[Freeipa-devel] [PATCHES] 0521-0522 - Add managed read permissions to krbtpolicy & Allow anonymous read access to Kerberos realm container name

Martin Kosek mkosek at redhat.com
Tue Apr 15 07:38:40 UTC 2014


On 04/14/2014 07:18 PM, Simo Sorce wrote:
> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
>> Hello,
>>
>> The first patch adds default read permissions to krbtpolicy. Since the 
>> plugin manages entries in two trees, there are two permissions. Since 
>> two permissions are needed to cover krbtpolicy, it can't be used as a 
>> permission's --type.
>> The permissions are added to a new privilege, 'Kerberos Ticket Policy 
>> Readers'.
>>
>> The second patch adds an ACI for reading the Kerberos realm name. Since 
>> client enrollment won't work without this, I don't see a reason for 
>> having it managed by a permission.
>>
> 
> LGTM
> 
> Simo.
> 

521 breaks a unit test:

======================================================================
FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in <lambda>
    func = lambda: self.check(nice, **test)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in check_output
    assert_deepequal(expected, got, nice)
  File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
  expected = 1
  got = 2
  path = ('count',)

Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
are missing permissions for users).

Martin



