[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Petr Viktorin pviktori at redhat.com
Thu Apr 10 13:02:02 UTC 2014

On 04/10/2014 02:58 PM, Martin Kosek wrote:
> On 04/10/2014 01:46 PM, Petr Viktorin wrote:
>> On 04/09/2014 05:17 PM, Martin Kosek wrote:
>>> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>>>> The meta-permissions.
>>> :-)
>>>> Read access is given to all authenticated users. Reading membership info (i.e.
>>>> privileges) is split into a separate permission.
>>>> Another permission is added that allows read access to all ACIs.
>>>> If we don't want to open that up for everyone, I could limit this to only ACIs
>>>> containing "permission:". (Since old-style permissions store their information
>>>> in ACIs, their ACIs need to be readable.)
>>> If I read the notes from our DevConf discussion correctly, there are some
>>> inconsistencies:
>>> 1) We decided to not do special membership permission for
>>> permission/privilege/role permissions.
>>> 2) We decided to give read access to permissions, privileges and roles only to
>>> member of a certain privilege. Is there any reason to not do that? IMO, regular
>>> users do not need to be able to read the permission/privilege/role
>>> configuration of a FreeIPA installation to use it for IdM.
>>> Martin
>> Updated. I plan to add all the RBAC-related read permissions to a single
>> privilege, "RBAC Readers". Or do we want more granularity by default?
>> Requires my patch 0514.
> I was looking at the granularity we currently have with privilege and it is
> mostly per FreeIPA function (Sudo Administrator or DNS Administrator), not per
> IPA object (Sudo Command Administrator, Sudo Rule Administrator).
> I would thus follow the same principle with RBAC and create RBAC Administrator
> privilege which will cover read permissions for... permissions... privileges
> and roles. In time, we will also add new write privileges there as they are
> currently missing.
> To sum it up, the patch works, I would just change the name of the privilege
> and not focus it just on reading.

So to confirm, we want one privilege to cover both reading and writing?
Should I add new read permissions to existing "Administrator" privileges 
only, instead of creating new "Reader" permissions?


More information about the Freeipa-devel mailing list