[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects

Petr Viktorin pviktori at redhat.com
Wed Apr 9 11:41:32 UTC 2014


On 04/09/2014 10:59 AM, Martin Kosek wrote:
> On 04/07/2014 01:34 PM, Petr Viktorin wrote:
>> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>>
>>>> Read access is given to all authenticated users.
>>>
>>> So far looked OK in my tests. What about the ACIs like the following one?
>>>
>>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>>> (read,search,compare) userdn != "ldap:///all";)
>>>
>>> Do we want to remove them together with this patch to have the change grouped
>>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>>> once? (together with the master read ACI)
>>>
>>> Martin
>>>
>>
>> I want to remove them after removing the global read ACI, so that in the
>> meantime we're not allowing more access than we should.
>
> Ok, makes sense. I tested the patch again and it worked fine (after I removed
> the deny rule).
>
> ACK.
>
> Martin
>

Thanks, pushed to master: 39327dbb75e92e4184bdda2dbd802cf349866861

-- 
Petr³



