[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Martin Kosek mkosek at redhat.com
Thu Apr 10 12:58:04 UTC 2014

On 04/10/2014 01:46 PM, Petr Viktorin wrote:
> On 04/09/2014 05:17 PM, Martin Kosek wrote:
>> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>>> The meta-permissions.
>> :-)
>>> Read access is given to all authenticated users. Reading membership info (i.e.
>>> privileges) is split into a separate permission.
>>> Another permission is added that allows read access to all ACIs.
>>> If we don't want to open that up for everyone, I could limit this to only ACIs
>>> containing "permission:". (Since old-style permissions store their information
>>> in ACIs, their ACIs need to be readable.)
>> If I read the notes from our DevConf discussion correctly, there are some
>> inconsistencies:
>> 1) We decided to not do special membership permission for
>> permission/privilege/role permissions.
>> 2) We decided to give read access to permissions, privileges and roles only to
>> members of a certain privilege. Is there any reason to not do that? IMO, regular
>> users do not need to be able to read the permission/privilege/role
>> configuration of a FreeIPA installation to use it for IdM.
>> Martin
> Updated. I plan to add all the RBAC-related read permissions to a single
> privilege, "RBAC Readers". Or do we want more granularity by default?
> Requires my patch 0514.

I was looking at the granularity we currently have with privileges and it is
mostly per FreeIPA function (Sudo Administrator or DNS Administrator), not per
IPA object (Sudo Command Administrator, Sudo Rule Administrator).

I would thus follow the same principle with RBAC and create an RBAC Administrator
privilege which will cover read permissions for... permissions... privileges
and roles. In time, we will also add new write privileges there as they are
currently missing.

To sum it up, the patch works; I would just change the name of the privilege
and not focus it just on reading.
