[Freeipa-devel] [PATCH] 227 virtual operations

Rob Crittenden rcritten at redhat.com
Fri Jul 10 20:45:06 UTC 2009


Simo Sorce wrote:
> On Mon, 2009-06-01 at 14:49 -0400, Rob Crittenden wrote:
>> There are some operations, like those for the certificate system, that
>> don't need to write to the directory server. So instead we have an entry
>> that we test against to determine whether the operation is allowed or
>> not.
>>
>> This is done by attempting a write on the entry. If it would succeed
>> then permission is granted. If not then denied. The write we attempt is
>> actually invalid so the write itself will fail but the attempt will fail
>> first if access is not permitted, so we can distinguish between the two
>> without polluting the entry.
>>
>> To use this you subclass from the VirtualCommand class, then make a call
>> to super() to invoke the ACI enforcement. You also need to create the
>> virtual entry to test against, and perhaps a set of role and task
>> groups for delegation purposes.
> 
> ack
> 

pushed to master
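
Added illustration (not part of the original thread and not FreeIPA code): a self-contained Python model of the probe write described in the quoted patch description. ToyDirectory, PROBE_ATTR, operation_allowed and the DNs are hypothetical names; the model assumes, as the description states, that the server evaluates access control before it validates the write.

```python
class InsufficientAccess(Exception):
    """Models LDAP insufficientAccessRights (result code 50)."""

class InvalidWrite(Exception):
    """Models the error for a write the server rejects as invalid."""

class ToyDirectory:
    """In-memory stand-in for the directory: ACL check first, validity second."""
    def __init__(self, valid_attrs):
        self.valid_attrs = set(valid_attrs)
        self.entries = {}  # dn -> {"writers": set of bind DNs, "attrs": dict}

    def add_entry(self, dn, writers):
        self.entries[dn] = {"writers": set(writers), "attrs": {}}

    def modify(self, bind_dn, dn, attr, value):
        entry = self.entries[dn]
        if bind_dn not in entry["writers"]:   # access control is evaluated first
            raise InsufficientAccess(dn)
        if attr not in self.valid_attrs:      # only then is the write validated
            raise InvalidWrite(attr)
        entry["attrs"][attr] = value

PROBE_ATTR = "x-probe-invalid"  # hypothetical attribute, deliberately not valid

def operation_allowed(directory, bind_dn, virtual_dn):
    """Probe the virtual entry; grant only on the expected 'invalid write' error."""
    try:
        directory.modify(bind_dn, virtual_dn, PROBE_ATTR, "probe")
    except InsufficientAccess:
        return False
    except InvalidWrite:
        return True
    # The probe was accepted: the entry got polluted, so fail loudly, never grant.
    raise RuntimeError("probe write succeeded; probe attribute must be invalid")

# Constructed sample data (not from the FreeIPA tree).
VIRTUAL_DN = "cn=request certificate,cn=virtual operations,dc=example,dc=com"
CERT_ADMIN = "uid=certadmin,cn=users,dc=example,dc=com"
ORDINARY = "uid=alice,cn=users,dc=example,dc=com"

def build_sample_directory():
    directory = ToyDirectory(valid_attrs={"description"})
    directory.add_entry(VIRTUAL_DN, writers={CERT_ADMIN})
    return directory

if __name__ == "__main__":
    d = build_sample_directory()
    for who in (CERT_ADMIN, ORDINARY):
        print(who, "->", operation_allowed(d, who, VIRTUAL_DN))
```

Any error other than the expected invalid-write result propagates to the caller, so an unexpected server response is never read as a grant.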