[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Petr Viktorin pviktori at redhat.com
Tue Apr 8 11:14:02 UTC 2014 

On 04/08/2014 12:53 PM, Martin Kosek wrote:
> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>>
>> Patch 0508:
>> This documents the inputs for the permission updater in the module itself. This
>> is taken from the design page. I expect it'll need an addition now and then, so
>> I think it's better to have this near the code it corresponds to.
>>
>>
>> Patch 0509:
>> So far the new default permissions have been tied to an Object plugin, and took
>> the ACI location and objectclass filter from the object. However there are some
>> permissions that are not tied to an IPA object, for instance ones dealing with
>> a compat tree. However, these permissions should behave similarly to the
>> Object-based ones, so it makes sense to use the same updater with them.
>>
>> A question is where the non-Object permissions should be stored. I can think of
>> several alternatives:
>> a) in a special data file, like .update files
>> b) in a new plugin type
>> c) somewhere in the code
>>
>> I went for c) for simplicity, but feel free to discuss. (CCing Rob since he had
>> some strong opinions in this area.)
>>
>> This patch makes ipapermlocation, ipapermtargetfilter and other Permission
>> attributes overridable, and adds a central list of non-object permissions to
>> the updater module. (For now, the list is empty).
>>
>>
>> My patch 0504.2 (Default read ACIs for Sudo objects) will add a non-object
>> permission for ou=sudoers.
>
> The patch is functional, but I am not really a big fan of placing it in the
> plugin. I would prefer if the ACI definition is also in the sudo plugin
> together with other definition. It would be then much easier to audit all
> sudo-related ACIs.
>
> Why can't we add this ACI to sudorule object managed permissions and just
> override the location and target?

I can do that. Most of the changes make this overriding possible, where 
the permission is actually defined is a detail.

> I am not insisting on a specific format, I would simply prefer to have all
> plugin object related ACIs close together.

My reasoning is that finding the definition would not be 
straightforward. All the object-specific permissions so far are defined 
in "their" plugins, as determined by --type. This one won't have --type, 
and it's not clear if it should be in sudorule, sudocmd or sudocmdgroup.

But, I don't have a strong preference. A `git grep` will always show the 
definition.

-- 
Petr³

More information about the Freeipa-devel mailing list