[Freeipa-devel] Fwd: [PATCH] 912 Display the value of memberOf ACIs in permission plugin.
Endi Sukma Dewata
edewata at redhat.com
Wed Jan 4 22:32:41 UTC 2012
On 1/4/2012 3:47 PM, Rob Crittenden wrote:
> I guess I'm just not convinced this additional complexity would buy us
> anything.
>
> Updated patch attached that fixes the memberof display and updates the
> tests trivially.
OK, the mod output is fixed. Since the exclusivity rules aren't changed,
the following combinations are currently possible via CLI:
1. filter
2a. type
2b. type + memberof
3a. subtree
3b. subtree + memberof
4a. targetgroup
4b. targetgroup + memberof
As discussed previously it doesn't really make sense to use memberof
with targetgroup, so should we fix the rules to avoid combination #4b?
If #4b is acceptable then this patch is ACKed as is.
Here's the UI modification that Petr has created in patch #66 (click Add):
http://edewata.fedorapeople.org/freeipa/install/ui/#rolebased=permission&ipaserver=rolebased&navigation=ipaserver
To reflect the correct possible combinations, we probably should move
the 'Member of group' field somewhere below the 'Target' drop-down list
and show it only when 'Type' or 'Subtree' is selected. If we keep option
#4b then we should also show it when the 'Target group' is selected.
--
Endi S. Dewata
More information about the Freeipa-devel
mailing list