[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Martin Kosek mkosek at redhat.com
Wed Apr 9 08:31:30 UTC 2014


On 04/08/2014 05:17 PM, Petr Viktorin wrote:
> On 04/08/2014 04:39 PM, Martin Kosek wrote:
>> On 04/08/2014 01:14 PM, Petr Viktorin wrote:
>>> On 04/08/2014 12:53 PM, Martin Kosek wrote:
>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>> ...
>>>> The patch is functional, but I am not really a big fan of placing it in the
>>>> plugin. I would prefer if the ACI definition is also in the sudo plugin
>>>> together with the other definitions. It would then be much easier to audit all
>>>> sudo-related ACIs.
>>>>
>>>> Why can't we add this ACI to sudorule object managed permissions and just
>>>> override the location and target?
>>>
>>> I can do that. Most of the changes make this overriding possible, where the
>>> permission is actually defined is a detail.
>>>
>>>> I am not insisting on a specific format; I would simply prefer to have all
>>>> plugin object related ACIs close together.
>>>
>>> My reasoning is that finding the definition would not be straightforward. All
>>> the object-specific permissions so far are defined in "their" plugins, as
>>> determined by --type. This one won't have --type, and it's not clear if it
>>> should be in sudorule, sudocmd or sudocmdgroup.
>>>
>>> But, I don't have a strong preference. A `git grep` will always show the
>>> definition.
>>>
>>
>> IMO sudorule is fine; I personally see it as an overarching plugin for sudo,
>> and sudocmds and sudocmdgroups are just part of the sudorule.
>>
>> We may just want to somehow differentiate the non--type ACIs from the regular
>> --type ones. Whether it is a different attribute in the Object or a setting in
>> managed permission is something I will leave up to you.
> 
> I went with a "non_object" key in the managed permission info.
> 
> Attaching new patches.

This looks good to me, ACK.

Martin
