[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Martin Kosek mkosek at redhat.com
Thu Apr 10 13:09:18 UTC 2014

On 04/10/2014 03:07 PM, Simo Sorce wrote:
> On Thu, 2014-04-10 at 15:02 +0200, Petr Viktorin wrote:
>> On 04/10/2014 02:58 PM, Martin Kosek wrote:
>>> On 04/10/2014 01:46 PM, Petr Viktorin wrote:
>>>> On 04/09/2014 05:17 PM, Martin Kosek wrote:
>>>>> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>>>>>> The meta-permissions.
>>>>> :-)
>>>>>> Read access is given to all authenticated users. Reading membership info (i.e.
>>>>>> privileges) is split into a separate permission.
>>>>>> Another permission is added that allows read access to all ACIs.
>>>>>> If we don't want to open that up for everyone, I could limit this to only ACIs
>>>>>> containing "permission:". (Since old-style permissions store their information
>>>>>> in ACIs, their ACIs need to be readable.)
>>>>> If I read the notes from our DevConf discussion correctly, there are some
>>>>> inconsistencies:
>>>>> 1) We decided to not do special membership permission for
>>>>> permission/privilege/role permissions.
>>>>> 2) We decided to give read access to permissions, privileges and roles only to
>>>>> member of a certain privilege. Is there any reason to not do that? IMO, regular
>>>>> users do not need to be able to read the permission/privilege/role
>>>>> configuration of a FreeIPA installation to use it for IdM.
>>>>> Martin
>>>> Updated. I plan to add all the RBAC-related read permissions to a single
>>>> privilege, "RBAC Readers". Or do we want more granularity by default?
>>>> Requires my patch 0514.
>>> I was looking at the granularity we currently have with privilege and it is
>>> mostly per FreeIPA function (Sudo Administrator or DNS Administrator), not per
>>> IPA object (Sudo Command Administrator, Sudo Rule Administrator).
>>> I would thus follow the same principle with RBAC and create RBAC Administrator
>>> privilege which will cover read permissions for... permissions... privileges
>>> and roles. In time, we will also add new write privileges there as they are
>>> currently missing.
>>> To sum it up, the patch works, I would just change the name of the privilege
>>> and not focus it just on reading.
>> So to confirm, we want one privilege to cover both reading and writing?
>> Should I add new read permissions to existing "Administrator" privileges 
>> only, instead of creating new "Reader" permissions?
> There may be people that need only reading, so a separate privilege for
> just reading is usually a good idea.
> Simo.

You were faster than me, see my other response in this thread. I would
personally not spam our privilege list with unused privileges and let people
create them when they really need it.

Our default permission/privileges should be the one that fits the most people
and is our recommended ACI model. Others may simply add privileges and change it.


More information about the Freeipa-devel mailing list