[Freeipa-devel] Managed permission versioning

Martin Kosek mkosek at redhat.com
Thu Apr 17 13:48:09 UTC 2014


I would like to discuss more on the managed read permissions upgrades [1].
Right now, we simply merge an old permission with the new one, making sure that
we only add new attributes instead of just replacing them, to prevent a managed
permission from being spoiled by a lower FreeIPA server version which runs an update.

I was thinking about it some more and it seems to me we could run into problems
when we, for example, find out that some permission is too relaxed and we want to
remove some default attribute. Or when we want to update the permission filter.
Or when an object has an anonymous and an authenticated permission and we want to
move an attribute from the anonymous to the authenticated permission.

Changes like this can happen, especially in the first release and we do not
have means to address them. What about simply versioning the permissions as we
do with our configs? I.e.

1) Introduce new MUST numeric attribute ipaPermVersion
2) Add 'version' field to managed permissions:

    managed_permissions = {
        'System: Read Roles': {
            'version': 1,
            'replaces_global_anonymous_aci': True,
            'ipapermbindruletype': 'permission',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {
                'businesscategory', 'cn', 'description', 'member', 'memberof',
                'o', 'objectclass', 'ou', 'owner', 'seealso',
            },
            'default_privileges': {'RBAC Readers'},
        },
    }
3) Modify updater to only update the permission if its version is higher than
the one in LDAP. In that case, it should simply replace the managed permission
attributes with the new ones, no merging (except the attributes that we allow
users to change).

When we want to change the permission, we simply make the changes, bump the
version and we are done, and we do not need to fear that some older FreeIPA will
overwrite it. That of course assumes that the versioning would be available
from FreeIPA 4.0.

Makes sense?

[1] http://www.freeipa.org/page/V3/Managed_Read_permissions

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
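The three steps above, worked through as an added example (this is not FreeIPA's updater code, nor Martin's). It models LDAP as a plain dict, stores the proposed 'version' field as an ipapermversion attribute, and assumes a set of user-editable attributes (ipapermbindruletype, ipapermincludedattr, ipapermexcludedattr, member) since the message does not list them. The version-2 definition, which drops 'seealso' to tighten the permission, and the helper names are constructed for the example:

```python
# Added example: version-gated update of a managed permission as proposed
# in the message.  Not FreeIPA code; LDAP is simulated with dicts.

# Managed permission definitions as two server versions would ship them.
# 'System: Read Roles' at version 1 is the definition from the message.
PERMISSIONS_SERVER_A = {          # older server, ships version 1
    'System: Read Roles': {
        'version': 1,
        'ipapermbindruletype': 'permission',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {
            'businesscategory', 'cn', 'description', 'member', 'memberof',
            'o', 'objectclass', 'ou', 'owner', 'seealso',
        },
    },
}
PERMISSIONS_SERVER_B = {          # newer server, ships version 2 (constructed)
    'System: Read Roles': {
        'version': 2,
        'ipapermbindruletype': 'permission',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {
            'businesscategory', 'cn', 'description', 'member', 'memberof',
            'o', 'objectclass', 'ou', 'owner',      # 'seealso' removed
        },
    },
}

# Attributes administrators may change on a managed permission and which the
# updater must therefore preserve.  Assumed set; the message does not list them.
USER_EDITABLE = {'ipapermbindruletype', 'ipapermincludedattr',
                 'ipapermexcludedattr', 'member'}


def render(defn):
    """Turn a managed definition into the LDAP attributes the updater writes.

    The 'version' field becomes the proposed ipaPermVersion attribute."""
    attrs = {k: (set(v) if isinstance(v, set) else v)
             for k, v in defn.items() if k != 'version'}
    attrs['ipapermversion'] = defn['version']
    return attrs


def apply_update(ldap, name, defn, user_editable=USER_EDITABLE):
    """Version-gated update of one managed permission (step 3 of the proposal).

    Returns 'created', 'updated' or 'skipped'; modifies ldap in place."""
    wanted = render(defn)
    current = ldap.get(name)
    if current is None:
        ldap[name] = wanted
        return 'created'
    # Entries written before versioning existed carry no ipapermversion;
    # treat them as version 0 so the first versioned update replaces them.
    if defn['version'] <= int(current.get('ipapermversion', 0)):
        return 'skipped'          # an older server never overwrites a newer one
    # Replace managed attributes outright (no merging), but keep whatever the
    # administrator set on the user-editable attributes.
    preserved = {k: v for k, v in current.items() if k in user_editable}
    new_entry = dict(wanted)
    new_entry.update(preserved)
    ldap[name] = new_entry
    return 'updated'


def run_updater(ldap, permissions):
    """Run the updater of one server version over all its managed permissions."""
    return {name: apply_update(ldap, name, defn)
            for name, defn in permissions.items()}


def scenario():
    """Newer server tightens the permission, then the older server runs its
    updater again: 'seealso' must not come back and the admin's change must
    survive.  Returns the observable results for checking."""
    ldap = {}
    first = run_updater(ldap, PERMISSIONS_SERVER_A)       # created at v1
    ldap['System: Read Roles']['ipapermbindruletype'] = 'all'   # admin tweak
    second = run_updater(ldap, PERMISSIONS_SERVER_B)      # v2 replaces v1
    third = run_updater(ldap, PERMISSIONS_SERVER_A)       # old server: skipped
    entry = ldap['System: Read Roles']
    return {
        'actions': (first['System: Read Roles'],
                    second['System: Read Roles'],
                    third['System: Read Roles']),
        'version': entry['ipapermversion'],
        'has_seealso': 'seealso' in entry['ipapermdefaultattr'],
        'bindrule': entry['ipapermbindruletype'],
    }


if __name__ == '__main__':
    print(scenario())
```

Note the consequence of the "except the attributes that we allow users to change" clause: because those attributes are preserved verbatim, a version bump cannot push a new default for them, so a change such as switching the bind rule type has to be done another way.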