[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

David Kupka dkupka at redhat.com
Thu Jun 11 13:55:40 UTC 2015


On 11.6.2015 at 14:12, thierry bordaz wrote:
> On 06/10/2015 02:14 PM, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/5057
> Hello David,
>
> The patch looks ok except it removes a permission to update 'uid' from
> an active user. This permission is required to delete(preserve) an
> active user.
>
>     -        # Active container
>     -        #
>     -        # Stage user administrators need write right on RDN when
>     -        # the active user is deleted (preserved)
>     -        'System: Write Active Users RDN by administrators': {
>     -            'ipapermlocation': DN(baseuser.active_container_dn,
>     api.env.basedn),
>     -            'ipapermbindruletype': 'permission',
>     -            'ipapermtarget': DN('uid=*',
>     baseuser.active_container_dn, api.env.basedn),
>     -            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>     -            'ipapermright': {'write'},
>     -            'ipapermdefaultattr': {'uid'},
>     -            'default_privileges': {'Stage User Administrators'},
>     -        },
>     -        #
>
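
Review bot: Removing 'System: Write Active Users RDN by administrators' drops the write right on 'uid' under the active container for 'Stage User Administrators', while the comment removed with it states that this right is needed when an active user is deleted (preserved). No replacement is visible in this hunk, so either keep the entry or re-add it under the new naming scheme with the same 'ipapermright': {'write'}, 'ipapermdefaultattr': {'uid'} and 'default_privileges', and keep the explanatory comment so the grant is not mistaken for a leftover. A test that runs 'user-del --preserve' as a member of that privilege would catch this kind of removal.
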
> I prepared a new patch (attached) with that permission and it makes
> 'user-del --preserve' happy.
> Now I think the name would rather be something like: 'System: Preserve
> an active user (user-del --preserve)'
>
> I also added back this comment in two permissions 'Note: targetfilter is
> the target parent container'.
> This was to say that the targetfilter setting was intentional.
> If you think it is not the right place, you may remove those comments.
>
> Thanks
> thierry
>

Hello Thierry,
Indeed, I accidentally removed these. Thank you for the careful review.
A rebase is needed, but it is due to a change in VERSION, and it is useless to do
it before the push as there are too many patches going to master right now.
Martin, are you (as a reporter) OK with the patch?

-- 
David Kupka