[Freeipa-devel] [RFE] Permissions V2

Petr Viktorin pviktori at redhat.com
Fri Dec 6 13:14:52 UTC 2013


On 12/02/2013 02:48 PM, Petr Viktorin wrote:
> On 12/02/2013 02:29 PM, Simo Sorce wrote:
>> On Fri, 2013-11-29 at 16:51 +0100, Petr Viktorin wrote:
>>
>>> I've updated the design with
>>> - updated schema (this time the OIDs are even reserved properly!)
>>> - longer attribute descriptions with examples
>>> - updated update algorithm based on discussion with Simo
>>
>> Hi Petr,
>> thank you for the update.
>>
>>> Additionally, I've updated draft designs this one references [0, 1]. The
>>> CLI/API parts of those aren't finished but the LDAP should be ready for
>>> criticism.
>>
>> It would be very nice if you can add the resulting LDAP objects in the
>> example, that will allow me to reason on the correctness of the
>> translation.
>
> OK, I'll work on that.

I've added the resulting LDAP objects to the tests here:
http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests

>>> For examples, I felt that anything I show as an example should also go
>>> in the test suite, so I added the tests. (If you're into wiki design I'd
>>> appreciate ideas about how to make that section better.)
>>> If you need any more examples, or see some dangerous corner cases, tell
>>> me and I'll add them.
>>>
>>> There is still a race condition when the subtree changes, e.g. when
>>> you'd move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX, the
>>> rights are revoked between the times the ACI is removed and re-added.
>>> At this point I'd rather document it and file a bug (and possibly start
>>> working on it right after this) than redo the internals in yet another
>>> way in the same update.
>>
>> I think that this will be fine, *after* we change the default mode to
>> deny everything, and rely on permissions to allow. This way the lack of
>> an ACI will deny (not permit!) access to arbitrary attributes.
>
> Permissions can only allow access. All our deny ACIs are built in, not
> controlled by permissions.
>
>
>>> [0] http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
>>> [1] http://www.freeipa.org/page/V3/Managed_Read_permissions
>


-- 
Petr³
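The ACI move window described in the quoted message, as a toy model added here (not code from FreeIPA or from this thread): allow-only ACIs keyed by subtree, a probe entry, and the access result after each step of a remove-then-add move versus an add-then-remove move. The suffix, the entry DN and the attribute set are constructed placeholders.

```python
# Added example (not from the FreeIPA project or this thread): a toy model of
# allow-only ACIs on LDAP subtrees, used to show the ordering window that
# appears when an ACI is moved from $SUFFIX to a narrower subtree.
SUFFIX = "dc=example,dc=test"   # constructed placeholder suffix

def is_under(entry_dn, subtree_dn):
    """True if entry_dn is subtree_dn itself or lies below it."""
    return entry_dn == subtree_dn or entry_dn.endswith("," + subtree_dn)

def allowed(acis, entry_dn, attr):
    """Allow-only evaluation: access exists only if some ACI grants it.
    No deny rule is derived from permissions, so absence means denied."""
    return any(is_under(entry_dn, subtree) and attr in attrs
               for subtree, attrs in acis)

def move_remove_first(acis, old, new, attrs, probe):
    """Move an ACI by deleting it, then re-adding it under the new subtree.
    Returns the probe result after each step; the first is the window."""
    trace = []
    acis.remove((old, attrs)); trace.append(allowed(acis, *probe))
    acis.append((new, attrs)); trace.append(allowed(acis, *probe))
    return trace

def move_add_first(acis, old, new, attrs, probe):
    """Same move, but add the new ACI before removing the old one, so the
    probed entry never loses access in between (brief overlap is harmless
    because ACIs here can only allow)."""
    trace = []
    acis.append((new, attrs)); trace.append(allowed(acis, *probe))
    acis.remove((old, attrs)); trace.append(allowed(acis, *probe))
    return trace

def demo(mover):
    users = "cn=users,cn=accounts," + SUFFIX
    acis = [(SUFFIX, {"cn", "uid"})]          # ACI initially at the suffix
    probe = ("uid=alice," + users, "uid")     # constructed user entry
    return mover(acis, SUFFIX, users, {"cn", "uid"}, probe)

if __name__ == "__main__":
    print("remove-then-add:", demo(move_remove_first))  # [False, True]
    print("add-then-remove:", demo(move_add_first))     # [True, True]
```

The model treats each ACI change as a separately visible step, which is what produces the revoked window; it does not reproduce the wiki's update algorithm.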