[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Simo Sorce ssorce at redhat.com
Thu Apr 10 13:07:41 UTC 2014


On Thu, 2014-04-10 at 15:02 +0200, Petr Viktorin wrote:
> On 04/10/2014 02:58 PM, Martin Kosek wrote:
> > On 04/10/2014 01:46 PM, Petr Viktorin wrote:
> >> On 04/09/2014 05:17 PM, Martin Kosek wrote:
> >>> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
> >>>> The meta-permissions.
> >>>
> >>> :-)
> >>>
> >>>> Read access is given to all authenticated users. Reading membership info (i.e.
> >>>> privileges) is split into a separate permission.
> >>>>
> >>>> Another permission is added that allows read access to all ACIs.
> >>>> If we don't want to open that up for everyone, I could limit this to only ACIs
> >>>> containing "permission:". (Since old-style permissions store their information
> >>>> in ACIs, their ACIs need to be readable.)
> >>>
> >>> If I read the notes from our DevConf discussion correctly, there are some
> >>> inconsistencies:
> >>>
> >>> 1) We decided to not do special membership permission for
> >>> permission/privilege/role permissions.
> >>>
> >>> 2) We decided to give read access to permissions, privileges and roles only to
> >>> members of a certain privilege. Is there any reason to not do that? IMO, regular
> >>> users do not need to be able to read the permission/privilege/role
> >>> configuration of a FreeIPA installation to use it for IdM.
> >>>
> >>> Martin
> >>>
> >>
> >> Updated. I plan to add all the RBAC-related read permissions to a single
> >> privilege, "RBAC Readers". Or do we want more granularity by default?
> >>
> >> Requires my patch 0514.
> >
> > I was looking at the granularity we currently have with privilege and it is
> > mostly per FreeIPA function (Sudo Administrator or DNS Administrator), not per
> > IPA object (Sudo Command Administrator, Sudo Rule Administrator).
> >
> > I would thus follow the same principle with RBAC and create RBAC Administrator
> > privilege which will cover read permissions for... permissions... privileges
> > and roles. In time, we will also add new write privileges there as they are
> > currently missing.
> >
> > To sum it up, the patch works, I would just change the name of the privilege
> > and not focus it just on reading.
> 
> So to confirm, we want one privilege to cover both reading and writing?
> Should I add new read permissions to existing "Administrator" privileges
> only, instead of creating new "Reader" permissions?

There may be people that need only reading, so a separate privilege for
just reading is usually a good idea.

Simo.
