[Freeipa-devel] [PATCHES] 0508-0509 Add support for "non-object" managed permissions

Martin Kosek mkosek at redhat.com
Wed Apr 9 08:31:30 UTC 2014

On 04/08/2014 05:17 PM, Petr Viktorin wrote:
> On 04/08/2014 04:39 PM, Martin Kosek wrote:
>> On 04/08/2014 01:14 PM, Petr Viktorin wrote:
>>> On 04/08/2014 12:53 PM, Martin Kosek wrote:
>>>> On 04/08/2014 11:03 AM, Petr Viktorin wrote:
>> ...
>>>> The patch is functional, but I am not really a big fan of placing it in the
>>>> plugin. I would prefer if the ACI definition is also in the sudo plugin
>>>> together with other definition. It would be then much easier to audit all
>>>> sudo-related ACIs.
>>>> Why can't we add this ACI to sudorule object managed permissions and just
>>>> override the location and target?
>>> I can do that. Most of the changes make this overriding possible, where the
>>> permission is actually defined is a detail.
>>>> I am not insisting on a specific format, I would simply prefer to have all
>>>> plugin object related ACIs close together.
>>> My reasoning is that finding the definition would not be straightforward. All
>>> the object-specific permissions so far are defined in "their" plugins, as
>>> determined by --type. This one won't have --type, and it's not clear if it
>>> should be in sudorule, sudocmd or sudocmdgroup.
>>> But, I don't have a strong preference. A `git grep` will always show the
>>> definition.
>> IMO sudorule is fine, I personally see it as an overarching plugin for sudo,
>> sudocmds and sudocmdgroups are just part of the sudorule.
>> We may just want to somehow differentiate the non--type ACIs from the regular
>> --type ones. Whether it is a different attribute in the Object or a setting in
>> managed permission is something I will leave up to you.
> I went with a "non_object" key in the managed permission info.
> Attaching new patches.

This looks good to me, ACK.


More information about the Freeipa-devel mailing list