[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

David Kupka dkupka at redhat.com
Thu Jun 11 14:34:16 UTC 2015


On 11.6.2015 at 16:17 Martin Kosek wrote:
> On 06/11/2015 03:55 PM, David Kupka wrote:
>> On 11.6.2015 at 14:12 thierry bordaz wrote:
>>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5057
>>> Hello David,
>>>
>>> The patch looks ok except it removes a permission to update 'uid' from
>>> an active user. This permission is required to delete (preserve) an
>>> active user.
>>>
>>>      -        # Active container
>>>      -        #
>>>      -        # Stage user administrators need write right on RDN when
>>>      -        # the active user is deleted (preserved)
>>>      -        'System: Write Active Users RDN by administrators': {
>>>      -            'ipapermlocation': DN(baseuser.active_container_dn,
>>>      api.env.basedn),
>>>      -            'ipapermbindruletype': 'permission',
>>>      -            'ipapermtarget': DN('uid=*',
>>>      baseuser.active_container_dn, api.env.basedn),
>>>      -            'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>>>      -            'ipapermright': {'write'},
>>>      -            'ipapermdefaultattr': {'uid'},
>>>      -            'default_privileges': {'Stage User Administrators'},
>>>      -        },
>>>      -        #
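Review bot: this hunk removes the only permission that gives 'Stage User Administrators' the 'write' right on 'uid' under baseuser.active_container_dn (`'ipapermdefaultattr': {'uid'}`, `'ipapermright': {'write'}`), and that write on the RDN attribute is exactly what preserving an active user needs when the entry is renamed out of the active container; the permission should be kept under its corrected name rather than deleted, otherwise user-del --preserve fails for that privilege.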
>>>
>>> I prepared a new patch (attached) with that permission and it makes
>>> 'user-del --preserve' happy.
>>> Now I think the name would rather be something like: 'System: Preserve
>>> an active user (user-del --preserve)'
>>>
>>> I also added back this comment in two permissions 'Note: targetfilter is
>>> the target parent container'.
>>> This was to say that the targetfilter setting was intentional.
>>> If you think it is not the right place, you may remove those comments.
>>>
>>> Thanks
>>> thierry
>>>
>>
>> Hello Thierry,
>> Indeed, I accidentally removed these. Thank you for the careful review.
>> A rebase is needed, but it is due to a change in VERSION, and it is useless to do it
>> before push as there are too many patches going to master right now.
>> Martin, are you (as a reporter) OK with the patch?
>>
>
> Not entirely. I still see some weird permission in stageuser.py:
>
>          #
>          # Active container
>          #
>          # Stage user administrators need write right on RDN when
>          # the active user is deleted (preserved)
>          'System: Write Active Users RDN by administrators': {
>              'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
>              'ipapermbindruletype': 'permission',
>              'ipapermtarget': DN('uid=*', baseuser.active_container_dn,
> api.env.basedn),
>              'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>              'ipapermright': {'write'},
>              'ipapermdefaultattr': {'uid'},
>              'default_privileges': {'Stage User Administrators'},
>          },
>
> This was supposed to be "System: Modify User RDN". When the name is also
> fixed, I am fine.
>
Updated patch attached.


-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0052.2-Stage-User-Fix-permissions-naming-and-split-them-whe.patch
Type: text/x-patch
Size: 18043 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150611/758f2b46/attachment.bin>
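The regression discussed in this thread (a managed permission dropped, leaving a privilege without the 'uid' write right that user-del --preserve depends on) is the kind of thing a small table-level consistency check catches before a patch is pushed. The following is an added example, not FreeIPA project code: it takes a managed-permission table of the shape quoted above and reports every operation whose required (privilege, location, right, attribute) is no longer granted by any entry. It assumes plain-string DNs in place of ipalib DN objects, a constructed base DN, and the active container location 'cn=users,cn=accounts'; the permission name follows Martin's comment.

```python
# Added example (not FreeIPA project code): consistency check over a
# managed-permission table of the shape quoted in this thread. It verifies
# that a privilege still holds every (location, right, attribute) that a
# given operation depends on.
# Assumptions: DN values are plain strings instead of ipalib DN objects,
# BASE_DN is a constructed placeholder, and the active users container is
# assumed to be 'cn=users,cn=accounts'.

BASE_DN = "dc=example,dc=test"                        # constructed placeholder
ACTIVE_CONTAINER = "cn=users,cn=accounts," + BASE_DN  # assumed location

# Table mirroring the permission quoted in the thread, under the name Martin asked for.
MANAGED_PERMISSIONS_OK = {
    "System: Modify User RDN": {
        "ipapermlocation": ACTIVE_CONTAINER,
        "ipapermbindruletype": "permission",
        "ipapermtarget": "uid=*," + ACTIVE_CONTAINER,
        "ipapermtargetfilter": {"(objectclass=posixaccount)"},
        "ipapermright": {"write"},
        "ipapermdefaultattr": {"uid"},
        "default_privileges": {"Stage User Administrators"},
    },
}

# The same table with that permission dropped, as in the first version of the patch.
MANAGED_PERMISSIONS_BROKEN = {}

# Rights an operation depends on. The thread states that preserving an active
# user needs the 'uid' (RDN) write right in the active container.
REQUIRED_RIGHTS = {
    "user-del --preserve": {
        "privilege": "Stage User Administrators",
        "location": ACTIVE_CONTAINER,
        "right": "write",
        "attr": "uid",
    },
}


def grants(perm, privilege, location, right, attr):
    """True if one managed permission gives `privilege` `right` on `attr` at `location`."""
    return (
        privilege in perm.get("default_privileges", set())
        and perm.get("ipapermlocation") == location
        and right in perm.get("ipapermright", set())
        and attr in perm.get("ipapermdefaultattr", set())
    )


def missing_rights(permissions, required=REQUIRED_RIGHTS):
    """Return the operations whose required right no permission in the table grants."""
    missing = []
    for operation, req in required.items():
        granted = any(
            grants(p, req["privilege"], req["location"], req["right"], req["attr"])
            for p in permissions.values()
        )
        if not granted:
            missing.append(operation)
    return missing


if __name__ == "__main__":
    # Expected: [] for the table that keeps the permission,
    # ['user-del --preserve'] for the table that dropped it.
    print("ok table, missing:", missing_rights(MANAGED_PERMISSIONS_OK))
    print("broken table, missing:", missing_rights(MANAGED_PERMISSIONS_BROKEN))
```

The check is deliberately keyed on the privilege, location, right and attribute rather than on the permission's name, so renaming 'System: Write Active Users RDN by administrators' to 'System: Modify User RDN' passes while silently dropping the entry does not.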

