[Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

Martin Kosek mkosek at redhat.com
Thu Apr 17 05:51:50 UTC 2014


On 04/16/2014 06:15 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 04/16/2014 02:14 PM, Petr Viktorin wrote:
>>>> A single permission granting anonymous read access covers automountlocation,
>>>> automountmap, and automountkey.
>>>>
>>>
>>> This works fine, I am just wondering about the ACI:
>>>
>>> 1) Simo, are you OK with one ACI covering all automount objects? I personally
>>> am, I cannot imagine a situation when somebody allows automount maps but not
>>> the automount keys. But on the other hand, we also have separate permissions
>>> for sudo commands, sudo command groups, sudo rules...
>>
>> With sudo you may want a different set of users deciding WHAT can be 
>> executed from WHO can execute it. I don't think automount needs that 
>> level of specificity.
>>
>>>
>>> 2) Should we limit the ACI by an objectclass filter? I.e.
>>> (|(objectclass=automountmap)(objectclass=automount))?
>>
>> I think these are the only things living in that container so it may be 
>> overkill. I'm not against adding it if someone feels more strongly about it.
> 
> 
> I think Rob summarized my own thought, and I think he has more authority
> than I have as he's been working on automount stuff more than I have.
> 
> Simo.

Thanks for the discussion. In that case, the ACI is good as is.

ACK. Pushed to master: adde918f38a7df8f72e5293d1d0c5a5637b7e5a8

Martin