[Freeipa-devel] [RFE] Permissions V2

Petr Viktorin pviktori at redhat.com
Mon Dec 2 13:48:40 UTC 2013


On 12/02/2013 02:29 PM, Simo Sorce wrote:
> On Fri, 2013-11-29 at 16:51 +0100, Petr Viktorin wrote:
>
>> I've updated the design with
>> - updated schema (this time the OIDs are even reserved properly!)
>> - longer attribute descriptions with examples
>> - updated update algorithm based on discussion with Simo
>
> Hi Petr,
> thank you for the update.
>
>> Additionally, I've updated the draft designs this one references [0, 1]. The
>> CLI/API parts of those aren't finished, but the LDAP should be ready for
>> criticism.
>
> It would be very nice if you could add the resulting LDAP objects to the
> example; that would allow me to reason about the correctness of the
> translation.

OK, I'll work on that.

>> For examples, I felt that anything I show as an example should also go
>> in the test suite, so I added the tests. (If you're into wiki design I'd
>> appreciate ideas about how to make that section better.)
>> If you need any more examples, or see some dangerous corner cases, tell
>> me and I'll add them.
>>
>> There is still a race condition when the subtree changes, e.g. when
>> you'd move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX, the
>> rights are revoked between the times the ACI is removed and re-added.
>> At this point I'd rather document it and file a bug (and possibly start
>> working on it right after this) than redo the internals in yet another
>> way in the same update.
>
> I think that this will be fine, *after* we change the default mode to
> deny everything, and rely on permissions to allow. This way the lack of
> an ACI will deny (not permit!) access to arbitrary attributes.

Permissions can only allow access. All our deny ACIs are built in, not controlled by permissions.


>> [0] http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
>> [1] http://www.freeipa.org/page/V3/Managed_Read_permissions

-- 
Petr³
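The revocation window described in the message above, modelled as an added example (not code from this thread or from FreeIPA): a toy allow-only ACI tree in which the remove-then-re-add move of an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX denies access for one step, while the reversed order (an assumption here, not something the thread proposes) keeps access throughout. SUFFIX, PERM and the user entry are constructed placeholders.

```python
# Toy model of subtree-scoped, allow-only ACIs (constructed; not 389-DS or
# FreeIPA code). An entry is accessible iff an ACI granting the permission
# sits on the entry's own subtree or on an ancestor; otherwise access is
# denied, matching "permissions can only allow access".
SUFFIX = "dc=example,dc=com"   # assumption: placeholder for $SUFFIX
PERM = "example-read-users"    # constructed permission name

def parent(dn):
    """Return the parent DN, or None once the suffix is reached."""
    _, sep, tail = dn.partition(",")
    return tail if sep else None

class AciTree:
    """Maps a subtree DN to the set of permissions whose ACI lives there."""
    def __init__(self):
        self.acis = {}

    def add(self, subtree, perm):
        self.acis.setdefault(subtree, set()).add(perm)

    def remove(self, subtree, perm):
        self.acis.get(subtree, set()).discard(perm)

    def allowed(self, entry_dn, perm):
        dn = entry_dn
        while dn is not None:            # walk up towards the suffix
            if perm in self.acis.get(dn, set()):
                return True
            dn = parent(dn)
        return False                     # no allow ACI found: deny

def move_aci(tree, perm, old_subtree, new_subtree, entry_dn, add_first=False):
    """Move the ACI and record access to entry_dn after each step.
    add_first=False is the remove-then-re-add order the thread describes."""
    ops = [("remove", old_subtree), ("add", new_subtree)]
    if add_first:
        ops.reverse()
    steps = [("before", tree.allowed(entry_dn, perm))]
    for op, subtree in ops:
        getattr(tree, op)(subtree, perm)
        steps.append((f"after {op} at {subtree}", tree.allowed(entry_dn, perm)))
    return steps

def demo(add_first=False):
    """Move the ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX; return per-step access."""
    tree = AciTree()
    tree.add(SUFFIX, PERM)
    user = "uid=alice,cn=users,cn=accounts," + SUFFIX   # constructed entry
    return move_aci(tree, PERM, SUFFIX, "cn=users,cn=accounts," + SUFFIX,
                    user, add_first)
```

The middle step of `demo()` is the window in which the user entry has no allow ACI anywhere in its ancestry, so access is denied until the ACI is re-added.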
