[Freeipa-devel] [PATCH] 0513 Add managed read permissions to permission

Petr Viktorin pviktori at redhat.com
Thu Apr 10 11:46:43 UTC 2014


On 04/09/2014 05:17 PM, Martin Kosek wrote:
> On 04/09/2014 04:54 PM, Petr Viktorin wrote:
>> The meta-permissions.
>
> :-)
>
>> Read access is given to all authenticated users. Reading membership info (i.e.
>> privileges) is split into a separate permission.
>>
>> Another permission is added that allows read access to all ACIs.
>> If we don't want to open that up for everyone, I could limit this to only ACIs
>> containing "permission:". (Since old-style permissions store their information
>> in ACIs, their ACIs need to be readable.)
>
> If I read the notes from our DevConf discussion correctly, there are some
> inconsistencies:
>
> 1) We decided to not do special membership permission for
> permission/privilege/role permissions.
>
> 2) We decided to give read access to permissions, privileges and roles only to
> members of a certain privilege. Is there any reason to not do that? IMO, regular
> users do not need to be able to read the permission/privilege/role
> configuration of a FreeIPA installation to use it for IdM.
>
> Martin
>

Updated. I plan to add all the RBAC-related read permissions to a single 
privilege, "RBAC Readers". Or do we want more granularity by default?

Requires my patch 0514.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0513.2-Add-managed-read-permissions-to-permission.patch
Type: text/x-patch
Size: 3622 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140410/00654bfc/attachment.bin>
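The question in the quoted reply, whether read access on the RBAC entries ends up open to every authenticated user or restricted to members of a privilege, comes down to the bind rule in each generated ACI. The following is an added example, not FreeIPA code and not part of the patch: a small audit that parses 389 Directory Server style ACI strings and lists those that grant read to `ldap:///all` (any authenticated bind) or `ldap:///anyone` (anonymous), optionally restricted to ACIs whose name starts with "permission:". The ACI strings, the suffix `dc=example,dc=com` and the permission names in it are constructed samples for illustration only.

```python
"""Audit ACI strings for read access granted to every (authenticated) bind.

Added example for this thread, not FreeIPA project code. The sample ACIs,
suffix and permission names below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# 389-ds ACI pieces we need: the acl name, the allowed rights, the bind rule.
ACL_NAME_RE = re.compile(r'acl\s+"([^"]+)"')
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', re.S)
BIND_RE = re.compile(r'(userdn|groupdn)\s*=\s*"([^"]+)"')


@dataclass(frozen=True)
class AciSummary:
    name: str
    rights: frozenset
    bind_type: str          # "anyone", "authenticated", "group", "user", "other"
    bind_targets: tuple


def classify_bind(bind_rule: str):
    """Map a bind rule to who it admits; 'anyone'/'authenticated' are the open ones."""
    found = BIND_RE.findall(bind_rule)
    if not found:
        return "other", ()
    targets = tuple(value for _, value in found)
    if "ldap:///anyone" in targets:
        return "anyone", targets
    if "ldap:///all" in targets:
        return "authenticated", targets
    if {kw for kw, _ in found} == {"groupdn"}:
        return "group", targets
    return "user", targets


def parse_aci(aci: str) -> AciSummary:
    """Extract name, rights and bind classification from one 'allow' ACI."""
    name = ACL_NAME_RE.search(aci)
    allow = ALLOW_RE.search(aci)
    if not name or not allow:
        raise ValueError("unrecognised ACI: " + aci)
    rights = frozenset(r.strip() for r in allow.group(1).split(",") if r.strip())
    bind_type, targets = classify_bind(allow.group(2))
    return AciSummary(name.group(1), rights, bind_type, targets)


def find_open_read_acis(acis, only_permission_acis=False):
    """Names of ACIs that grant 'read' to every authenticated or anonymous bind."""
    open_names = []
    for aci in acis:
        summary = parse_aci(aci)
        if only_permission_acis and not summary.name.startswith("permission:"):
            continue
        if "read" in summary.rights and summary.bind_type in ("anyone", "authenticated"):
            open_names.append(summary.name)
    return open_names


SUFFIX = "dc=example,dc=com"   # assumed directory suffix
PBAC = f"cn=pbac,{SUFFIX}"

# Constructed sample ACIs (not taken from an installation).
SAMPLE_ACIS = [
    # Read on permissions open to all authenticated users (the first variant).
    f'(targetattr = "cn || description || member")'
    f'(target = "ldap:///cn=permissions,{PBAC}")'
    f'(version 3.0;acl "permission:System: Read Permissions";'
    f'allow (read,search,compare) userdn = "ldap:///all";)',
    # Read on roles limited to members of a permission (the variant asked for).
    f'(targetattr = "cn || description || member")'
    f'(target = "ldap:///cn=roles,cn=accounts,{SUFFIX}")'
    f'(version 3.0;acl "permission:System: Read Roles";'
    f'allow (read,search,compare) '
    f'groupdn = "ldap:///cn=System: Read Roles,cn=permissions,{PBAC}";)',
    # Anonymous read elsewhere in the tree, not a permission: ACI.
    f'(targetattr = "cn")(target = "ldap:///cn=users,cn=accounts,{SUFFIX}")'
    f'(version 3.0;acl "Anonymous read of user names";'
    f'allow (read,search,compare) userdn = "ldap:///anyone";)',
    # A write grant, irrelevant to a read audit.
    f'(targetattr = "description")(target = "ldap:///cn=permissions,{PBAC}")'
    f'(version 3.0;acl "permission:System: Modify Permissions";'
    f'allow (write) groupdn = "ldap:///cn=System: Modify Permissions,cn=permissions,{PBAC}";)',
]

if __name__ == "__main__":
    for name in find_open_read_acis(SAMPLE_ACIS):
        print("read open to every bind:", name)
```

On a real installation the ACI strings would come from the `aci` attribute of the suffix entry (for example via `ldapsearch -b "$SUFFIX" -s base aci`); the script deliberately treats only the bind rule, so an ACI that is open but targets nothing sensitive still shows up and must be judged by its `target` and `targetattr` by hand.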
