[Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

Martin Kosek mkosek at redhat.com
Thu Apr 17 05:51:50 UTC 2014

On 04/16/2014 06:15 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 04/16/2014 02:14 PM, Petr Viktorin wrote:
>>>> A single permission granting anonymous read access covers automountlocation,
>>>> automountmap, and automountkey.
>>> This works fine, I am just wondering about the ACI:
>>> 1) Simo, are you OK with one ACI covering all automount objects? I personally
>>> am, I cannot imagine a situation when somebody allows automount maps but not
>>> the automount keys. But on the other hand, we also have separate permissions
>>> for sudo commands, sudo command groups, sudo rules...
>> With sudo you may want a different set of users deciding WHAT can be 
>> executed from WHO can execute it. I don't think automount needs that 
>> level of specificity.
>>> 2) Should we limit the ACI by an objectclass filter? I.e.
>>> (|(objectclass=automountmap)(objectclass=automount))?
>> I think these are the only things living in that container so it may be 
>> overkill. I'm not against adding it if someone feels more strongly about it.
> I think Rob summarized my own thought, and I think he has more authority
> than I have as he's been working on automount stuff more than I have.
> Simo.

Thanks for discussion. In that case, the ACI is good as is.

ACK. Pushed to master: adde918f38a7df8f72e5293d1d0c5a5637b7e5a8


More information about the Freeipa-devel mailing list