[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.
David Kupka
dkupka at redhat.com
Thu Jun 11 14:34:16 UTC 2015
Dne 11.6.2015 v 16:17 Martin Kosek napsal(a):
> On 06/11/2015 03:55 PM, David Kupka wrote:
>> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a):
>>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5057
>>> Hello David,
>>>
>>> The patch looks ok except it removes a permission to update 'uid' from
>>> an active user. This permission is required to delete (preserve) an
>>> active user.
>>>
>>> - # Active container
>>> - #
>>> - # Stage user administrators need write right on RDN when
>>> - # the active user is deleted (preserved)
>>> - 'System: Write Active Users RDN by administrators': {
>>> - 'ipapermlocation': DN(baseuser.active_container_dn,
>>> api.env.basedn),
>>> - 'ipapermbindruletype': 'permission',
>>> - 'ipapermtarget': DN('uid=*',
>>> baseuser.active_container_dn, api.env.basedn),
>>> - 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>>> - 'ipapermright': {'write'},
>>> - 'ipapermdefaultattr': {'uid'},
>>> - 'default_privileges': {'Stage User Administrators'},
>>> - },
>>> - #
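Review bot: Deleting this block removes the only write grant on 'uid' under the active container for 'Stage User Administrators', which the preserve path ('user-del --preserve') needs to rewrite the entry's RDN; as the thread concludes, the fix is to keep the permission and rename it (the reporter asks for "System: Modify User RDN"), not to drop it. Note also that the grant is already narrow on purpose: 'ipapermtarget' is 'uid=*' under the active container, 'ipapermtargetfilter' restricts it to '(objectclass=posixaccount)', and 'ipapermdefaultattr' is just {'uid'}, so retaining it does not widen what stage user administrators can modify.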
>>>
>>> I prepared a new patch (attached) with that permission and it makes
>>> 'user-del --preserve' happy.
>>> Now I think the name would rather be something like: 'System: Preserve
>>> an active user (user-del --preserve)'
>>>
>>> I also added back this comment in two permissions 'Note: targetfilter is
>>> the target parent container'.
>>> This was to say that the targetfilter setting was intentional.
>>> If you think it is not the right place, you may remove those comments.
>>>
>>> Thanks
>>> thierry
>>>
>>
>> Hello Thierry,
>> Indeed, I accidentally removed these. Thank you for careful review.
>> Rebase is needed but it is due to a change in VERSION and it is useless to do it
>> before push as there are too many patches going to master right now.
>> Martin, are you (as a reporter) OK with the patch?
>>
>
> Not entirely. I still see some weird permission in stageuser.py:
>
> #
> # Active container
> #
> # Stage user administrators need write right on RDN when
> # the active user is deleted (preserved)
> 'System: Write Active Users RDN by administrators': {
>     'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
>     'ipapermbindruletype': 'permission',
>     'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
>                         api.env.basedn),
>     'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>     'ipapermright': {'write'},
>     'ipapermdefaultattr': {'uid'},
>     'default_privileges': {'Stage User Administrators'},
> },
>
> This was supposed to be "System: Modify User RDN". When the name is also
> fixed, I am fine.
>
Updated patch attached.
--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0052.2-Stage-User-Fix-permissions-naming-and-split-them-whe.patch
Type: text/x-patch
Size: 18043 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150611/758f2b46/attachment.bin>
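The regression Thierry caught (a permission silently dropped, so 'user-del --preserve' no longer had write on the RDN attribute) is the kind of thing a small consistency check over the managed-permission table can catch before review. The following is an added example, not FreeIPA's own code: it models the permission Martin quotes from stageuser.py, under the name the thread settles on, as a plain dict, and checks that the 'Stage User Administrators' privilege still holds 'write' on 'uid' in the active container. The container DNs, the base suffix and the second permission are constructed for the example; the real plugin builds DNs with DN(...) and api.env.basedn.

```python
# Added example, not FreeIPA code: a lint over managed-permission definitions
# shaped like those in ipalib/plugins/stageuser.py.  DNs are plain strings here.

BASEDN = "dc=example,dc=test"                      # constructed placeholder suffix
ACTIVE_CONTAINER = "cn=users,cn=accounts," + BASEDN            # constructed
STAGE_CONTAINER = ("cn=staged users,cn=accounts,cn=provisioning,"
                   + BASEDN)                                     # constructed

MANAGED_PERMISSIONS = {
    # The permission quoted in the thread, with the agreed name.
    'System: Modify User RDN': {
        'ipapermlocation': ACTIVE_CONTAINER,
        'ipapermbindruletype': 'permission',
        'ipapermtarget': 'uid=*,' + ACTIVE_CONTAINER,
        'ipapermtargetfilter': {'(objectclass=posixaccount)'},
        'ipapermright': {'write'},
        'ipapermdefaultattr': {'uid'},
        'default_privileges': {'Stage User Administrators'},
    },
    # A second, unrelated permission (constructed) so the check has
    # something it must not match.
    'System: Read Stage Users': {
        'ipapermlocation': STAGE_CONTAINER,
        'ipapermbindruletype': 'permission',
        'ipapermtarget': 'uid=*,' + STAGE_CONTAINER,
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'uid', 'cn'},
        'default_privileges': {'Stage User Administrators'},
    },
}


def grants(perms, privilege, location, right, attr):
    """Names of permissions that give `privilege` the `right` on `attr`
    for entries under `location`.  LDAP attribute names are
    case-insensitive, so compare them lower-cased."""
    hits = []
    for name, perm in perms.items():
        if privilege not in perm.get('default_privileges', set()):
            continue
        if perm.get('ipapermlocation') != location:
            continue
        if right not in perm.get('ipapermright', set()):
            continue
        attrs = {a.lower() for a in perm.get('ipapermdefaultattr', set())}
        if attr.lower() not in attrs:
            continue
        hits.append(name)
    return sorted(hits)


def check_preserve_requirements(perms, privilege='Stage User Administrators'):
    """user-del --preserve rewrites the RDN of an active user entry, so the
    privilege needs 'write' on 'uid' under the active container.
    Returns a list of problems; empty means the table is consistent."""
    problems = []
    if not grants(perms, privilege, ACTIVE_CONTAINER, 'write', 'uid'):
        problems.append(
            "%s lack write on uid under %s; user-del --preserve cannot "
            "rename the entry" % (privilege, ACTIVE_CONTAINER))
    return problems


if __name__ == '__main__':
    # With the permission present the table passes; with it removed
    # (the state Thierry reviewed) the check reports the gap.
    print(check_preserve_requirements(MANAGED_PERMISSIONS))
    without = {k: v for k, v in MANAGED_PERMISSIONS.items()
               if k != 'System: Modify User RDN'}
    print(check_preserve_requirements(without))
```

Run as a unit test alongside the plugin's permission table, a check like this fails the moment a rename or split drops the grant, instead of surfacing as a broken 'user-del --preserve' during review.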