[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Petr Viktorin pviktori at redhat.com
Tue Apr 8 09:03:26 UTC 2014

Patch 0508:
This documents the inputs for the permission updater in the module 
itself. This is taken from the design page. I expect it'll need an 
addition now and then, so I think it's better to have this near the code 
it corresponds to.

Patch 0509:
So far the new default permissions have been tied to an Object plugin, 
and took the ACI location and objectclass filter from the object. 
However there are some permissions that are not tied to an IPA object, 
for instance ones dealing with a compat tree. However, these permissions 
should behave similarly to the Object-based ones, so it makes sense to 
use the same updater with them.

A question is where the non-Object permissions should be stored. I can 
think of several alternatives:
a) in a special data file, like .update files
b) in a new plugin type
c) somewhere in the code

I went for c) for simplicity, but feel free to discuss. (CCing Rob since 
he had some strong opinions in this area.)

This patch makes ipapermlocation, ipapermtargetfilter and other 
Permission attributes overridable, and adds a central list of non-object 
permissions to the updater module. (For now, the list is empty).

My patch 0504.2 (Default read ACIs for Sudo objects) will add a 
non-object permission for ou=sudoers.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0508-Document-the-managed-permission-updater-operation.patch
Type: text/x-patch
Size: 2478 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/9092f54b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0509-Add-support-for-non-object-default-permissions.patch
Type: text/x-patch
Size: 5666 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/9092f54b/attachment-0001.bin>

More information about the Freeipa-devel mailing list