[Freeipa-devel] [PATCH] Changed dns permission types

Jan Zelený jzeleny at redhat.com
Tue Jan 25 10:35:41 UTC 2011


Rob Crittenden <rcritten at redhat.com> wrote:
> Jan Zelený wrote:
> > Rob Crittenden<rcritten at redhat.com>  wrote:
> >> Jan Zelený wrote:
> >>> A recent change of the DNS module to version caused the dns object type
> >>> to be replaced by dnszone and dnsrecord. This patch corrects the dns types
> >>> in the permissions class.
> >>> 
> >>> https://fedorahosted.org/freeipa/ticket/646
> >> 
> >> Nack. These values need to be added as valid types to the aci plugin and
> >> the _type_map needs to be updated.
> >> 
> >> rob
> > 
> > I'm sending an updated patch.
> > 
> > Jan
> 
> Since dnszone and dnsrecord point to the same kind of entry what is the
> point of having two separate names for them? When we read the entry we
> aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing here 
(please ignore the comment if it is wrong):
Sure, an object with the idnszone class is always also in the dnsrecord class, but that's 
not the case backwards (an idnsrecord object isn't always idnszone) - so I think 
it is possible to set different ACIs for these two types.

> Can the type be made more specific?

If the mapping doesn't distinguish object classes and it can, maybe that's the 
answer. Will investigate further. But if not, I still think this is the way to 
go considering the underlying issue which we tried to solve by this change.

Jan



