[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.
Martin Kosek
mkosek at redhat.com
Thu Jun 11 14:17:31 UTC 2015
On 06/11/2015 03:55 PM, David Kupka wrote:
> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a):
>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5057
>> Hello David,
>>
>> The patch looks OK except it removes a permission to update 'uid' from
>> an active user. This permission is required to delete (preserve) an
>> active user.
>>
>> - # Active container
>> - #
>> - # Stage user administrators need write right on RDN when
>> - # the active user is deleted (preserved)
>> - 'System: Write Active Users RDN by administrators': {
>> - 'ipapermlocation': DN(baseuser.active_container_dn,
>> api.env.basedn),
>> - 'ipapermbindruletype': 'permission',
>> - 'ipapermtarget': DN('uid=*',
>> baseuser.active_container_dn, api.env.basedn),
>> - 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>> - 'ipapermright': {'write'},
>> - 'ipapermdefaultattr': {'uid'},
>> - 'default_privileges': {'Stage User Administrators'},
>> - },
>> - #
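Review bot: Deleting this block removes the write right on 'uid' under the active container for 'Stage User Administrators', and the removed comment itself states that right is needed when an active user is deleted (preserved), so 'user-del --preserve' loses the permission it depends on; keep the permission (renaming it if the current name is the objection) instead of dropping it.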
>>
>> I prepared a new patch (attached) with that permission and it makes
>> 'user-del --preserve' happy.
>> Now I think the name would rather be something like: 'System: Preserve
>> an active user (user-del --preserve)'
>>
>> I also added back this comment in two permissions 'Note: targetfilter is
>> the target parent container'.
>> This was to say that the targetfilter setting was intentional.
>> If you think it is not the right place, you may remove those comments.
>>
>> Thanks
>> thierry
>>
>
> Hello Thierry,
> Indeed, I accidentally removed these. Thank you for the careful review.
> Rebase is needed, but it is due to a change in VERSION and is useless to do
> before push as there are too many patches going to master right now.
> Martin, are you (as a reporter) OK with the patch?
>
Not entirely. I still see some weird permission in stageuser.py:
    #
    # Active container
    #
    # Stage user administrators need write right on RDN when
    # the active user is deleted (preserved)
    'System: Write Active Users RDN by administrators': {
        'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
        'ipapermbindruletype': 'permission',
        'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
                            api.env.basedn),
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'ipapermdefaultattr': {'uid'},
        'default_privileges': {'Stage User Administrators'},
    },
This was supposed to be "System: Modify User RDN". When the name is also
fixed, I am fine.
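A regression check of the kind this thread motivates, added here and not FreeIPA's own code: it walks a managed-permission table in the shape stageuser.py uses and reports whether the write right on 'uid' under the active container is still granted to Stage User Administrators, so that renaming a permission passes while removing it is caught. The container DN and the table are constructed plain strings standing in for FreeIPA's DN() and api objects.

```python
# Added example (not FreeIPA code): verify that a right the thread says
# 'user-del --preserve' depends on survives edits to a permission table.
# DNs are constructed strings instead of FreeIPA's DN()/api.env.basedn.

ACTIVE_CONTAINER = "cn=users,cn=accounts,dc=example,dc=test"  # constructed

# Constructed table mirroring the entry quoted in the thread.
PERMISSIONS = {
    "System: Write Active Users RDN by administrators": {
        "ipapermlocation": ACTIVE_CONTAINER,
        "ipapermbindruletype": "permission",
        "ipapermtarget": "uid=*," + ACTIVE_CONTAINER,
        "ipapermtargetfilter": {"(objectclass=posixaccount)"},
        "ipapermright": {"write"},
        "ipapermdefaultattr": {"uid"},
        "default_privileges": {"Stage User Administrators"},
    },
}

# The right the thread identifies as needed for user-del --preserve.
PRESERVE_REQUIREMENT = ("Stage User Administrators", "write", "uid",
                        ACTIVE_CONTAINER)


def grants(perm, privilege, right, attr, location):
    """True if one permission gives `privilege` `right` on `attr` at `location`."""
    return (
        privilege in perm.get("default_privileges", set())
        and right in perm.get("ipapermright", set())
        and attr in perm.get("ipapermdefaultattr", set())
        and perm.get("ipapermlocation") == location
    )


def missing_rights(permissions, required):
    """Return the (privilege, right, attr, location) tuples nothing grants."""
    return [req for req in required
            if not any(grants(p, *req) for p in permissions.values())]


def renamed(permissions, old, new):
    """Copy of the table with one permission renamed; rights are unchanged."""
    return {(new if k == old else k): v for k, v in permissions.items()}


if __name__ == "__main__":
    print(missing_rights(PERMISSIONS, [PRESERVE_REQUIREMENT]))  # []
    fixed = renamed(PERMISSIONS, "System: Write Active Users RDN by administrators",
                    "System: Modify User RDN")
    print(missing_rights(fixed, [PRESERVE_REQUIREMENT]))  # []
    print(missing_rights({}, [PRESERVE_REQUIREMENT]))  # the requirement
```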