[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Martin Kosek mkosek at redhat.com
Tue Apr 8 10:53:26 UTC 2014

On 04/08/2014 11:03 AM, Petr Viktorin wrote:
> Patch 0508:
> This documents the inputs for the permission updater in the module itself. This
> is taken from the design page. I expect it'll need an addition now and then, so
> I think it's better to have this near the code it corresponds to.
>
> Patch 0509:
> So far the new default permissions have been tied to an Object plugin, and took
> the ACI location and objectclass filter from the object. However there are some
> permissions that are not tied to an IPA object, for instance ones dealing with
> a compat tree. However, these permissions should behave similarly to the
> Object-based ones, so it makes sense to use the same updater with them.
>
> A question is where the non-Object permissions should be stored. I can think of
> several alternatives:
> a) in a special data file, like .update files
> b) in a new plugin type
> c) somewhere in the code
> I went for c) for simplicity, but feel free to discuss. (CCing Rob since he had
> some strong opinions in this area.)
>
> This patch makes ipapermlocation, ipapermtargetfilter and other Permission
> attributes overridable, and adds a central list of non-object permissions to
> the updater module. (For now, the list is empty.)
>
> My patch 0504.2 (Default read ACIs for Sudo objects) will add a non-object
> permission for ou=sudoers.

The patch is functional, but I am not really a big fan of placing it in the
plugin. I would prefer if the ACI definition were also in the sudo plugin
together with the other definitions. It would then be much easier to audit all
sudo-related ACIs.

Why can't we add this ACI to sudorule object managed permissions and just
override the location and target?

I am not insisting on a specific format; I would simply prefer to have all
plugin-object-related ACIs close together.
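As an added illustration (not FreeIPA's code, and not from either author), a small Python model of the override mechanism the two posts discuss: a permission tied to an object plugin inherits the ACI location and objectclass filter from that object, while a definition kept alongside the sudo permissions can override both for the compat tree. BASEDN, OBJECTS, SUDORULE_PERMISSIONS, resolve_permission and the sample DNs and objectclasses are assumptions, not values from the thread.

```python
"""Hypothetical model of managed-permission override resolution (added
example; not FreeIPA's code). A permission tied to an Object plugin takes
its ACI location and objectclass filter from that object unless the
definition overrides them; a definition with no object must supply both."""

# Constructed sample data standing in for the plugin objects and base DN.
BASEDN = 'dc=example,dc=test'

OBJECTS = {
    'sudorule': {
        'container_dn': 'cn=sudorules,cn=sudo,' + BASEDN,
        'object_class': ['ipasudorule'],
    },
}

# Sample definitions kept together in one place: the first relies on the
# sudorule object defaults, the second covers the compat tree by overriding
# location and target filter (constructed values, not real IPA ACIs).
SUDORULE_PERMISSIONS = {
    'System: Read Sudo Rules': {},
    'System: Read Sudoers compat tree': {
        'ipapermlocation': 'ou=sudoers,' + BASEDN,
        'ipapermtargetfilter': '(objectclass=sudoRole)',
    },
}


def objectclass_filter(object_classes):
    """Build '(objectclass=X)' for one class, or an OR filter for several."""
    parts = ['(objectclass=%s)' % oc for oc in object_classes]
    return parts[0] if len(parts) == 1 else '(|%s)' % ''.join(parts)


def resolve_permission(name, definition, obj=None):
    """Return the effective permission: object defaults, then overrides."""
    resolved = {'cn': name}
    if obj is not None:
        resolved['ipapermlocation'] = obj['container_dn']
        resolved['ipapermtargetfilter'] = objectclass_filter(obj['object_class'])
    # Any attribute spelled out in the definition wins over the object default.
    resolved.update(definition)
    missing = [k for k in ('ipapermlocation', 'ipapermtargetfilter')
               if k not in resolved]
    if missing:
        raise ValueError('permission %r has no object and does not define %s'
                         % (name, ', '.join(missing)))
    return resolved
```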
