[Freeipa-devel] [RFE] Permissions V2

Simo Sorce simo at redhat.com
Mon Dec 2 13:29:33 UTC 2013


On Fri, 2013-11-29 at 16:51 +0100, Petr Viktorin wrote:

> I've updated the design with
> - updated schema (this time the OIDs are even reserved properly!)
> - longer attribute descriptions with examples
> - updated update algorithm based on discussion with Simo

Hi Petr,
thank you for the update.

> Additionally, I've updated draft designs this one references [0, 1]. The 
> CLI/API parts of those aren't finished but the LDAP should be ready for 
> criticism.

It would be very nice if you can add the resulting LDAP objects in the
example, that will allow me to reason on the correctness of the
translation.

> For examples, I felt that anything I show as an example should also go 
> in the test suite, so I added the tests. (If you're into wiki design I'd 
> appreciate ideas about how to make that section better.)
> If you need any more examples, or see some dangerous corner cases, tell 
> me and I'll add them.
> 
> There is still a race condition when the subtree changes, e.g. when 
> you'd move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX, the 
> rights are revoked between the times the ACI is removed and re-added.
> At this point I'd rather document it and file a bug (and possibly start 
> working on it right after this) than redo the internals in yet another 
> way in the same update.

I think that this will be fine, *after* we change the default mode to
deny everything, and rely on permissions to allow. This way the lack of
an ACI will deny (not permit!) access to arbitrary attributes.

> [0] http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
> [1] http://www.freeipa.org/page/V3/Managed_Read_permissions
> 
> 
> PS. the hack I used to generate the test plan for mediawiki is here: 
> https://github.com/encukou/ipa-tools/blob/master/mw-format-tests.py


Haven't read all the way through the test code, but having tests is
excellent.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
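The race Petr describes and Simo's point about default-deny can be made concrete with a small model. This is an added illustration, not code from the thread, from FreeIPA or from 389-ds: it treats ACIs as subtree-scoped allow/deny rules over attributes, evaluates a read against them under a configurable default mode, and performs the "move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX" update in both orderings so the window between the remove and the re-add can be probed. The rule precedence (an explicit deny beats an allow), the suffix, the entry and the attribute names are all assumptions of this toy model.

```python
"""Toy model of the ACI-move race discussed in the thread (added example,
not FreeIPA or 389-ds code; rule precedence, DNs and attributes are assumed)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

SUFFIX = "dc=example,dc=test"                  # constructed suffix
USERS = "cn=users,cn=accounts," + SUFFIX       # subtree the ACI is moved to
ALICE = "uid=alice," + USERS                   # entry whose attribute is read


@dataclass(frozen=True)
class Aci:
    subtree: str            # rule applies to this DN and everything below it
    attrs: FrozenSet[str]   # attributes the rule covers
    effect: str             # "allow" or "deny"


def is_under(entry_dn: str, subtree_dn: str) -> bool:
    return entry_dn == subtree_dn or entry_dn.endswith("," + subtree_dn)


def can_read(acis: List[Aci], entry_dn: str, attr: str, default_deny: bool) -> bool:
    """Evaluate a read of `attr` on `entry_dn`: an explicit deny wins, then an
    explicit allow; with no matching rule the default mode decides."""
    matching = [a for a in acis if is_under(entry_dn, a.subtree) and attr in a.attrs]
    if any(a.effect == "deny" for a in matching):
        return False
    if any(a.effect == "allow" for a in matching):
        return True
    return not default_deny


Probe = Callable[[List[Aci]], bool]


def move_remove_then_add(acis: List[Aci], old: Aci, new: Aci,
                         probe: Probe) -> Tuple[List[Aci], bool]:
    """The ordering with the race: drop the old rule, (window), add the new one.
    `probe` is evaluated inside the window and its result returned."""
    acis = [a for a in acis if a != old]
    in_window = probe(acis)
    return acis + [new], in_window


def move_add_then_remove(acis: List[Aci], old: Aci, new: Aci,
                         probe: Probe) -> Tuple[List[Aci], bool]:
    """Race-free ordering: add the new rule first, (window), then drop the old."""
    acis = acis + [new]
    in_window = probe(acis)
    return [a for a in acis if a != old], in_window


def window_readable(default_deny: bool, remove_first: bool) -> bool:
    """Whether the probed attribute is readable *during* the update window.

    default_deny=False models the old scheme: everything is readable unless an
    explicit deny hides it, so the rule being moved is a deny on userPassword.
    default_deny=True models the proposed scheme: nothing is readable unless a
    permission allows it, so the rule being moved is an allow on uid.
    """
    if default_deny:
        old = Aci(SUFFIX, frozenset({"uid", "cn"}), "allow")
        new = Aci(USERS, frozenset({"uid", "cn"}), "allow")
        attr = "uid"
    else:
        old = Aci(SUFFIX, frozenset({"userPassword"}), "deny")
        new = Aci(USERS, frozenset({"userPassword"}), "deny")
        attr = "userPassword"

    def probe(acis: List[Aci]) -> bool:
        return can_read(acis, ALICE, attr, default_deny)

    mover = move_remove_then_add if remove_first else move_add_then_remove
    _, readable = mover([old], old, new, probe)
    return readable


if __name__ == "__main__":
    for default_deny in (False, True):
        for remove_first in (True, False):
            print(f"default_deny={default_deny} remove_first={remove_first}: "
                  f"readable in window = {window_readable(default_deny, remove_first)}")
```

With remove-then-add under the old default-allow scheme, the window exposes the attribute the deny rule was hiding; under default-deny the same window only denies a read that the allow rule would otherwise grant, which is why Simo is comfortable documenting the race once the default flips. Adding the new rule before removing the old one closes the window in either mode.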



