[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Martin Kosek mkosek at redhat.com
Tue Apr 8 14:39:42 UTC 2014

On 04/08/2014 01:14 PM, Petr Viktorin wrote:
> On 04/08/2014 12:53 PM, Martin Kosek wrote:
>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>> The patch is functional, but I am not really a big fan of placing it in the
>> plugin. I would prefer if the ACI definition is also in the sudo plugin
>> together with other definition. It would be then much easier to audit all
>> sudo-related ACIs.
>> Why can't we add this ACI to sudorule object managed permissions and just
>> override the location and target?
> I can do that. Most of the changes make this overriding possible, where the
> permission is actually defined is a detail.
>> I am not insisting on a specific format, I would simply prefer to have all
>> plugin object related ACIs close together.
> My reasoning is that finding the definition would not be straightforward. All
> the object-specific permissions so far are defined in "their" plugins, as
> determined by --type. This one won't have --type, and it's not clear if it
> should be in sudorule, sudocmd or sudocmdgroup.
> But, I don't have a strong preference. A `git grep` will always show the
> definition.

IMO sudorule is fine; I personally see it as an overarching plugin for sudo, and
sudocmds and sudocmdgroups are just part of the sudorule.

We may just want to somehow differentiate the non--type ACIs from the regular
--type ones. Whether it is a different attribute in the Object or a setting in
managed permission is something I will leave up to you.
