[Freeipa-devel] Stage users - inconsistent permission names

thierry bordaz tbordaz at redhat.com
Wed Jun 10 10:45:23 UTC 2015


On 06/10/2015 12:16 PM, Martin Kosek wrote:
> On 06/10/2015 10:01 AM, David Kupka wrote:
>> On 06/10/2015 09:12 AM, Martin Kosek wrote:
>>> Hello Thierry/David,
>>>
>>> I saw the new privileges and permissions for the Staged Users functionality and
>>> found couple spelling/English issues that I think we should fix before Alpha/GA
>>> so that we can just rename them and not care about upgrade changes.
>>>
>>> Namely:
>>>
>>> # ipa permission-find stage | grep -i "Permission name"
>>>     Permission name: System: Add Stage Users by Provisioning and Administrators
>>>
>>> Should be "System: Add Stage User"
>>>
>>> Permission should not care who will do it, it is privilege/role's job.
>>>
>>>     Permission name: System: Delete modify Stage Users by administrators
>>>
>>> Why is Modify and Delete combined in 1 permission?

Hello Martin, David,

Sorry for the delay.

Each permission creates a DS ACI. At first, to limit the number of ACIs, I 
tried to group them.
So I should rather separate each individual right into a separate 
permission (e.g. 'write'/MOD and 'delete'/DEL), is that correct?

I agree it is cleaner and easier to maintain.


>>>
>>> Should be "System: Modify Stage User" and "System: Remove Stage User"
>>>
>>>     Permission name: System: Preserve an active user to a delete Users
>>>
>>> Maybe "System: Preserve User"? We do not use "deleted users" but rather
>>> "preserved users" anyway
Yes. Petr Viktorin already warned me to use the proper naming.
Deleted users are better renamed to Preserved users (due to the CLI option)
>>>
>>>     Permission name: System: Reactive delete users
>>>
>>> "System: Undelete User" to reflect the command name.
>>>
>>>     Permission name: System: Read Stage User kerberos principal key and password
>>>
>>> Rather "System: Read Stage User password" - I do not think we need to call out
>>> the principal key explicitly, but this is negotiable.
That's fine for me. In the initial version of the patch I put 'credentials' 
but then switched to exact attributes.
>>>     Permission name: System: Read Stage Users by administrators
>>>
>>> "System: Read Stage Users"
>>>
>>>     Permission name: System: Read/Write delete Users by administrators
>>>
>>> This needs to be 2 permissions:
>>>
>>> "System: Read Preserved Users"
>>> "System: Modify Preserved Users"
>>>
>>>     Permission name: System: Reset userPassord and kerberos keys of delete users
>>> by administrator
>>>
>>> Rather "System: Reset Preserved User password"
>>>
>>>     Permission name: System: Write Active Users RDN by administrators
>>>
>>> Rather "System: Modify User RDN"
>>>
>>>     Permission name: System: Write Delete Users RDN by administrators
>>>
>>> Why is this permission needed, isn't "System: Modify Preserved Users" enough?

Absolutely, you are right, this ACI is already covered by "Modify 
Preserved Users"

thanks
thierry
>>>
>> Hello,
>> it's probably my fault, I should have paid more attention when reviewing the
>> patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and
>> can fix it.
>>
> Great, thanks! Ideally, this should be fixed for Alpha - it should not be that
> hard, the names are now already proposed.