[Freeipa-devel] [RFE] Permissions V2

Simo Sorce simo at redhat.com
Fri Dec 6 15:59:07 UTC 2013 

On Fri, 2013-12-06 at 16:02 +0100, Petr Viktorin wrote:
> On 12/06/2013 03:49 PM, Simo Sorce wrote:
> > On Fri, 2013-12-06 at 15:46 +0100, Petr Viktorin wrote:
> >> On 12/06/2013 03:28 PM, Simo Sorce wrote:
> >>> On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
> >>>> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
> >>>>> On 12/02/2013 02:29 PM, Simo Sorce wrote:
> >>>
> >>>>>> It would be very nice if you can add the resulting LDAP objects in the
> >>>>>> example, that will allow me to reason on the correctness of the
> >>>>>> translation.
> >>>>>
> >>>>> OK, I'll work on that.
> >>>>
> >>>> I've added the resulting LDAP objects to the tests here:
> >>>> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests
> >>>
> >>> Thank you Petr,
> >>> I was looking at them and I see we often use target=ldap://<dn> type for
> >>> selecting which objects this apply to.
> >>>
> >>> This was sort of necessary when the permissions were all in the base and
> >>> we wanted to limit to specific entries in subtrees.
> >>>
> >>> However I was wondering if we shouldn't transition/allow to user
> >>> targetfilter or targetattrfilter (this would be needed to have
> >>> add/delete permissions).
> >>>
> >>> For example, instead of:
> >>>     (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
> >>> We could have:
> >>>     (targetfilter = "(objectclass=ipaUser)")
> >>>
> >>> It also occurs to me we could do very neat things like allowing manager
> >>> access with (targetfilter = "(managedby=<dn>)"), and similar.
> >>>
> >>> In general using targetfilter and targetattrfilter is more flexible and
> >>> allow for applying different permission depending exacly on the object
> >>> type or even specific sets of objects of a common type. Something the
> >>> simple target filter cannot do.
> >>>
> >>> What do you think ?
> >>
> >> +1
> >>
> >> I don't think this should block the framework patches that are on list
> >> now, though. I'll file a RFE for tuning how the default and "type"
> >> permissions look. Would that be fine?
> >
> > Do we need a new attribute, or do you think we can do this without
> > changing the schema ?
> 
> Ah, yes. Please reserve ipaPermTargetAttrFilter.
> (ipaPermTargetFilter is already reserved)

Use:
2.16.840.1.113730.3.8.11.50


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list