[Freeipa-devel] Stage users - inconsistent permission names

Martin Kosek mkosek at redhat.com
Wed Jun 10 10:16:50 UTC 2015


On 06/10/2015 10:01 AM, David Kupka wrote:
> On 06/10/2015 09:12 AM, Martin Kosek wrote:
>> Hello Thierry/David,
>>
>> I saw the new privileges and permissions for the Staged Users functionality and
>> found a couple of spelling/English issues that I think we should fix before Alpha/GA
>> so that we can just rename them and not care about upgrade changes.
>>
>> Namely:
>>
>> # ipa permission-find stage | grep -i "Permission name"
>>    Permission name: System: Add Stage Users by Provisioning and Administrators
>>
>> Should be "System: Add Stage User"
>>
>> Permission should not care who will do it, it is privilege/role's job.
>>
>>    Permission name: System: Delete modify Stage Users by administrators
>>
>> Why is Modify and Delete combined in 1 permission?
>>
>> Should be "System: Modify Stage User" and "System: Remove Stage User"
>>
>>    Permission name: System: Preserve an active user to a delete Users
>>
>> Maybe "System: Preserve User"? We do not use "deleted users" but rather
>> "preserved users" anyway.
>>
>>    Permission name: System: Reactive delete users
>>
>> "System: Undelete User" to reflect the command name.
>>
>>    Permission name: System: Read Stage User kerberos principal key and password
>>
>> Rather "System: Read Stage User password" - I do not think we need to call out
>> the principal key explicitly, but this is negotiable.
>>
>>    Permission name: System: Read Stage Users by administrators
>>
>> "System: Read Stage Users"
>>
>>    Permission name: System: Read/Write delete Users by administrators
>>
>> This needs to be 2 permissions:
>>
>> "System: Read Preserved Users"
>> "System: Modify Preserved Users"
>>
>>    Permission name: System: Reset userPassord and kerberos keys of delete users
>> by administrator
>>
>> Rather "System: Reset Preserved User password"
>>
>>    Permission name: System: Write Active Users RDN by administrators
>>
>> Rather "System: Modify User RDN"
>>
>>    Permission name: System: Write Delete Users RDN by administrators
>>
>> Why is this permission needed, isn't "System: Modify Preserved Users" enough?
>>
> Hello,
> it's probably my fault, I should have paid more attention when reviewing the
> patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
> can fix it.
> 

Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
hard, the names are now already proposed.



