[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Petr Viktorin pviktori at redhat.com
Thu Apr 10 11:46:43 UTC 2014

On 04/09/2014 05:17 PM, Martin Kosek wrote:
> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>> The meta-permissions.
> :-)
>> Read access is given to all authenticated users. Reading membership info (i.e.
>> privileges) is split into a separate permission.
>> Another permission is added that allows read access to all ACIs.
>> If we don't want to open that up for everyone, I could limit this to only ACIs
>> containing "permission:". (Since old-style permissions store their information
>> in ACIs, their ACIs need to be readable.)
> If I read the notes from our DevConf discussion correctly, there are some
> inconsistencies:
> 1) We decided to not do special membership permission for
> permission/privilege/role permissions.
> 2) We decided to give read access to permissions, privileges and roles only to
> member of a certain privilege. Is there any reason to not do that? IMO, regular
> users do not need to be able to read the permission/privilege/role
> configuration of a FreeIPA installation to use it for IdM.
> Martin

Updated. I plan to add all the RBAC-related read permissions to a single 
privilege, "RBAC Readers". Or do we want more granularity by default?

Requires my patch 0514.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0513.2-Add-managed-read-permissions-to-permission.patch
Type: text/x-patch
Size: 3622 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/00654bfc/attachment.bin>

More information about the Freeipa-devel mailing list