[Freeipa-devel] [RFE] Permissions V2

Martin Kosek mkosek at redhat.com
Fri Dec 6 15:07:22 UTC 2013


On 12/06/2013 03:28 PM, Simo Sorce wrote:
> On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
>> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
>>> On 12/02/2013 02:29 PM, Simo Sorce wrote:
> 
>>>> It would be very nice if you can add the resulting LDAP objects in the
>>>> example, that will allow me to reason on the correctness of the
>>>> translation.
>>>
>>> OK, I'll work on that.
>>
>> I've added the resulting LDAP objects to the tests here:
>> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests
> 
> Thank you Petr,
> I was looking at them and I see we often use target=ldap://<dn> type for
> selecting which objects this applies to.
> 
> This was sort of necessary when the permissions were all in the base and
> we wanted to limit to specific entries in subtrees.
> 
> However I was wondering if we shouldn't transition/allow to use
> targetfilter or targetattrfilter (this would be needed to have
> add/delete permissions).
> 
> For example, instead of:
>   (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
> We could have:
>   (targetfilter = "(objectclass=ipaUser)")
> 
> It also occurs to me we could do very neat things like allowing manager
> access with (targetfilter = "(managedby=<dn>)"), and similar.
> 
> In general using targetfilter and targetattrfilter is more flexible and
> allows for applying different permissions depending exactly on the object
> type or even specific sets of objects of a common type. Something the
> simple target filter cannot do.
> 
> What do you think ?
> 
> Simo.
> 
> 

I am all in. I still remember what we had to do to update ACIs for SUDO
commands just because the default RDN changed, e.g.:

remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'

With this approach, no change would be needed at all - neat!

Martin
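As an added illustration of the point Martin makes (not code from this thread or from FreeIPA): a toy evaluator for the two ACI clauses under discussion, target and targetfilter, run against the same sudo command entry named with the old sudocmd RDN and with a constructed UUID-style RDN. The $SUFFIX value, the entry's attributes and the UUID RDN are assumptions, and the 389-DS matching rules are simplified as noted in the comments.

```python
import re
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=com"  # constructed; stands in for the $SUFFIX placeholder
CLAUSE_RE = re.compile(r'\((target|targetfilter)\s*=\s*"([^"]*)"\)')

def parse_aci(aci):
    """Pull the target/targetfilter clauses out of an ACI string; other clauses are ignored."""
    return {k: v.replace("$SUFFIX", SUFFIX) for k, v in CLAUSE_RE.findall(aci)}

def norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))

def target_matches(target, dn):
    """Simplified 389-DS 'target' rule: '*' patterns are wildcard-matched against
    the DN; a plain DN selects that entry and everything beneath it."""
    pattern, dn = norm(target[len("ldap:///"):]), norm(dn)
    if "*" in pattern:
        return fnmatchcase(dn, pattern)
    return dn == pattern or dn.endswith("," + pattern)

def filter_matches(targetfilter, attrs):
    """Only a single equality filter such as (objectclass=ipasudocmd) is handled."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", targetfilter)
    if not m:
        raise ValueError("unsupported filter: " + targetfilter)
    return m.group(2).lower() in (v.lower() for v in attrs.get(m.group(1).lower(), []))

def aci_applies(aci, dn, attrs):
    """True when every target/targetfilter clause selects the entry (attrs keyed lowercase)."""
    c = parse_aci(aci)
    return (("target" not in c or target_matches(c["target"], dn)) and
            ("targetfilter" not in c or filter_matches(c["targetfilter"], attrs)))

# The two ACIs from the remove/add lines above, each joined back onto a single line.
OLD_ACI = ('(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")'
           '(version 3.0;acl "permission:Delete Sudo command";allow (delete) '
           'groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)')
NEW_ACI = ('(targetfilter = "(objectclass=ipasudocmd)")'
           '(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")'
           '(version 3.0;acl "permission:Delete Sudo command";allow (delete) '
           'groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)')

def rdn_change_check():
    """Evaluate both ACIs against one sudo command entry named with the old RDN
    and with a constructed UUID-style RDN. Returns (old ACI on old DN, old ACI
    on new DN, new ACI on old DN, new ACI on new DN)."""
    attrs = {"objectclass": ["ipasudocmd", "ipaobject"]}  # constructed sample entry
    old_dn = "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo," + SUFFIX
    new_dn = "ipaUniqueID=11111111-2222-3333-4444-555555555555,cn=sudocmds,cn=sudo," + SUFFIX
    return tuple(aci_applies(a, d, attrs) for a in (OLD_ACI, NEW_ACI) for d in (old_dn, new_dn))
```

The old target-based ACI stops selecting the entry as soon as the RDN attribute changes, while the targetfilter plus subtree form keeps applying to both names.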



