[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Petr Viktorin pviktori at redhat.com
Tue Apr 8 15:17:46 UTC 2014

On 04/08/2014 04:39 PM, Martin Kosek wrote:
> On 04/08/2014 01:14 PM, Petr Viktorin wrote:
>> On 04/08/2014 12:53 PM, Martin Kosek wrote:
>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
> ...
>>> The patch is functional, but I am not really a big fan of placing it in the
>>> plugin. I would prefer if the ACI definition is also in the sudo plugin
>>> together with other definition. It would be then much easier to audit all
>>> sudo-related ACIs.
>>> Why can't we add this ACI to sudorule object managed permissions and just
>>> override the location and target?
>> I can do that. Most of the changes make this overriding possible, where the
>> permission is actually defined is a detail.
>>> I am not insisting on a specific format, I would simply prefer to have all
>>> plugin object related ACIs close together.
>> My reasoning is that finding the definition would not be straightforward. All
>> the object-specific permissions so far are defined in "their" plugins, as
>> determined by --type. This one won't have --type, and it's not clear if it
>> should be in sudorule, sudocmd or sudocmdgroup.
>> But, I don't have a strong preference. A `git grep` will always show the
>> definition.
> IMO sudorule is fine; I personally see it as an overarching plugin for sudo,
> and sudocmds and sudocmdgroups are just part of the sudorule.
> We may just want to somehow differentiate the non--type ACIs from the regular
> --type ones. Whether it is a different attribute in the Object or a setting in
> managed permission is something I will leave up to you.

I went with a "non_object" key in the managed permission info.

Attaching new patches.

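To make the design point in this thread concrete, here is an added illustration of the "non_object" idea, written for this page rather than taken from FreeIPA or from the attached patches. It sketches how an updater could derive ipapermlocation and ipapermtargetfilter from the plugin object for ordinary --type permissions, while a definition flagged non_object has no --type to derive from and must therefore carry its own location (and may override any other attribute). The SUFFIX value, the ObjectInfo stand-in, the helper names and the sample permission definitions are all constructed for the example; only the ipaperm* attribute naming follows FreeIPA's convention.

```python
"""Added example (not FreeIPA code): filling in defaults for object-bound
managed permissions while a 'non_object' definition states its own
location and target.  ObjectInfo, SUFFIX, the helpers and the sample
definitions are constructed for this illustration."""

from dataclasses import dataclass

SUFFIX = "dc=example,dc=com"  # assumed directory suffix


@dataclass(frozen=True)
class ObjectInfo:
    """Stand-in for what --type resolves to: a container and an object class."""
    name: str
    container_rdn: str   # e.g. "cn=sudorules,cn=sudo"
    object_class: str    # e.g. "ipasudorule"


def resolve_managed_permission(name, info, obj):
    """Return the complete attribute dict for one managed-permission entry.

    Object permissions get ipapermlocation and ipapermtargetfilter derived
    from `obj`.  A non-object permission has no --type to derive them from,
    so ipapermlocation is mandatory in the definition.  Either way, keys
    given explicitly override the derived defaults.
    """
    if "ipapermright" not in info:
        raise ValueError(f"{name}: ipapermright is required")
    overrides = {k: v for k, v in info.items() if k != "non_object"}
    perm = {"cn": name, "ipapermbindruletype": "permission"}

    if info.get("non_object"):
        if "ipapermlocation" not in info:
            raise ValueError(f"{name}: non-object permission must set ipapermlocation")
    else:
        perm["ipapermlocation"] = f"{obj.container_rdn},{SUFFIX}"
        perm["ipapermtargetfilter"] = [f"(objectclass={obj.object_class})"]

    perm.update(overrides)
    return perm


def resolve_all(managed_permissions, obj):
    """Resolve every definition of one plugin against its object."""
    return {n: resolve_managed_permission(n, i, obj)
            for n, i in managed_permissions.items()}


def non_object_names(managed_permissions):
    """Audit helper: definitions in a plugin that do not follow --type."""
    return sorted(n for n, i in managed_permissions.items() if i.get("non_object"))


# Constructed sample: a sudorule-like plugin carrying one object permission
# and one non-object permission that points at a different container.
SUDORULE = ObjectInfo("sudorule", "cn=sudorules,cn=sudo", "ipasudorule")

SAMPLE_MANAGED_PERMISSIONS = {
    "System: Read Sudo Rules": {
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"cn", "description", "ipaenabledflag"},
    },
    "System: Read Sudo Commands": {
        "non_object": True,
        "ipapermlocation": f"cn=sudocmds,cn=sudo,{SUFFIX}",
        "ipapermtargetfilter": ["(objectclass=ipasudocmd)"],
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"sudocmd", "description"},
    },
}

if __name__ == "__main__":
    for n, p in resolve_all(SAMPLE_MANAGED_PERMISSIONS, SUDORULE).items():
        print(n, "->", p["ipapermlocation"], p.get("ipapermtargetfilter"))
    print("non-object definitions:", non_object_names(SAMPLE_MANAGED_PERMISSIONS))
```

Keeping the non_object flag as a key inside the definition, rather than a separate attribute on the object, lets a reviewer list every non-object ACI a plugin defines with one call like non_object_names above, which is the auditability concern raised earlier in the thread.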

Attachments:
  freeipa-pviktori-0508.2-Document-the-managed-permission-updater-operation.patch (text/x-patch, 2478 bytes)
    <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/5a390920/attachment.bin>
  freeipa-pviktori-0509.2-Allow-overriding-all-attributes-of-default-permissio.patch (text/x-patch, 5459 bytes)
    <http://listman.redhat.com/archives/freeipa-devel/attachments/20140408/5a390920/attachment-0001.bin>
