[Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.
thierry bordaz
tbordaz at redhat.com
Thu Jun 11 17:49:31 UTC 2015
On 06/11/2015 04:34 PM, David Kupka wrote:
> Dne 11.6.2015 v 16:17 Martin Kosek napsal(a):
>> On 06/11/2015 03:55 PM, David Kupka wrote:
>>> Dne 11.6.2015 v 14:12 thierry bordaz napsal(a):
>>>> On 06/10/2015 02:14 PM, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5057
>>>> Hello David,
>>>>
>>>> The patch looks ok except it removes a permission to update 'uid' from
>>>> an active user. This permission is required to delete(preserve) an
>>>> active user.
>>>>
>>>> - # Active container
>>>> - #
>>>> - # Stage user administrators need write right on RDN when
>>>> - # the active user is deleted (preserved)
>>>> - 'System: Write Active Users RDN by administrators': {
>>>> - 'ipapermlocation': DN(baseuser.active_container_dn,
>>>> api.env.basedn),
>>>> - 'ipapermbindruletype': 'permission',
>>>> - 'ipapermtarget': DN('uid=*',
>>>> baseuser.active_container_dn, api.env.basedn),
>>>> - 'ipapermtargetfilter':
>>>> {'(objectclass=posixaccount)'},
>>>> - 'ipapermright': {'write'},
>>>> - 'ipapermdefaultattr': {'uid'},
>>>> - 'default_privileges': {'Stage User Administrators'},
>>>> - },
>>>> - #
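Review bot: removing 'System: Write Active Users RDN by administrators' in this hunk drops the only write right on 'uid' for entries under the active container (ipapermtarget 'uid=*' under baseuser.active_container_dn, ipapermdefaultattr {'uid'}), and that is the right 'user-del --preserve' needs when it renames the entry out of the active container, as the comment being deleted says; keep the permission (renaming it to a clearer name is fine) rather than deleting it, and if the name changes, update the 'default_privileges' grant to 'Stage User Administrators' with it so the privilege still covers the preserve operation.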
>>>>
>>>> I prepared a new patch (attached) with that permission and it makes
>>>> 'user-del --preserve' happy.
>>>> Now I think the name would rather be something like: 'System: Preserve
>>>> an active user (user-del --preserve)'
>>>>
>>>> I also added back this comment in two permissions 'Note:
>>>> targetfilter is
>>>> the target parent container'.
>>>> This was to say that the targetfilter setting was intentional.
>>>> If you think it is not the right place, you may remove those comments.
>>>>
>>>> Thanks
>>>> thierry
>>>>
>>>
>>> Hello Thierry,
>>> Indeed, I accidentally removed these. Thank you for the careful review.
>>> Rebase is needed, but it is due to the change in VERSION and it is useless
>>> to do it before push as there are too many patches going to master right now.
>>> Martin, are you (as a reporter) OK with the patch?
>>>
>>
>> Not entirely. I still see some weird permission in stageuser.py:
>>
>> #
>> # Active container
>> #
>> # Stage user administrators need write right on RDN when
>> # the active user is deleted (preserved)
>> 'System: Write Active Users RDN by administrators': {
>> 'ipapermlocation': DN(baseuser.active_container_dn, api.env.basedn),
>> 'ipapermbindruletype': 'permission',
>> 'ipapermtarget': DN('uid=*', baseuser.active_container_dn, api.env.basedn),
>> 'ipapermtargetfilter': {'(objectclass=posixaccount)'},
>> 'ipapermright': {'write'},
>> 'ipapermdefaultattr': {'uid'},
>> 'default_privileges': {'Stage User Administrators'},
>> },
>>
>> This was supposed to be "System: Modify User RDN". When the name is also
>> fixed, I am fine.
>>
> Updated patch attached.
>
>
Hi David,
All the tests are ok. The patch is fine for me. ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150611/eaa524b0/attachment.htm>
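The point of the thread is that a permission can look redundant in stageuser.py and still be the only thing that lets 'user-del --preserve' rename an active user out of its container. The script below is an added illustration (not FreeIPA's ACI engine and not code from the patch): it models the managed-permission dict from the discussion with a deliberately minimal DN and targetfilter matcher, so you can check whether a privilege still grants 'write' on the 'uid' RDN attribute of an active user before a permission is removed or renamed. BASEDN and ACTIVE_CONTAINER are constructed stand-ins for api.env.basedn and baseuser.active_container_dn; the entries are constructed samples.

```python
"""
Simplified model of a FreeIPA managed permission, used to check whether a
privilege still grants write access to the 'uid' RDN attribute of an active
user entry, the right that 'ipa user-del --preserve' needs when it moves the
entry out of the active container.  Added illustration only: DN wildcard
matching and targetfilter evaluation are reduced to what this check needs.
"""
import fnmatch
import re

# Constructed values standing in for api.env.basedn and
# baseuser.active_container_dn from the real plugin.
BASEDN = "dc=example,dc=com"
ACTIVE_CONTAINER = "cn=users,cn=accounts"


def dn(*parts):
    """Join RDN components like DN(...) in the patch: most specific first."""
    return ",".join(parts)


# The permission the patch dropped, under the name Martin asked for.
MODIFY_USER_RDN = {
    'ipapermlocation': dn(ACTIVE_CONTAINER, BASEDN),
    'ipapermbindruletype': 'permission',
    'ipapermtarget': dn('uid=*', ACTIVE_CONTAINER, BASEDN),
    'ipapermtargetfilter': {'(objectclass=posixaccount)'},
    'ipapermright': {'write'},
    'ipapermdefaultattr': {'uid'},
    'default_privileges': {'Stage User Administrators'},
}


def _entry_matches_filter(entry, filters):
    """Evaluate the only filter shape used here, (attr=value); all must hold."""
    for f in filters:
        m = re.fullmatch(r"\((\w+)=([^)]+)\)", f)
        if not m:
            raise ValueError("unsupported filter: %s" % f)
        attr, value = m.group(1).lower(), m.group(2).lower()
        values = {v.lower() for v in entry.get(attr, ())}
        if value not in values:
            return False
    return True


def permission_allows(perm, privilege, entry_dn, entry, right, attr):
    """True if perm, held through privilege, grants right on attr of the entry."""
    if privilege not in perm['default_privileges']:
        return False
    if right not in perm['ipapermright']:
        return False
    if attr.lower() not in {a.lower() for a in perm['ipapermdefaultattr']}:
        return False
    # ipapermtarget is a DN pattern ('uid=*' ...) matched against the entry DN.
    if not fnmatch.fnmatchcase(entry_dn.lower(), perm['ipapermtarget'].lower()):
        return False
    # The entry must also lie under ipapermlocation (subtree scope assumed).
    if not entry_dn.lower().endswith("," + perm['ipapermlocation'].lower()):
        return False
    return _entry_matches_filter(entry, perm['ipapermtargetfilter'])


def can_preserve_active_user(permissions, privilege, entry_dn, entry):
    """Preserving renames/moves the entry, so 'write' on its RDN attribute 'uid' is required."""
    return any(permission_allows(p, privilege, entry_dn, entry, 'write', 'uid')
               for p in permissions.values())


if __name__ == "__main__":
    alice_dn = dn("uid=alice", ACTIVE_CONTAINER, BASEDN)
    alice = {'objectclass': ['top', 'person', 'posixaccount'], 'uid': ['alice']}
    with_perm = {'System: Modify User RDN': MODIFY_USER_RDN}
    print("with permission :", can_preserve_active_user(with_perm, 'Stage User Administrators', alice_dn, alice))
    print("permission removed:", can_preserve_active_user({}, 'Stage User Administrators', alice_dn, alice))
```

Run it as a pre-merge check on the permission set: the first line must stay True after a rename, and the second shows what the hunk in this thread would have done to the preserve workflow.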