[Freeipa-devel] [PATCH] 0505 Default read ACIs for HBAC objects
pviktori at redhat.com
Wed Apr 9 11:41:32 UTC 2014
On 04/09/2014 10:59 AM, Martin Kosek wrote:
> On 04/07/2014 01:34 PM, Petr Viktorin wrote:
>> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>> Read access is given to all authenticated users.
>>> So far looked OK in my tests. What about the ACIs like the following one?
>>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>>> (read,search,compare) userdn != "ldap:///all";)
>>> Do we want to remove them together with this patch to have the change grouped
>>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>>> once? (together with the master read ACI)
>> I want to remove them after removing the global read ACI, so that in the mean
>> time we're not allowing more access than we should.
> Ok, makes sense. I tested the patch again and it worked fine (after I removed
> the deny rule).
Thanks, pushed to master: 39327dbb75e92e4184bdda2dbd802cf349866861
More information about the Freeipa-devel