
>> >>
>> >>Note: hosts have permission "System: Manage Host Certificates", services
>> >>don't have it but usercertificate is in "System: Modify Services". I would
>> >>move it as well if usercertificate was not the only attr in "System: Modify
>> >>Services".
>> >>
>> >New permission works as expected.
>> >
>> >What are the implications of removing userCertificate attribute from
>> >"Modify Users" ACI? Users could be relying on it given that there
>> >is (until now) no more fine-grained permission.
>>
>> I'm not sure what is the expected ACI upgrade behavior but applying this
>> patch on installed server and running ipa-server-upgrade ends with
>> userCertificate still in "System: Modify Users" permission - it eliminates
>> your worry. The rest of users who still run IPA < 4.2 won't even notice.
>>
>Ah, I see.
>
>This raises a different problem: different ACIs on different
>deployments, depending on when IPA was installed. Unless I am
>misunderstanding something, isn't that an undesirable situation?
We have precedent of upgrading ACIs via upgrade plugins.
So this is something we need to design for and execute.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list