[Freeipa-devel] [PATCH] 227 virtual operations

Simo Sorce ssorce at redhat.com
Fri Jul 10 14:06:51 UTC 2009


On Mon, 2009-06-01 at 14:49 -0400, Rob Crittenden wrote:
> There are some operations, like those for the certificate system, that
> don't need to write to the directory server. So instead we have an entry
> that we test against to determine whether the operation is allowed or
> not.
> 
> This is done by attempting a write on the entry. If it would succeed
> then permission is granted. If not then denied. The write we attempt is
> actually invalid so the write itself will fail but the attempt will fail
> first if access is not permitted, so we can distinguish between the two
> without polluting the entry.
> 
> To use this you subclass from the VirtualCommand class, then make a call
> to super() to invoke the ACI enforcement. You also need to create the
> virtual entry to test against, and perhaps set a set of role and task
> groups for delegation purposes.

ack

-- 
Simo Sorce * Red Hat, Inc * New York
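
The probe-write check described in the quoted patch summary, as an added example that is not part of the thread or of the FreeIPA patch: a toy in-memory directory evaluates access control before validating the write, and the caller maps the two failure modes to allow or deny. `ToyDirectory`, the exception classes, `check_virtual_operation`, the DNs and the probe attribute are all hypothetical names constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not FreeIPA code.
class InsufficientAccess(Exception): pass   # access control refused the write
class InvalidWrite(Exception): pass         # write was authorized but malformed
class ServerDown(Exception): pass           # any unrelated failure

VIRTUAL_BASE = "cn=virtual operations,dc=example,dc=com"  # constructed DN
PROBE_ATTR = "noSuchAttribute"  # never valid, so the probe can never be stored

class ToyDirectory:
    """Checks access first, then validity, like the server in the description."""
    def __init__(self, acl, up=True):
        self.acl = acl      # {entry DN: set of bind DNs allowed to write}
        self.up = up
        self.writes = 0     # counts modifications that were actually stored

    def modify(self, bind_dn, entry_dn, attr, value):
        if not self.up:
            raise ServerDown(entry_dn)
        if bind_dn not in self.acl.get(entry_dn, set()):
            raise InsufficientAccess(entry_dn)   # fails before validation
        if attr == PROBE_ATTR:
            raise InvalidWrite(attr)             # authorized but invalid
        self.writes += 1

def check_virtual_operation(directory, bind_dn, operation):
    """Return True only if the probe got past access control."""
    entry_dn = "cn=%s,%s" % (operation, VIRTUAL_BASE)
    try:
        directory.modify(bind_dn, entry_dn, PROBE_ATTR, "probe")
    except InvalidWrite:
        return True      # the only outcome that proves write access
    except InsufficientAccess:
        return False
    except Exception:
        return False     # fail closed: an outage must not grant permission
    # The probe was stored, so it was not invalid and the entry is polluted.
    raise RuntimeError("probe write unexpectedly succeeded on " + entry_dn)

# Constructed sample data: one virtual entry, one delegated user.
ENTRY = "cn=request certificate," + VIRTUAL_BASE
ALICE = "uid=alice,dc=example,dc=com"
MALLORY = "uid=mallory,dc=example,dc=com"
SAMPLE = ToyDirectory({ENTRY: {ALICE}})
```

Only the invalid-write error counts as a grant; every other error, including an unreachable server, is treated as a denial.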



